Introduction
If a user's password was changed via cPanel, the password change action will be logged in cPanel's access log.
Procedure
- Access the server's command line as the 'root' user via SSH or "Terminal" in WHM.
- Grep the /usr/local/cpanel/logs/access_log file for changepass and the cPanel username.
[root@server ~]cPs# grep changepass /usr/local/cpanel/logs/access_log|grep $cpusername|grep POST
Please note that "$cpusername" must be replaced with the cPanel user's username.
203.0.113.2 - cpusername [05/04/2023:14:11:52 -0000] "POST /cpsess8811443411/frontend/jupiter/passwd/changepass.html HTTP/1.1" 200 0 "https://domain.tld:2083/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/112.0" "s" "-" 2083
If a user changed their password using the Linux shell, the change would not be logged in the access logs. It may instead be present in the user's /home/$cpusername/.bash_history file.
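The grep pipeline above matches the username anywhere on the line, so it also returns entries for accounts whose name merely contains it. The following is an added example, not cPanel's own tooling: it compares the username to the authenticated-user field of each access_log line instead. The function names find_pw_changes and sample_log are hypothetical, the sample lines are constructed, and the field layout is assumed to match the sample entry shown in this article.

```shell
#!/bin/sh
# Added example (not cPanel's own tooling). Lists password-change POSTs for one
# cPanel user by comparing the username to the authenticated-user field (3rd
# field of the access log) instead of matching it anywhere on the line.

# find_pw_changes USER [LOGFILE] -> "IP TIMESTAMP ZONE status=CODE" per match
find_pw_changes() {
    awk -v u="$1" '
        $3 == u && $6 == "\"POST" && $7 ~ /changepass/ {
            ts = substr($4, 2) " " substr($5, 1, length($5) - 1)
            print $1, ts, "status=" $9
        }' "${2:-/usr/local/cpanel/logs/access_log}"
}

# Constructed sample lines in the format shown in this article. Only the first
# is a changepass POST by "cpusername"; a plain grep for the name matches all three.
sample_log() {
    cat <<'EOF'
203.0.113.2 - cpusername [05/04/2023:14:11:52 -0000] "POST /cpsess8811443411/frontend/jupiter/passwd/changepass.html HTTP/1.1" 200 0 "https://domain.tld:2083/" "Mozilla/5.0" "s" "-" 2083
203.0.113.2 - cpusername [05/04/2023:14:11:40 -0000] "GET /cpsess8811443411/frontend/jupiter/passwd/changepass.html HTTP/1.1" 200 0 "https://domain.tld:2083/" "Mozilla/5.0" "s" "-" 2083
198.51.100.7 - cpusername2 [05/04/2023:15:02:10 -0000] "POST /cpsess0000000001/frontend/jupiter/passwd/changepass.html HTTP/1.1" 200 0 "https://domain.tld:2083/" "Mozilla/5.0" "s" "-" 2083
EOF
}

# Demo on the constructed sample; on a server, omit the 2nd argument to read
# the real access log.
tmp=$(mktemp) && sample_log > "$tmp" && find_pw_changes cpusername "$tmp"
rm -f "$tmp"
```

The source IP and HTTP status in each output line show where the change came from and whether the request succeeded.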