2

I would like to understand how I could pull out a list of users that have been added with certain privileges to a Unix system over a certain period of time.

Now, I understand one way to go about it would be to check for the creation of home directories of the specific users, but I understand users could be created with specific, already existing directories as their home directory, in which case we may not be able to pull the exact time of creation of the users on the system.

drs
tulasi

1 Answer

1

You can use awk to filter out new users from /var/log/secure as follows:

awk '/new\ user/ {gsub(/,|name=/,"",$8); print $1, $2, $3, $8}' /var/log/secure

Note: Debian systems (I believe) use /var/log/auth.log instead.

garethTheRed
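An added example, not part of the answer above: it extends the same awk approach to the question's two constraints, a time window and "certain privileges". It assumes the shadow-utils useradd syslog layout shown in the constructed sample, a log that covers a single calendar year (traditional syslog timestamps carry no year), and that "privileged" means UID 0, GID 0, or membership in a listed group. The function names and the group list are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines in the useradd syslog layout (assumed format;
# some versions append extra fields after shell=).
sample_log() {
cat <<'EOF'
Jan  3 09:15:02 host1 useradd[1201]: new user: name=alice, UID=1001, GID=1001, home=/home/alice, shell=/bin/bash
Feb 11 22:40:17 host1 useradd[2310]: new user: name=svcbackup, UID=0, GID=0, home=/root, shell=/bin/bash
Feb 14 10:02:44 host1 useradd[2388]: new user: name=bob, UID=1002, GID=1002, home=/home/bob, shell=/bin/bash
Feb 14 10:02:44 host1 useradd[2388]: add 'bob' to group 'wheel'
Mar  1 08:00:00 host1 useradd[3001]: new user: name=carol, UID=1003, GID=1003, home=/srv/shared, shell=/bin/bash
EOF
}

# new_privileged_users FROM TO [GROUPS]   (log on stdin)
# FROM/TO are MMDD, inclusive; GROUPS is a |-separated list of group names.
new_privileged_users() {
    awk -v lo="$1" -v hi="$2" -v grps="${3:-wheel|sudo|adm}" -v q="'" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    { key = mon[$1] * 100 + $2 }            # "Feb 14" becomes 214
    key < lo + 0 || key > hi + 0 { next }   # outside the requested window
    $6 == "new" && $7 == "user:" {
        split("", kv)                       # reset key=value map for this line
        for (i = 8; i <= NF; i++) {
            f = $i; sub(/,$/, "", f); eq = index(f, "=")
            if (eq) kv[substr(f, 1, eq - 1)] = substr(f, eq + 1)
        }
        name = kv["name"]; order[++n] = name
        when[name] = $1 " " $2 " " $3
        if (kv["UID"] == "0") why[name] = why[name] " uid=0"
        if (kv["GID"] == "0") why[name] = why[name] " gid=0"
    }
    $6 == "add" && $8 == "to" && $9 == "group" {
        u = $7; g = $10; gsub(q, "", u); gsub(q, "", g)
        if (g ~ ("^(" grps ")$")) why[u] = why[u] " group=" g
    }
    END { for (i = 1; i <= n; i++)          # only accounts created in window
              if (why[order[i]] != "") print when[order[i]], order[i] why[order[i]] }'
}

# Accounts created in February that match one of the privilege criteria.
sample_log | new_privileged_users 0201 0228
```

On a real host, feed it the log instead of the sample, for example `new_privileged_users 0201 0228 < /var/log/secure`, and include rotated logs if the window predates the current file.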