48

How can I view the command history of another user?

I am an admin on my machine. I can see normal history by viewing /home/user_name/.bash_history but I can't see commands of that user_name when they were doing sudo.

Is there a way to view all commands executed by one user?

bertieb
Sean Nguyen
  • 1
    Steal his password :) or by social engineering... If you are not root, and your account is set up in a way that you can't get to/read other users' home/files, you are pretty much restricted. – ring bearer Jul 11 '11 at 21:50
  • 11
    "I am an admin on my machine." –  Jul 11 '11 at 21:52

7 Answers

39

On Debian-based operating systems, doing tail /var/log/auth.log | grep username should give you a user's sudo history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.

On RHEL-based operating systems, you would need to check /var/log/secure instead of /var/log/auth.log.

themanatuf
Kerin
19

Just tested the following, and it worked like a charm.

sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
Excellll
Tyson
    S/he's already aware of this command. From the original question: "I can see normal history by viewing /home/user_name/.bash_history but I can't see commands of that "user_name" when they were doing sudo." – Michael Thompson Feb 18 '16 at 18:58
4

Use the command below:

sysdig -c spy_users

If sysdig is not installed, install it here.

sachin_ur
3

If the user issued a command as in sudo somecommand, the command will appear in the system log.

If the user spawned a shell with, e.g., sudo -s, sudo su, sudo sh, etc., then the command may appear in the history of the root user, that is, in /root/.bash_history or similar.

bdonlan
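The answers above pull sudo's records out of /var/log/auth.log (or /var/log/secure) with grep. As an added example, not code from any answer, the function below parses those records for one user, marks attempts that sudo refused, and flags root shells, whose inner commands this log does not show. It assumes traditional syslog timestamps and sudo's default record layout; the function names and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example. Assumes traditional syslog timestamps ("Jul 11 21:40:01 host sudo: ...").

# sudo_history USER [FILE...]   (reads stdin when no FILE is given)
# Output, tab-separated: timestamp, run-as user, working dir, note, command
sudo_history() {
    who=$1; shift
    awk -v who="$who" '
        # Value of NAME= in the " ; "-separated part of a sudo record.
        function field(name,   s) {
            if (!match($0, name "=[^;]* ; ")) return "?"
            s = substr($0, RSTART, RLENGTH - 3)
            return substr(s, length(name) + 2)
        }
        # Only sudo command records for this user; skips pam_unix session lines
        # and lines that merely mention the name (which plain grep would show).
        $5 ~ /^sudo(\[[0-9]+\])?:$/ && $6 == who && $7 == ":" && / COMMAND=/ {
            cmd = substr($0, index($0, "COMMAND=") + 8)
            split(cmd, w, " "); prog = w[1]; sub(/.*\//, "", prog)
            note = "ran"
            # Text before TTY= ("user NOT in sudoers", "3 incorrect password
            # attempts") means sudo refused; the command did not run.
            if ($8 !~ /^TTY=/) note = "denied"
            # A root shell hides whatever is typed inside it from this log.
            else if (prog ~ /^(su|sh|bash|dash|ksh|zsh)$/) note = "shell"
            printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, field("USER"), field("PWD"), note, cmd
        }' "$@"
}

# Constructed sample log lines (host and user names are made up).
sample_auth_log() {
    cat <<'EOF'
Jul 11 21:40:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jul 11 21:40:01 host1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Jul 11 21:41:17 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /home/alice/notes
Jul 11 21:45:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/bin/su -
Jul 11 21:50:02 host1 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/id
EOF
}

sample_auth_log | sudo_history alice
```

On a real system, pass the log file as the second argument, for example sudo_history user_name /var/log/auth.log; rotated .gz files have to be decompressed and piped in on stdin.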
1

# zless /var/log/auth* is your friend here. It opens even the gzipped files. You can jump between those with :n forwards or :p backwards.

Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10, for instance. Read more about this on the Arch Linux wiki.

AdamKalisz
0

Maybe this link is of value to you: http://www.sudo.ws/pipermail/sudo-users/2000-March/000052.html

But you should keep in mind that leaving no trace in bash_history is just a matter of starting a command with a space, etc. The history is a helper, not a logging tool.

Greetings from Germany, Daniel Leschkowski

-1

The logic applies to many other objectives.
And how do you read the .sh_history of each user from the /home/ filesystem? What if there are thousands of them?

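#!/bin/ksh
# Show the tail of .sh_history for each user in the 10 most recent login records.
# Run as root so that su does not prompt for a password.
# Skip the pseudo-entries that last prints (reboot, shutdown, "wtmp begins") and duplicates.
last | head -10 | awk '$1 != "" && $1 != "reboot" && $1 != "shutdown" && $1 != "wtmp" {print $1}' | sort -u |
while IFS= read -r user
do
    su - "$user" -c 'tail .sh_history'
done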

Here is the script.

Glorfindel
Rogi