|
Quote:
1. A native Linux install doesn't record the initial creation date. 2. If created and not touched when the user was created, .bash_logout is a good chance at determining the date. 3. Unless you keep a record of all logs or bash history for users, you cannot determine the date. Honestly, if you want to keep track of when a user is created, there are fields in the /etc/passwd file you can specify a users full name, phone number and other info, you can add a creation date here when you create the user. useradd -c or --comment options can be used as a text string, reserved for description of user (ex. Full Name). |
The apparent answer is that most Linux distributions do not store the timestamp of user account creation. At least some forms of Unix, including some of the BSDs, maintain a log of adduser activity, which may hold that information, but you'd need access to such an installation to determine that.
Some filesystems are reported to store file creation date and, on such a filesystem the creation date of the user's home directory would give a fairly reliable indication of when the account was initiated. The common Linux filesystems, ext2 and ext3 do not store this information. It should be easy enough for you to determine if ext4, Btrfs, or other filesystems have such facility, if they are available to you. Otherwise, I'd suggest starting another thread to poll those with such filesystems at their immediate disposal. |
Here are two accounts I created on two different dates. You can do the math from here:
ezekieldas:$1$yMRsM5LJ$osafajE7vibaU/:14778:0:99999:7::: xyz:!!:14805:0:99999:7::: --- Install tripwire --- Also, check your logs: /var/log/messages Jul 15 11:33:17 fr-virt001 useradd[1123]: new group: name=xyz, GID=501 Jul 15 11:33:17 fr-virt001 useradd[1123]: new user: name=xyz, UID=501, GID=501, home=/home/xyz, shell=/bin/bash |
Quote:
I don't know any sysadmin that keeps tabs on file changes with tripwire on log files, since these are changed all the time. It would only make sense if you tell it to monitor /etc/passwd, /etc/shadow but then again, on a busy system with a lot of users, you might be getting a bunch of useless info. It would report a change everytime a user changes their password, etc. |
Now another way is to take the stamp in the shadow file of the last time the password changed, but that would only give you time of creation if the user has never changed their password, which I don't recommend and a force of password changes is a good thing on any system after 60-90 days on most systems.
|
Quote:
Try googling and read some of the solutions. You could create your own logfile, by adding a file which is owned by root to /etc/skel . (files in /etc/skel get added to a users home directory when it is created). The user will never be able to edit it, and if you script the file creation, any date inside the file cannot be changed if the file is moved to a new partition. |
Quote:
Example: Code:
johndoe:x:500:500:John Doe Created-2010-07-15:/home/jdoe:/bin/bash |
ezekieldas,
Your results may be distribution or log settings dependent, as I tried adding and removing a user on my Hardy installation and no entries resulted in the messages file. I did use the System Settings to add the user and not adduser, but I must assume the GUI simply calls the utility. |
sure -- you might also set something up in /etc/skel to use logger.
|
Another possibility suggests itself: Many distros use adduser, a Perl script, to call and pass parameters to useradd, an executable. In Ubuntu, for instance, adduser.conf is what causes the files in /etc/skel to be created in the new user directory; in the /etc/default/useradd configuration file, the line which would cause useradd to create such files is commented out,(actually, all the lines in the file are commented out on my installation, except SHELL=/bin/sh). It shouldn't take much to add a line or two to the script creating a file with a timestamp in it.
Naturally, one would need at least a little knowledge of Perl, a requirement many might find onerous, (sorry, Larry). Such a solution must be taken preemptively, of course, and does little for trying to determine account creation date after the fact. |
Quote:
You need to devise a mechanism/process yourself; or use LDAP. Cheers, Tink |
Wait a minute
Tinkster,
Your tag line about Windows not being that bad originally suggests you weren't around for the early versions. The BSOD has been with us since the beginning, which was more like 25 years ago. Trust me on this: Windows and DOS before it have always been a tangle of spaghetti code and memory leaks. |
Maybe I need to update my sig ;} ... I've used M$-Dos 3.1 and Windblows 2 (yes,
the fugly black and white thing that looked like GEMs poor relation). Cheers, Tink |
Hope this helps
All the answers above are valid... and since there isn't any out of the box effective way of knowing this...
I will say the best answer for me at least is the following... Just get the oldest file a user might have and take that as the most proximate answer. The following will give you all the users under the home directory... for USER in $(cat /etc/passwd | sed 's/:/ /g' | awk '{print $1}') do if [ -d /home/$USER/ ] then echo $USER $(ls -latr /home/$USER/ | head -2 | tail -1 ) fi done you can go further by taking the home from the /etc/passwd and checking it Or creating a little python script etc etc ... this is just an idea |
@jmedinar,
Be aware that this thread is 8 years old. When answering very old threads it's best to see if the OP has been on LQ lately. Their profile indicates they were last active in 2013. |
| All times are GMT -5. The time now is 04:38 PM. |