How to view command history of another user in Linux?
How can I view the command history of another user?
I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history
but I can't see commands of that user_name
when they were doing sudo
.
Is there a way to view all command executed by one user?
linux administration command-history
migrated from stackoverflow.com Jul 11 '11 at 23:51
This question came from our site for professional and enthusiast programmers.
add a comment |
How can I view the command history of another user?
I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history
but I can't see commands of that user_name
when they were doing sudo
.
Is there a way to view all command executed by one user?
linux administration command-history
migrated from stackoverflow.com Jul 11 '11 at 23:51
This question came from our site for professional and enthusiast programmers.
1
Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.
– ring bearer
Jul 11 '11 at 21:50
8
"I am an admin on my machine."
– Kerin
Jul 11 '11 at 21:52
add a comment |
How can I view the command history of another user?
I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history
but I can't see commands of that user_name
when they were doing sudo
.
Is there a way to view all command executed by one user?
linux administration command-history
How can I view the command history of another user?
I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history
but I can't see commands of that user_name
when they were doing sudo
.
Is there a way to view all command executed by one user?
linux administration command-history
linux administration command-history
edited Feb 16 '17 at 15:03
bertieb
5,592112442
5,592112442
asked Jul 11 '11 at 21:44
Sean NguyenSean Nguyen
3452510
3452510
migrated from stackoverflow.com Jul 11 '11 at 23:51
This question came from our site for professional and enthusiast programmers.
migrated from stackoverflow.com Jul 11 '11 at 23:51
This question came from our site for professional and enthusiast programmers.
1
Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.
– ring bearer
Jul 11 '11 at 21:50
8
"I am an admin on my machine."
– Kerin
Jul 11 '11 at 21:52
add a comment |
1
Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.
– ring bearer
Jul 11 '11 at 21:50
8
"I am an admin on my machine."
– Kerin
Jul 11 '11 at 21:52
1
1
Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.
– ring bearer
Jul 11 '11 at 21:50
Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.
– ring bearer
Jul 11 '11 at 21:50
8
8
"I am an admin on my machine."
– Kerin
Jul 11 '11 at 21:52
"I am an admin on my machine."
– Kerin
Jul 11 '11 at 21:52
add a comment |
7 Answers
7
active
oldest
votes
On Debian-based operating systems, doing
tail /var/log/auth.log | grep username
should give you a user's sudo
history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.
On RHEL-based operating systems, you would need to check /var/log/secure
instead of /var/log/auth.log
.
Any clue what this would be on a centos system? My Centos 7 machines don't have a/var/log/auth.log
– Mitch
Feb 1 '16 at 21:41
2
Try/var/log/secure
instead.
– Kerin
Feb 3 '16 at 16:19
Works perfectly! Just put in an edit request on your answer
– Mitch
Feb 3 '16 at 17:21
add a comment |
Just tested the following, and it worked like a charm.
sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
1
S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."
– Michael Thompson
Feb 18 '16 at 18:58
add a comment |
If the user issued a command as in sudo somecommand
, the command will appear in the system log.
If the user spawned a shell with eg, sudo -s
, sudo su
, sudo sh
, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history
or similar.
1
Where is the system log?
– Garrett
May 17 '14 at 1:05
add a comment |
Maybe this link has a value to you
: http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html
But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.
Greetings from Germany,
Daniel Leschkowski
add a comment |
# zless /var/log/auth*
is your friend here. It opens even the gzipped files. You can jump between those with :n
forwards or :p
backwards.
Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10
for instance. Read more about this on the Arch Linux wiki
add a comment |
use below command
sysdig -c spy_users
if sysdig not installed, install here
add a comment |
The logic applies to many other objectives.
And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?
#!/bin/ksh
last |head -10|awk '{print $1}'|
while IFS= read -r line
do
su - "$line" -c 'tail .sh_history'
done
Here is the script.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f309434%2fhow-to-view-command-history-of-another-user-in-linux%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
7 Answers
7
active
oldest
votes
7 Answers
7
active
oldest
votes
active
oldest
votes
active
oldest
votes
On Debian-based operating systems, doing
tail /var/log/auth.log | grep username
should give you a user's sudo
history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.
On RHEL-based operating systems, you would need to check /var/log/secure
instead of /var/log/auth.log
.
