Skip to Content

New way to Find User Account Creation date in Linux

By: Author David Cao

Posted on Last updated:

0 Comments

Categories Linux

We can utilize the “auditd” service to check when a user account was created. Let’s introduce auditd service first.

The auditd service in Linux is a robust auditing framework. It is designed to track and record various system events and activities, providing administrators with detailed logs and audit trails for system security, compliance, and troubleshooting purposes.

Auditd captures a wide range of system events, including file system changes, user login/logout activities, process creations and terminations, configuration file modifications, and much more. These events are recorded in audit logs for later analysis.

The audit logs generated by auditd are stored in the /var/log/audit/ directory by default.

Audit service in Linux logs various system activities, including user account creation.

Administrators can define custom audit rules to specify which events and actions should be monitored and logged. This flexibility allows organizations to tailor auditing to their specific security and compliance needs.

While audit logging can introduce some overhead, auditd is designed to minimize its impact on system performance, allowing for effective monitoring without significantly slowing down the system.

Steps to get the user creation time using auditd service

Here’s how you can do it:

1. Enable Auditd (if not already enabled):
Make sure the “auditd” service is running and enabled to log system events. You can start and enable it using the following commands:

sudo systemctl start auditd
sudo systemctl enable auditd

2. Search the Audit Log:
Use the “ausearch” command to search the audit log for events related to user account creation. You can filter the events by looking for the “useradd” or “adduser” command. Replace “username” with the username you want to investigate:

sudo ausearch -m ADD_USER -ts today | grep username

  • -m ADD_USER: Filters for user account creation events.
  • -ts today: Specifies the time range to search for, which you can customize.
  • grep username: Filters the results to show only events related to the specified username.

3. View the Audit Log Entries:

The output will display entries related to the user account creation, including the timestamp. You can view the timestamp in the output.

4. Convert Timestamp to Human-Readable Date (Optional):

To convert the timestamp to a more human-readable date and time, you can use the “date” command with the “-d” option:
date -d @timestamp

Let’s see one example.

sudo ausearch -m ADD_USER -ts today | grep howtouselinux

type=ADD_USER msg=audit(1695694083.179:236791): pid=559897 uid=0 auid=385552 ses=11298 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="howtouselinux" exe="/usr/sbin/useradd" hostname=howtouselinux.com addr=? terminal=pts/0 res=success'UID="root" AUID="unknown(385552)"

Here is the break down.

type=ADD_USER: Indicates the type of audit event. In this case, it’s an event related to adding a user account.

msg=audit(1695694083.179:236791): Contains the timestamp of the event. The number before the colon (1695694083.179) represents the seconds since the Unix epoch, while the number after the colon (236791) is a sequence number for the event.

pid=559897: Represents the Process ID (PID) of the process that generated the event. In this case, it’s 559897.

uid=0: Denotes the User ID (UID) of the user who initiated the action. A UID of 0 typically corresponds to the “root” user, which is the superuser with administrative privileges.

auid=385552: Indicates the Audit User ID (AUID) of the user who initiated the action. It is assigned a numeric value (385552) and is used for auditing purposes.

ses=11298: Represents the Session ID (SES) associated with the event. It helps track the sequence of events within a user session.

subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023: Provides information about the security context of the process that initiated the action. It includes details such as the security label and context of the process.

The command date –date=@timestamp is used to convert a Unix timestamp, which is a numeric representation of a specific date and time, into a human-readable date and time format.

date --date=@1695694083
Tue Sep 26 02:08:03 GMT 2023

This will provide you with the date and time when the user account was created.

Please note that the availability of audit logs and the specific events recorded may vary depending on your Linux distribution and configuration. Additionally, you may need root or sudo privileges to access and search the audit logs.

