Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
is there a user creation date
- Thread starter Birbone
- Start date
Annihilannic
MIS
Not as a general rule, unless you have additional auditing or your OS (which one, by the way?) logs user creation in the system logs, and even then the data may only be retained for a relatively short period.
You may be able to do some detective work by examining the oldest files in the users' home directories, but that would be tedious, fiddly, inaccurate and not very useful for an audit.
Annihilannic.
You may be able to do some detective work by examining the oldest files in the users' home directories, but that would be tedious, fiddly, inaccurate and not very useful for an audit.
Annihilannic.
Are you just looking for accounts that are no longer in use, expired, passwd age, etc? I have to do similar SOX auditing, though, all the info I need is generally in the /etc/shadow and /etc/passwd files. Account age doesn't happen to be one of the things I look for, though. Password age may give you what you want, though.
- Thread starter
- #4
I'm runnning on AIX systems but have also received a call from an HP-UX admin being asked for the same SOX requested item.
We're good to go on the security audit side of this, but their listing this as a change management control failure because we can not provide an auditable "create" date on a user account to prove it wasn't done prior to receiving the approval.
It's not too big of a deal because we have a valid response since that functionality is not part of the UNIX OS. They just don't like that answer even though it is coming from multiple sources.
-B
We're good to go on the security audit side of this, but their listing this as a change management control failure because we can not provide an auditable "create" date on a user account to prove it wasn't done prior to receiving the approval.
It's not too big of a deal because we have a valid response since that functionality is not part of the UNIX OS. They just don't like that answer even though it is coming from multiple sources.
-B
It may not be enabled by default, but the Audit subsystem can track user_create information.
If you're not interested in using Audit, you can update /usr/lib/security/mkuser.sys with your own logging.
Here's an example entry in /usr/lib/security/mkuser.sys:
echo $(date)" "$(logname)" "$2" "$1 >> /path/to/log/mk_user.log
This places the date, the account name that created the new account, the new account name, and the home directory of the new account into a file named mk_user.log
This only works if the mkuser command is invoked from CLI or smit; it does not work if /etc/passwd is manually edited.
hope this helps.
If you're not interested in using Audit, you can update /usr/lib/security/mkuser.sys with your own logging.
Here's an example entry in /usr/lib/security/mkuser.sys:
echo $(date)" "$(logname)" "$2" "$1 >> /path/to/log/mk_user.log
This places the date, the account name that created the new account, the new account name, and the home directory of the new account into a file named mk_user.log
This only works if the mkuser command is invoked from CLI or smit; it does not work if /etc/passwd is manually edited.
hope this helps.
Hi,
I am going through a similar Sox audit ..but my environment is running hp-ux 11 ..is there anything similar for me to findout the user creation date for a given month ...need to compile all user create eg. Nov 1-30.
Thank you in Advance,
Liz
I am going through a similar Sox audit ..but my environment is running hp-ux 11 ..is there anything similar for me to findout the user creation date for a given month ...need to compile all user create eg. Nov 1-30.
Thank you in Advance,
Liz
Annihilannic
MIS
No, because no such date is stored. Only three dates are stored for each directory or file:
[ul][li]last accessed date, [/li]
[li]last modified date, and [/li]
[li]last change of file status information.[/li][/ul]
Sometimes the latter matches with the creation date, but there are many events which can cause it to be updated.
Annihilannic.
[ul][li]last accessed date, [/li]
[li]last modified date, and [/li]
[li]last change of file status information.[/li][/ul]
Sometimes the latter matches with the creation date, but there are many events which can cause it to be updated.
Annihilannic.
- Status
Similar threads
- Locked
- Question