Jean-Pierre Radley wrote:
> Jeff Hyman typed (on Mon, Mar 24, 2008 at 01:25:25PM -0400):
> |
> | Can 'ap' be used to determine if ones password has been changed?
> | especially root's password? .... other then grepping '/etc/shadow'
> | for a user and checking for a change?
>
> Not at all. 'ap' just takes a snapshot of current parameters.
>
> Just what would you grep for in /etc/shadow to tell you that a password
> had changed? The file's mtime would be more relevant, but that would
> just indicate some change somewhere in, and not *which* change.
>
> You might want to check the times recorded in /tcb/files/auth/r/root.
>

You'd compare it to the previous night's /etc/shadow snapshot.