How to view command history of another user in Linux?












26















How can I view the command history of another user?



I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history but I can't see commands of that user_name when they were doing sudo.



Is there a way to view all command executed by one user?










share|improve this question















migrated from stackoverflow.com Jul 11 '11 at 23:51


This question came from our site for professional and enthusiast programmers.














  • 1





    Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.

    – ring bearer
    Jul 11 '11 at 21:50






  • 8





    "I am an admin on my machine."

    – Kerin
    Jul 11 '11 at 21:52
















26















How can I view the command history of another user?



I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history but I can't see commands of that user_name when they were doing sudo.



Is there a way to view all command executed by one user?










share|improve this question















migrated from stackoverflow.com Jul 11 '11 at 23:51


This question came from our site for professional and enthusiast programmers.














  • 1





    Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.

    – ring bearer
    Jul 11 '11 at 21:50






  • 8





    "I am an admin on my machine."

    – Kerin
    Jul 11 '11 at 21:52














26












26








26


13






How can I view the command history of another user?



I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history but I can't see commands of that user_name when they were doing sudo.



Is there a way to view all command executed by one user?










share|improve this question
















How can I view the command history of another user?



I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history but I can't see commands of that user_name when they were doing sudo.



Is there a way to view all command executed by one user?







linux administration command-history






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 16 '17 at 15:03









bertieb

5,592112442




5,592112442










asked Jul 11 '11 at 21:44









Sean NguyenSean Nguyen

3452510




3452510




migrated from stackoverflow.com Jul 11 '11 at 23:51


This question came from our site for professional and enthusiast programmers.









migrated from stackoverflow.com Jul 11 '11 at 23:51


This question came from our site for professional and enthusiast programmers.










  • 1





    Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.

    – ring bearer
    Jul 11 '11 at 21:50






  • 8





    "I am an admin on my machine."

    – Kerin
    Jul 11 '11 at 21:52














  • 1





    Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.

    – ring bearer
    Jul 11 '11 at 21:50






  • 8





    "I am an admin on my machine."

    – Kerin
    Jul 11 '11 at 21:52








1




1





Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.

– ring bearer
Jul 11 '11 at 21:50





Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.

– ring bearer
Jul 11 '11 at 21:50




8




8





"I am an admin on my machine."

– Kerin
Jul 11 '11 at 21:52





"I am an admin on my machine."

– Kerin
Jul 11 '11 at 21:52










7 Answers
7






active

oldest

votes


















23














On Debian-based operating systems, doing
tail /var/log/auth.log | grep username
should give you a user's sudo history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.



On RHEL-based operating systems, you would need to check /var/log/secure instead of /var/log/auth.log.






share|improve this answer


























  • Any clue what this would be on a centos system? My Centos 7 machines don't have a /var/log/auth.log

    – Mitch
    Feb 1 '16 at 21:41








  • 2





    Try /var/log/secure instead.

    – Kerin
    Feb 3 '16 at 16:19











  • Works perfectly! Just put in an edit request on your answer

    – Mitch
    Feb 3 '16 at 17:21



















2














Just tested the following, and it worked like a charm.



sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history





share|improve this answer





















  • 1





    S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."

    – Michael Thompson
    Feb 18 '16 at 18:58



















1














If the user issued a command as in sudo somecommand, the command will appear in the system log.



If the user spawned a shell with eg, sudo -s, sudo su, sudo sh, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history or similar.






share|improve this answer



















  • 1





    Where is the system log?

    – Garrett
    May 17 '14 at 1:05



















0














Maybe this link has a value to you
: http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html



But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.



Greetings from Germany,
Daniel Leschkowski






share|improve this answer































    0














    # zless /var/log/auth* is your friend here. It opens even the gzipped files. You can jump between those with :n forwards or :p backwards.



    Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10 for instance. Read more about this on the Arch Linux wiki






    share|improve this answer































      0














      use below command



      sysdig -c spy_users


      if sysdig not installed, install here






      share|improve this answer































        -1














        The logic applies to many other objectives.

        And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?



        #!/bin/ksh
        last |head -10|awk '{print $1}'|
        while IFS= read -r line
        do
        su - "$line" -c 'tail .sh_history'
        done


        Here is the script.






        share|improve this answer

























          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f309434%2fhow-to-view-command-history-of-another-user-in-linux%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          7 Answers
          7






          active

          oldest

          votes








          7 Answers
          7






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          23














          On Debian-based operating systems, doing
          tail /var/log/auth.log | grep username
          should give you a user's sudo history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.



          On RHEL-based operating systems, you would need to check /var/log/secure instead of /var/log/auth.log.






          share|improve this answer


























          • Any clue what this would be on a centos system? My Centos 7 machines don't have a /var/log/auth.log

            – Mitch
            Feb 1 '16 at 21:41








          • 2





            Try /var/log/secure instead.

            – Kerin
            Feb 3 '16 at 16:19











          • Works perfectly! Just put in an edit request on your answer

            – Mitch
            Feb 3 '16 at 17:21
















          23














          On Debian-based operating systems, doing
          tail /var/log/auth.log | grep username
          should give you a user's sudo history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.



