Is there a way to determine which user ran a command in bash history?

by SSH_Noob   Last Updated January 13, 2018 15:01 PM

We work on CentOS servers available to over a hundred employees via SSH, each with their own login. Running a normal history bash command shows all of the commands run by all of the employees; however, it does not specify which employee the command was run by. Is it possible to have history show not only the bash command that was run, but also which SSH user it was run by?



Answers 3


You can try this

cat /home/user_you_are_looking_for/.bash_history
Unnikrishnan
February 02, 2015 20:44 PM

According to this answer on the “Unix & Linux Stack Exchange” site you could use getent to roll through each user’s home directory and search for a command/pattern in that output:

getent passwd |
cut -d : -f 6 |
sed 's:$:/.bash_history:' |
xargs -d '\n' grep -H -e "[command/pattern you are looking for]" 

Or you could use grep to search all Bash history files like this:

grep -e "[command/pattern you are looking for]" /home/*/.bash_history
JakeGould
February 02, 2015 20:53 PM

It seems like you want greater auditing on your system in general; however, in relation to Bash and history, you can enable time-stamping. This, in conjunction with the last command and a tailored grep, should help in determining which specific user executed the crime. Er, command.

  1. Enable history timestamps.

From GNU's Bash page:

HISTTIMEFORMAT

If this variable is set and not null, its value is used as a format string for strftime to print the time stamp associated with each history entry displayed by the history builtin. If this variable is set, time stamps are written to the history file so they may be preserved across shell sessions. This uses the history comment character to distinguish timestamps from other history lines.

Reference on formatting the time string

  2. Use the last command

Last will show user login/logout times. This will narrow your search down to a few users.

  3. Grep the specific users matched above for the specific command.

Something like:

grep "command" /home/{user_a,user_b}/.bash_history

Note: the history file will have additional data for the timestamp; however, it will still be very readable as text.

  4. Create a Bash function to perform all the above

Create a function, histuser() which will take one argument: a command name, and do the above searches returning the name of the specific user. If you want this done email me. I'm easy, but not cheap.

Daniel
February 02, 2015 21:28 PM
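
The steps in the answer above (timestamped history, then a per-user search) combined into one function, as an added example that is not part of the original answer. The name histuser follows the answer's suggestion; the optional second argument, the output format, the use of the home directory name as the user name, and the sample history files are assumptions made here.

```bash
#!/usr/bin/env bash
# histuser PATTERN [HOME_ROOT]
# Prints "user<TAB>epoch<TAB>command" for each history line matching PATTERN
# (an awk extended regex). HOME_ROOT defaults to /home; the user name is taken
# from the home directory name, which is an assumption of this example.
histuser() {
    local pattern="$1" root="${2:-/home}" file user
    for file in "$root"/*/.bash_history; do
        [ -r "$file" ] || continue
        user="${file%/.bash_history}"
        user="${user##*/}"
        awk -v user="$user" -v pat="$pattern" '
            # With HISTTIMEFORMAT set, Bash writes "#<epoch>" before each command.
            /^#[0-9]+$/ { ts = substr($0, 2); next }
            $0 ~ pat {
                when = (ts == "") ? "no-timestamp" : ts
                printf "%s\t%s\t%s\n", user, when, $0
            }
            { ts = "" }   # a timestamp applies only to the line that follows it
        ' "$file"
    done
}

# Constructed sample data: alice has timestamps throughout; bob's first entry
# was written before HISTTIMEFORMAT was enabled, so it has none.
histuser_demo() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/alice" "$root/bob"
    printf '%s\n' '#1422909000' 'ls -l /var/log' \
                  '#1422909060' 'rm -rf /srv/app/cache' > "$root/alice/.bash_history"
    printf '%s\n' 'rm old.tmp' '#1422912600' 'vim notes.txt' > "$root/bob/.bash_history"
    histuser '^rm ' "$root"
    rm -rf "$root"
}

histuser_demo
```

Convert an epoch with `date -d @1422909060` and compare it against the sessions listed by `last -F`. History files are writable by their owners, so a match is a lead to follow up rather than proof.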
