Operating System - HP-UX

How to find the creation date of a particular user or group

Karthik S S
Honored Contributor

How to find the creation date of a particular user or group

Hi Gurus,

How can I find the date on which a user/group was created/modified? Is there any programmatic way to find this, assuming that auditing is not enabled for the "/etc" directory?

Pl. help.

Thanks,
Karthik S S
For a list of all the ways technology has failed to improve the quality of life, please press three. - Alice Kahn
Karthik S S
Honored Contributor

Re: How to find the creation date of a particular user or group

I am at least expecting a YES/NO reply.

Thanks,
Karthik S S
Solution

Re: How to find the creation date of a particular user or group

Karthik,

I think the answer is probably no, you can't do this. Anyone with root privileges can edit the /etc/passwd and /etc/group files, and there's no easy way of telling what was changed.

You could keep copies of the files somewhere else, and compare them regularly, but that might not give you the granularity you require.

Or if all users/groups are added through SAM, you could examine the contents of /var/sam/log/samlog (IIRC).

HTH

Duncan

I am an HPE Employee
Michael Schulte zur Sur
Honored Contributor

Re: How to find the creation date of a particular user or group

Hi Karthik,

You could do a daily compare with yesterday's file. Make a copy of /etc/passwd and /etc/group and compare them once a day, recording the differences.

greetings,

Michael
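
The daily snapshot-and-compare that Duncan and Michael suggest could look like the sketch below. It is an added example, not code posted by anyone in this thread; the function name, snapshot directory and log format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and names are assumptions.
# Run once a day from root's crontab, for each file to be tracked:
#   record_account_changes /etc/passwd /var/adm/acctsnap /var/adm/acctsnap/changes.log
# Log lines carry only the entry name and the changed field numbers, never
# field values, because /etc/passwd can hold password hashes when the system
# does not keep them in a separate protected database.
record_account_changes() (
    file=$1; snapdir=$2; log=$3
    umask 077                                   # snapshots and log: owner-only
    mkdir -p "$snapdir" || exit 1
    snap="$snapdir/$(basename "$file").prev"
    stamp=$(date '+%Y-%m-%d')
    if [ ! -f "$snap" ]; then                   # first run: nothing to diff yet
        cp -f "$file" "$snap" && echo "$stamp BASELINE $file" >> "$log"
        exit
    fi
    awk -F: -v stamp="$stamp" -v src="$file" '
        FILENAME == ARGV[1] { old[$1] = $0; next }      # previous snapshot
        {
            seen[$1] = 1
            if (!($1 in old)) { print stamp, "ADDED", src, $1; next }
            if (old[$1] == $0) next
            n = split(old[$1], f, ":"); if (NF > n) n = NF
            changed = ""
            for (i = 2; i <= n; i++)
                if (f[i] != $i) changed = changed (changed == "" ? "" : ",") i
            print stamp, "CHANGED", src, $1, "fields=" changed
        }
        END { for (k in old) if (!(k in seen)) print stamp, "REMOVED", src, k }
    ' "$snap" "$file" >> "$log" || exit 1
    cp -f "$file" "$snap"                       # today becomes the new baseline
)
```
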
Bill Hassell
Honored Contributor

Re: How to find the creation date of a particular user or group

There is no guaranteed method. The reason is that a user or group is defined simply by an entry in /etc/passwd or /etc/group. The home directory can be anywhere, even shared with other users. Unix doesn't really know much about users, it's a concept designed for humans to separate tasks and activities. If you always use SAM, the sam logs can be useful but if they get trimmed, the info is lost. About all you can do is look for the oldest file in the home directory, something like:

ll -t /home/ | tail

Groups are named as an entry in /etc/group but there is no other record. In fact, groups are simply numbers associated with a file's inode. If an entry does not exist in /etc/group, files can still be assigned a group number and ll will show that number. So a group is more of a documentation feature. /etc/group also defines multiple group membership but there is no record kept of changes to /etc/group.


Bill Hassell, sysadmin
Karthik S S
Honored Contributor

Re: How to find the creation date of a particular user or group

Thank you Duncan, Michael and Bill ...

I wish Version Control could be enabled by default for important configuration files in Unix .... :-((


Thanks again,

Karthik S S
Bill Hassell
Honored Contributor

Re: How to find the creation date of a particular user or group

Well, the good news is that HP-UX is extremely configurable, and you aren't forced into a single way of doing things. For instance, you can use tools like useradd, userdel and usermod with a script wrapper to invoke rcs (i.e., co and ci) - see man rcsintro. Similarly, vipw could be wrappered and a new command vigrp created so that changes can be tracked. One of the problems with audit and/or version controls is what should be in the list of 'important' files. This means that all sysadmins agree not to use SAM for changing user accounts.


Bill Hassell, sysadmin
Rory R Hammond
Trusted Contributor

Re: How to find the creation date of a particular user or group

If it is really important and is a really recent change, you can recover /etc/group and /etc/passwd to a non-root file system. The day the group change appears, recover sulog, wtmp, syslog, history files, etc. Start with the oldest backup first, and use some algorithm to work forward.

Rory
There are a 100 ways to do things and 97 of them are right