Local Account Creation Date


Solution 1

Account creation may be logged. Under Linux (if using the common shadow utility suite), useradd makes a log entry under the facility auth.info. This log is typically located in /var/log/secure or /var/log/auth.log (it depends on the distribution).

You can check your backups of /etc/passwd and see which is the youngest backup that doesn't have this account. I use and recommend etckeeper to keep track of changes in /etc, so git annotate /etc/passwd would give me the answer. (Actually git annotate would tell me the last time a user's entry was changed; a bit more digging whose automation is out of scope of this answer would tell me when the entry was added.)

If you lack audit logs, backups and revision history, you'll have to resort to heuristics. A good clue is the file whose inode change time (ctime) is the oldest. This heuristic can lie both ways: if a directory is moved into the user's home, it may contain files with an old ctime (but for them to be older than the user, their uid would have to not be that of the user, as a change of uid involves updating the ctime, so you can skip those files that are not owned by the user); conversely, some events can change a file's ctime (e.g. if the whole system was restored from a backup). You can start from the user's home directory (ls -Alctr ~bob | sed -n 2p), which might contain files from /etc/skel that the user has never modified (.bash_logout is a common one), and see if there are older files with find ~bob ! -cnewer ~bob/.bash_logout -user bob. With zsh, run ls -ld ~bob/**/*(Doc[1]u:bob:).
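The two checks from Solution 1 (the useradd log record and the oldest-ctime heuristic) as a small script. This is an added example, not part of the original answer. It assumes shadow-utils style "new user: name=..." log records, a stat that supports -c (GNU coreutils or BusyBox) and getent; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answer). Assumes shadow-utils "new user: name=..."
# log records and a stat(1) that supports -c (GNU coreutils or BusyBox).

# useradd_log_entries USER LOGFILE...
# Print useradd's "new user" record(s) for USER from plain or gzip-rotated
# logs. Classic syslog timestamps carry no year; infer it from the file's age.
useradd_log_entries() {
    user=$1; shift
    for log in "$@"; do
        [ -r "$log" ] || continue          # unmatched glob or unreadable file
        case $log in
            *.gz) gzip -dc -- "$log" ;;
            *)    cat -- "$log" ;;
        esac
    done | grep 'useradd' | grep -F -- ": new user: name=${user},"
    # The fixed string ends in a comma so "bob" does not match "bobby".
}

# oldest_owned_ctime DIR OWNER
# Print "<ctime epoch> <ctime> <path>" for the entry under DIR that is owned
# by OWNER (name or numeric uid) and has the oldest inode change time.
# Entries owned by anyone else are skipped, as the answer suggests.
# Paths containing newlines are not handled.
oldest_owned_ctime() {
    find "$1" -xdev -user "$2" -exec stat -c '%Z %z %n' {} + 2>/dev/null |
        sort -n | head -n 1
}

# Stand-alone use: sh script.sh USERNAME (hypothetical invocation; run as root)
if [ "$#" -eq 1 ]; then
    home=$(getent passwd "$1" | cut -d: -f6)
    echo "useradd log records:"
    useradd_log_entries "$1" /var/log/auth.log* /var/log/secure* ||
        echo "  none found (rotated away or never logged)"
    if [ -n "$home" ]; then
        echo "oldest ctime on an entry owned by $1 under $home:"
        oldest_owned_ctime "$home" "$1"
    fi
fi
```

A log record is direct evidence of creation; the ctime result is only an upper bound on the account's age and is reset by events such as a full restore from backup.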

Solution 2

If it was created and has not been touched since the user's creation, you can use the .bash_logout file to determine the date. As root, run:

ls -l /home/<username>/.bash_logout

Or, if the user has a home directory, you can check that directory's last modification date:

ls -ld /home/username/

To get only the date, you can use awk:

ls -ld /home/username/ | awk '{ print $6,$7,$8 }'


Solution 3

For local users, you could look at their home directory birth time for those systems and file systems that record it (Linux, most BSDs, macOS at least). How to do that varies with the system.

For users in LDAP directories, you can look at the createTimestamp (or possibly whenCreated) attributes of their corresponding LDAP entry:

ldapsearch -LLL -x -H ldaps://ldap.example.com -s sub \
  -b dc=example,dc=com 'uid=username' createTimestamp whenCreated

Solution 4

$ chage -l fred

Checks password change date.


Renganathan Selvaraju
Author by

Renganathan Selvaraju

Yet Another Regular Contributor.

Updated on September 18, 2022

Comments

  • Renganathan Selvaraju
    Renganathan Selvaraju over 1 year

    For compliance purposes there is the need to fetch information regarding local (user and non-user) accounts creation date on UNIX machines.

    Is there any way (even if it's not the most reliable or accurate method) for collecting that kind of information?

    For instance, as an alternative, I went searching for home directory creation date (for user accounts), but I discovered that for POSIX-compliant systems timestamps for file creation are not available.

    • Admin
      Admin almost 10 years
      As a crude approximation, I think your best bet is to do some forensic digging in /var/log/auth.log (you may need to look in the rotated logs as well: /var/log/auth.log.1, /var/log/auth.log.2.gz,...). This will give you a clue as to the first date the user account authenticated. This will not work for system users, though, and will also fail if the accounts were created a longer time ago than your syslog's log rotation period.
    • Admin
      Admin almost 10 years
      This specific information is not stored anywhere by default, but you can try checking the modification date of /home/user.
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' over 9 years
    ls -ld /home/username/ gives the home directory's modification time, which is not likely to be useful given that this time is updated whenever a file is added or removed in the home directory.
  • user1182474
    user1182474 over 5 years
    +1: Compared to the other answers, with the exception of the audit logs (which don't have to be available) and LDAP (which does not refer to a local account), we don't have any reliable methods to determine the creation dates, just a bunch of attributes to look at to get some idea. This is one of them and on my system it actually turned out to be the most accurate (people simply didn't change passwords), although only with the precision of days.