What other user-related events are logged?

Dec 24, 2025

In addition to sudo commands and logins, Linux tracks almost every lifecycle event of a user account. In your current LabEx environment, these events are primarily handled by the shadow-utils suite (tools like useradd, usermod, passwd).

Here are the other user-related events you will find in /var/log/auth.log:

1. Account Creation and Deletion

Whenever you create or delete a user, it is logged. This is vital for knowing who added a new person to the system.

  • Event: new user, delete user
  • Search command:
    sudo grep -E "useradd|userdel" /var/log/auth.log

2. Group Membership Changes

Since permissions often rely on groups, Linux logs when a user is added to or removed from a group (like when you added joker to sudo).

  • Event: add 'joker' to group 'sudo'
  • Search command:
    sudo grep "add '.*' to group" /var/log/auth.log

3. Password and Expiry Changes

Any time a password is changed, or an account is locked/unlocked, it is recorded. Note: The log records that a change happened, but never the password itself.

  • Event: password changed, CHAUTHTOK
  • Search command:
    sudo grep "passwd" /var/log/auth.log

4. Direct Information Changes

If you change a user's home directory (as you might have noticed for joker in your /etc/passwd file) or their login shell, these modifications are logged via usermod.

  • Search command:
    sudo grep "usermod" /var/log/auth.log

5. Switching User Identity (su)

When a user uses the su command to become another user (which you did in your command history with su - joker), this transition is logged differently than sudo.

  • Event: session opened for user joker by labex(uid=5000)
  • Search command:
    sudo grep "su:" /var/log/auth.log

Summary Table of Logged Events:

Action           | Logged as...
Account Creation | new user: name=joker
Password Change  | password changed for joker
Login Attempt    | pam_unix(sshd:auth): authentication failure
Logouts          | session closed for user labex
Group Changes    | add 'joker' to group 'sudo'

Tip for your Lab: Since you just set a password for joker and likely added him to a group, try running sudo grep "joker" /var/log/auth.log now. You will see a "paper trail" of every step you have taken so far in this experiment!
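
The searches above combined into one filter, as an added example that is not part of the original answer: it matches on the program tag (useradd[pid]:, su:) rather than a bare substring, so a sudo session line is not mistaken for an su one, and it prints the affected account. The function names, event labels and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines (not from a real host), modelled on the messages listed above.
sample_auth_log() {
cat <<'EOF'
Dec 24 10:00:01 lab useradd[1201]: new user: name=joker, UID=1001, GID=1001, home=/home/joker, shell=/bin/sh
Dec 24 10:00:09 lab passwd[1210]: pam_unix(passwd:chauthtok): password changed for joker
Dec 24 10:00:20 lab usermod[1222]: add 'joker' to group 'sudo'
Dec 24 10:01:02 lab su: pam_unix(su-l:session): session opened for user joker by labex(uid=5000)
Dec 24 10:01:30 lab sudo: pam_unix(sudo:session): session opened for user root by labex(uid=5000)
Dec 24 10:02:30 lab sshd[1300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=labex
Dec 24 10:04:00 lab userdel[1400]: delete user 'joker'
EOF
}

# Read auth.log lines on stdin and print "<event> <account> [detail]" for
# each user lifecycle event. Lines that match no rule are skipped.
classify_auth_events() {
  awk -v q="'" '
    # Text after the first occurrence of marker m in the current line.
    function after(m,   i) { i = index($0, m); return substr($0, i + length(m)) }
    # First word of s, with a trailing "," or "(uid=N)" removed.
    function word(s,   w) { split(s, w, " "); sub(/[(,].*/, "", w[1]); return w[1] }

    / useradd\[[0-9]+\]: new user: name=/ {
        print "account_created", word(after("name=")); next }
    / userdel\[[0-9]+\]: delete user / {
        split($0, a, q); print "account_deleted", a[2]; next }
    / usermod\[[0-9]+\]: add .* to group / {
        split($0, a, q); print "group_added", a[2], "group=" a[4]; next }
    / passwd\[[0-9]+\]: .*password changed for / {
        print "password_changed", word(after("password changed for ")); next }
    # " su" followed by "[pid]:" or ":" only, so "sudo:" lines do not match.
    / su(\[[0-9]+\])?: .*session opened for user / {
        print "su_session", word(after("session opened for user ")), "by=" word(after(" by ")); next }
    /pam_unix\(sshd:auth\): authentication failure/ {
        print "ssh_auth_failure", (index($0, " user=") ? word(after(" user=")) : "-"); next }
  '
}

# Stand-alone run on the constructed sample.
sample_auth_log | classify_auth_events
```

On the lab machine, feed it the real log with sudo cat /var/log/auth.log | classify_auth_events.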
