To know which IP executed a certain command in Linux using ssh

10

3

There is a server which is accessed by many users using ssh. I am trying to figure out which user executed a certain command.

I can know the list of users currently accessing the server using who. Also I will know the list of commands executed using history.

But how to know which user executed a command like cp file1.sh file2.sh in the server? The user has already executed the command and logged out.

Manu K Mohan

Posted 2013-03-07T12:55:42.870

Reputation: 211

Answers

4

Each new user connecting spawns a new sshd session with a specific PID. You could use pstree to print which commands are inherited from which sshd session, and then cross-check this PID in /var/log/auth.log.

Example (anonymized): I logged in to a remote server with 3 simultaneous sessions, with the same remote user. I now want to find out from which IP the client came that ran the command watch date.

$ pstree -p | grep watch
        |           |-sshd(15243)---sshd(15342)---bash(15343)---watch(15450)
$ sudo grep 15243 /var/log/auth.log
Mar  7 15:37:29 XXXXXXXXXX sshd[15243]: Accepted publickey for XXXXXXXXXX from 12.34.56.78 port 48218 ssh2
Mar  7 15:37:29 XXXXXXXXXX sshd[15243]: pam_unix(sshd:session): session opened for user XXXXXXXXXX by (uid=0)
Mar  7 15:37:44 XXXXXXXXXX sudo: XXXXXXXXXX : TTY=pts/7 ; PWD=/home/XXXXXXXXXX ; USER=root ; COMMAND=/bin/grep 15243 /var/log/auth.log

pstree -p shows that the watch command is inherited from sshd with PID 15243. Grepping for this PID in /var/log/auth.log shows that it was IP 12.34.56.78 that started this session. Therefore this is also the user that started watch.

As for finding history for specifically this user, it cannot be done from what I can see when all remote users are using the same local SSH user. Also, it can easily be spoofed/inactivated/etc., so it's not really reliable. If it is saved to the history file, then you could just look for the cp command and look backwards in the file, but if it is not there, then there is not much to do.

Daniel Andersson

Posted 2013-03-07T12:55:42.870

Reputation: 20 465

It says this error: grep: /var/log/auth.log: No such file or directory :-( – Manu K Mohan – 2013-03-08T09:34:19.623

@ManuKMohan: You haven't stated which system you are on. Under RHEL/Fedora/Scientific Linux/etc., the relevant file is /var/log/secure. – Daniel Andersson – 2013-03-08T10:47:10.683

Andersson, I am using Ubuntu. – Manu K Mohan – 2013-03-13T05:31:52.557

@ManuKMohan: If /var/log/auth.log.1, etc., exist, then try them in order to see if they contain the info. Afterwards, restart rsyslog (sudo service rsyslog restart) and see if it starts populating auth.log, which it should already be doing. SSHD logs to /var/log/auth.log by default in Ubuntu, so unless you have explicitly changed logging targets via /etc/ssh/sshd_config or /etc/syslog.conf (you can check to which file the auth level is logged here), it should be there. If not: something is up :-) .

– Daniel Andersson – 2013-03-13T07:21:25.820
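The pstree + auth.log correlation above, turned into a script. This is an added example, not the answer's own code: it walks /proc to collect the sshd ancestors of a process and matches the per-connection sshd PID against the "Accepted ... from <ip>" line. It assumes a Linux /proc and the default OpenSSH log format; the log path is /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL-like), as discussed in the comments. The sample process tree and log lines are constructed from the anonymized output in the answer; the hostname and user name are placeholders.

```python
#!/usr/bin/env python3
"""Map a running process back to the SSH client IP that started its session.

Constructed example (not the answer's code): automates the pstree + grep step.
Walk the process tree up to the per-connection sshd, then match that sshd's
PID against the "Accepted ... from <ip>" line in the auth log.
"""
import os
import re
import sys

# One of these is logged per successful login. The PID in brackets is the
# per-connection sshd, an ancestor of every shell spawned in that session.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepted(lines):
    """Return {per-connection sshd PID: login record} from auth-log lines."""
    sessions = {}
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            sessions[int(m["pid"])] = {
                "user": m["user"], "ip": m["ip"],
                "port": int(m["port"]), "method": m["method"],
            }
    return sessions


def read_proc_tree():
    """Return {pid: (ppid, comm)} for every process, read from /proc (Linux)."""
    tree = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
        except OSError:
            continue            # process exited while we were scanning
        # Field 2 (comm) is parenthesised and may contain spaces, so split
        # around the last ')'; the state and then the ppid follow it.
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        tree[int(entry)] = (ppid, comm)
    return tree


def sshd_ancestors(pid, tree):
    """PIDs of every sshd on the path from `pid` up to init, nearest first."""
    found, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, comm = tree[pid]
        if comm == "sshd":
            found.append(pid)
        pid = ppid
    return found


def attribute(pid, tree, sessions):
    """Login record of the SSH session `pid` belongs to, or None.

    Only the per-connection sshd has an "Accepted" line (neither the
    privilege-separated child nor the listener does), so the nearest sshd
    ancestor that has a record identifies the session.
    """
    for sshd_pid in sshd_ancestors(pid, tree):
        if sshd_pid in sessions:
            return dict(sessions[sshd_pid], sshd_pid=sshd_pid)
    return None


# Constructed data mirroring the anonymized pstree / auth.log output above.
SAMPLE_TREE = {
    1: (0, "init"),
    1000: (1, "sshd"),          # listener
    15243: (1000, "sshd"),      # per-connection sshd: logs "Accepted"
    15342: (15243, "sshd"),     # privilege-separated child, runs as the user
    15343: (15342, "bash"),
    15450: (15343, "watch"),
}
SAMPLE_LOG = [
    "Mar  7 15:37:29 host sshd[15243]: Accepted publickey for alice "
    "from 12.34.56.78 port 48218 ssh2",
    "Mar  7 15:37:29 host sshd[15243]: pam_unix(sshd:session): session "
    "opened for user alice by (uid=0)",
    "Mar  7 15:40:02 host sshd[15601]: Accepted password for alice "
    "from 203.0.113.9 port 50122 ssh2",
]


def main(argv):
    """Usage: who_ran.py <comm> [auth-log]   e.g. who_ran.py watch /var/log/secure"""
    if len(argv) < 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    comm = argv[1]
    log = argv[2] if len(argv) > 2 else "/var/log/auth.log"
    tree = read_proc_tree()
    with open(log) as f:                 # root-readable on most systems
        sessions = parse_accepted(f)
    for pid, (_, name) in sorted(tree.items()):
        if name == comm:
            print(pid, name, attribute(pid, tree, sessions))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root (sudo python3 who_ran.py watch) since the auth log is normally root-readable. It only helps while the session is still alive: once the user has logged out, the process tree is gone and the auth log's "Accepted ... from" and "session closed" lines for that sshd PID give you the time window at best, which is why the other answers add per-command logging. On hosts that log to the journal instead of a file, the same sshd lines come from journalctl -u ssh (or -u sshd).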

1

You can add these two lines to /etc/profile or /etc/bashrc in order to log all commands executed by bash:

# user@client-IP; the client IP is the first field of SSH_CONNECTION
whoami="$(whoami)@$(echo $SSH_CONNECTION | awk '{print $1}')"
# runs before each prompt: log the last history entry and its exit status
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local3.debug "$whoami [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

This will use syslog to record every executed command along with the user who ran it and their IP address, in a format like this:

Jan  8 08:43:49 xpto local3.debug root: root@192.168.x.y [29385]: ls -al [0]

Additionally, you can add the line below to your syslog configuration (/etc/syslog.conf) to redirect the local3 messages to a specific file.

local3.*                                                /var/log/prompt.log

Filipe

Posted 2013-03-07T12:55:42.870

Reputation: 113

Now it is syslog-ng as an improvement, and the config file is /etc/syslog-ng/syslog-ng.conf. – Timo – 2018-02-04T13:30:37.070
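Once commands are written to /var/log/prompt.log in the format above, the original question ("which IP ran cp file1.sh file2.sh?") becomes a query over that file. The following is an added example, not Filipe's code: it parses lines in that format and reports user, IP, shell PID and time for every command matching a regex. The sample lines are constructed; the line with an empty IP is what the PROMPT_COMMAND above produces for a console login, where SSH_CONNECTION is unset. The syslog prefix is taken to be timestamp, host, an optional "facility.priority" token (present in the sample line) and the tag.

```python
#!/usr/bin/env python3
"""Query the per-command log written by the PROMPT_COMMAND snippet above.

Added example, not the answer's code. Each line is a syslog prefix followed
by "<user>@<client-ip> [<shell pid>]: <command> [<exit status>]".
"""
import re
import sys

# The IP group is \S* rather than \S+: with no SSH_CONNECTION (console
# login) the snippet logs "root@ [pid]", i.e. an empty address.
PROMPT_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:\S+ )?(?P<tag>\S+): "
    r"(?P<user>[^@\s]+)@(?P<ip>\S*) \[(?P<pid>\d+)\]: (?P<cmd>.*) \[(?P<rc>-?\d+)\]$"
)


def parse_prompt_log(lines):
    """Parse log lines into dicts; lines in any other format are skipped."""
    records = []
    for line in lines:
        m = PROMPT_LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["rc"] = int(rec["rc"])
        records.append(rec)
    return records


def who_ran(records, pattern):
    """Records whose command matches the regex `pattern`, in log order."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["cmd"])]


def sessions(records):
    """Group commands by (client IP, shell PID): one entry per login shell."""
    by_session = {}
    for r in records:
        by_session.setdefault((r["ip"], r["pid"]), []).append(r["cmd"])
    return by_session


# Constructed sample of /var/log/prompt.log; two SSH sessions plus a
# console login, with one unrelated local3 message that must be skipped.
SAMPLE_PROMPT_LOG = [
    "Mar  7 12:40:01 xpto local3.debug root: root@192.168.1.10 [29385]: ls -al [0]",
    "Mar  7 12:41:15 xpto local3.debug root: root@192.168.1.10 [29385]: cp file1.sh file2.sh [0]",
    "Mar  7 12:41:20 xpto local3.debug root: root@10.0.0.5 [30112]: cat file2.sh [0]",
    "Mar  7 12:42:03 xpto local3.debug root: root@10.0.0.5 [30112]: cp file1.sh /tmp/file2.sh [1]",
    "Mar  7 12:42:10 xpto local3.debug root: root@ [30200]: whoami [0]",
    "Mar  7 12:43:00 xpto local3.debug root: unrelated message",
]


def main(argv):
    """Usage: prompt_log_query.py <regex> [logfile]  (default /var/log/prompt.log)"""
    if len(argv) < 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    log = argv[2] if len(argv) > 2 else "/var/log/prompt.log"
    with open(log) as f:
        records = parse_prompt_log(f)
    for r in who_ran(records, argv[1]):
        ip = r["ip"] or "(console)"
        print(f'{r["ts"]} {r["user"]}@{ip} pid={r["pid"]} rc={r["rc"]}: {r["cmd"]}')
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Example: python3 prompt_log_query.py '^cp file1\.sh file2\.sh$' lists the session (IP and shell PID) that ran exactly that command. Keep in mind that PROMPT_COMMAND lives in the user's own shell: anyone who runs unset PROMPT_COMMAND, or starts sh instead of bash, drops out of this log, so it is accountability for cooperative users rather than tamper-proof auditing.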

1

You could use snoopy for this.

You would have to configure it to log a custom environment variable (SSH_CLIENT) by specifying IP=%{env:SSH_CLIENT} in the definition of the log message format (./configure flag, or configurable in snoopy.ini since version 2.x).

Disclosure: Snoopy maintainer here.

Bostjan Skufca

Posted 2013-03-07T12:55:42.870

Reputation: 101

0

Assuming that you are using bash, history will only show you YOUR command line history. By default, it reads ~/.bash_history for the history. Note that this can be changed (though highly unlikely) by doing something like HISTFILE=/home/userFoo/.my_alt_history.

Assuming that you are root on the box, you could scan through all of the user's directories and read their histories to see who is running that command.

user1146334

Posted 2013-03-07T12:55:42.870

Reputation: 101

Oh, and if they are being nefarious, they could easily wipe this command from their history. If they are actively on the box running the command, you could see it with ps -aux | grep "cp file1.sh file2.sh" – None – 2013-03-07T13:12:30.287

All the users are remotely accessing the same username on the server using ssh. I want to know which IP has accessed this user and executed the command. – Manu K Mohan – 2013-03-07T13:38:31.897

It's not a good policy to have lots of users sharing a username and password. – pjc50 – 2013-03-07T13:56:21.010