Any clue what this would be on a centos system? My Centos 7 machines don't have a/var/log/auth.log
– Mitch
Feb 1 '16 at 21:41
2
Try/var/log/secure
instead.
– Kerin
Feb 3 '16 at 16:19
Works perfectly! Just put in an edit request on your answer
– Mitch
Feb 3 '16 at 17:21
add a comment |
On Debian-based operating systems, doing
tail /var/log/auth.log | grep username
should give you a user's sudo
history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.
On RHEL-based operating systems, you would need to check /var/log/secure
instead of /var/log/auth.log
.
Any clue what this would be on a centos system? My Centos 7 machines don't have a/var/log/auth.log
– Mitch
Feb 1 '16 at 21:41
2
Try/var/log/secure
instead.
– Kerin
Feb 3 '16 at 16:19
Works perfectly! Just put in an edit request on your answer
– Mitch
Feb 3 '16 at 17:21
add a comment |
On Debian-based operating systems, doing
tail /var/log/auth.log | grep username
should give you a user's sudo
history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.
On RHEL-based operating systems, you would need to check /var/log/secure
instead of /var/log/auth.log
.
On Debian-based operating systems, doing
tail /var/log/auth.log | grep username
should give you a user's sudo
history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.
On RHEL-based operating systems, you would need to check /var/log/secure
instead of /var/log/auth.log
.
edited May 25 '16 at 20:47
themanatuf
1033
1033
answered Jul 11 '11 at 21:51
KerinKerin
34525
34525
Any clue what this would be on a centos system? My Centos 7 machines don't have a/var/log/auth.log
– Mitch
Feb 1 '16 at 21:41
2
Try/var/log/secure
instead.
– Kerin
Feb 3 '16 at 16:19
Works perfectly! Just put in an edit request on your answer
– Mitch
Feb 3 '16 at 17:21
add a comment |
Any clue what this would be on a centos system? My Centos 7 machines don't have a/var/log/auth.log
– Mitch
Feb 1 '16 at 21:41
2
Try/var/log/secure
instead.
– Kerin
Feb 3 '16 at 16:19
Works perfectly! Just put in an edit request on your answer
– Mitch
Feb 3 '16 at 17:21
Any clue what this would be on a centos system? My Centos 7 machines don't have a
/var/log/auth.log
– Mitch
Feb 1 '16 at 21:41
Any clue what this would be on a centos system? My Centos 7 machines don't have a
/var/log/auth.log
– Mitch
Feb 1 '16 at 21:41
2
2
Try
/var/log/secure
instead.– Kerin
Feb 3 '16 at 16:19
Try
/var/log/secure
instead.– Kerin
Feb 3 '16 at 16:19
Works perfectly! Just put in an edit request on your answer
– Mitch
Feb 3 '16 at 17:21
Works perfectly! Just put in an edit request on your answer
– Mitch
Feb 3 '16 at 17:21
add a comment |
Just tested the following, and it worked like a charm.
sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
1
S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."
– Michael Thompson
Feb 18 '16 at 18:58
add a comment |
Just tested the following, and it worked like a charm.
sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
1
S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."
– Michael Thompson
Feb 18 '16 at 18:58
add a comment |
Just tested the following, and it worked like a charm.
sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
Just tested the following, and it worked like a charm.
sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
edited Nov 4 '15 at 22:16
Excellll
11.1k74162
11.1k74162
answered Nov 4 '15 at 21:51
TysonTyson
211
211
1
S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."
– Michael Thompson
Feb 18 '16 at 18:58
add a comment |
1
S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."
– Michael Thompson
Feb 18 '16 at 18:58
1
1
S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."
– Michael Thompson
Feb 18 '16 at 18:58
S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but i can't see commands of that "user_name" when they were doing sudo."
– Michael Thompson
Feb 18 '16 at 18:58
add a comment |
If the user issued a command as in sudo somecommand
, the command will appear in the system log.
If the user spawned a shell with eg, sudo -s
, sudo su
, sudo sh
, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history
or similar.
1
Where is the system log?
– Garrett
May 17 '14 at 1:05
add a comment |
If the user issued a command as in sudo somecommand
, the command will appear in the system log.
If the user spawned a shell with eg, sudo -s
, sudo su
, sudo sh
, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history
or similar.
1
Where is the system log?
