Yesterday, in my post on numeric userids instead of usernames, I touched briefly on the problem of recovering a username when all you know is the userid it once had. Today I would like to show you another option which may be available to you when it comes to recovering the usernames of removed users by their userid.
On many Unix-like systems both the useradd and userdel commands log their actions. This means that every newly created user gets the whole procedure documented in the appropriate log, with lines similar to this (an Ubuntu example, from the /var/log/auth.log file):
Similarly, deleting a user doesn’t go unnoticed either:
So, there’s a chance that by simply going through /var/log/auth.log you will find the username and userid of a local Unix user that was recently removed. The reason I won’t say “there’s a really good chance” is that most of the logs in /var/log are rotated on a weekly or monthly basis, which means the information about users created or deleted may no longer be there by the time you go looking for it – anyone who was added or deleted more than a few months ago will not show up.
Similar to Ubuntu, you can find recent user management activity logged on RHEL systems, in the /var/log/secure file.
useradd will produce something like this:
… while userdel will document its actions with the following:
Based on the information above, all you have to do is something like this:
This should return a list of all the recently added users.
Similarly, a command like this will show whether any users were recently removed:
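Putting the two searches together in one script, as an added example that is not part of the original post: it answers the question the post started with (which username did a given UID belong to?) and lists every user that was added and later removed. The log lines are constructed samples in the syslog format useradd and userdel write; the function names and the sample hostname, PIDs and usernames are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: recover the username behind a
# UID from useradd/userdel entries and list users that were added and later
# removed. The log lines below are constructed samples in the syslog format
# useradd and userdel write to /var/log/auth.log (Ubuntu) or /var/log/secure (RHEL).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 host useradd[2310]: new group: name=bob, GID=1001
Mar  3 10:01:12 host useradd[2310]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash
Mar  4 09:15:40 host useradd[2518]: new user: name=svc_backup, UID=1002, GID=1002, home=/var/lib/backup, shell=/usr/sbin/nologin
Mar  9 17:42:03 host userdel[3111]: delete user 'bob'
Mar  9 17:42:03 host userdel[3111]: removed group 'bob' owned by 'bob'
EOF

# name_for_uid UID LOG: print the username created with UID, or nothing if the
# log holds no such entry. The last match wins in case the UID was reused.
name_for_uid() {
  uid=$1; log=$2
  grep -E "useradd\[[0-9]+\]: new user: name=[^,]+, UID=${uid}," "$log" |
    sed -E 's/.*name=([^,]+), UID=.*/\1/' | tail -n 1
}

# was_deleted NAME LOG: print yes if userdel later removed NAME, else no.
# -F treats the name as a fixed string so odd characters cannot alter the match.
was_deleted() {
  name=$1; log=$2
  if grep -F "delete user '${name}'" "$log" | grep -q 'userdel\['; then
    echo yes
  else
    echo no
  fi
}

# deleted_uids LOG: print "UID name" for every user that was added and then
# removed, i.e. the orphaned UIDs you would meet when auditing file ownership.
deleted_uids() {
  log=$1
  grep -E 'useradd\[[0-9]+\]: new user:' "$log" |
    sed -E 's/.*name=([^,]+), UID=([0-9]+),.*/\2 \1/' |
    while read -r uid name; do
      if [ "$(was_deleted "$name" "$log")" = yes ]; then echo "$uid $name"; fi
    done
}

# Stand-alone run against the constructed sample.
echo "UID 1001 belonged to: $(name_for_uid 1001 "$SAMPLE_LOG")"
echo "Added and later removed:"
deleted_uids "$SAMPLE_LOG"
```

On a real system pass /var/log/auth.log or /var/log/secure instead of the sample file; because of the rotation caveat above, rotated copies such as auth.log.1 and auth.log.*.gz are worth feeding in as well (zcat -f concatenates them, compressed or not).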
Hope this helps! Enjoy!