
Long story short, after a recent company "reorg" the root password on all of our servers was mysteriously changed. I need to figure out first how to regain root access, but second how to figure out what happened (e.g. when was the password changed, and who the &@^% did it).

I can find plenty of answers to the question "how do I recover a root password", but not so many to the question "who changed my root password and when was it changed", so that is my main question, although other suggestions and comments are welcome as well.

2 Answers


In the /var/log/auth.log there should be an entry like:

Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root
Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed

from here.

Do mind that once the log is full, your entries might be gone forever.

  • If the person who changed the root password was just misguided, this will tell you when it was done, and possibly who (by seeing who just ran sudo or su; of course, if they logged in as root on the console, there's no direct way to see who did it). But if the person was malicious, they could have erased the logs, or even planted misinformation. Commented Sep 2, 2010 at 19:29
  • @Gilles nice addition +1
    – Pylsa
    Commented Sep 2, 2010 at 19:32

In addition to BloodPhilia's response... sometimes those entries are in /var/log/messages or other files. It'd be best to try something like:

cd /var/log
grep -R -i passwd *

...to locate the entries.

As far as log longevity is concerned, here are the log archives for one of my unmodified Debian boxes. That is, default logging.

/var/log# ls -atlr auth*
-rw-r----- 1 root adm  35941 2009-06-21 06:47 auth.log.6.gz
-rw-r----- 1 root adm  78092 2009-06-27 06:25 auth.log.5.gz
-rw-r----- 1 root adm  72322 2009-07-09 06:25 auth.log.4.gz
-rw-r----- 1 root adm  18186 2010-08-08 06:47 auth.log.3.gz
-rw-r----- 1 root adm  18742 2010-08-15 06:47 auth.log.2.gz
-rw-r----- 1 root adm  23542 2010-08-22 06:47 auth.log.1.gz
-rw-r----- 1 root adm 271204 2010-08-29 06:47 auth.log.0
-rw-r----- 1 root adm 160744 2010-09-02 13:01 auth.log

As you can see, it goes back a while by default (in this case).
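Pulling the two answers together (grep the current and rotated auth logs for the passwd entry, then look at the sudo/su line just before it to get a name), here is an added example script, not code from either answer, that does the search over plain and gzipped logs, pairs each "password changed for root" line with the most recent preceding sudo-to-passwd or su-to-root line, and cross-checks the date against the "last changed" field of a shadow file, which is a record the attacker would have to edit separately to hide. All file paths and log lines in it are constructed for the demo; on a real machine point it at /var/log and /etc/shadow, both of which need root to read in full.

```shell
#!/bin/sh
# Added example (not from the original answers). Everything below uses
# constructed paths and log lines; see the demo at the bottom.

# Concatenate every auth.log* file under directory $1, decompressing .gz
# rotations, oldest rotation first so events come out in chronological order
# (ls -r puts auth.log.6.gz ... auth.log.1.gz before auth.log.0 and auth.log).
# Widen the glob to messages* or secure* on systems that log there instead.
cat_auth_logs() {
    ls -r "$1"/auth.log* 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done
}

# Read a log stream on stdin and print every root password change together
# with the most recent preceding "sudo ... passwd" or "su ... session opened
# for user root" line, which is the closest thing the logs give to "who".
# Matches both the old "(pam_unix)" and the current
# "pam_unix(passwd:chauthtok):" message formats.
report_root_passwd_changes() {
    awk '
        /sudo:.*COMMAND=.*passwd/ || /su\[[0-9]+\]:.*session opened for user root/ {
            actor = $0; next
        }
        /passwd\[[0-9]+\]:.*password changed for root/ {
            print "CHANGE:  " $0
            print "  actor: " (actor == "" ? "none logged (console root login, or logs tampered with)" : actor)
            actor = ""
        }'
}

# Print the Unix time at which root's password was last set, from field 3 of
# the shadow file $1 (days since 1970-01-01). Independent of syslog, so it is
# worth comparing with the log dates even if the logs were rotated or wiped.
shadow_last_change_epoch() {
    awk -F: '$1 == "root" { print $3 * 86400 }' "$1"
}

# Build a throwaway /var/log lookalike: one rotated (gz) log and one current
# log. The entries are constructed; the first mirrors the answer's sample.
make_demo_logs() {
    d=$(mktemp -d)
    printf '%s\n' \
      'Mar 31 12:41:41 UBUNTU sudo: daniel : TTY=pts/1 ; PWD=/dev ; USER=root ; COMMAND=/usr/bin/passwd root' \
      'Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) password changed for root' \
      'Mar 31 12:41:52 UBUNTU passwd[25160]: (pam_unix) Password for root was changed' \
      | gzip > "$d/auth.log.1.gz"
    printf '%s\n' \
      'Sep  2 09:10:00 UBUNTU sshd[4011]: Accepted publickey for eve from 10.0.0.7 port 51022 ssh2' \
      'Sep  2 09:10:04 UBUNTU su[4020]: pam_unix(su:session): session opened for user root by eve(uid=1001)' \
      'Sep  2 09:10:09 UBUNTU passwd[4025]: pam_unix(passwd:chauthtok): password changed for root' \
      > "$d/auth.log"
    echo "$d"
}

# Constructed shadow line: field 3 = 14854 days after 1970-01-01 = 2010-09-02.
make_demo_shadow() {
    f=$(mktemp)
    echo 'root:$6$constructedhash:14854:0:99999:7:::' > "$f"
    echo "$f"
}

# Demo run.
logs=$(make_demo_logs)
cat_auth_logs "$logs" | report_root_passwd_changes
shadow=$(make_demo_shadow)
secs=$(shadow_last_change_epoch "$shadow")
echo "shadow says root's password was last set: $(date -u -d "@$secs" 2>/dev/null || echo "$secs (epoch seconds)")"
rm -rf "$logs" "$shadow"
```

The "actor" pairing is only a heuristic: it reports whatever sudo or su line came last before the change, so a console root login leaves it empty, and, as Gilles points out, a malicious actor may have edited or wiped the logs entirely. The shadow field is a second, separate record (`chage -l root` prints the same value as a date), so a mismatch between it and the logs is itself a finding. On systemd machines without a persistent /var/log/auth.log, `journalctl _COMM=passwd` gives the equivalent entries.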
