passwd logging

Chuck Swiger cswiger at mac.com
Fri Jan 14 16:19:13 PST 2005


Sean Murphy wrote:
> Chuck Swiger wrote:
>> Look at syslogd (/etc/syslog.conf) and /var/log/security or 
>> /var/log/auth.log, I suspect that what you want to see is already 
>> being logged there.
>>
> I checked out syslog.conf and did not see what to uncomment to add the 
> passwd logging. It currently logs bad logins and su, but not successfully 
> changed passwds. Then I had a look at /var/log/security, but nothing was 
> in that file. Hmm, would I have to add a line to the syslog.conf file to 
> log this type of activity?

Take a look at the end of /usr/src/usr.bin/passwd/local_passwd.c:

[ ... ]
         if (!pw_mkdb(uname))
                 pw_error((char *)NULL, 0, 1);
#ifdef LOGGING
         syslog(LOG_DEBUG, "user %s changed their local password\n", uname);
#endif
         return (0);
}

This message is being logged at DEBUG priority level, so I believe you should 
change the line in /etc/syslog.conf from "auth.info" to "auth.debug" and 
restart syslogd.

Or you could adjust this code to log using a higher priority (or write the 
info to a file directly, or whatever else you like), and build and reinstall 
the passwd binary with your changes.

-- 
-Chuck
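
Added example, not part of the original message or of FreeBSD's syslogd: a simplified C model of how a plain "facility.level" selector in /etc/syslog.conf is matched, showing why "auth.info" drops a LOG_DEBUG message while "auth.debug" keeps it. The function names are hypothetical, and it assumes, as the reply does, that the passwd message arrives under the auth facility.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* syslog.conf level names, indexed by <syslog.h> value (LOG_EMERG=0 .. LOG_DEBUG=7). */
static const char *const level_names[] = {
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"
};

/* Map a level name to its number; -1 if unknown. */
static int level_from_name(const char *name)
{
    for (int i = 0; i <= LOG_DEBUG; i++)
        if (strcmp(name, level_names[i]) == 0)
            return i;
    return -1;
}

/* Return 1 if a message with (facility, level) is selected by one
 * "facility.level" selector, 0 if not, -1 if the selector is malformed.
 * Simplified model: plain selectors only, plus "*" and "none". */
int selector_matches(const char *selector, const char *facility, int level)
{
    const char *dot = strchr(selector, '.');
    if (dot == NULL || dot == selector || dot[1] == '\0')
        return -1;
    size_t flen = (size_t)(dot - selector);
    int fac_ok = (flen == 1 && selector[0] == '*') ||
        (strlen(facility) == flen && strncmp(selector, facility, flen) == 0);
    if (!fac_ok)
        return 0;
    if (strcmp(dot + 1, "none") == 0)
        return 0;
    if (strcmp(dot + 1, "*") == 0)
        return 1;
    int threshold = level_from_name(dot + 1);
    if (threshold < 0)
        return -1;
    /* Lower number = more severe; a selector passes its own level and
     * anything more severe, so LOG_DEBUG (7) only passes ".debug". */
    return level <= threshold;
}

int main(void)
{
    printf("auth.info:  %d\n", selector_matches("auth.info", "auth", LOG_DEBUG));
    printf("auth.debug: %d\n", selector_matches("auth.debug", "auth", LOG_DEBUG));
    return 0;
}
```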



More information about the freebsd-questions mailing list