1

I want to know which user executed which command on the terminal and when, i.e. if any user does "rmdir abc" and removes a specific directory, I should know which command he executed and at what time. And I don't want it for a single session; this data should be available to me like we maintain logs, so that I can analyze it for any point in time.

I tried the history command as well and also added time to it, but it does not show the "Users" of the command and it is also session based, so its data does not get appended to the ~/.bash_history file unless the session is exited. Also, ~/.bash_history does not show time and user, so it's not useful. Can anyone help me please? I just want to see which user executed which command from the moment the system is started, and at what time.

Prototype
  • 129
  • What is your end goal? Anything based on simple shell history can be easily circumvented by the user. Perhaps you should be looking at something like pam_tty_audit.so? See for example How do I log every command executed by a user? – steeldriver Oct 07 '19 at 13:36
  • Thanks for replying @steeldriver. My ultimate goal is to log data about all commands executed by all users along with a timestamp. And if it is possible, I even want to see non-command actions of the users as well, like if they delete a file from the UI or any other source and not through a command. – Prototype Oct 09 '19 at 04:20

2 Answers

0

You can check the commands that were executed by users using sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history

For more, you can also check the auth logs: tail /var/log/auth.log | grep username

Try this similar question: How to see time stamps in bash history?

  • Thanks for the reply @Sanjay, but like I said, history commands work session-wise and auth.log will contain information only for a specific time period; after that it will be gone. Can you suggest anything else please? Also, can you tell me how to read the time stamp in the ~/.bash_history file? – Prototype Oct 07 '19 at 04:48
0

I guess it is in each user's own bash history file. You just need to get a list of the .bash_history files and cat them.

cd /home
find . -name .bash_history

Outputs:

./gediz/.bash_history

Then cat it:

cat ./gediz/.bash_history

You can do it in a for loop:

# run from /home, as above: collect every user's history file
a=$(find . -name .bash_history)
for i in $a
do
# print the file's path, then its contents
echo "$i"
cat "$i"
done

You can make a service or edit the rc.local file for Ubuntu startup with a while loop which backs up all users' .bash_history on every iteration to a secure location, so that even if users delete theirs you will be able to check what has been done.
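
Added example, not part of either answer above: a shell function that merges every user's .bash_history into one "time, user, command" listing, which is what the question asks for. It assumes the shells ran with HISTTIMEFORMAT set, so bash wrote a `#<epoch-seconds>` line before each command, and that home directories are named after the account; the function name `history_timeline` is hypothetical.

```bash
# history_timeline BASE_DIR
# Prints "epoch<TAB>user<TAB>command" for every BASE_DIR/<user>/.bash_history,
# oldest first. Commands recorded without a timestamp line get "-" as their
# time and sort to the top. Reading other users' files normally needs root.
history_timeline() {
    local base=${1:-/home} f user
    for f in "$base"/*/.bash_history; do
        [ -r "$f" ] || continue                 # skip missing/unreadable files
        # Assumption: the directory name is the account name.
        user=$(basename "$(dirname "$f")")
        awk -v user="$user" '
            # "#1570423500" is the timestamp bash writes before an entry
            /^#[0-9]+$/ { ts = substr($0, 2); next }
            # any other line is a command; pair it with the pending timestamp
            { printf "%s\t%s\t%s\n", (ts == "" ? "-" : ts), user, $0; ts = "" }
        ' "$f"
    done | sort -s -n -k1,1                     # stable sort by epoch
}
```

On Ubuntu an epoch value from the first column can be converted with `date -d @1570423500`. The listing only contains what bash itself saved, so the limits raised in the comments (history is written at session exit and can be edited by the user) still apply.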