LinuxQuestions.org - How can get information about the creation date of a user?

- Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)

- - How can get information about the creation date of a user? (https://www.linuxquestions.org/questions/linux-software-2/how-can-get-information-about-the-creation-date-of-a-user-649142/)

How can get information about the creation date of a user?

Hello all,

I´ll appreciate if you can indicate me how can I get information about the creation date of the users that has been created in the system.

I have a lot of distros in my site and I have to do this task. The distros that I use are: centos, red hat and Ubuntu.

Thanks a lot
mcc

If you keep logs from the time the machines got used, then you could look for useradd|adduser messages in the system logs.

I don't think there is any reliable way to get this kind of information. Your alternatives are:
- a log kept by your specific user management application (does any user management application keep a log?)
- ls -lc /home/ (if the users don't use their home directories)
- /etc/log/wtmp (if users log in often)
- passwd -S username (if users never change their login password)

I don't think that's always possible. Log files on Linux systems are rotated, and typically only kept for a few weeks, or months at most.

The only thing you strictly need to do to add a user to a system is to add a line in the /etc/passwd file. This would not log anything beyond the changing the last update date of the file each time you add a user, so you can tell the last time a user was added (or any of their login details changed), using:

Code:

ls -l /etc/passwd

More commonly, the useradd script is used, which will create a home directory for the user. Some filesystems store the directory creation date, but most don't so you probably can't figure it out this way.

I just tried adding a user to Ubuntu, and it didn't log anything. There are a few patches around that you can use to modify adduser to get it to log the creation of new users; you might try looking for a file called /var/log/adduser.log or similar.

You can run the command lastlog to find out the last time each user logged in, and where they logged in from.

If you are using sudo to create users then all sudo commands get logged, usually into /var/log/secure or /var/log/auth.log

Hope that's of some help!

—Robert J Lee

From all those options mentioned the only reliable one is still logging. I started my reply with "if you keep logs" because log retention does depend on legal or business requirements, site policy or in absence of those personal preference. Any good admin who has been (bitten by or made) aware of accountability issues will have altered their log retention anyway. At least on on RHEL and equivalent messages get logged when handling users/groups. If Debian machines don't out of the box, or not at your site, then this is a good reason to change logging options and retention.

Everything else that has to do with reading time from inodes, volatile login records or other logs or files will be extremely unreliable since any arbitrary process can modify it, will account only for the last user added (which could have been a daemon account), and as far as I know it is not possible to tell the creation date from a file. See http://www.securityfocus.com/infocus/1738 and http://www.brandonhutchinson.com/ctime_atime_mtime.html.