I recently found some extra accounts on our teaching server at this point in the year which should not be there anymore (or should never have been there in the first place). User accounts on this server change every 1/3 of a year, and 20-80 user accounts are deleted and created at each changeover.
Is there an easy way to find out who made a specific account? Or at least a date?
If not, which log file is user creation typically sent to?
of course, that assumes there is only one individual with the root
password and all other “administrators” are granted permissions via
sudo, done exactly that way so that it is possible to track who does
what, as administrator…
that is, if several individuals have the root password then any of them
could sit down at any terminal and log in as root, and there would be no record of which root password holder it might have been…unless
the organization controls physical access…and, there is a log of who
is granted physical access to each terminal…in that case it is
possible to learn who logged into any terminal as root or as a user…
on the other hand, if there are several individuals with the root
password, and if the one adding the new user logged in with their user
account first, and then used su to become root, then you could see in
/var/log/messages who had done that prior to the accounts being added, like:
[DATE/TIME etc] su: (to root) [userID] on /dev/pts/x
and the following log entry like
[DATE/TIME etc] shadow[numbers]: new account added - etc etc
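The correlation described above, as an added example that is not part of the original post: a small shell function that walks a syslog-style file such as /var/log/messages and, for each account-creation line, reports the most recent preceding privilege escalation on that host. It goes slightly beyond the post by treating a sudo command line the same way as an su-to-root line, since both leave the invoking user in the log. The hostname, user names, PIDs and message shapes in the sample are constructed (older shadow-utils logs "new account added - ...", newer useradd logs "new user: name=..."); real messages vary, so adjust the patterns to what your own log contains.

```shell
#!/bin/sh
# Added example, not from the thread: correlate "new account" entries in a
# syslog-style file (e.g. /var/log/messages) with the most recent preceding
# privilege escalation (su to root, or a sudo command) on the same host.
# Message shapes are assumed from the post above and from common
# shadow-utils/sudo output; adjust the patterns to your own log.

# who_added LOGFILE
#   For every account-creation line, print the line followed by the user and
#   tty of the last su-to-root or sudo entry seen before it. A creation with
#   no such entry (direct root login, cron job, ...) is reported as unknown.
who_added() {
    awk '
        # "su: (to root) alice on /dev/pts/1": user follows "root)", tty follows "on"
        /su: \(to root\)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "root)") last_user = $(i + 1)
                if ($i == "on")    last_tty  = $(i + 1)
            }
            last_via = "su"
            next
        }
        # "sudo: alice : TTY=pts/2 ; PWD=... ; USER=root ; COMMAND=...": user follows "sudo:"
        /sudo:.*COMMAND=/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "sudo:") last_user = $(i + 1)
                if ($i ~ /^TTY=/)  last_tty  = substr($i, 5)
            }
            last_via = "sudo"
            next
        }
        # older shadow-utils: "new account added - ..."; newer: "new user: name=..."
        /new account added|new user:/ {
            if (last_user == "")
                printf "%s | suspect: unknown\n", $0
            else
                printf "%s | suspect: %s (via %s on %s)\n", $0, last_user, last_via, last_tty
        }
    ' "$1"
}

# Constructed sample log (not real data) so the function can be tried offline.
sample_log() {
    cat <<'EOF'
Jul 23 09:58:11 teach su: (to root) alice on /dev/pts/1
Jul 23 10:01:02 teach shadow[4211]: new account added - account=bob, uid=1042, gid=100, home=/home/bob, shell=/bin/bash
Jul 23 11:30:45 teach su: (to root) carol on /dev/pts/3
Jul 23 11:31:09 teach useradd[4388]: new user: name=dave, UID=1043, GID=100, home=/home/dave, shell=/bin/bash
Jul 23 12:05:30 teach sudo:    eve : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m frank
Jul 23 12:05:30 teach useradd[4512]: new user: name=frank, UID=1044, GID=100, home=/home/frank, shell=/bin/bash
EOF
}

# Usage on a real system: who_added /var/log/messages
```

An account added from a direct root login, or by a process that never went through su or sudo, comes out as "suspect: unknown", which is exactly the gap the post describes; and the attribution is only as good as the assumption that the last escalation before the creation line is the one that did it, so treat it as a lead to check against the terminal and physical-access records, not as proof.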
> Is there an easy way to find out who made a specific account? Or at
> least a date?
Check the dates of the home directory of those users. The user data is just a line in
“/etc/passwd”, and the date is not an entry there. The files in the home directory, if any, might
tell you something about them. Knowing that date, you can have a look at the log
(/var/log/messages) around that date.
> If not, which log file is user creation typically sent to?
Activity by “root” is not logged. If you routinely use “sudo”, then that activity is logged.
There are some logs that might register when a user logs in (see lastlog command). Check also
sa, ac…
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
gumbicus wrote:
> Is there an easy way to find out who made a specific account? Or at
> least a date?
> If not, which log file is user creation typically sent to?
If YaST was used then it may be worth checking its logs.
On 2012-07-23 17:36, nrickert wrote:
>
> robin_listas;2475978 Wrote:
>> The user data is just a line in “/etc/passwd”, and date is not an entry
>> there.
>
> The date is in “/etc/shadow” (an encoded date of the last password
> change). See #2 on how to access that date.
You mean “passwd -S ID?” That’s not creation date, it is password change date.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 07/23/2012 08:38 PM, Carlos E. R. wrote:
> You mean “passwd -S ID?” That’s not creation date, it is password change date.
true, the user can reset the date by changing his/her password…
just like the user can change every file in his/her /home to a newer date…
so, afaik, there is no definitive method of learning exactly when a new
user is added…but, there are lots of clues and your look in the
/home is one place and look at passwd -S is another…i knew both places
and should have given both…there may be others, and there may be a
definitive, authoritative spot (that neither the user NOR a person with
administrative permission and up to no good could use to hide her tracks)…
but, i don’t know where that record is kept…
i DO know there are many good reasons to not give the root password to
everyone who can spell root.
On 2012-07-23 22:11, dd@home.dk wrote:
> On 07/23/2012 08:38 PM, Carlos E. R. wrote:
>> You mean “passwd -S ID?” That’s not creation date, it is password change date.
>
> true, the user can reset the date by changing his/her password…
>
> just like the user can change every file in his/her /home to a newer date…
Or the home may be restored from backup and the dates of the directories not kept. It happened to
me. Neither action is intended to hide tracks; they are simply the results of normal actions.
> so, afaik, there is no definitive method of learning exactly when a new user is added…but,
> there are lots of clues and your look in the /home is one place and look at passwd -S is
> another…i knew both places and should have given both…there may be others, and there may be
> a definitive, authoritative spot (that neither the user NOR a person with administrative
> permission and up to no good could use to hide her tracks)…
Yes, that’s the idea, find clues. The earlier date is possibly the real one, if there is some
other collateral.
> i DO know there are many good reasons to not give the root password to everyone who can spell
> root.
Absolutely.
And again, keeping track of root actions does not necessarily mean bad actions.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
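The clue-gathering that the replies above describe (home directory dates in the first of Carlos's answers, the /etc/shadow date behind "passwd -S" in the exchange with nrickert, and "take the earliest clue" in the last two posts), as an added example that is not from any of the posts. It decodes field 3 of /etc/shadow (days since 1970-01-01, the value "passwd -S" prints) into a date, takes the mtime of the home directory, and reports the earliest. It assumes GNU date, stat and awk as on openSUSE, that the shadow file is readable (root), and that the user name and home path are passed as arguments; the shadow line and directory used in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: gather the dating clues the replies
# mention for one account and report the earliest. Assumes GNU date, stat
# and awk (as on openSUSE) and that the shadow file is readable (root).

# shadow_change_date SHADOWFILE USER
#   Field 3 of /etc/shadow is the day count since 1970-01-01 of the last
#   password change, the same value "passwd -S USER" shows. It is reset by
#   every password change, so it is only an upper bound on the creation date.
shadow_change_date() {
    days=$(awk -F: -v u="$2" '$1 == u { print $3 }' "$1")
    [ -n "$days" ] || return 1
    date -u -d "@$((days * 86400))" +%F
}

# home_dir_date HOMEDIR
#   Modification time of the home directory. It moves whenever entries are
#   created or deleted in it (and a restore from backup may not preserve it),
#   so it is a hint, not a record.
home_dir_date() {
    [ -d "$1" ] || return 1
    date -u -d "@$(stat -c %Y "$1")" +%F
}

# earliest_date DATE...   ISO dates sort correctly as plain strings.
earliest_date() {
    printf '%s\n' "$@" | sort | head -n 1
}

# account_clues SHADOWFILE USER HOMEDIR
#   Prints each clue that is available and the earliest of them.
account_clues() {
    s=; h=
    s=$(shadow_change_date "$1" "$2") && echo "shadow last change: $s"
    h=$(home_dir_date "$3")            && echo "home dir mtime:     $h"
    echo "earliest clue:      $(earliest_date $s $h)"
}

# Usage on a real system (as root): account_clues /etc/shadow bob /home/bob
# Then read /var/log/messages around the earliest date, and compare with
# "lastlog -u bob" for the account's first login.
```

Both clues can only move forward in time (a password change, a restore, the user touching files), so the earliest of them is, as Carlos says, the most probable creation date rather than proof; a creation date later than the first login in lastlog, for instance, means one of the clues has been disturbed.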
On 23.07.2012 05:06, gumbicus wrote:
> Is there an easy way to find out who made a specific account? Or at
> least a date?
Your problem is simply that by default a standard Linux distribution has
no tracking of information about user creation enabled in any form.
For that you need either an extra audit tool (no clue which exists) or,
to avoid that problem in the future, you can switch to using LDAP for
that. With LDAP you can query who created which user and when, and with
the many users you describe changing so often it may be worth the trouble
to look into it, learn it and implement it on your systems.
–
PC: oS 12.1 x86_64 | i7-2600@3.40GHz | 16GB | KDE 4.8.4 | GeForce GT 420
ThinkPad E320: oS 12.1 x86_64 | i3@2.30GHz | 8GB | KDE 4.8.4 | HD 3000
eCAFE 800: oS 12.1 i586 | AMD Geode LX 800@500MHz | 512MB | KDE 3.5.10
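An added example of the "extra audit tool" route, not from the post above: the Linux audit subsystem (auditd, in the audit package on openSUSE) can watch the account database files, and every record it writes carries the login uid (auid) that pam_loginuid set when the person logged in, which survives a later su or sudo to root. The rules below are assumed to be placed in /etc/audit/audit.rules; the key name "identity" is a free choice used to search the records together.

```text
# Added example: watch the account database for writes and attribute changes,
# tagged with the key "identity" so the records can be searched together.
-w /etc/passwd  -p wa -k identity
-w /etc/shadow  -p wa -k identity
-w /etc/group   -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Also record every execution of the account-management tools themselves.
-w /usr/sbin/useradd -p x -k identity
-w /usr/sbin/userdel -p x -k identity
-w /usr/sbin/usermod -p x -k identity
```

Load the rules with "auditctl -R /etc/audit/audit.rules" (or restart auditd) and confirm with "auditctl -l". Afterwards "ausearch -k identity -i" lists each matching event with the auid translated to a user name, and "ausearch -k identity -ts 07/23/2012" narrows it to a day. A record whose auid is unset came from something that never went through a login session, such as a cron job or a service started at boot, which is itself a useful clue about how an account appeared.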