From 39e43c2674d7ed44da02c2c866ce0380e0bc0f15 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Fri, 13 Feb 2026 09:09:55 +0100
Subject: [PATCH] src/passwd.c: add audit messages for aging operations

Signed-off-by: Iker Pedrosa
---
 src/passwd.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/passwd.c b/src/passwd.c
index 5ae8bf2b8..103393382 100644
--- a/src/passwd.c
+++ b/src/passwd.c
@@ -34,6 +34,7 @@
 #include "sssd.h"
 #include "string/memset/memzero.h"
 #include "string/sprintf/aprintf.h"
+#include "string/sprintf/snprintf.h"
 #include "string/strcmp/streq.h"
 #include "string/strcmp/strprefix.h"
 #include "string/strcpy/strtcpy.h"
@@ -748,6 +749,17 @@ static void update_shadow(bool process_selinux)
 NULL, pw->pw_uid, ret ? SHADOW_AUDIT_SUCCESS : SHADOW_AUDIT_FAILURE);
 }
+ /* Audit aging parameter changes if any were modified */
+ if (xflg || nflg || wflg || iflg) {
+ char aging_msg[256];
+ stprintf_a(aging_msg,
+ "changed-password-aging min=%ld max=%ld warn=%ld inact=%ld",
+ nsp->sp_min, nsp->sp_max, nsp->sp_warn, nsp->sp_inact);
+ audit_logger(AUDIT_USER_MGMT,
+ aging_msg,
+ NULL, pw->pw_uid,
+ ret ? SHADOW_AUDIT_SUCCESS : SHADOW_AUDIT_FAILURE);
+ }
 #endif /* WITH_AUDIT */
 if (ret == 0) {
 (void) fprintf (stderr,
-- 
2.47.3
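Review bot: The new record in the second hunk (update_shadow) reports all four aging values from `nsp` whenever any of `xflg`, `nflg`, `wflg` or `iflg` is set, so a reader of the audit trail cannot tell which limit was actually changed, or what it was before. Consider logging only the fields whose flag is set, or at least state the choice in the comment: `/* Logs the resulting min/max/warn/inact of the new entry, not only the fields that were requested */`. The result is taken from `ret` ahead of the `if (ret == 0)` branch that follows, so it describes the preceding update call only; if the shadow file is committed later in the function (its body starts and ends outside this hunk), a `SHADOW_AUDIT_SUCCESS` record could precede a failed write. How `audit_logger` emits the op string is not visible here, so it is worth confirming that the embedded `min=`/`max=`/`warn=`/`inact=` pairs stay parseable by audit tooling.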