2

Is it possible for the Solaris audit subsystem to log all password resets for local Solaris accounts?

I can't find anything in Oracle's docs, or through general googling, so I'm curious whether this can be done, or if this is a technical limitation of the operating system.

user3246693

3 Answers

1

How about the ua audit flag? I'd expect it to cover user password changes.

https://docs.oracle.com/cd/E19683-01/817-0365/auditref-tbl-2/index.html

hargut
1

Perhaps something like this helps you:

root@solaris:~# auditconfig -setflags ua
user default audit flags = ua(0x40000,0x40000)

Please check the already set flags with auditconfig -getflags

Then read the audit log with the usual auditreduce/praudit combo.

root@solaris:~# auditreduce -c ua /var/audit/20180910183619.not_terminated.solaris | praudit
file,2018-09-10 18:39:21.000+00:00,
header,97,2,passwd,,solaris,2018-09-10 18:39:21.251+00:00
subject,jmoekamp,root,sys,jmoekamp,staff,1188,787827102,151 2 192.168.1.xxx
return,success,0
header,97,2,passwd,,solaris,2018-09-10 18:41:07.981+00:00
subject,jmoekamp,root,sys,jmoekamp,staff,1194,787827102,151 2 192.168.1.xxx
return,success,0
c0t0d0s0
1

AUE_passwd is the audit event, which is indeed in the 'ua' class (which is not enabled by default before Solaris 11.4, so you may need to explicitly add it).

An AUE_passwd event can be generated by the passwd(1) command or when a user changes their password during login or reauthentication using: /bin/login, /bin/su, vt switch on system console, gdm, xlock, xscreensaver, ssh.

Pierre.Vriens
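
An added example, not part of any answer above: a shell filter that condenses praudit output like that shown in the second answer into one line per passwd record, so failed and successful password changes can be reviewed quickly. The function names are hypothetical, and every sample record after the first is constructed; field positions follow the header, subject and return lines shown above.

```shell
# Summarise passwd audit records from praudit's comma-separated text output.
# Reads praudit text on stdin; prints tab-separated: time, auid, euid, terminal, result.
passwd_events() {
    awk -F, '
        $1 == "header"           { in_pw = ($4 == "passwd"); ts = $NF; auid = euid = tid = "?"; next }
        in_pw && $1 == "subject" { auid = $2; euid = $3; tid = $9; next }
        in_pw && $1 == "return"  {
            printf "%s\tauid=%s\teuid=%s\ttid=%s\t%s\n", ts, auid, euid, tid, $2
            in_pw = 0
        }
    '
}

# Keep only records whose return token is not "success".
failed_passwd_events() {
    passwd_events | awk -F'\t' '$5 != "success"'
}

# Sample input: the first record is from the answer above, the rest are constructed.
sample_praudit() {
    cat <<'EOF'
file,2018-09-10 18:39:21.000+00:00,
header,97,2,passwd,,solaris,2018-09-10 18:39:21.251+00:00
subject,jmoekamp,root,sys,jmoekamp,staff,1188,787827102,151 2 192.168.1.xxx
return,success,0
header,97,2,other-event,,solaris,2018-09-10 18:40:00.000+00:00
subject,alice,root,sys,alice,staff,1190,787827103,152 2 192.0.2.10
return,success,0
header,97,2,passwd,,solaris,2018-09-10 18:42:30.000+00:00
subject,alice,root,sys,alice,staff,1196,787827103,152 2 192.0.2.10
return,failure,1
EOF
}

sample_praudit | passwd_events
```

On a live system, pipe the auditreduce -c ua ... | praudit command from the answer above into passwd_events instead of the sample.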