Local Account Creation Date
Solution 1
Account creation may be logged. Under Linux (if using the common shadow utility suite), useradd
makes a log entry under the facility auth.info
. This log is typically located in /var/log/secure
or /var/log/auth.log
(it depends on the distribution).
You can check your backups of /etc/passwd
and see which is the youngest backup that doesn't have this account. I use and recommend etckeeper to keep track of changes in /etc
, so git annotate /etc/passwd
would give me the answer. (Actually git annotate
would tell me the last time a user's entry was changed; a bit more digging whose automation is out of scope of this answer would tell me when the entry was added.)
If you lack audit logs, backups and revision history, you'll have to resort to heuristics. A good clue is the file whose inode change time (ctime) is the oldest. This heuristic can lie both ways: if a directory is moved into the user's home, it may contain files with an old ctime (but for them to be older than the user, their uid would have not to be that of the user as a change of uid involves updating the ctime, so you can skip those files that are not owned by the user); conversely, some events can change a file's ctime (e.g. if the whole system was restored from a backup). You can start from the user's home directory (ls -Alctr ~bob
| sed -n 2p), which might contain files from /etc/skel
that the user has never modified (.bash_logout
is a common one), and see if there are older files with find ~bob ! -cnewer ~bob/.bash_logout -user bob
. With zsh, run ls -ld ~bob/**/*(Doc[1]u:bob:)
.
Solution 2
If created and not touched since the user creation you can use the .bash_logout
file to determine the date.
As root run:
ls -l /home/<username>/.bash_logout
OR, If the user has a home directory, you can check that directory's last modification date:
ls -ld /home/username/
to get only the date you can use awk
:
ls -ld /home/username/ | awk '{ print $6,$7,$8 }'
Solution 3
For local users, you could look at their home directory birth time for those systems and file systems that record it (Linux, most BSDs, macOS at least). How to do that varies with the system.
For users in LDAP directories, you can look at the createTimestamp
(or possibly whenCreated
) attributes of their corresponding LDAP entry:
ldapsearch -LLL -x -H ldaps://ldap.example.com -s sub \
-b dc=example,dc=com 'uid=username' createTimestamp whenCreated
Solution 4
$ chage -l fred
Checks password change date.
Related videos on Youtube
Comments
-
Renganathan Selvaraju over 1 year
For compliance purposes there is the need to fetch information regarding local (user and non-user) accounts creation date on UNIX machines.
Is there any way (even if it's not the most reliable or accurate method) for collecting that kind of information?
For instance, as an alternative, I went searching for
home
directory creation date (for user accounts), but I discovered that for POSIX-compliant systems timestamps for file creation are not available.-
Admin almost 10 yearsAs a crude approximation, I think your best bet is to do some forensic digging in
/var/log/auth.log
(you may need to look in the rotated logs as well:/var/log/auth.log.1
,/var/log/auth.log.2.gz
,...). This will give you a clue as to the first date the user account authenticated. This will not work for system users, though, and will also fail if the accounts were created a longer time ago than yoursyslog
's log rotation period. -
Admin almost 10 yearsthis specific information is not stored anywhere by default. but you can try checking modification date of
/home/user
-
-
Gilles 'SO- stop being evil' over 9 years
ls -ld /home/username/
gives the home directory's modification time, which is not likely to be useful given that this time is updated whenever a file is added or removed in the home directoy. -
user1182474 over 5 years+1: Compared to the other answers, with exception of the audit logs (that doesn't have to be available) and LDAP (that does not refer to a local account), we don't have any reliable methods to determine the creation dates, just a bunch of attributes to look at to get some idea. This is one of them and on my system it actually turned out to be the most accurate (people simply didn't change passwords), although only with the precision of days.