We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x
Private

How to check sudo comannd history?

Y I
Y I asked
on
Medium Priority
181 Views
Last Modified: 2019-09-30
How do I check a history of commands executed by sudo?
I checked /home/username/.bash_history file but it contains only commands executed by the user.
I use RedHat 7.4. It's appreciate if I can know how to check sudo command history.
Comment
Watch Question

Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
You'll find logins via sudo somewhere like /var/log/auth.log or /var/log/secure or something similar.

Once sudo or su change to a new user, then the commands for that user are logged in a shell history file for the specific user.

So there's no one place you can look for all commands issued under sudo/su for all users.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Also, one other point. To have timestamps associated with history commands, you'll most likely have to change history formatting for all users.

You'll have to do this somewhere like /etc/bashrc, if you require this for all users + any user can still disable this.

Something like...

export HISTTIMEFORMAT="%d/%m/%y %T "

Open in new window


Note: At least bash, likely other shells too, maintain timestamps on all history entries, so using $HISTTIMEFORMAT toggles this info on/off, so in most cases you can toggle this setting on to show time stamps on any command in any history file.

You may also require increasing number of history lines kept...

# Keep all history forever...
export HISTSIZE=0

# Keep last 2000 lines of history
export HISTSIZE=2000

Open in new window

CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
David pointed it out that commonly in audit.
Though, sudo -I, sudo -s, subsequent command will be in root's .bash_history.
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
You can try the following command:

history
and
sudo history

.bash_history is only the history for bash shell. ksh, csh etc. have different files.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
/var/log/secure is another place to look.
Please note that if you allow a user to run sudo -s -i or an editor or a shell only that command is recorded. after that commands are not logged.

editors often have the option to open a command window (!) a shell.
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Please note that if you allow a user to run sudo -s -i or an editor or a shell only that command is recorded. after that commands are not logged.
They are recorded in the history, only in the context of the new user....
(and not in /var/log... )
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
This info was included in my prior comment. My first comment.
Point being if it is in .basj_history or similar to determine who and when made the change could be difficult, I think David included an option to add time stamping,
The events in sevurity for sudo records includes who and what command.
.bash_history has a sequence... If there are two users elevate within a similar timeframe .bash_history ....
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
with ksh the history is shared. So when user X is logged on twice..    both sessions have their commands be added to the history.
(and a shared call back buffer)  makes working semi repetitive tasks "interesting" getting random commands for what you thought of as the previous commend..)
Y I

Author

Commented:
Thank you very much for the valuable insight. I learned a lot from your discussion. Thank you very much for your help.
David FavorFractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Glad you got a solution worked out!
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.