          On RHEL-based operating systems, you would need to check /var/log/secure instead of /var/log/auth.log.






          share|improve this answer


























          • Any clue what this would be on a centos system? My Centos 7 machines don't have a /var/log/auth.log

            – Mitch
            Feb 1 '16 at 21:41








          • 2





            Try /var/log/secure instead.

            – Kerin
            Feb 3 '16 at 16:19











          • Works perfectly! Just put in an edit request on your answer

            – Mitch
            Feb 3 '16 at 17:21














          23












          23








          23







          On Debian-based operating systems, doing
          tail /var/log/auth.log | grep username
          should give you a user's sudo history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.



          On RHEL-based operating systems, you would need to check /var/log/secure instead of /var/log/auth.log.






          share|improve this answer















          On Debian-based operating systems, doing
          tail /var/log/auth.log | grep username
          should give you a user's sudo history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.



          On RHEL-based operating systems, you would need to check /var/log/secure instead of /var/log/auth.log.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited May 25 '16 at 20:47









          themanatuf

          1033




          1033










          answered Jul 11 '11 at 21:51









          KerinKerin

          34525




          34525













          • Any clue what this would be on a centos system? My Centos 7 machines don't have a /var/log/auth.log

            – Mitch
            Feb 1 '16 at 21:41








          • 2





            Try /var/log/secure instead.

            – Kerin
            Feb 3 '16 at 16:19











          • Works perfectly! Just put in an edit request on your answer

            – Mitch
            Feb 3 '16 at 17:21



















          • Any clue what this would be on a centos system? My Centos 7 machines don't have a /var/log/auth.log

            – Mitch
            Feb 1 '16 at 21:41








          • 2





            Try /var/log/secure instead.

            – Kerin
            Feb 3 '16 at 16:19











          • Works perfectly! Just put in an edit request on your answer

            – Mitch
            Feb 3 '16 at 17:21

















          Any clue what this would be on a centos system? My Centos 7 machines don't have a /var/log/auth.log

          – Mitch
          Feb 1 '16 at 21:41







          Any clue what this would be on a centos system? My Centos 7 machines don't have a /var/log/auth.log

          – Mitch
          Feb 1 '16 at 21:41






          2




          2





          Try /var/log/secure instead.

          – Kerin
          Feb 3 '16 at 16:19





          Try /var/log/secure instead.

          – Kerin
          Feb 3 '16 at 16:19













          Works perfectly! Just put in an edit request on your answer

          – Mitch
          Feb 3 '16 at 17:21





          Works perfectly! Just put in an edit request on your answer

          – Mitch
          Feb 3 '16 at 17:21













          2














          Just tested the following, and it worked like a charm.



          sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history





          share|improve this answer





















          • 1





            S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."

            – Michael Thompson
            Feb 18 '16 at 18:58
















          2














          Just tested the following, and it worked like a charm.



          sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history





          share|improve this answer





















          • 1





            S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."

            – Michael Thompson
            Feb 18 '16 at 18:58














          2












          2








          2







          Just tested the following, and it worked like a charm.



          sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history





          share|improve this answer















          Just tested the following, and it worked like a charm.



          sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 4 '15 at 22:16









          Excellll

          11.1k74162




          11.1k74162










          answered Nov 4 '15 at 21:51









          TysonTyson

          211




          211








          • 1





            S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."

            – Michael Thompson
            Feb 18 '16 at 18:58














          • 1





            S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."

            – Michael Thompson
            Feb 18 '16 at 18:58








          1




          1





          S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."

          – Michael Thompson
          Feb 18 '16 at 18:58





          S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."

          – Michael Thompson
          Feb 18 '16 at 18:58











          1














          If the user issued a command as in sudo somecommand, the command will appear in the system log.



          If the user spawned a shell with eg, sudo -s, sudo su, sudo sh, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history or similar.






          share|improve this answer



















          • 1





            Where is the system log?

            – Garrett
            May 17 '14 at 1:05
















          1














          If the user issued a command as in sudo somecommand, the command will appear in the system log.



          If the user spawned a shell with eg, sudo -s, sudo su, sudo sh, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history or similar.






          share|improve this answer



















          • 1





            Where is the system log?

            – Garrett
            May 17 '14 at 1:05














          1












          1








          1







          If the user issued a command as in sudo somecommand, the command will appear in the system log.



          If the user spawned a shell with eg, sudo -s, sudo su, sudo sh, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history or similar.






          share|improve this answer













          If the user issued a command as in sudo somecommand, the command will appear in the system log.



          If the user spawned a shell with eg, sudo -s, sudo su, sudo sh, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history or similar.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Jul 11 '11 at 21:52









          bdonlanbdonlan

          1,28311221




          1,28311221








          • 1





            Where is the system log?

            – Garrett
            May 17 '14 at 1:05














          • 1





            Where is the system log?

