CPArk
Participant

Last password reset info

Experts, is there anywhere that holds the information on the last time a password was changed for specific local users in Gaia?


Accepted Solutions
Lesley
Leader

No access to test, so try maybe this:

dbget passwd:<user>:lastchg

Example: 

  • # dbget passwd:admin:lastchg
    1535050451

Timestamp is in Unix/Epoch time. 1535050451 = 08/23/2018 @ 6:54pm (UTC).

Or check:

 /var/log/secure

The Gaia system supports password history, so it should keep this data on the system.

 

-------
If you like this post please give a thumbs up(kudo)! 🙂


10 Replies
the_rock
Legend

Local user in Gaia? Hm, probably not in SmartConsole, but let me see in the lab, maybe the /var/log/audit dir and then the audit files. Just grep for that username.

ie -> grep -i johndoe audit.log

Andy

PhoneBoy
Admin

This is not information that we store, I believe.

AkosBakos
Advisor

Hi @CPArk 

These entries are created after a password change in /var/log/messages:

Sep 16 19:41:57 2024 gw-sakos-lab01 xpand[11241]: Configuration changed from localhost by user admin2
Sep 16 19:42:17 2024 gw-sakos-lab01 xpand[11241]: User entry created for "admin2" in the password database
Sep 16 19:44:31 2024 gw-sakos-lab01 xpand[11241]: User entry created for "admin2" in the password database 

These are not too talkative 😞

Akos

----------------
\m/_(>_<)_\m/
the_rock
Legend

Same here... just created user andy. Did a pw reset, but based on the below, it does not look super useful as far as info...

Andy

 

[Expert@CP-GW:0]# cd /var/log/audit
[Expert@CP-GW:0]# grep -i andy audit.log
[Expert@CP-GW:0]# grep -i andy audit.log
audit.log audit.log.1 audit.log.2
[Expert@CP-GW:0]# grep -i andy audit.log1
grep: audit.log1: No such file or directory
[Expert@CP-GW:0]# grep -i andy audit.log.1
[Expert@CP-GW:0]# grep -i andy audit.log.2
type=USER_AUTH msg=audit(1720977701.389:1710): pid=2003 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_ACCT msg=audit(1720977701.440:1711): pid=2003 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=cp_pam_tally,pam_unix,pam_nonuse acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1720977701.442:1712): pid=2003 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_START msg=audit(1720977701.443:1714): pid=2003 uid=0 auid=0 ses=283 subj=kernel msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_loginuid acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1720977701.446:1715): pid=2029 uid=0 auid=0 ses=283 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_END msg=audit(1720977707.827:1716): pid=2003 uid=0 auid=0 ses=283 subj=kernel msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_loginuid acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1720977707.827:1717): pid=2003 uid=0 auid=0 ses=283 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_AUTH msg=audit(1720977724.071:1718): pid=2320 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_ACCT msg=audit(1720977724.131:1719): pid=2320 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=cp_pam_tally,pam_unix,pam_nonuse acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1720977724.134:1720): pid=2320 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_START msg=audit(1720977724.135:1722): pid=2320 uid=0 auid=0 ses=284 subj=kernel msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_loginuid acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1720977724.138:1723): pid=2344 uid=0 auid=0 ses=284 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=USER_END msg=audit(1720977744.574:1724): pid=2320 uid=0 auid=0 ses=284 subj=kernel msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_unix,pam_loginuid acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1720977744.574:1725): pid=2320 uid=0 auid=0 ses=284 subj=kernel msg='op=PAM:setcred grantors=pam_dof_tally,cp_pam_tally,pam_unix acct="andy" exe="/usr/sbin/sshd" hostname=100.65.16.1 addr=100.65.16.1 terminal=ssh res=success'
[Expert@CP-GW:0]#

AkosBakos
Advisor

This works!

[Expert@gw-sakos-lab01:0]# dbget passwd:admin2:lastchg
1726508671

Assuming that this timestamp is in seconds:
GMT: 2024. September 16., Monday 17:44:31
Your time zone: 2024. September 16., Monday 19:44:31 GMT+02:00 DST
Relative: An hour ago

Is there a list somewhere about dbset commands?

------------------------------------------

Sep 13 19:35:44 2024 gw-sakos-lab01 agetty[14957]: /dev/tty4: cannot set process group: Inappropriate ioctl for device
Sep 16 19:41:32 2024 gw-sakos-lab01 login: pam_radius_auth: No RADIUS server found in configuration file /etc/raddb/server
Sep 16 19:42:51 2024 gw-sakos-lab01 sshd[12516]: pam_radius_auth: No RADIUS server found in configuration file /etc/raddb/server
Sep 16 19:42:51 2024 gw-sakos-lab01 sshd[12516]: Accepted password for admin from 10.211.132.121 port 52909 ssh2
Sep 16 19:42:51 2024 gw-sakos-lab01 sshd[12516]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Sep 16 19:42:51 2024 gw-sakos-lab01 sudo: admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=validate
Sep 16 20:02:24 2024 gw-sakos-lab01 sshd[12516]: pam_unix(sshd:session): session closed for user admin
Sep 16 21:09:53 2024 gw-sakos-lab01 sshd[21571]: Connection closed by 10.211.132.4 port 55449 [preauth]
Sep 16 21:09:58 2024 gw-sakos-lab01 sshd[21584]: pam_radius_auth: No RADIUS server found in configuration file /etc/raddb/server
Sep 16 21:09:58 2024 gw-sakos-lab01 sshd[21584]: Accepted password for admin from 10.211.132.4 port 55450 ssh2

There is no PWD related entry here.

 

----------------
\m/_(>_<)_\m/
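
Added example (not part of the original thread): a shell helper that turns the value returned by dbget passwd:<user>:lastchg into a UTC date and a password age in days, and flags accounts whose password is older than a threshold. The function names, the 90-day threshold in the usage comment and the optional fixed "now" argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: password-age report from dbget's lastchg.
# Function names and the 90-day threshold below are illustrative assumptions.

# Epoch seconds (as printed by `dbget passwd:<user>:lastchg`) -> UTC ISO 8601.
# Uses GNU date syntax (-d @epoch).
epoch_to_utc() {
    date -u -d "@$1" '+%Y-%m-%dT%H:%M:%SZ'
}

# Whole days elapsed between lastchg ($1) and now ($2, default: current time).
password_age_days() {
    now="${2:-$(date +%s)}"
    echo $(( (now - $1) / 86400 ))
}

# Print "user last_change_utc age_days status" for one account.
#   $1 user, $2 lastchg value, $3 max age in days, $4 optional "now" epoch
# Empty or non-numeric lastchg is reported as UNKNOWN instead of a bogus 1970 date.
report_user() {
    user="$1"; lastchg="$2"; max_days="$3"
    case "$lastchg" in
        ''|*[!0-9]*) echo "$user - - UNKNOWN"; return 0 ;;
    esac
    age=$(password_age_days "$lastchg" "${4:-$(date +%s)}")
    if [ "$age" -gt "$max_days" ]; then status=STALE; else status=OK; fi
    echo "$user $(epoch_to_utc "$lastchg") $age $status"
}

# On a Gaia gateway in expert mode (user names taken from the thread):
#   for u in admin admin2; do
#       report_user "$u" "$(dbget passwd:$u:lastchg)" 90
#   done
```
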
the_rock
Legend

Very good question mate. This is what I get when trying to get all the options. Not sure if all the possibilities can be listed somehow, but would be nice! 

I found the sk below, but it's still not clear to me if it's actually possible...

Andy

https://support.checkpoint.com/results/sk/sk92770

CPArk
Participant

Nailed it!

the_rock
Legend

Never knew of that...FANTASTIC!

PhoneBoy
Admin

Well done for using dbget 🙂
