This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CPArk
Participant
‎2024-09-16 07:16 AM
Jump to solution

Last password reset info

Experts, is there anywhere that the information on the last time a password was changed for specific local users in Gaia?

0 Kudos
1 Solution

Accepted Solutions
Lesley
Mentor Mentor
Mentor
‎2024-09-16 12:08 PM
Jump to solution

No access to test, so try maybe this:

dbget passwd:<user>:lastchg

Example: 

  • # dbget passwd:admin:lastchg
    1535050451

Timestamp is in Unix/Epoch time. 1535050451 = 08/23/2018 @ 6:54pm (UTC).

Or check:

 /var/log/secure

Gaia system supports password history  so it should keep this data on the system.

 

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

12 Replies
the_rock
Legend
Legend
‎2024-09-16 07:19 AM
Jump to solution

Local user in Gaia? Hm, probably not in smart console, but let me see in the lab, maybe var/log/audit dir and then audit files. Just grep for that username.

ie -> grep -i johndoe audit.log

Andy

PhoneBoy
Admin
Admin
‎2024-09-16 09:58 AM
Jump to solution

This is not information that we store, I believe.

AkosBakos
Mentor Mentor
Mentor
‎2024-09-16 10:52 AM
Jump to solution

Hi @CPArk 

This entries created after password change in /var/log/messages 

Sep 16 19:41:57 2024 gw-sakos-lab01 xpand[11241]: Configuration changed from localhost by user admin2
Sep 16 19:42:17 2024 gw-sakos-lab01 xpand[11241]: User entry created for "admin2" in the password database
Sep 16 19:44:31 2024 gw-sakos-lab01 xpand[11241]: User entry created for "admin2" in the password database 

These are not too talkative 😞

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend
Legend
‎2024-09-16 10:56 AM
In response to AkosBakos
Jump to solution

Same here...just created user andy. did pw reset, but based on below, does not look super useful as far as info...

Andy

 

[Expert@CP-GW:0]# cd /var/log/audit
[Expert@CP-GW:0]# grep -i andy audit.log
[Expert@CP-GW:0]# grep -i andy audit.log
audit.log audit.log.1 audit.log.2
[Expert@CP-GW:0]# grep -i andy audit.log1
grep: audit.log1: No such file or directory
[Expert@CP-GW:0]# grep -i andy audit.log.1
[Expert@CP-GW:0]# grep -i andy audit.log.2
type=USER_AUTH msg=audit(1720977701.389:1710): pid=2003 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_ACCT msg=audit(1720977701.440:1711): pid=2003 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=cp_pam_tally,pam_unix,pam_nonuse acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1720977701.442:1712): pid=2003 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_START msg=audit(1720977701.443:1714): pid=2003 uid=0 auid=0 ses=283 subj=kernel msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_loginuid acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1720977701.446:1715): pid=2029 uid=0 auid=0 ses=283 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_END msg=audit(1720977707.827:1716): pid=2003 uid=0 auid=0 ses=283 subj=kernel msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_loginuid acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1720977707.827:1717): pid=2003 uid=0 auid=0 ses=283 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_AUTH msg=audit(1720977724.071:1718): pid=2320 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_ACCT msg=audit(1720977724.131:1719): pid=2320 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=cp_pam_tally,pam_unix,pam_nonuse acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1720977724.134:1720): pid=2320 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_START msg=audit(1720977724.135:1722): pid=2320 uid=0 auid=0 ses=284 subj=kernel msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_loginuid acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1720977724.138:1723): pid=2344 uid=0 auid=0 ses=284 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_END msg=audit(1720977744.574:1724): pid=2320 uid=0 auid=0 ses=284 subj=kernel msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_loginuid acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1720977744.574:1725): pid=2320 uid=0 auid=0 ses=284 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
[Expert@CP-GW:0]#

0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-09-16 12:08 PM
Jump to solution

No access to test, so try maybe this:

dbget passwd:<user>:lastchg

Example: 

  • # dbget passwd:admin:lastchg
    1535050451

Timestamp is in Unix/Epoch time. 1535050451 = 08/23/2018 @ 6:54pm (UTC).

Or check:

 /var/log/secure

Gaia system supports password history  so it should keep this data on the system.

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
AkosBakos
Mentor Mentor
Mentor
‎2024-09-16 12:15 PM
In response to Lesley
Jump to solution

This works!

[Expert@gw-sakos-lab01:0]# dbget passwd:admin2:lastchg
1726508671

Assuming that this timestamp is in seconds:
GMT: 2024. September 16., Monday 17:44:31
Your time zone2024. szeptember 16., hétfő 19:44:31 GMT+02:00 DST
Relative: An hour ago

Is there a list somewhere about dbset commands?

------------------------------------------

Sep 13 19:35:44 2024 gw-sakos-lab01 agetty[14957]: /dev/tty4: cannot set process group: Inappropriate ioctl for device
Sep 16 19:41:32 2024 gw-sakos-lab01 login: pam_radius_auth: No RADIUS server found in configuration file /etc/raddb/server
Sep 16 19:42:51 2024 gw-sakos-lab01 sshd[12516]: pam_radius_auth: No RADIUS server found in configuration file /etc/raddb/server
Sep 16 19:42:51 2024 gw-sakos-lab01 sshd[12516]: Accepted password for admin from 10.211.132.121 port 52909 ssh2
Sep 16 19:42:51 2024 gw-sakos-lab01 sshd[12516]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Sep 16 19:42:51 2024 gw-sakos-lab01 sudo: admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=validate
Sep 16 20:02:24 2024 gw-sakos-lab01 sshd[12516]: pam_unix(sshd:session): session closed for user admin
Sep 16 21:09:53 2024 gw-sakos-lab01 sshd[21571]: Connection closed by 10.211.132.4 port 55449 [preauth]
Sep 16 21:09:58 2024 gw-sakos-lab01 sshd[21584]: pam_radius_auth: No RADIUS server found in configuration file /etc/raddb/server
Sep 16 21:09:58 2024 gw-sakos-lab01 sshd[21584]: Accepted password for admin from 10.211.132.4 port 55450 ssh2

Here is no PWD related entry.

 

----------------
\m/_(>_<)_\m/
the_rock
Legend
Legend
‎2024-09-17 05:16 AM
In response to AkosBakos
Jump to solution

Very good question mate. This is what I get when trying to get all the options. Not sure if all the possibilities can be listed somehow, but would be nice! 

I found below sk, but still not clear to me if its actually possible...

Andy

https://support.checkpoint.com/results/sk/sk92770

PhoneBoy
Admin
Admin
‎2024-09-17 02:49 PM
In response to AkosBakos
Jump to solution

dbset directly changes the configuration database for Gaia OS.
dbget...queries it.
As we don't (externally) document our database structure, there's not much to say about it.

Generally these tools should only be used as described in SKs or via TAC.

0 Kudos
the_rock
Legend
Legend
‎2024-09-17 03:55 PM
In response to PhoneBoy
Jump to solution

Point taken...BUT, just an idea...it would be nice if say there was an option to tab and you get all the possibilities like in clish. I tried so many combination in the lab, also using the sk, but not much luck so far.

Andy

0 Kudos
CPArk
Participant
‎2024-09-16 12:25 PM
In response to Lesley
Jump to solution

Nailed it!

0 Kudos
the_rock
Legend
Legend
‎2024-09-16 12:28 PM
In response to Lesley
Jump to solution

Never knew of that...FANTASTIC!

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-16 12:40 PM
In response to Lesley
Jump to solution

Well done for using dbget 🙂

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top