Exploring more about user creation in auditd log

Here are the logs which are related to user creation.

type=ADD_GROUP msg=audit(1695694083.176:236787): pid=559897 uid=0 auid=385552 ses=11298 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="howtouselinux" exe="/usr/sbin/useradd" hostname=howtouselinux.com addr=? terminal=pts/0 res=success'UID="root" AUID="unknown(385552)"
type=ADD_USER msg=audit(1695694083.179:236791): pid=559897 uid=0 auid=385552 ses=11298 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-user acct="howtouselinux" exe="/usr/sbin/useradd" hostname=howtouselinux.com addr=? terminal=pts/0 res=success'UID="root" AUID="unknown(385552)"
type=PATH msg=audit(1695694083.326:236869): item=0 name="/home/howtouselinux" inode=2097301 dev=fd:06 mode=040000 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
type=PATH msg=audit(1695694083.326:236870): item=0 name="/home/howtouselinux" inode=2097301 dev=fd:06 mode=040000 ouid=50305 ogid=50306 rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="howtouselinux" OGID="howtouselinux"
type=USER_MGMT msg=audit(1695694083.326:236871): pid=559897 uid=0 auid=385552 ses=11298 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-home-dir id=50305 exe="/usr/sbin/useradd" hostname=howtouselinux.com addr=? terminal=pts/0 res=success'UID="root" AUID="unknown(385552)" ID="howtouselinu"
type=PATH msg=audit(1695694083.326:236874): item=0 name=(null) inode=2097302 dev=fd:06 mode=0100600 ouid=50305 ogid=50306 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="howtouselinux" OGID="howtouselinux"
type=PATH msg=audit(1695694083.327:236877): item=0 name=(null) inode=2097303 dev=fd:06 mode=0100600 ouid=50305 ogid=50306 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="howtouselinux" OGID="howtouselinux"
type=PATH msg=audit(1695694083.327:236879): item=0 name=(null) inode=2097304 dev=fd:06 mode=0100600 ouid=50305 ogid=50306 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="howtouselinux" OGID="howtouselinux"
type=PATH msg=audit(1695694083.327:236882): item=0 name=(null) inode=16797847 dev=fd:04 mode=0100000 ouid=50305 ogid=12 rdev=00:00 obj=unconfined_u:object_r:mail_spool_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="howtouselinux" OGID="mail"

The provided code consists of multiple log entries from an audit log file, each recording a different system event or action. Here’s a summary of each log entry:

ADD_GROUP Event:

Type: ADD_GROUP
Timestamp: 1695694083.176
Description: This entry records the addition of a user group with the name “howtouselinux.” The action was performed by the “root” user using the “/usr/sbin/useradd” command. The result of the operation was successful.

ADD_USER Event:

Type: ADD_USER
Timestamp: 1695694083.179
Description: This entry records the addition of a user account with the name “howtouselinux.” Similar to the previous entry, it was initiated by the “root” user using the “/usr/sbin/useradd” command, and the operation was successful.

PATH Event (1st):

Type: PATH
Timestamp: 1695694083.326
Description: This log entry is related to a path event. It pertains to the “/home/howtouselinux” directory, providing details about its inode, permissions, ownership, and more. The owner is “root.”

PATH Event (2nd):

Type: PATH
Timestamp: 1695694083.326
Description: Another path event related to the “/home/howtouselinux” directory. This entry includes information about permissions and ownership, with the owner listed as “howtouselinux.”

USER_MGMT Event:

Type: USER_MGMT
Timestamp: 1695694083.326
Description: This event is associated with user management. It records the addition of a home directory for the user with the ID “50305.” The operation was executed by the “root” user using the “/usr/sbin/useradd” command and was successful.

PATH Events (3rd, 4th, 5th):

Type: PATH
Timestamps: 1695694083.326, 1695694083.327 (multiple entries)
Description: These entries are path events related to various objects, such as files or directories. They provide information about permissions, ownership, and object types. The owner is consistently listed as “howtouselinux.”

Each log entry in this code snippet represents a specific system event, such as user and group management, file system actions, and permission changes. These events are recorded by the Linux audit system for auditing and security monitoring purposes.

By Author David Cao

Posted on Last updated:

Categories Linux