2
We work on CentOS servers available to over a hundred employees via SSH, each with their own login. Running a normal history bash command shows all of the commands ran by all of the employees, however it does not specify which employee the command was run by. Is it possible to have history show not only the bash command that was run, but also which SSH user it was run by?
SSH_Noob
Posted 2015-02-02T20:34:09.060
Reputation: 29
1
It seems like you want greater auditing on your system in general, however in relation to Bash and history, you can enable time-stamping. This in conjunction with last command and a tailored grep should help in determining which specific user executed the crime. er, command.
From GNU's Bash page:
If this variable is set and not null, its value is used as a format string for strftime to print the time stamp associated with each history entry displayed by the history builtin. If this variable is set, time stamps are written to the history file so they may be preserved across shell sessions. This uses the history comment character to distinguish timestamps from other history lines.
Reference on formatting the time string
Last will show user login/logout times. This will narrow your search down to a few users.
something like:
grep "command" /home/{user_a,user_b}/.history
note, the history file will have additional data for the timestamp, however it will still be very readable in text.
Create a function, histuser() which will take one argument: a command name, and do the above searches returning the name of the specific user. If you want this done email me. I'm easy, but not cheap.
Daniel
Posted 2015-02-02T20:34:09.060
Reputation: 932
0
You can try this
cat /home/user_you_are_looking_for/.bash_history
Unnikrishnan
Posted 2015-02-02T20:34:09.060
Reputation: 1 193
3of course, thats assuming they didnt delete their history – Keltari – 2015-02-02T20:50:16.913
That just shows the bash history for a user. It does not search for a command. The question is, “Is it possible to have history show not only the bash command that was run, but also which SSH user it was run by?” – JakeGould – 2015-02-02T20:58:55.717
0
According to this answer on the “Unix & Linux Stack Exchange” site you could use getent to roll through each user’s home directory and search for a command/pattern in that output:
getent passwd |
cut -d : -f 6 |
sed 's:$:/.bash_history:' |
xargs -d '\n' grep -H -e "[command/pattern you are looking for]"
Or you could use grep to search all bash history’s like this:
grep -e "[command/pattern you are looking for]" /home/*/.bash_history
JakeGould
Posted 2015-02-02T20:34:09.060
Reputation: 38 217
6Where did you get the idea that bash's
historycommand shows all of the commands run by all of the users on the system? It only shows the current user's history. – Spiff – 2015-02-02T21:20:55.713If you have multiple persons logging into the same user account, the trivial fix is to create a personal account for each. If they need to run something with specific privileges,
sudoallows for that, and also implements auditing if you want that. – tripleee – 2018-04-16T06:05:12.700