Find all deleted users


I'm looking for a way to track down, and create a list of, deleted users. Those responsible for the task typically utilize the User Manager GUI. However, I can't be certain that it has always been used.

What files/databases should be searched to find this information?

Responses

Hi Sean,

What users are you talking about? Red Hat Enterprise Linux users with command-line access? I do not know what User Management GUI you are referring to.

Is this part of the web console also known as Cockpit?

If someone is using the Linux userdel command, you need to log shell commands to track these activities.

I do not use the web console enough to know if it logs the activities.

Regards,

Jan Gerrit

Hi Jan. An example of that GUI can be found here.

If possible, I would like to compile info on any user that was ever deleted from the system.

Hi Sean,

Be aware that some of us do not use RHEL 6.x anymore.

The system-config-* RPMs are almost all removed in RHEL 8.

I would have to find out how the Gnome user manager works, I do not use it myself.

Maybe the fastest way is to open a support case of type information request.

Regards,

Jan Gerrit Kootstra

Thank you, Jan. We opened a case.

You're welcome, Sean.

Would appreciate it if you share the outcome with the community here.

Glad to.

Support was prompt and helpful, and provided the following:

Find deleted users

Whenever a user is created or deleted, an entry is logged in /var/log/secure and /var/log/audit/audit.log.

For example:

adduser test
userdel -r test
grep userdel /var/log/secure

Sep 1 11:12:57 ipa1 userdel[9407]: delete user 'test'
Sep 1 11:12:57 ipa1 userdel[9407]: removed group 'test' owned by 'test'
Sep 1 11:12:57 ipa1 userdel[9407]: removed shadow group 'test' owned by 'test'

grep userdel /var/log/audit/audit.log

type=DEL_GROUP msg=audit(1598973177.060:2681): pid=9407 uid=0 auid=0 ses=346 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-group grp="test" acct="test" exe="/usr/sbin/userdel" hostname=ipa1.example.local addr=? terminal=pts/0 res=success'

type=GRP_MGMT msg=audit(1598973177.060:2682): pid=9407 uid=0 auid=0 ses=346 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=delete-shadow-group grp="test" acct="test" exe="/usr/sbin/userdel" hostname=ipa1.example.local addr=? terminal=pts/0 res=success'

That is right, Sean. If you wish to keep such logs separate, so they are easy to track, you may add this entry to the "/etc/rsyslog.conf" file and then reload the rsyslog daemon:

# RainerScript uses "and" for boolean conjunction; "&" is the action-chaining separator, not an operator
if $programname == 'userdel' and $syslogseverity <= '6' and ($msg startswith "delete user") then /var/log/userdel.log

So, whenever a user gets removed the corresponding message gets logged in "/var/log/userdel.log" file as shown below:

[root@test ~]# useradd test123
[root@test ~]# echo 123|passwd --stdin test123
Changing password for user test123.
passwd: all authentication tokens updated successfully.
[root@test ~]# userdel test123
[root@test ~]# tail -1 /var/log/userdel.log
Aug 22 02:46:54 test userdel[4909]: delete user 'test123'

I hope this helps, in addition to what Jan and the support team have told you before.
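As an added example that is not part of the thread or of the support answer, the following POSIX shell script pulls the deleted-user names out of both sources support named: a syslog-format log (/var/log/secure, or the /var/log/userdel.log the rsyslog rule above writes) and /var/log/audit/audit.log, where the DEL_GROUP records already quoted in the thread carry the account in acct="...". The log lines it parses are constructed samples modelled on the thread's output; it assumes only awk and sort.

```shell
#!/bin/sh
# Added example, not from the thread or Red Hat support. Lists users deleted
# with userdel from the two sources support named. The sample log lines
# below are constructed (modelled on the thread); point the functions at
# the real files as root.

# Syslog-format source: /var/log/secure, or /var/log/userdel.log from the
# rsyslog rule. Prints "Mon D HH:MM:SS user" for each "delete user" line.
deleted_from_syslog() {
    awk -v q="'" '
        /userdel\[[0-9]+\]: delete user / {
            u = $0
            sub(".*delete user " q, "", u)   # drop text up to the opening quote
            sub(q ".*", "", u)               # drop the closing quote and the rest
            print $1, $2, $3, u
        }' "$1"
}
# Audit source: the records userdel writes (see the DEL_GROUP ones in the
# thread) carry exe="/usr/sbin/userdel" and the account in acct="...".
# Prints "EPOCH user", deduplicated, since one userdel run emits several records.
deleted_from_audit() {
    awk -v q='"' '
        /exe="\/usr\/sbin\/userdel"/ && /acct="/ {
            ts = $0
            sub(/.*msg=audit\(/, "", ts)   # -> 1598973177.060:2681): pid=...
            sub(/\..*/, "", ts)            # keep the integer epoch seconds
            u = $0
            sub(".*acct=" q, "", u)
            sub(q ".*", "", u)
            print ts, u
        }' "$1" | sort -u
}

SECURE_SAMPLE=$(mktemp); AUDIT_SAMPLE=$(mktemp)
trap 'rm -f "$SECURE_SAMPLE" "$AUDIT_SAMPLE"' EXIT
cat >"$SECURE_SAMPLE" <<'EOF'
Sep  1 11:12:57 ipa1 userdel[9407]: delete user 'test'
Sep  1 11:12:57 ipa1 userdel[9407]: removed group 'test' owned by 'test'
Sep  3 09:00:01 ipa1 useradd[9999]: new user: name=alice, UID=1002, GID=1002, home=/home/alice, shell=/bin/bash
Sep  4 08:30:10 ipa1 userdel[10234]: delete user 'alice'
EOF
cat >"$AUDIT_SAMPLE" <<'EOF'
type=DEL_GROUP msg=audit(1598973177.060:2681): pid=9407 uid=0 auid=0 ses=346 msg='op=delete-group grp="test" acct="test" exe="/usr/sbin/userdel" hostname=ipa1.example.local addr=? terminal=pts/0 res=success'
type=GRP_MGMT msg=audit(1598973177.060:2682): pid=9407 uid=0 auid=0 ses=346 msg='op=delete-shadow-group grp="test" acct="test" exe="/usr/sbin/userdel" hostname=ipa1.example.local addr=? terminal=pts/0 res=success'
EOF

deleted_from_syslog "$SECURE_SAMPLE"   # Sep 1 11:12:57 test / Sep 4 08:30:10 alice
deleted_from_audit "$AUDIT_SAMPLE"     # 1598973177 test
```

Pipe the audit column through `date -d @EPOCH` to turn the epoch seconds into a readable timestamp, and remember that both files are rotated, so check the rotated copies too for anything older than the current log.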