Solved

AIX account creation date

Posted on 2004-10-14
5
2,466 Views
Last Modified: 2013-11-17
Hi All,

What command would i use to find out when an account was created on a AIX box... thanks in advance.
0
Comment
Question by:mrorange
5 Comments
 
LVL 21

Expert Comment

by:tfewster
ID: 12309806
AFAIK, there is no definitive way - Tho' the order in /etc/passwd may give you a clue. Or check smitty logs, if you have a _long_ history...

But if you `cd` to the users home directory and do `ls -lrt`, it will show you the earliest modified file in that directory; Chances are that that is the .profile (and maybe also a .cshrc) that was created when the userid was created. If both types of startuop file are there, I'll bet the one they don't use has nevert been modified

What's the problem? Are you trying to track a hacker, or just find out who created the user?
0
 
LVL 1

Author Comment

by:mrorange
ID: 12309939
Hi tfewster im, looking for some auditable records for certain user accounts.....  

In Linux I would have done a lsome thing like:-
ls -l --time=ctime --time-style=full-iso
on the users home directory...

I was hoping AIX would have some sort of similar command... Guess I may have to try different methods to get an idea of when the account was created....
0
 
LVL 21

Expert Comment

by:tfewster
ID: 12310866
That seems to be equivalent to ls -lc;  However, both show the last modification time of the _inode_ (rather than the _contents_ of the file [in the case of a directory, the contents are the entries in the directory]) and it is unreliable; A chmod on the directory will modify the inode, as will a number of other operations.  (See http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/files/aixfiles/inode.h.htm  for the struture of a inode)

Maybe one of the AIX gurus can suggest another approach, from the auditing angle...
0
 
LVL 2

Expert Comment

by:warba
ID: 12313855
I believe if you have auditing enabled, then you make reference to one of the auditable events described in /etc/security/audit/events.
In your case I think you are interested in:
*       mkuser
        USER_Create = printf "%s %s"

This gets added to a group set in /etc/security/audit/config and then auditing (if enabled) picks this up and can report on these events.

You can tell if you system is running auditing by executing
/usr/sbin/audit  query

If auditing is not currently enabled, then the best you can do is to turn it on now and you will have the information for the future, but anything that has happened in the past is not available.

Hope that explains it for you,
Warren.
0
 
LVL 62

Accepted Solution

by:
gheist earned 50 total points
ID: 12318387
In default configuration AIX do not require changing passwords, so /etc/security/user file contains all account creaation times in epoch format
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
FTP on FreeBSD server 2 154
Control Number of Log Files -Perl 7 96
centos commands 6 94
Authenticate using sesu from script 7 118
A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question