Is there a way to determine which user ran a command in bash history?
It seems like you want greater auditing on your system in general; however, in relation to Bash and history, you can enable time-stamping. This, in conjunction with the last command and a tailored grep, should help in determining which specific user executed the crime. Er, command.
- Enable history timestamps.
From GNU's Bash page:
If this variable is set and not null, its value is used as a format string for strftime to print the time stamp associated with each history entry displayed by the history builtin. If this variable is set, time stamps are written to the history file so they may be preserved across shell sessions. This uses the history comment character to distinguish timestamps from other history lines.
Reference on formatting the time string
- Use last command
Last will show user login/logout times. This will narrow your search down to a few users.
- Grep the specific users matched above for the specific command.
Something like:
# bash's default per-user history file is ~/.bash_history
grep "command" /home/{user_a,user_b}/.bash_history
Note: the history file will have additional data for the timestamp; however, it will still be very readable in text.
- Create a Bash function to perform all the above
Create a function, histuser(), which will take one argument, a command name, and do the above searches, returning the name of the specific user. If you want this done, email me. I'm easy, but not cheap.
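One way to write the histuser() function described in the answer above, as an added example (not code from the original answer). It assumes timestamps are enabled through HISTTIMEFORMAT (the variable the quoted Bash manual passage describes), that histories live in <base>/<user>/.bash_history, and that it is run as root; the second argument and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# histuser PATTERN [HOME_BASE]
# Search every user's bash history under HOME_BASE (default /home) and print
# "user<TAB>epoch<TAB>command" for each entry containing PATTERN.
# With HISTTIMEFORMAT set, bash writes "#<epoch>" on the line before each
# command; entries saved before that was enabled are reported with "-".
# Reading other users' history files normally requires root.
histuser() {
    local pattern="$1" base="${2:-/home}" file user
    for file in "$base"/*/.bash_history; do
        [ -r "$file" ] || continue
        user=$(basename "$(dirname "$file")")
        awk -v user="$user" -v pat="$pattern" '
            /^#[0-9]+$/    { ts = substr($0, 2); next }   # timestamp comment line
            index($0, pat) { printf "%s\t%s\t%s\n", user, (ts == "" ? "-" : ts), $0 }
                           { ts = "" }                    # a timestamp covers one entry
        ' "$file"
    done
}

# Constructed sample data: two users, one with an entry that predates timestamping.
demo_base=$(mktemp -d)
mkdir -p "$demo_base/user_a" "$demo_base/user_b"
printf '#1663490000\nls -l\n#1663490060\nsystemctl stop httpd\n' \
    > "$demo_base/user_a/.bash_history"
printf 'systemctl stop httpd\n#1663493600\nvim notes.txt\n' \
    > "$demo_base/user_b/.bash_history"

histuser "systemctl stop" "$demo_base"
```

Each epoch can be converted with `date -d @<epoch>` and compared with the sessions that last reports. Because every user can edit their own history file, treat the result as a lead and not as an audit record.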
SSH_Noob
Updated on September 18, 2022
Comments
SSH_Noob over 1 year
We work on CentOS servers available to over a hundred employees via SSH, each with their own login. Running a normal history bash command shows all of the commands run by all of the employees, however it does not specify which employee the command was run by. Is it possible to have history show not only the bash command that was run, but also which SSH user it was run by?
Spiff about 9 years
Where did you get the idea that bash's history command shows all of the commands run by all of the users on the system? It only shows the current user's history.
tripleee about 6 years
If you have multiple persons logging into the same user account, the trivial fix is to create a personal account for each. If they need to run something with specific privileges, sudo allows for that, and also implements auditing if you want that.
Giacomo1968 about 9 years
That just shows the bash history for a user. It does not search for a command. The question is, “Is it possible to have history show not only the bash command that was run, but also which SSH user it was run by?”