Hello:
I am working on setting up auditing on a Debian 8 64 bit system. I have left the computer running for several days.
When I run aureport against the local audit logs, the computer consistently reports "changes to accounts, groups or roles", when there shouldn't be any.
if I search for the events (aureport -m) and look at what is triggering these reported "changes in accounts" I see events like this that happen in the middle of the night:
type=USER_CHAUTHTOK msg=audit(1534662002.939:44423): pid=30145 uid=0 auid=0 ses=1913 msg='op=display aging info id=0 exe="/usr/bin/chage" hostname=? addr=? terminal=? res=success'
Can anyone help explain to me what these audited events actually are, and if they are not significant security events (such as a user changing groups, or being deleted, etc), is there a way to filter them out? I would prefer it if aureport wouldn't alarm the user for something that is not of any considerable security significance.
**upate**
TIGER Cron jobs were checking the status of passwords using /usr/bin/chage -l. This is not altering an account; it's just a status inquiry. Bug was reported and fixed here
https://www.redhat.com/archives/linu.../msg00123.html for redhat by updating passwd. Don't believe there is an update for Debian. Don't believe it is possible to filter this out without filtering out too much.
Thanks!
