
Logs for the usercreation

 
Abhilash Krishnan
Frequent Advisor

Logs for the usercreation

Hi,

On one of my servers somebody has deleted a user. Is there any log file for knowing when and who deleted the user?

Thanks
Biju
4 REPLIES
Pete Randall
Outstanding Contributor

Re: Logs for the usercreation

You can look at the timestamp on /etc/passwd to see when it was last modified, but, other than that, you would have to look at root's history file, if there is one. The problem with the history file is that there are no time stamps, and you really don't know who was acting as root. I'm afraid you really have to rely on asking the people who have root access which one of them did it.


Pete

Hakki Aydin Ucar
Honored Contributor

Re: Logs for the usercreation

There is no standard way of investigating this type of problem in Unix.
You can make a guess; for example, probably user "root" could do that, but the problem is that more than one person can use root. root is not a standard user.

Re: Logs for the usercreation

If the user was deleted through SAM/SMH, you might find something in /var/sam/log/samlog

But of course there are half a dozen different ways to do this outside of SAM anyway.

If you want to look at capturing this kind of detail in the future, you need to use Auditing on the system - but even then you'd need to know what you were looking for at a system call level...

If you want to capture every keystroke done by every user on a UNIX system there are solutions for this (Powerbroker comes to mind), but these usually have a big $$$ attached to them

HTH

Duncan

Jozef_Novak
Respected Contributor

Re: Logs for the usercreation

Hello,

One addition: you can determine who was acting as root by examining the /var/adm/sulog file.

J.
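
Added example, not part of any reply in this thread: a small shell function that lists the su transitions to root recorded for one day, so they can be compared with the modification date of /etc/passwd mentioned above. It assumes the sulog line layout `SU MM/DD HH:MM +|- tty from-to`; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# List su attempts to root for one day from a sulog-format file.
# Assumed line layout: SU MM/DD HH:MM <+|-> <tty> <from>-<to>
# sulog records no year, so rule out old entries by checking the file's age.

su_to_root_on() {
    # $1 = day as MM/DD, $2 = sulog file (optional; reads stdin if omitted)
    awk -v day="$1" '
        $1 == "SU" && $2 == day && NF >= 6 {
            # Split from-to on the LAST hyphen: login names may contain "-".
            n = length($6)
            while (n > 0 && substr($6, n, 1) != "-") n--
            if (n == 0) next
            from = substr($6, 1, n - 1)
            to = substr($6, n + 1)
            if (to != "root") next
            # "+" marks a successful su, "-" a failed attempt.
            result = ($4 == "+") ? "ok" : "FAILED"
            print $3, $5, from, result
        }' ${2:+"$2"}
}

# Constructed sample data (not taken from a real system).
sample_sulog() {
    cat <<'EOF'
SU 03/13 17:40 + ttyp2 bjones-root
SU 03/14 09:02 + ttyp1 asmith-root
SU 03/14 09:15 - ttyp3 guest-root
SU 03/14 10:30 + ttyp1 asmith-oracle
SU 03/14 11:47 + pts/4 ops-admin-root
EOF
}

# Demo on the sample; on a live system: su_to_root_on 03/14 /var/adm/sulog
sample_sulog | su_to_root_on 03/14
```

Take the day from `ls -l /etc/passwd`. Direct root logins never appear in sulog, so an empty result does not rule out a root session on that day.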