How to view command history of another user in Linux?
Solution 1:
On Debian-based operating systems, doing
tail /var/log/auth.log | grep username
should give you a user's sudo
history. I don't believe there is a way to get a unified command history of a user's normal + sudo commands.
On RHEL-based operating systems, you would need to check /var/log/secure
instead of /var/log/auth.log
.
Solution 2:
Just tested the following, and it worked like a charm.
sudo vim /home/USER_YOU_WANT_TO_VIEW/.bash_history
Solution 3:
use below command
sysdig -c spy_users
if sysdig not installed, install here
Solution 4:
If the user issued a command as in sudo somecommand
, the command will appear in the system log.
If the user spawned a shell with eg, sudo -s
, sudo su
, sudo sh
, etc, then the command may appear in the history of the root user, that is, in /root/.bash_history
or similar.
Solution 5:
# zless /var/log/auth*
is your friend here. It opens even the gzipped files. You can jump between those with :n
forwards or :p
backwards.
Alternatively, you can use # journalctl -f -l SYSLOG_FACILITY=10
for instance. Read more about this on the Arch Linux wiki