AIX account creation date

Hi All,

What command would i use to find out when an account was created on a AIX box... thanks in advance.
LVL 1
mrorangeAsked:
Who is Participating?
 
gheistCommented:
In default configuration AIX do not require changing passwords, so /etc/security/user file contains all account creaation times in epoch format
0
 
tfewsterCommented:
AFAIK, there is no definitive way - Tho' the order in /etc/passwd may give you a clue. Or check smitty logs, if you have a _long_ history...

But if you `cd` to the users home directory and do `ls -lrt`, it will show you the earliest modified file in that directory; Chances are that that is the .profile (and maybe also a .cshrc) that was created when the userid was created. If both types of startuop file are there, I'll bet the one they don't use has nevert been modified

What's the problem? Are you trying to track a hacker, or just find out who created the user?
0
 
mrorangeAuthor Commented:
Hi tfewster im, looking for some auditable records for certain user accounts.....  

In Linux I would have done a lsome thing like:-
ls -l --time=ctime --time-style=full-iso
on the users home directory...

I was hoping AIX would have some sort of similar command... Guess I may have to try different methods to get an idea of when the account was created....
0
 
tfewsterCommented:
That seems to be equivalent to ls -lc;  However, both show the last modification time of the _inode_ (rather than the _contents_ of the file [in the case of a directory, the contents are the entries in the directory]) and it is unreliable; A chmod on the directory will modify the inode, as will a number of other operations.  (See http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/files/aixfiles/inode.h.htm  for the struture of a inode)

Maybe one of the AIX gurus can suggest another approach, from the auditing angle...
0
 
warbaCommented:
I believe if you have auditing enabled, then you make reference to one of the auditable events described in /etc/security/audit/events.
In your case I think you are interested in:
*       mkuser
        USER_Create = printf "%s %s"

This gets added to a group set in /etc/security/audit/config and then auditing (if enabled) picks this up and can report on these events.

You can tell if you system is running auditing by executing
/usr/sbin/audit  query

If auditing is not currently enabled, then the best you can do is to turn it on now and you will have the information for the future, but anything that has happened in the past is not available.

Hope that explains it for you,
Warren.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.