HPE Community
Operating System - HP-UX
1828406 Members
3136 Online
109977 Solutions
New Discussion

How can you tell when a Unix account was created?

 
Craig Johnson_1
Regular Advisor

‎02-14-2008 11:59 AM

‎02-14-2008 11:59 AM

How can you tell when a Unix account was created?

Is there a bulletproof method of doing so? Sam logs aren't because you don't have to use Sam. /home directory date and contents won't work either. Any ideas?
0 Kudos
Reply
12 REPLIES 12
Grayh
Trusted Contributor

‎02-14-2008 12:12 PM

‎02-14-2008 12:12 PM

Re: How can you tell when a Unix account was created?

cat /etc/passwd
0 Kudos
Reply
Grayh
Trusted Contributor

‎02-14-2008 12:12 PM

‎02-14-2008 12:12 PM

Re: How can you tell when a Unix account was created?

#cat /etc/passwd
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎02-14-2008 12:16 PM

‎02-14-2008 12:16 PM

Re: How can you tell when a Unix account was created?

Hi Craig:

Only by inference. First, there is no such attribute/property as a "creation" timestamp in Unix. You have a modification timestamp ('mtime') and that would coincidently equal the creation moment until such time as the file in question was changed; or until such time (for a directory) as a file was added or removed from the directory.

Regards!

...JRF...
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎02-14-2008 12:20 PM

‎02-14-2008 12:20 PM

Re: How can you tell when a Unix account was created?

Bulletproof??? No.

Looking at /etc/passwd isn't going to tell you anything because there are no date stamps. The closest you can come is looking at the date/time stamps on the user's home directory but, as Jim says, there's no guarantee with that either.


Pete

Pete
0 Kudos
Reply
Tim Nelson
Honored Contributor

‎02-14-2008 12:33 PM

‎02-14-2008 12:33 PM

Re: How can you tell when a Unix account was created?

For the future.

Add an audit log to your user creation/removal script.

0 Kudos
Reply
Craig Johnson_1
Regular Advisor

‎02-14-2008 12:58 PM

‎02-14-2008 12:58 PM

Re: How can you tell when a Unix account was created?

We have an audit log but it's ugly (does a diff on /etc/passwd every single day, amongst other things). I was hoping for a more elegant solution.

There are five senior admins here and none of us could come up with anything better.
0 Kudos
Reply
Tim Nelson
Honored Contributor

‎02-14-2008 01:17 PM

‎02-14-2008 01:17 PM

Re: How can you tell when a Unix account was created?

Now you have 8 more without a concreate solution. Must be no solution.

Is all your user admin done via SAM ? If so, do you delete the SAM logs ?

Do you clear out your wtmp files ? First entry for each user could be close to their creation time.

Otherwise back to a better solution for going forward.

Create your user admin scripts with a nicely formatted audit/log file.

0 Kudos
Reply
Peter Nikitka
Honored Contributor

‎02-15-2008 07:22 AM

‎02-15-2008 07:22 AM

Re: How can you tell when a Unix account was created?

Hi,

attached is my audit program for logging changes in /etc/passwd + /etc/shadow.
Logdirectory $PWwdir (default: /root/pw) needs creation/modification before the first run.
My crontab runs this in a 4hour frame - your milage may vary.
Note that my 'key' is the UID - so UID-changes result in NEW/DEL records.

mfG Peter
The Universe is a pretty big place, it's bigger than anything anyone has ever dreamed of before. So if it's just us, seems like an awful waste of space, right? Jodie Foster in "Contact"
0 Kudos
Reply
Torsten.
Acclaimed Contributor

‎02-15-2008 08:03 AM

‎02-15-2008 08:03 AM

Re: How can you tell when a Unix account was created?

Bulletproof?

This is bulletproof:

http://hp.feedroom.com/index.jsp?fr_story=4771fb6e6ae03e45534d08bfbe17cade6656025b&fr_chl=d9138bf1d80fad18e3bfa58c2dc62ae5716c10df

off topic, anyway.

Have a funny friday!

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
Reply
Court Campbell
Honored Contributor

‎02-15-2008 08:08 AM

‎02-15-2008 08:08 AM

Re: How can you tell when a Unix account was created?

we have a script that we use to create users and delete users. One of the things the scripts do is put the user account info and a creation/deletion timestamp. Or you could switch to something like openLDAP which may store that info.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Reply
Court Campbell
Honored Contributor

‎02-15-2008 08:12 AM

‎02-15-2008 08:12 AM

Re: How can you tell when a Unix account was created?

Torsten,

That was awesome.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
0 Kudos
Reply
TTr
Honored Contributor

‎02-15-2008 09:00 AM

‎02-15-2008 09:00 AM

Re: How can you tell when a Unix account was created?

The last two places I worked we used scripts, similar to what everybody else mentioned, to create and delete users. The scripts put detailed entries in logs for user accounting. The /etc/password file is a simple text file and not a database table with lots of information in it.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.