Is there a way I can check the date that a Linux group was created and/or modified? It would be even better if I could pull the last user to modify the group.
Assuming we're talking local files here (not LDAP) and no additional auditing software, you're pretty much limited to the metadata of /etc/group; you can see when the file was last modified, but not by whom or which group(s) were affected.
Just look in /var/log/secure; I created and modified a group as an example. Please note that the command may not relate to the last session opened, so it could be difficult to tell who actually did it:
Aug 30 20:38:09 aladdin su: pam_unix(su-l:session): session opened for user root by james(uid=0)
And yes, my machine is called aladdin - what of it?
Aug 30 20:38:15 aladdin groupadd[2442]: group added to /etc/group: name=test, GID=501
Aug 30 20:38:15 aladdin groupadd[2442]: group added to /etc/gshadow: name=test
Aug 30 20:38:15 aladdin groupadd[2442]: new group: name=test, GID=501
Aug 30 20:39:03 aladdin groupmod[2450]: group changed in /etc/group (group test/501, new gid: 502)
Aug 30 20:39:03 aladdin groupmod[2450]: group changed in /etc/passwd (group test/501, new gid: 502)
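The log review described in the answer above, as an added example that is not part of the original answers: it collapses the multi-line groupadd/groupmod entries by PID and attaches the user from the most recent root session opening as a candidate only. The function name and record fields are assumptions made for illustration; the sample lines are the ones quoted above.

```python
import re

# Log excerpt quoted in the answer above (classic syslog format, no year).
SAMPLE = """\
Aug 30 20:38:09 aladdin su: pam_unix(su-l:session): session opened for user root by james(uid=0)
Aug 30 20:38:15 aladdin groupadd[2442]: group added to /etc/group: name=test, GID=501
Aug 30 20:38:15 aladdin groupadd[2442]: group added to /etc/gshadow: name=test
Aug 30 20:38:15 aladdin groupadd[2442]: new group: name=test, GID=501
Aug 30 20:39:03 aladdin groupmod[2450]: group changed in /etc/group (group test/501, new gid: 502)
Aug 30 20:39:03 aladdin groupmod[2450]: group changed in /etc/passwd (group test/501, new gid: 502)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) ([\w.-]+)(?:\[(\d+)\])?: (.*)$")
SESSION = re.compile(r"session opened for user root by (\S+?)\(uid=\d+\)")
GROUP = re.compile(r"name=([^,\s]+)|\(group ([^/\s]+)/")
TOOLS = {"groupadd", "groupmod", "groupdel"}


def group_events(text):
    """One record per groupadd/groupmod/groupdel invocation found in the log.

    'candidate' is the user from the latest root session opening before the
    event: a hint only, since the command may come from another session.
    """
    events, seen, candidate = [], {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, host, prog, pid, msg = m.groups()
        s = SESSION.search(msg)
        if s:
            candidate = s.group(1)
        elif prog in TOOLS:
            key = (host, prog, pid)
            if key not in seen:  # several lines per invocation: collapse on PID
                g = GROUP.search(msg)
                seen[key] = {"when": when, "tool": prog, "pid": pid,
                             "group": (g.group(1) or g.group(2)) if g else None,
                             "candidate": candidate, "details": []}
                events.append(seen[key])
            seen[key]["details"].append(msg)
    return events


if __name__ == "__main__":
    for e in group_events(SAMPLE):
        print(e["when"], e["tool"], e["group"], "candidate:", e["candidate"])
```

PIDs can repeat across a long log, so add the timestamp to the key when scanning more than a short window or several rotated files.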
You can see the last commands using lastcomm; for that you must have acct enabled, by adding the following to your init script:
To create the accounting record file:
One thing I can recommend you to do is to alter both your groupadd and groupdel: move them somewhere else and create 2 bash scripts that will store the user that summoned it, the time and the command, and after that call the actual scripts to create the groups or delete them.
A small sample:
mv /usr/sbin/groupadd /usr/sbin/new_groupadd
Now create a new /usr/sbin/groupadd with the following content (don't forget to chmod it after you're done):
Create the record file:
As well pointed out by James Lawrie, look in /var/log/secure and all its rotated files (if the entry is too old already) to find out when it was last changed, but it will not list it if you give users other than root access to add groups.