Is there a way to find when a user is added in Linux host?

Is there a way/command/script to find when a user is added in a Linux host?

Check the time stamp of his home dir. That should show you the date and time created.

The timestamp of the home-directory will only show the last modification of the directory, which is altered when an object within it (file, sub-directory, pipe etc.) is created/deleted/renamed etc., so just using ls -l ~someuser/ is unreliable.

Going forward, you could intercept the executable /usr/bin/useradd with your own script that writes to either a log file or the syslog. Looking for something that has already happened, you might get lucky if the operative used sudo and that will have been written to the syslog. Of course, it depends how long you keep your syslog.

We have intercepted the call to write logs and we also have a monthly reconciliation of new accounts against requests, so that narrows it down.

Unfortunately, being paranoid after an event does not mean that you can necessarily find the original action.

I hope that this helps,
Robin
Liverpool/Blackburn
UK

Robin,

Thanks for sharing this useful piece of information. Would it be possible for you to share a snippet of code to intercept the executable in system logs?

Regards,

Jai

I renamed the executables for useradd, usermod, userdel, passwd, etc. to have suffix .supplied. I then created a script /usr/bin/audit_logger with the below:-

#!/bin/ksh
# This interceptor script simply logs usage to syslog and the return code
#
# The original command is then passed through to the saved version
# ($0 is the hard-linked name, e.g. /usr/bin/useradd, so the saved copy
# is /usr/bin/useradd.supplied)

# Login user and tty of the person at the keyboard (still the original login
# after su/sudo). In ksh the last stage of a pipeline runs in the current
# shell, so "read" sets these variables here.
who am i | read userid PTS rest

# Record the start of the command, both to syslog and to the local audit file
/usr/bin/logger "on $PTS as `id -un` running \"$0 $*\""
echo "`date` : $userid as `id -un` running \"$0 $*\"" >> /sec/auditlog

# Run the real command with the original arguments and keep its exit status
"$0.supplied" "$@"
RC=$?

# Record completion and the return code, then pass the status back unchanged
/usr/bin/logger "on $PTS as `id -un` finished \"$0 $*\" RC=$RC"
echo "`date` : $userid as `id -un` finished \"$0 $*\" RC=$RC" >> /sec/auditlog
exit $RC

When hard-linked to replace the original names, this writes messages to the syslog and off to the remote syslog collector because we have an entry in /etc/syslog.conf (or /etc/rsyslog.conf):

*.debug           @aaa.bbb.ccc.ddd               # Sends all debug to syslog collector at IP address

I hope that this is useful. It's not too clever, and you will need to check that it is kept in place. It writes to the syslog with the logger command, but because this can be lost when it gets to your normal limits, we have a permanent log file locally too in /sec/auditlog.

As we have recently outsourced our user admin, this is invaluable to tracing what they are doing and why and can be audited to trace back to authorised requests. It's not our preference, but dictated by our parent company, yet we still retain the legal responsibility for the servers and the protection of the sensitive personal and financial data they contain.

The security admin staff are trapped in simple menus to keep them away from the command line.

We have this on AIX, HP-UX & RHEL. If you don't have ksh I'm sure that the conversion to bash will be pretty simple.

Robin
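Robin mentions that converting the ksh interceptor to bash is simple; the port below is an added example (not Robin's script or the thread's own code) that keeps his conventions as assumptions: originals renamed with a .supplied suffix, a local audit file at /sec/auditlog, and the wrapper hard-linked over useradd/usermod/userdel/passwd. The one real difference is how the login user is captured, since bash runs the last stage of a pipeline in a subshell.

```shell
#!/bin/bash
# Bash port of the ksh interceptor posted in this thread (added example, not
# Robin's script). Assumed conventions: originals renamed with a .supplied
# suffix, local audit file /sec/auditlog, and this script hard-linked over the
# names listed in the case statement at the bottom.
AUDITLOG=${AUDITLOG:-/sec/auditlog}
# Login user and tty of the person at the keyboard ("who am i" still names the
# original login after su/sudo). ksh's "who am i | read userid PTS rest" works
# because the read runs in the current shell; in bash/sh it runs in a subshell,
# so split the output into positional parameters instead.
login_identity() {
    set -- $(who am i 2>/dev/null)
    printf '%s %s\n' "${1:-unknown}" "${2:-notty}"
}

# Pure formatter so the record layout can be checked on its own.
# $1 stamp, $2 login user, $3 tty, $4 effective user, $5 phase, $6 rc (empty
# when the command is starting), remaining args: the command and its arguments.
audit_record() {
    local stamp=$1 userid=$2 pts=$3 euser=$4 phase=$5 rc=$6
    shift 6
    local line="$stamp : $userid on $pts as $euser $phase \"$*\""
    if [ -n "$rc" ]; then line="$line RC=$rc"; fi
    printf '%s\n' "$line"
}
# Each record goes to syslog (and on to the remote collector via syslog.conf)
# and to the local file, which survives syslog rotation; "|| :" keeps a syslog
# failure from blocking the admin command.
emit() {
    if command -v logger >/dev/null 2>&1; then logger -t audit_logger "$1" || :; fi
    printf '%s\n' "$1" >> "$AUDITLOG"
}

# $1 is the path we were invoked as; the saved original is "$1.supplied".
# Log start and finish, then hand back the original's exit status unchanged.
intercept() {
    local wrapper=$1 ident userid pts euser rc
    shift
    ident=$(login_identity)
    userid=${ident%% *}
    pts=${ident#* }
    euser=$(id -un)
    emit "$(audit_record "$(date)" "$userid" "$pts" "$euser" running "" "$wrapper" "$@")"
    "$wrapper.supplied" "$@"
    rc=$?
    emit "$(audit_record "$(date)" "$userid" "$pts" "$euser" finished "$rc" "$wrapper" "$@")"
    return "$rc"
}
# Act as a wrapper only when hard-linked under one of the intercepted names.
case $0 in
    *useradd|*usermod|*userdel|*passwd) intercept "$0" "$@"; exit $? ;;
esac
```

Install it as /usr/bin/audit_logger, then hard-link that file over each intercepted name after moving the original to name.supplied; as Robin notes, something still has to check periodically that the links are still in place.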