PAM Admin wants to know how to determine who changed certain Unix Accounts from Password Authentication to Public Key Authentication.
Release : 4.0.x, 4.1.x
Component : PRIVILEGED ACCESS MANAGEMENT
Ultimately we have the following report that would capture this information:
However, the data only goes back 7 days under the default archive settings:
PAM UI >> Settings >> Credential Manager >> Auto-Archive
If the data has been archived and either Syslog Forwarding or Splunk Forwarder is enabled, look into their logs. He
host="<pam primary ip>" OR host="<pam primary ip2>" OR host="<pam primary ip3>" "audit DETAIL Target.Account" "User.name=<target user>" "Update.User"
This will highlight the Update.User field, which shows who last updated that account.
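Where only Syslog Forwarding is enabled, the same filter can be run over the collected syslog file. The following is an added example, not Broadcom's code or part of the original article. It assumes each record starts with an ISO-8601 timestamp followed by the sending host, and carries its fields as key=value pairs; the sample lines, addresses and user names are constructed.

```python
import re

MARKER = "audit DETAIL Target.Account"  # literal phrase used in the search above
# Assumed layout: Key.name=value pairs, value optionally double-quoted.
FIELD_RE = re.compile(r'([A-Za-z][\w.]*)=(?:"([^"]*)"|([^,;\s]*))')

# Constructed sample lines; real forwarded records may be laid out differently.
SAMPLE_LINES = [
    '2024-03-04T16:30:02Z 192.0.2.11 audit DETAIL Target.Account User.name="oracle", Update.User="adoe"',
    '2024-03-01T09:12:44Z 192.0.2.10 audit DETAIL Target.Account User.name=oracle, Update.User=jsmith',
    '2024-03-05T08:00:00Z 192.0.2.10 audit DETAIL Target.Account User.name=oracle2, Update.User=bkhan',
    '2024-03-05T08:01:00Z 192.0.2.10 audit DETAIL Session User.name=oracle, Update.User=ignored',
    '2024-03-06T10:00:00Z 198.51.100.7 audit DETAIL Target.Account User.name=oracle, Update.User=other',
]


def parse_fields(line):
    """Return the key=value pairs found in one log line as a dict."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD_RE.findall(line)}


def account_updates(lines, target_user, hosts=None):
    """List (timestamp, Update.User) for Target.Account records of target_user.

    hosts, if given, limits the result to records sent by those PAM nodes.
    """
    hits = []
    for line in lines:
        tokens = line.split()
        if not tokens or MARKER not in line:
            continue
        if hosts and not set(hosts).intersection(tokens):
            continue
        fields = parse_fields(line)
        # Exact comparison, so "oracle" does not also match "oracle2".
        if fields.get("User.name") == target_user and fields.get("Update.User"):
            hits.append((tokens[0], fields["Update.User"]))
    return sorted(hits)  # ISO-8601 timestamps sort chronologically


def last_updater(lines, target_user, hosts=None):
    """Return the Update.User of the most recent matching record, or None."""
    updates = account_updates(lines, target_user, hosts)
    return updates[-1][1] if updates else None


if __name__ == "__main__":
    for when, who in account_updates(SAMPLE_LINES, "oracle", {"192.0.2.10", "192.0.2.11"}):
        print(when, who)
```

Sorting the full list rather than taking only the last hit shows every change to the account, which helps when the authentication type was switched more than once.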