Solved

AIX account creation date

Posted on 2004-10-14
5
2,425 Views
Last Modified: 2013-11-17
Hi All,

What command would i use to find out when an account was created on a AIX box... thanks in advance.
0
Comment
Question by:mrorange
5 Comments
 
LVL 20

Expert Comment

by:tfewster
Comment Utility
AFAIK, there is no definitive way - Tho' the order in /etc/passwd may give you a clue. Or check smitty logs, if you have a _long_ history...

But if you `cd` to the users home directory and do `ls -lrt`, it will show you the earliest modified file in that directory; Chances are that that is the .profile (and maybe also a .cshrc) that was created when the userid was created. If both types of startuop file are there, I'll bet the one they don't use has nevert been modified

What's the problem? Are you trying to track a hacker, or just find out who created the user?
0
 
LVL 1

Author Comment

by:mrorange
Comment Utility
Hi tfewster im, looking for some auditable records for certain user accounts.....  

In Linux I would have done a lsome thing like:-
ls -l --time=ctime --time-style=full-iso
on the users home directory...

I was hoping AIX would have some sort of similar command... Guess I may have to try different methods to get an idea of when the account was created....
0
 
LVL 20

Expert Comment

by:tfewster
Comment Utility
That seems to be equivalent to ls -lc;  However, both show the last modification time of the _inode_ (rather than the _contents_ of the file [in the case of a directory, the contents are the entries in the directory]) and it is unreliable; A chmod on the directory will modify the inode, as will a number of other operations.  (See http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/files/aixfiles/inode.h.htm  for the struture of a inode)

Maybe one of the AIX gurus can suggest another approach, from the auditing angle...
0
 
LVL 2

Expert Comment

by:warba
Comment Utility
I believe if you have auditing enabled, then you make reference to one of the auditable events described in /etc/security/audit/events.
In your case I think you are interested in:
*       mkuser
        USER_Create = printf "%s %s"

This gets added to a group set in /etc/security/audit/config and then auditing (if enabled) picks this up and can report on these events.

You can tell if you system is running auditing by executing
/usr/sbin/audit  query

If auditing is not currently enabled, then the best you can do is to turn it on now and you will have the information for the future, but anything that has happened in the past is not available.

Hope that explains it for you,
Warren.
0
 
LVL 61

Accepted Solution

by:
gheist earned 50 total points
Comment Utility
In default configuration AIX do not require changing passwords, so /etc/security/user file contains all account creaation times in epoch format
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now