– Garrett
May 17 '14 at 1:05
add a comment |
If the user issued a command as in sudo somecommand
, the command will appear in the system log.
If the user spawned a shell with eg, sudo -s
, sudo su
, sudo sh
, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history
or similar.
If the user issued a command as in sudo somecommand
, the command will appear in the system log.
If the user spawned a shell with eg, sudo -s
, sudo su
, sudo sh
, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history
or similar.
answered Jul 11 '11 at 21:52
bdonlanbdonlan
1,28311221
1,28311221
1
Where is the system log?
– Garrett
May 17 '14 at 1:05
add a comment |
1
Where is the system log?
– Garrett
May 17 '14 at 1:05
1
1
Where is the system log?
– Garrett
May 17 '14 at 1:05
Where is the system log?
– Garrett
May 17 '14 at 1:05
add a comment |
Maybe this link has a value to you
: http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html
But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.
Greetings from Germany,
Daniel Leschkowski
add a comment |
Maybe this link has a value to you
: http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html
But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.
Greetings from Germany,
Daniel Leschkowski
add a comment |
Maybe this link has a value to you
: http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html
But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.
Greetings from Germany,
Daniel Leschkowski
Maybe this link has a value to you
: http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html
But you should mind that leaving no trace in bash_history is just a matter of starting a command with a space etcpp. The history is a helper, not a logging-tool.
Greetings from Germany,
Daniel Leschkowski
answered Jul 11 '11 at 21:58
dles
add a comment |
add a comment |
# zless /var/log/auth*
is your friend here. It opens even the gzipped files. You can jump between those with :n
forwards or :p
backwards.
Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10
for instance. Read more about this on the Arch Linux wiki
add a comment |
# zless /var/log/auth*
is your friend here. It opens even the gzipped files. You can jump between those with :n
forwards or :p
backwards.
Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10
for instance. Read more about this on the Arch Linux wiki
add a comment |
# zless /var/log/auth*
is your friend here. It opens even the gzipped files. You can jump between those with :n
forwards or :p
backwards.
Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10
for instance. Read more about this on the Arch Linux wiki
# zless /var/log/auth*
is your friend here. It opens even the gzipped files. You can jump between those with :n
forwards or :p
backwards.
Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10
for instance. Read more about this on the Arch Linux wiki
answered Jan 3 '16 at 19:43
AdamKaliszAdamKalisz
40946
40946
add a comment |
add a comment |
use below command
sysdig -c spy_users
if sysdig not installed, install here
add a comment |
use below command
sysdig -c spy_users
if sysdig not installed, install here
add a comment |
use below command
sysdig -c spy_users
if sysdig not installed, install here
use below command
sysdig -c spy_users
if sysdig not installed, install here
answered Jan 16 at 7:16
sachin_ursachin_ur
1012
1012
add a comment |
add a comment |
The logic applies to many other objectives.
And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?
#!/bin/ksh
last |head -10|awk '{print $1}'|
while IFS= read -r line
do
su - "$line" -c 'tail .sh_history'
done
Here is the script.
add a comment |
The logic applies to many other objectives.
And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?
#!/bin/ksh
last |head -10|awk '{print $1}'|
while IFS= read -r line
do
su - "$line" -c 'tail .sh_history'
done
Here is the script.
add a comment |
The logic applies to many other objectives.
And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?
#!/bin/ksh
last |head -10|awk '{print $1}'|
while IFS= read -r line
do
su - "$line" -c 'tail .sh_history'
done
Here is the script.
The logic applies to many other objectives.
And how to read .sh_history of each user from /home/ filesystem? What if there are thousands of them?
#!/bin/ksh
last |head -10|awk '{print $1}'|
while IFS= read -r line
do
su - "$line" -c 'tail .sh_history'
done
Here is the script.
edited Sep 30 '18 at 16:42
Glorfindel
1,38441220
1,38441220
answered Sep 30 '18 at 16:38
Igor MVIgor MV
11
11
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f309434%2fhow-to-view-command-history-of-another-user-in-linux%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Steal his password :) or by social engineering ..If you are not root, and your account is set up in a way that you can't get go/read other user's home/files you are pretty much restricted.
– ring bearer
Jul 11 '11 at 21:50
8
"I am an admin on my machine."
– Kerin
Jul 11 '11 at 21:52