User creation date
Hi All,
I tried a lot to get an answer for how to check when a user was created,but got no answer. Can anybody let me know the command or how to check when a user was created? |
Check the date their .bash_logout file was created. That usually doesn't get touched so it should be the original date.
This is assuming that you are talking about a system user with a home directory, not some other kind of unspecified user (you didn't specify). |
Quote:
|
No, sorry. What kind of user are you talking about ?
There are mail users, ftp users, users with shell accounts, users of websites, users of databases, users who can log into the computer from a keyboard, etc, etc. There are users on this website. Which are you referring to ? |
I think its users with shell accounts. Like, I create a user with username & passwd command. Then how can I check when was this username created?
|
Quote:
|
Any default Linux installation I know of doesn't have any logging
regarding the creation of user accounts. If you have authentication via LDAP or AD you can use an ldapsearch to find out when & by whom an account was created. The time stamps on the files mentioned above could easily be wrong if the user decided to e.g. edit them, or the admin moved them from one mountpoint to another at some stage. And you don't need to login as those users in an ordinary linux setup; as root an "ls -l /home/*/.bash_logout" should give you all users times for the .bash_logout file, or "ls -l /home/<username>/.bash_logout" for an individual account. Cheers, Tink |
Quote:
|
I have read that some versions of Unix have a /var/log/adduser file which, presumably might have the information of creation time. I haven't found such a file on my Linux installations, though.
|
Quote:
|
On most distro's /var/log/secure only goes back 4-5 weeks.
|
I had tried adding a user and checking ~/secure, but found no entry for adduser, prior to my post.
|
Check out the manual page for shadow(5) 'man 5 shadow' Your answer might be there.
You might be able to make this determination from one of the fields of an /etc/shadow entry ezekieldas:$6$VuZUmz8sxxxxSjfFete7yk7aN9tNBtmSL21:13826:0:99999:7::: |
Again, I had checked the shadow file, but found nothing that seems to indicate the actual date of the user account creation. Perhaps I've misinterpreted, "days since Jan 1, 1970 that account is disabled", but it wouldn't seem to be relevant.
|
Man...Is there nobody in this forum who could answer this question? There are so many members in this forum, but nobody has a precised answer for this. Anyways, I am still trying to find this info. If I get, then I will update you all with the same.
|
Quote:
1. A native Linux install doesn't record the initial creation date. 2. If created and not touched when the user was created, .bash_logout is a good chance at determining the date. 3. Unless you keep a record of all logs or bash history for users, you cannot determine the date. Honestly, if you want to keep track of when a user is created, there are fields in the /etc/passwd file you can specify a users full name, phone number and other info, you can add a creation date here when you create the user. useradd -c or --comment options can be used as a text string, reserved for description of user (ex. Full Name). |
The apparent answer is that most Linux distributions do not store the timestamp of user account creation. At least some forms of Unix, including some of the BSDs, maintain a log of adduser activity, which may hold that information, but you'd need access to such an installation to determine that.
Some filesystems are reported to store file creation date and, on such a filesystem the creation date of the user's home directory would give a fairly reliable indication of when the account was initiated. The common Linux filesystems, ext2 and ext3 do not store this information. It should be easy enough for you to determine if ext4, Btrfs, or other filesystems have such facility, if they are available to you. Otherwise, I'd suggest starting another thread to poll those with such filesystems at their immediate disposal. |
Here are two accounts I created on two different dates. You can do the math from here:
ezekieldas:$1$yMRsM5LJ$osafajE7vibaU/:14778:0:99999:7::: xyz:!!:14805:0:99999:7::: --- Install tripwire --- Also, check your logs: /var/log/messages Jul 15 11:33:17 fr-virt001 useradd[1123]: new group: name=xyz, GID=501 Jul 15 11:33:17 fr-virt001 useradd[1123]: new user: name=xyz, UID=501, GID=501, home=/home/xyz, shell=/bin/bash |
Quote:
I don't know any sysadmin that keeps tabs on file changes with tripwire on log files, since these are changed all the time. It would only make sense if you tell it to monitor /etc/passwd, /etc/shadow but then again, on a busy system with a lot of users, you might be getting a bunch of useless info. It would report a change everytime a user changes their password, etc. |
Now another way is to take the stamp in the shadow file of the last time the password changed, but that would only give you time of creation if the user has never changed their password, which I don't recommend and a force of password changes is a good thing on any system after 60-90 days on most systems.
|
Quote:
Try googling and read some of the solutions. You could create your own logfile, by adding a file which is owned by root to /etc/skel . (files in /etc/skel get added to a users home directory when it is created). The user will never be able to edit it, and if you script the file creation, any date inside the file cannot be changed if the file is moved to a new partition. |
Quote:
Example: Code:
johndoe:x:500:500:John Doe Created-2010-07-15:/home/jdoe:/bin/bash |
ezekieldas,
Your results may be distribution or log settings dependent, as I tried adding and removing a user on my Hardy installation and no entries resulted in the messages file. I did use the System Settings to add the user and not adduser, but I must assume the GUI simply calls the utility. |
sure -- you might also set something up in /etc/skel to use logger.
|
Another possibility suggests itself: Many distros use adduser, a Perl script, to call and pass parameters to useradd, an executable. In Ubuntu, for instance, adduser.conf is what causes the files in /etc/skel to be created in the new user directory; in the /etc/default/useradd configuration file, the line which would cause useradd to create such files is commented out,(actually, all the lines in the file are commented out on my installation, except SHELL=/bin/sh). It shouldn't take much to add a line or two to the script creating a file with a timestamp in it.
Naturally, one would need at least a little knowledge of Perl, a requirement many might find onerous, (sorry, Larry). Such a solution must be taken preemptively, of course, and does little for trying to determine account creation date after the fact. |
Quote:
You need to devise a mechanism/process yourself; or use LDAP. Cheers, Tink |
Wait a minute
Tinkster,
Your tag line about Windows not being that bad originally suggests you weren't around for the early versions. The BSOD has been with us since the beginning, which was more like 25 years ago. Trust me on this: Windows and DOS before it have always been a tangle of spaghetti code and memory leaks. |
Maybe I need to update my sig ;} ... I've used M$-Dos 3.1 and Windblows 2 (yes,
the fugly black and white thing that looked like GEMs poor relation). Cheers, Tink |
Hope this helps
All the answers above are valid... and since there isn't any out of the box effective way of knowing this...
I will say the best answer for me at least is the following... Just get the oldest file a user might have and take that as the most proximate answer. The following will give you all the users under the home directory... for USER in $(cat /etc/passwd | sed 's/:/ /g' | awk '{print $1}') do if [ -d /home/$USER/ ] then echo $USER $(ls -latr /home/$USER/ | head -2 | tail -1 ) fi done you can go further by taking the home from the /etc/passwd and checking it Or creating a little python script etc etc ... this is just an idea |
@jmedinar,
Be aware that this thread is 8 years old. When answering very old threads it's best to see if the OP has been on LQ lately. Their profile indicates they were last active in 2013. |
Yes, I was aware of that. Not necessarily answering to the original post but to anyone in the future that might look for the same.
|
All times are GMT -5. The time now is 10:35 PM. |