View Password Change Logs in Linux
Logs are a valuable asset when troubleshooting servers and checking for root password changes. Password changes are logged in the following files:
For Ubuntu®/Debian® systems:
/var/log/auth.log
For CentOS®/RHEL® systems:
/var/log/secure
To check for root password changes, look for lines that mention either of the following messages:
password changed for root
Password for root was changed
Updated about 1 year ago