User creation on Linux Redhat

Question

Is there anyway one can determine when a user was created on Linux? I know of a couple of things one can do,but it's an unreliable way of doing it. The first option is checking when the home directory was created,running the command ls -ld /home/user to see the time stamp. Then there is the option of checking the bash_profile or bash_logout : ls -l /home/user/.bash_profile and ls -l /home/.bash_logout. Please assist me with a more reliable way to do this!

Answer 1

Fedora, which is pretty RedHatty, seems to log the use of useradd, even when invoked by root (rather than via sudo, which would of course also leave logs):

[root@anni log]# useradd foo
[root@anni log]# tail /var/log/secure
Sep 13 16:15:15 anni useradd[17621]: new group: name=foo, GID=502
Sep 13 16:15:15 anni useradd[17621]: new user: name=foo, UID=502, GID=502, home=/home/foo, shell=/bin/bash

How long you keep old copies of /var/log/secure is a matter for you and your logrotate config.

Answer 2

AFAIK, by default, Linux doesn't record the creation date.

Answer 3

You could monitor /var/log/secure for useradd entries:

Sep 13 17:11:08 *** useradd[27220]: new group: name=test, GID=515
Sep 13 17:11:08 *** useradd[27220]: new user: name=test, UID=514, GID=515, home=/home/test, shell=/bin/bash

Of course if the user is created in other ways (e.g., by editing /etc/passwd directly) you will be out of luck.

You could always monitor changes in /etc/passwd by storing a copy and at every check compare it with the old copy.

Answer 4

I don't know about the user creation time, but the first user login would be in /var/log/auth.log. Presumably the user logs in immediately after its user is created to setup his/her password. Anything in user's home directory is not reliable, as the user is able to overwrite it.