Verify Root Account Password Modifications on Host


Security recommendation

Impact: 5
Remediation complexity: 2
Severity: 5
Recommended value: Monitor and investigate all root password changes

Root account password modifications should be closely monitored and immediately investigated. The root account has unrestricted access to all system resources, making unauthorized password changes a critical security event that requires immediate attention and response.

Compliance

Documentation

The passwd command is used to change user account passwords on Linux systems. Root account password changes are particularly sensitive because the root account has complete control over the system.

Remediation

Prerequisites

You must have:

  • root privileges or access to another privileged account
  • Access to system audit logs and authentication logs
  • Knowledge of the authorized root password modification procedures
  • Access to recovery mechanisms (console access, single-user mode)
  • Agent v7.27 or newer for Workload Security monitoring

Step-by-step guide

Step 1: Investigate the Root Account Password Modifications Immediately

Identify who modified the root password, when, and from where:

# Check authentication logs for passwd command execution on root
sudo grep "passwd.*root" /var/log/auth.log | tail -20

# Review audit logs for root password changes
sudo ausearch -c passwd -ts recent | grep root

# Check when the shadow file was last modified (its mtime reflects the most recent password change on the host)
sudo ls -la /etc/shadow

# Identify the user who executed the passwd command
sudo ausearch -c passwd -ts recent -i

# Check active root sessions and login history
who
last | grep root

Step 2: Verify Authorization with System Administrators

Immediately verify if the root password change was authorized:

  • Check if the change was made by the account owner or administrator
  • Review change management tickets or approval records
  • Contact the user or administrator who made the change
  • Check if the change aligns with scheduled maintenance or rotation policies
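The investigation in Step 1 and the maintenance-window check in Step 2 can be automated against the auth log. The script below is an added example, not part of the original page or the agent: it parses the sudo record and the pam_unix "password changed for root" record that passwd writes, reports who changed the root password and when, and flags changes outside an assumed 08:00-18:00 window (the sample log lines and the host name web01 are constructed).

```shell
#!/bin/sh
# Added example, not from the original page. Parses syslog-style auth.log
# lines (the pam_unix "password changed for <user>" record written by passwd,
# and the preceding sudo record) to list every root password change with the
# invoking user, and flags changes outside an assumed 08:00-18:00 window.

# Constructed sample log lines (not from a real host).
SAMPLE_LOG=$(cat <<'EOF'
May  3 10:14:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/passwd root
May  3 10:14:05 web01 passwd[2231]: pam_unix(passwd:chauthtok): password changed for root
May  3 11:02:17 web01 passwd[2410]: pam_unix(passwd:chauthtok): password changed for bob
May  3 23:41:09 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/passwd root
May  3 23:41:12 web01 passwd[3120]: pam_unix(passwd:chauthtok): password changed for root
EOF
)

# Reads log lines on stdin; prints one line per root password change:
# "<timestamp> <host> changed_by=<sudo user|unknown>[ off_hours]".
root_passwd_changes() {
  awk '
    # Remember who last invoked "passwd root" through sudo.
    /sudo:/ && /COMMAND=[^ ]*passwd root$/ {
      match($0, /sudo: +[^ ]+/); who = substr($0, RSTART, RLENGTH)
      sub(/sudo: +/, "", who)
    }
    # The pam_unix record for the root account itself.
    /passwd\[[0-9]+\]:.*password changed for root$/ {
      hour = substr($3, 1, 2) + 0
      flag = (hour < 8 || hour >= 18) ? " off_hours" : ""
      printf "%s %s %s %s changed_by=%s%s\n", $1, $2, $3, $4, (who == "" ? "unknown" : who), flag
      who = ""
    }
  '
}

# Number of root password changes in the stream (useful as an alert threshold).
count_root_changes() { root_passwd_changes | wc -l | tr -d ' '; }

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | root_passwd_changes
```

Feed the real log with `sudo cat /var/log/auth.log | root_passwd_changes` and compare each reported user and time against the change records reviewed in Step 2.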