Is there a way to determine which user ran a command in bash history?


It seems like you want greater auditing on your system in general, however in relation to Bash and history, you can enable time-stamping. This in conjunction with last command and a tailored grep should help in determining which specific user executed the crime. er, command.

  1. Enable history timestamps.

From GNU's Bash page:

HISTTIMEFORMAT

If this variable is set and not null, its value is used as a format string for strftime to print the time stamp associated with each history entry displayed by the history builtin. If this variable is set, time stamps are written to the history file so they may be preserved across shell sessions. This uses the history comment character to distinguish timestamps from other history lines.

Reference on formatting the time string

  2. Use last command

Last will show user login/logout times. This will narrow your search down to a few users.

  3. grep the specific users matched above for the specific command.

Something like:

grep "command" /home/{user_a,user_b}/.bash_history

Note: the history file will have additional data for the timestamp, however it will still be very readable in text.

  4. Create a Bash function to perform all the above

Create a function, histuser() which will take one argument: a command name, and do the above searches returning the name of the specific user. If you want this done email me. I'm easy, but not cheap.
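One way the histuser() search from the steps above could look. This is an added example, not code from the answer's author. It assumes each user's history is at HOME_ROOT/<user>/.bash_history, that HISTTIMEFORMAT was set so commands are preceded by a "#<epoch>" line, and that the caller can read those files; the HOME_ROOT argument and the histuser_demo helper with its sample data are constructed for illustration.

```shell
#!/bin/sh
# histuser PATTERN [HOME_ROOT]
# Prints "user<TAB>epoch<TAB>command" for every history line containing PATTERN.
# The epoch column can be compared with the login windows reported by `last`.
histuser() (
    pattern=$1
    home_root=${2:-/home}
    for hist in "$home_root"/*/.bash_history; do
        [ -r "$hist" ] || continue              # unreadable file or unmatched glob
        user=$(basename "$(dirname "$hist")")
        awk -v user="$user" -v pat="$pattern" '
            # Timestamp comment written by bash when HISTTIMEFORMAT is set.
            /^#[0-9]+$/ { ts = substr($0, 2); next }
            # Fixed-string match, so the pattern is never treated as a regex.
            # Entries recorded before timestamps were enabled print "-".
            index($0, pat) { printf "%s\t%s\t%s\n", user, (ts == "" ? "-" : ts), $0 }
        ' "$hist"
    done
)

# Constructed sample data: two users; user_b has one entry that predates
# timestamping, so it has no "#<epoch>" line in front of it.
histuser_demo() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/user_a" "$root/user_b"
    printf '%s\n' '#1700000000' 'ls -la' \
                  '#1700000060' 'rm -rf /srv/app/cache' \
        > "$root/user_a/.bash_history"
    printf '%s\n' 'rm old.log' \
                  '#1700000100' 'vim notes.txt' \
        > "$root/user_b/.bash_history"
    histuser 'rm ' "$root"
    rm -rf "$root"
)

histuser_demo
```

History files are writable by the users who own them, so a match is a lead to follow up, not an audit record.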


Author: SSH_Noob

Updated on September 18, 2022

Comments

  • SSH_Noob over 1 year

    We work on CentOS servers available to over a hundred employees via SSH, each with their own login. Running a normal history bash command shows all of the commands run by all of the employees, however it does not specify which employee the command was run by. Is it possible to have history show not only the bash command that was run, but also which SSH user it was run by?

    • Spiff about 9 years
      Where did you get the idea that bash's history command shows all of the commands run by all of the users on the system? It only shows the current user's history.
    • tripleee about 6 years
      If you have multiple persons logging into the same user account, the trivial fix is to create a personal account for each. If they need to run something with specific privileges, sudo allows for that, and also implements auditing if you want that.
  • Giacomo1968 about 9 years
    That just shows the bash history for a user. It does not search for a command. The question is, “Is it possible to have history show not only the bash command that was run, but also which SSH user it was run by?”