LinuxQuestions.org


falconite 07-14-2010 11:06 AM

User creation date
 
Hi All,

I tried a lot to get an answer for how to check when a user was created, but got no answer. Can anybody let me know the command or how to check when a user was created?

smoker 07-14-2010 12:03 PM

Check the date their .bash_logout file was created. That usually doesn't get touched so it should be the original date.
This is assuming that you are talking about a system user with a home directory, not some other kind of unspecified user (you didn't specify).

falconite 07-14-2010 02:05 PM

Quote:

Originally Posted by smoker (Post 4033009)
Check the date their .bash_logout file was created. That usually doesn't get touched so it should be the original date.
This is assuming that you are talking about a system user with a home directory, not some other kind of unspecified user (you didn't specify).

I am not sure about which user to specify. What kind of users are there? Like say, I am newly joined as an Admin in a company. There is a user account in my company and I am asked to find when this user account or username was created. So, how should I go about it? Hope this is quite explicit.

smoker 07-14-2010 02:33 PM

No, sorry. What kind of user are you talking about?
There are mail users, ftp users, users with shell accounts, users of websites, users of databases, users who can log into the computer from a keyboard, etc, etc.

There are users on this website.

Which are you referring to?

falconite 07-14-2010 02:54 PM

I think it's users with shell accounts. Like, I create a user with username & passwd command. Then how can I check when this username was created?

falconite 07-14-2010 03:08 PM

Quote:

Originally Posted by smoker (Post 4033009)
Check the date their .bash_logout file was created. That usually doesn't get touched so it should be the original date.
This is assuming that you are talking about a system user with a home directory, not some other kind of unspecified user (you didn't specify).

Hey, I think this works. Either the .bash_logout or .bash_profile file can be checked for this. But, you need to log in to this particular user account and then run the 'ls -l .bash_logout' command. The reason why I am asking this question is that this was asked to me in an interview. The interviewer said that we need to check a certain log file. I forgot to ask him which log file he was talking about.

Tinkster 07-14-2010 03:24 PM

Any default Linux installation I know of doesn't have any logging
regarding the creation of user accounts. If you have authentication
via LDAP or AD you can use an ldapsearch to find out when & by whom
an account was created.

The time stamps on the files mentioned above could easily be wrong
if the user decided to e.g. edit them, or the admin moved them from
one mountpoint to another at some stage.

And you don't need to login as those users in an ordinary linux setup;
as root an "ls -l /home/*/.bash_logout" should give you all users
times for the .bash_logout file, or "ls -l /home/<username>/.bash_logout"
for an individual account.


Cheers,
Tink

falconite 07-14-2010 04:10 PM

Quote:

Originally Posted by Tinkster (Post 4033169)
Any default Linux installation I know of doesn't have any logging
regarding the creation of user accounts. If you have authentication
via LDAP or AD you can use an ldapsearch to find out when & by whom
an account was created.

The time stamps on the files mentioned above could easily be wrong
if the user decided to e.g. edit them, or the admin moved them from
one mountpoint to another at some stage.

And you don't need to login as those users in an ordinary linux setup;
as root an "ls -l /home/*/.bash_logout" should give you all users
times for the .bash_logout file, or "ls -l /home/<username>/.bash_logout"
for an individual account.


Cheers,
Tink

Yeah.. You are right. If you just touch this file, the time stamp changes. I don't know what the interviewer meant. Anyways, thanks a lot guys for all your help.

Rambo_Tribble 07-14-2010 07:44 PM

I have read that some versions of Unix have a /var/log/adduser file which, presumably might have the information of creation time. I haven't found such a file on my Linux installations, though.

burschik 07-15-2010 05:39 AM

Quote:

Originally Posted by Rambo_Tribble (Post 4033349)
I have read that some versions of Unix have a /var/log/adduser file which, presumably might have the information of creation time. I haven't found such a file on my Linux installations, though.

Try /var/log/secure.

stuart_cherrington 07-15-2010 06:17 AM

On most distros /var/log/secure only goes back 4-5 weeks.

Rambo_Tribble 07-15-2010 09:03 AM

I had tried adding a user and checking ~/secure, but found no entry for adduser, prior to my post.

ezekieldas 07-15-2010 10:15 AM

Check out the manual page for shadow(5) 'man 5 shadow' Your answer might be there.

You might be able to make this determination from one of the fields of an /etc/shadow entry

ezekieldas:$6$VuZUmz8sxxxxSjfFete7yk7aN9tNBtmSL21:13826:0:99999:7:::

Rambo_Tribble 07-15-2010 10:28 AM

Again, I had checked the shadow file, but found nothing that seems to indicate the actual date of the user account creation. Perhaps I've misinterpreted, "days since Jan 1, 1970 that account is disabled", but it wouldn't seem to be relevant.

falconite 07-15-2010 01:20 PM

Man... Is there nobody in this forum who could answer this question? There are so many members in this forum, but nobody has a precise answer for this. Anyways, I am still trying to find this info. If I get it, then I will update you all with the same.

trickykid 07-15-2010 01:30 PM

Quote:

Originally Posted by falconite (Post 4034365)
Man... Is there nobody in this forum who could answer this question? There are so many members in this forum, but nobody has a precise answer for this. Anyways, I am still trying to find this info. If I get it, then I will update you all with the same.

There are plenty of logical answers given. You should have learned several things by reading the replies:

1. A native Linux install doesn't record the initial creation date.
2. If created and not touched when the user was created, .bash_logout is a good chance at determining the date.
3. Unless you keep a record of all logs or bash history for users, you cannot determine the date.

Honestly, if you want to keep track of when a user is created, there are fields in the /etc/passwd file where you can specify a user's full name, phone number and other info; you can add a creation date here when you create the user.

useradd -c or --comment options can be used as a text string, reserved for description of user (ex. Full Name).

Rambo_Tribble 07-15-2010 01:39 PM

The apparent answer is that most Linux distributions do not store the timestamp of user account creation. At least some forms of Unix, including some of the BSDs, maintain a log of adduser activity, which may hold that information, but you'd need access to such an installation to determine that.

Some filesystems are reported to store file creation date and, on such a filesystem the creation date of the user's home directory would give a fairly reliable indication of when the account was initiated. The common Linux filesystems, ext2 and ext3 do not store this information. It should be easy enough for you to determine if ext4, Btrfs, or other filesystems have such facility, if they are available to you. Otherwise, I'd suggest starting another thread to poll those with such filesystems at their immediate disposal.

ezekieldas 07-15-2010 01:40 PM

Here are two accounts I created on two different dates. You can do the math from here:

ezekieldas:$1$yMRsM5LJ$osafajE7vibaU/:14778:0:99999:7:::
xyz:!!:14805:0:99999:7:::

---
Install tripwire

---

Also, check your logs:

/var/log/messages

Jul 15 11:33:17 fr-virt001 useradd[1123]: new group: name=xyz, GID=501
Jul 15 11:33:17 fr-virt001 useradd[1123]: new user: name=xyz, UID=501, GID=501, home=/home/xyz, shell=/bin/bash
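The "math" on the third shadow field and the useradd log lines from the post above, worked through as an added example that is not part of the original thread. The function names are hypothetical and the date conversion assumes GNU date.

```shell
#!/bin/sh
# Added example: two after-the-fact clues to when an account was created.
# Both functions read stdin, so they can be run on copies of the files.

# Field 3 of an /etc/shadow entry is the last password change, in days since
# 1970-01-01. The account cannot have been created later than that date; it
# is the creation date only if the password was never changed afterwards.
# Prints "name YYYY-MM-DD". Assumption: GNU date (-d @seconds).
shadow_lastchg() {
    while IFS=: read -r name _hash lastchg _rest; do
        case $lastchg in
            # empty = aging disabled, 0 = change forced at next login
            ''|0|*[!0-9]*) echo "$name unknown" ;;
            *) echo "$name $(date -u -d "@$((lastchg * 86400))" +%Y-%m-%d)" ;;
        esac
    done
}

# useradd reports "new user: name=..., UID=..." through syslog. Classic syslog
# timestamps carry no year, and rotation discards old entries, so this only
# helps for recently created accounts.
# Prints "Mon DD HH:MM:SS name uid".
useradd_events() {
    sed -n 's/^\([A-Z][a-z][a-z]  *[0-9]* [0-9:]*\) .* useradd\[[0-9]*]: new user: name=\([^,]*\), UID=\([0-9]*\).*/\1 \2 \3/p'
}

# Sample input: the lines posted in the thread above.
sample_shadow='ezekieldas:$1$yMRsM5LJ$osafajE7vibaU/:14778:0:99999:7:::
xyz:!!:14805:0:99999:7:::'
sample_log='Jul 15 11:33:17 fr-virt001 useradd[1123]: new group: name=xyz, GID=501
Jul 15 11:33:17 fr-virt001 useradd[1123]: new user: name=xyz, UID=501, GID=501, home=/home/xyz, shell=/bin/bash'

printf '%s\n' "$sample_shadow" | shadow_lastchg
printf '%s\n' "$sample_log" | useradd_events
```

On a live system the same functions can be fed as root with `shadow_lastchg < /etc/shadow` and `useradd_events < /var/log/messages`.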

trickykid 07-15-2010 01:49 PM

Quote:

Originally Posted by ezekieldas (Post 4034403)
Here are two accounts I created on two different dates. You can do the math from here:

ezekieldas:$1$yMRsM5LJ$osafajE7vibaU/:14778:0:99999:7:::
xyz:!!:14805:0:99999:7:::

---
Install tripwire

---

Also, check your logs:

/var/log/messages

Jul 15 11:33:17 fr-virt001 useradd[1123]: new group: name=xyz, GID=501
Jul 15 11:33:17 fr-virt001 useradd[1123]: new user: name=xyz, UID=501, GID=501, home=/home/xyz, shell=/bin/bash

The only problem with /var/log/messages is by default it gets rotated, unless changed to keep all logs forever, if the system has been running for quite some time, not a very good way to get such info from.

I don't know any sysadmin that keeps tabs on file changes with tripwire on log files, since these are changed all the time. It would only make sense if you tell it to monitor /etc/passwd, /etc/shadow but then again, on a busy system with a lot of users, you might be getting a bunch of useless info. It would report a change every time a user changes their password, etc.

trickykid 07-15-2010 01:50 PM

Now another way is to take the stamp in the shadow file of the last time the password changed, but that would only give you time of creation if the user has never changed their password, which I don't recommend and a force of password changes is a good thing on any system after 60-90 days on most systems.

smoker 07-15-2010 01:56 PM

Quote:

Originally Posted by falconite
Man... Is there nobody in this forum who could answer this question? There are so many members in this forum, but nobody has a precise answer for this. Anyways, I am still trying to find this info. If I get it, then I will update you all with the same.

There is no answer because there is no answer. The only way to check the creation date is to record the creation date at the time of creation. There are various auditing systems that will create and check things like that, but only after they've been installed.
Try googling and read some of the solutions.
You could create your own logfile, by adding a file which is owned by root to /etc/skel. (Files in /etc/skel get added to a user's home directory when it is created.) The user will never be able to edit it, and if you script the file creation, any date inside the file cannot be changed if the file is moved to a new partition.

trickykid 07-15-2010 01:58 PM

Quote:

Originally Posted by smoker (Post 4034426)
There is no answer because there is no answer. The only way to check the creation date is to record the creation date at the time of creation. There are various auditing systems that will create and check things like that, but only after they've been installed.
Try googling and read some of the solutions.
You could create your own logfile, by adding a file to /etc/skel which is owned by root. (Files in /etc/skel get added to a user's home directory when it is created.) The user will never be able to edit it, and if you script the file creation, any date inside the file cannot be changed if the file is moved to a new partition.

Yeah, like my suggestion, use the -c option or manually edit the text field in the /etc/passwd with the creation date.

Example:

Code:

johndoe:x:500:500:John Doe Created-2010-07-15:/home/jdoe:/bin/bash
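One way to apply the comment-field suggestion above at account creation and read it back later, as an added example that is not part of the original thread. The helper names, the DRY_RUN switch and the useradd-stamp syslog tag are hypothetical; the "Created-YYYY-MM-DD" format follows the post's example.

```shell
#!/bin/sh
# Added example (hypothetical helper names): stamp the creation date into the
# passwd comment field when the account is made, then read it back later.

# Build the comment in the thread's "Created-YYYY-MM-DD" convention.
# ':' separates passwd fields, so it is stripped from the name.
stamped_comment() {   # $1 = full name, $2 = date (default: today)
    printf '%s Created-%s\n' "$(printf '%s' "$1" | tr -d ':\n')" \
        "${2:-$(date +%Y-%m-%d)}"
}

# Create the account with the stamped comment and send a syslog record too.
# Needs root; set DRY_RUN=1 to print the command instead of running it.
create_user() {       # $1 = login, $2 = full name
    comment=$(stamped_comment "$2")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "useradd -m -c \"$comment\" $1"
    else
        useradd -m -c "$comment" "$1" &&
            logger -t useradd-stamp "created $1: $comment"
    fi
}

# Report the recorded date for every passwd entry on stdin ("-" if unstamped).
created_report() {
    awk -F: '{
        d = "-"
        if (match($5, /Created-[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/))
            d = substr($5, RSTART + 8, 10)
        print $1, d
    }'
}

# Sample passwd lines: the first is the thread's example, the second is constructed.
sample_passwd='johndoe:x:500:500:John Doe Created-2010-07-15:/home/jdoe:/bin/bash
olduser:x:501:501:Old User:/home/olduser:/bin/bash'
printf '%s\n' "$sample_passwd" | created_report
```

Where chfn lets users edit their own comment field, treat the stamp as advisory and keep the syslog record as the reference.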

Rambo_Tribble 07-15-2010 02:09 PM

ezekieldas,

Your results may be distribution or log settings dependent, as I tried adding and removing a user on my Hardy installation and no entries resulted in the messages file. I did use the System Settings to add the user and not adduser, but I must assume the GUI simply calls the utility.

ezekieldas 07-15-2010 02:12 PM

sure -- you might also set something up in /etc/skel to use logger.

Rambo_Tribble 07-15-2010 04:45 PM

Another possibility suggests itself: Many distros use adduser, a Perl script, to call and pass parameters to useradd, an executable. In Ubuntu, for instance, adduser.conf is what causes the files in /etc/skel to be created in the new user directory; in the /etc/default/useradd configuration file, the line which would cause useradd to create such files is commented out (actually, all the lines in the file are commented out on my installation, except SHELL=/bin/sh). It shouldn't take much to add a line or two to the script creating a file with a timestamp in it.

Naturally, one would need at least a little knowledge of Perl, a requirement many might find onerous (sorry, Larry). Such a solution must be taken preemptively, of course, and does little for trying to determine account creation date after the fact.

Tinkster 07-15-2010 05:04 PM

Quote:

Originally Posted by falconite (Post 4034365)
Man... Is there nobody in this forum who could answer this question? There are so many members in this forum, but nobody has a precise answer for this. Anyways, I am still trying to find this info. If I get it, then I will update you all with the same.

You GOT the answers. There is no default/standard way.
You need to devise a mechanism/process yourself; or use LDAP.


Cheers,
Tink

Rambo_Tribble 07-15-2010 05:45 PM

Wait a minute
 
Tinkster,

Your tag line about Windows not being that bad originally suggests you weren't around for the early versions. The BSOD has been with us since the beginning, which was more like 25 years ago. Trust me on this: Windows and DOS before it have always been a tangle of spaghetti code and memory leaks.

Tinkster 07-15-2010 05:50 PM

Maybe I need to update my sig ;} ... I've used M$-Dos 3.1 and Windblows 2 (yes,
the fugly black and white thing that looked like GEMs poor relation).



Cheers,
Tink

jmedinar 01-17-2018 08:48 PM

Hope this helps
 
All the answers above are valid... and since there isn't any out of the box effective way of knowing this...
I will say the best answer for me at least is the following... Just get the oldest file a user might have and take that
as the most proximate answer.

The following will give you all the users under the home directory...

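Code:

# For each account with a directory under /home, print its oldest entry
while IFS=: read -r name _; do
    if [ -d "/home/$name/" ]; then
        # ls -latr lists oldest first: line 1 is "total", line 2 the oldest entry
        echo "$name" "$(ls -latr "/home/$name/" | head -2 | tail -1)"
    fi
done < /etc/passwd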

you can go further by taking the home from the /etc/passwd and checking it
Or creating a little python script etc etc ... this is just an idea

rtmistler 01-18-2018 10:58 AM

@jmedinar,

Be aware that this thread is 8 years old. When answering very old threads it's best to see if the OP has been on LQ lately. Their profile indicates they were last active in 2013.

jmedinar 01-18-2018 11:09 AM

Yes, I was aware of that. Not necessarily answering to the original post but to anyone in the future that might look for the same.


All times are GMT -5.