On one of our servers we received an email like:
Reported Modifications:
New account [root] has been created with uid:[0] gid:[0] login:[/root] shell:[/bin/bash]
But nothing was changed for the root user.
grep '0:0' /etc/passwd
root
0:0:root:/root:/bin/bashchage -l root
Last password change : , 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
It is a CloudLinux release 7.7 server with cPanel.
What can be the issue, how can I test the lfd script which checks the account modification?