Account Created

Linux Ubuntu

Flynn Weeks

Flynn Weeks

February 4, 2022

Enabled by default

Service: syslog

Log type: auth.log

Account creation logs can indicate a suspicious new account that was created in preparation for an attack or someone trying to do things they necessarily shouldn’t. It is also a good idea to know when there may be new users on the network so you are prepared for their activity. This log is required by NIST SP 800-53, HIPAA and PCI DSS regulations.

Compliance

HIPAA

Level: Recommended

URL here

NIST SP 800-53

Level: Recommended

URL here

In order to view this event from the Logs application, select the Security tab and search for user:. Due to the restrictions of the GNOME Logs app, there will likely be several logs that contain “user”, just look for the ones that specify new user: at the beginning.

In order to find the log of a user account creation, enter the command grep "new user" /var/log/auth.log.

View Logs
grep "new user" /var/log/auth.log
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Language: bash
View Log Pile