Password changed for user admin

Reply
L1 Bithead

Password changed for user admin

Hi all,

Yesterday we noticed a line in the Monitor tab that made concerns:

changed_password_admin.png

But none of the administrator changed the password for user admin.

When checked the logs if this user has logged in on Monitor tab, there was no login with this username admin in front of this password change.

Could a commit or other system auto-commit make this log line?

 

Thanks in advance.

 

Regards.

L7 Applicator

Re: Password changed for user admin

Device tab (or Panorama tab if using it) > Config Audit

 

At the bottom, compare the most recent config version before and after that log entry. If the password was changed, you should see an entry like:

 

configauditpasswordchange.png

 

If the phash value is the same, the password didn't actually change. If the password did change, then you'll need to take a closer look at the logs under Monitor > Configuration. The user who changed the password may have been logged in for quite a while or even via serial console. If you've got a console server connected to the device, check its logs as well to see who may have logged in.

L7 Applicator

Re: Password changed for user admin

@aespinosa,

To add to what @gwesson already mentioned, you can modify any other users password as long as you have superuser permissions. So the user 'admin' doesn't need to be the one to modify the password. 

Highlighted
L1 Bithead

Re: Password changed for user admin

@BPry @gwesson thanks for your reply.

The only admin password entry I can see in the ‘config audit’ was when I changed the password after we became aware of the log entry.

In the Configuration monitor logs there are no other entries for admin password change beside the one I did. To me it looks like a “false” entry, but why?

I notice that another admin have a configuration entry at the exact time as the admin password log entry:

Could this have somehow triggered the entry about the admin password change?

 

Thanks!

Regards,

L7 Applicator

Re: Password changed for user admin

@aespinosa,

Generally an admin changing something wouldn't trigger a password change notice unless they modified the master key, in which case the phash value would change and you could see the notice as the password did change as far as the firewall is concerned. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!