            – Garrett
            May 17 '14 at 1:05








          1




          1





          Where is the system log?

          – Garrett
          May 17 '14 at 1:05





          Where is the system log?

          – Garrett
          May 17 '14 at 1:05











          0














          Maybe this link has a value to you
          : http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html



          But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.



          Greetings from Germany,
          Daniel Leschkowski






          share|improve this answer




























            0














            Maybe this link has a value to you
            : http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html



            But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.



            Greetings from Germany,
            Daniel Leschkowski






            share|improve this answer


























              0












              0








              0







              Maybe this link has a value to you
              : http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html



              But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.



              Greetings from Germany,
              Daniel Leschkowski






              share|improve this answer













              Maybe this link has a value to you
              : http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html



              But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.



              Greetings from Germany,
              Daniel Leschkowski







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Jul 11 '11 at 21:58







              dles






























                  0














                  # zless /var/log/auth* is your friend here. It opens even the gzipped files. You can jump between those with :n forwards or :p backwards.



                  Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10 for instance. Read more about this on the Arch Linux wiki






                  share|improve this answer




























                    0














                    # zless /var/log/auth* is your friend here. It opens even the gzipped files. You can jump between those with :n forwards or :p backwards.



                    Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10 for instance. Read more about this on the Arch Linux wiki






                    share|improve this answer


























                      0












                      0








                      0







                      # zless /var/log/auth* is your friend here. It opens even the gzipped files. You can jump between those with :n forwards or :p backwards.



                      Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10 for instance. Read more about this on the Arch Linux wiki






                      share|improve this answer













                      # zless /var/log/auth* is your friend here. It opens even the gzipped files. You can jump between those with :n forwards or :p backwards.



                      Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10 for instance. Read more about this on the Arch Linux wiki







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Jan 3 '16 at 19:43









                      AdamKaliszAdamKalisz

                      40946




                      40946























                          0














                          use below command



                          sysdig -c spy_users


                          if sysdig not installed, install here






                          share|improve this answer




























                            0














                            use below command



                            sysdig -c spy_users


                            if sysdig not installed, install here






                            share|improve this answer


























                              0












                              0








                              0







                              use below command



                              sysdig -c spy_users


                              if sysdig not installed, install here






                              share|improve this answer













                              use below command



                              sysdig -c spy_users


                              if sysdig not installed, install here







                              share|improve this answer












                              share|improve this answer



                              share|improve this answer










                              answered Jan 16 at 7:16









                              sachin_ursachin_ur

                              1012




                              1012























                                  -1














                                  The logic applies to many other objectives.

                                  And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?



                                  #!/bin/ksh
                                  last |head -10|awk '{print $1}'|
                                  while IFS= read -r line
                                  do
                                  su - "$line" -c 'tail .sh_history'
                                  done


                                  Here is the script.






                                  share|improve this answer






























                                    -1














                                    The logic applies to many other objectives.

                                    And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?



                                    #!/bin/ksh
                                    last |head -10|awk '{print $1}'|
                                    while IFS= read -r line
                                    do
                                    su - "$line" -c 'tail .sh_history'
                                    done


                                    Here is the script.






                                    share|improve this answer




























                                      -1












                                      -1








                                      -1







                                      The logic applies to many other objectives.

                                      And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?



                                      #!/bin/ksh
                                      last |head -10|awk '{print $1}'|
                                      while IFS= read -r line
                                      do
                                      su - "$line" -c 'tail .sh_history'
                                      done


                                      Here is the script.






                                      share|improve this answer















                                      The logic applies to many other objectives.

                                      And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?



                                      #!/bin/ksh
                                      last |head -10|awk '{print $1}'|
                                      while IFS= read -r line
                                      do
                                      su - "$line" -c 'tail .sh_history'
                                      done


                                      Here is the script.







                                      share|improve this answer














                                      share|improve this answer



                                      share|improve this answer








                                      edited Sep 30 '18 at 16:42









                                      Glorfindel

                                      1,38441220




                                      1,38441220










                                      answered Sep 30 '18 at 16:38









                                      Igor MVIgor MV

                                      11




                                      11






























                                          draft saved

                                          draft discarded




















































                                          Thanks for contributing an answer to Super User!


                                          • Please be sure to answer the question. Provide details and share your research!

                                          But avoid



                                          • Asking for help, clarification, or responding to other answers.

                                          • Making statements based on opinion; back them up with references or personal experience.


                                          To learn more, see our tips on writing great answers.




                                          draft saved


                                          draft discarded














                                          StackExchange.ready(
                                          function () {
                                          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f309434%2fhow-to-view-command-history-of-another-user-in-linux%23new-answer', 'question_page');
                                          }
                                          );

                                          Post as a guest















                                          Required, but never shown





















































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown

































                                          Required, but never shown














                                          Required, but never shown












                                          Required, but never shown







                                          Required, but never shown







                                          Popular posts from this blog

                                          Probability when a professor distributes a quiz and homework assignment to a class of n students.

                                          Aardman Animations

                                          Are they similar matrix