
[system][auth] Populate user.target.name and ECS fields for PAM chauthtok events#19247

Open
nicholasberlin wants to merge 4 commits into main from nberlin/chauthtok

Conversation


@nicholasberlin nicholasberlin commented May 27, 2026

Proposed commit message

For pam_unix(passwd:chauthtok) password change events, user.name holds the target user (not the actor). This adds user.target.name alongside user.name, indexes it in related.user, and sets event.category=iam, event.type=change, event.outcome=success, event.action=password-changed — fields that were previously absent for this event type. All changes are additive.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Review all changes to golden files are additive.

Related issues

…htok events

For pam_unix(passwd:chauthtok) password change events, user.name holds the
target user (not the actor). This adds user.target.name alongside user.name,
indexes it in related.user, and sets event.category=iam, event.type=change,
event.outcome=success, event.action=password-changed — fields that were
previously absent for this event type. All changes are additive.
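The mapping the description and commit message above spell out, as an added example that is not code from the PR or the system integration's own ingest pipeline: a Python normalizer that recognises the pam_unix chauthtok message in a syslog line and emits the ECS fields named in the PR (user.name and user.target.name both set to the account whose password changed, that name indexed in related.user, and the event.category/type/outcome/action values). The sample log lines, hostnames, PIDs and user names are constructed; the message wording "password changed for <user>" is the standard pam_unix text. Non-chauthtok lines are passed back as None so a caller can fall through to its existing handling.

```python
import re
from typing import Optional

# Constructed sample lines for this example (not taken from the PR). The
# chauthtok message text, "password changed for <user>", is the standard
# pam_unix wording; hostnames, PIDs and user names are invented.
SAMPLE_LINES = [
    "May 27 19:41:02 host1 passwd[4242]: pam_unix(passwd:chauthtok): "
    "password changed for alice",
    "May 27 19:41:05 host1 sshd[4300]: pam_unix(sshd:session): "
    "session opened for user bob by (uid=0)",
]

# Traditional syslog layout: "<timestamp> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
# Only the password-change message of the passwd service is handled here.
CHAUTHTOK_RE = re.compile(
    r"^pam_unix\(passwd:chauthtok\): password changed for (?P<target>\S+)$"
)


def enrich_chauthtok(line: str) -> Optional[dict]:
    """Return ECS fields for a pam_unix chauthtok line, or None otherwise.

    The user named in the message is the account whose password changed.
    As the PR text states, it is stored as user.name and also copied to
    user.target.name, and indexed in related.user for searching. The actor
    (whoever invoked passwd) is not present in this message, so no actor
    field is set; correlate on host and time if the actor is needed.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    c = CHAUTHTOK_RE.match(m["msg"])
    if not c:
        return None  # not a chauthtok event; other handling applies
    target = c["target"]
    doc = {
        "host": {"hostname": m["host"]},
        "process": {"name": m["program"]},
        "user": {"name": target, "target": {"name": target}},
        "related": {"user": [target]},
        "event": {
            "category": ["iam"],
            "type": ["change"],
            "outcome": "success",
            "action": "password-changed",
            "original": line,
        },
    }
    if m["pid"]:
        doc["process"]["pid"] = int(m["pid"])
    return doc


def enrich_all(lines):
    """Apply enrich_chauthtok to each line, keeping only chauthtok events."""
    return [doc for doc in (enrich_chauthtok(ln) for ln in lines) if doc]


if __name__ == "__main__":
    for d in enrich_all(SAMPLE_LINES):
        print(d["user"]["target"]["name"], d["event"]["action"])
```

Because user.target.name is populated for every such event, a detection that watches for password changes to privileged or service accounts can key on that field directly instead of parsing message text, and related.user lets a single search over that array surface the event alongside other activity for the same account.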
@nicholasberlin nicholasberlin requested a review from a team as a code owner May 27, 2026 19:41
@nicholasberlin nicholasberlin self-assigned this May 27, 2026
@andrewkroh andrewkroh added Integration:system System Team:Security-Linux Platform Linux Platform Security team [elastic/sec-linux-platform] labels May 27, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@nicholasberlin nicholasberlin added the enhancement New feature or request label May 27, 2026
@nicholasberlin nicholasberlin requested review from a team as code owners May 27, 2026 20:06
@github-actions

TL;DR

The failing Buildkite step is caused by a changelog version mismatch: packages/system/manifest.yml is still 2.18.0, but this PR added a new top-level changelog block for 2.19.0, so lint reports that the current manifest version has no matching changelog entry. Update the changelog entry to align with the manifest version.

Remediation

  • Move this PR’s new changelog note under the existing 2.18.0 section in packages/system/changelog.yml (instead of creating a new 2.19.0 section), or bump packages/system/manifest.yml to 2.19.0 if a version bump is intentional.
  • Update the changelog link to the PR/issue that actually tracks this change (currently it points to .../issues/19247, but this change is PR #19247).

Investigation details

Root Cause

elastic-package lint failed with:

current manifest version doesn't have changelog entry

The PR content shows:

  • packages/system/manifest.yml:4 → version: "2.18.0"
  • packages/system/changelog.yml:2 → new top block - version: "2.19.0"

This mismatch is what the package lint check rejects.

Evidence

  • Lint output:
      Error: checking package failed: linting package failed: found 1 validation error:
         1. current manifest version doesn't have changelog entry
  • Relevant PR file changes include a newly added changelog section:
      packages/system/changelog.yml adds - version: "2.19.0"

Verification

  • Not run locally (workflow is read-only); diagnosis is based on the Buildkite failure log and PR diff.

Follow-up

After adjusting the changelog/version alignment, re-run CI for Check integrations system.

From workflow: PR Buildkite Detective
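A local pre-flight check for the version/changelog mismatch the bot comment diagnoses, as an added example that is not part of elastic-package or of the PR: it extracts the manifest version and the changelog's version entries and reports the same finding as the lint output above when they disagree. The YAML fragments are constructed to mirror the situation described (manifest at 2.18.0, changelog topped by a new 2.19.0 block, and the remediated form with the note moved under 2.18.0); the change descriptions and the ORG/REPO in the links are placeholders. The rule implemented here, that the topmost (newest) changelog entry must match the manifest version, is my reading of elastic-package's check and is an assumption; the extraction is line-oriented rather than a real YAML parse so the block runs with the standard library only.

```python
import re

# Constructed YAML fragments (not the real package files). ORG/REPO and the
# descriptions are placeholders; 19247 is the PR number from the page.
MANIFEST_YML = 'name: system\nversion: "2.18.0"\n'

CHANGELOG_MISMATCH = """\
- version: "2.19.0"
  changes:
    - description: Add user.target.name for PAM chauthtok events
      type: enhancement
      link: https://github.com/ORG/REPO/pull/19247
- version: "2.18.0"
  changes:
    - description: Earlier change (placeholder)
      type: bugfix
      link: https://github.com/ORG/REPO/pull/PLACEHOLDER
"""

# The same note moved under the existing 2.18.0 section, as the comment's
# first remediation suggests.
CHANGELOG_FIXED = """\
- version: "2.18.0"
  changes:
    - description: Add user.target.name for PAM chauthtok events
      type: enhancement
      link: https://github.com/ORG/REPO/pull/19247
    - description: Earlier change (placeholder)
      type: bugfix
      link: https://github.com/ORG/REPO/pull/PLACEHOLDER
"""

# Minimal line-oriented extraction; a real tool would parse the YAML.
MANIFEST_VERSION_RE = re.compile(r'^version:\s*"?([0-9][0-9.]*)"?\s*$', re.M)
CHANGELOG_VERSION_RE = re.compile(r'^-\s+version:\s*"?([0-9][0-9.]*)"?\s*$', re.M)

LINT_MESSAGE = "current manifest version doesn't have changelog entry"


def manifest_version(manifest_text: str) -> str:
    """Return the top-level version string of the package manifest."""
    m = MANIFEST_VERSION_RE.search(manifest_text)
    if not m:
        raise ValueError("manifest has no version field")
    return m.group(1)


def changelog_versions(changelog_text: str) -> list:
    """Return changelog entry versions in file order (newest first)."""
    return CHANGELOG_VERSION_RE.findall(changelog_text)


def check_changelog(manifest_text: str, changelog_text: str) -> list:
    """Return lint findings; an empty list means the files agree.

    Assumed rule: the newest (topmost) changelog entry must carry the
    manifest's version. A new top block with a higher version than the
    manifest, as in this PR, therefore fails, as does a missing entry.
    """
    findings = []
    current = manifest_version(manifest_text)
    versions = changelog_versions(changelog_text)
    if not versions or versions[0] != current:
        findings.append(LINT_MESSAGE)
    return findings


if __name__ == "__main__":
    print("mismatch:", check_changelog(MANIFEST_YML, CHANGELOG_MISMATCH))
    print("fixed:   ", check_changelog(MANIFEST_YML, CHANGELOG_FIXED))
```

Running this before pushing catches the failure that otherwise only surfaces in the Buildkite step; the alternative remediation the comment names, bumping the manifest to 2.19.0, would make the mismatched changelog pass the same check.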

@elasticmachine

💚 Build Succeeded

cc @nicholasberlin


Development

Successfully merging this pull request may close these issues.

[System]: Pipeline failed to extract user.target.name from the log messages for password change event
