In Unix-based systems, is there a log file that stores user's executed command(s)?
Logs – User's Executed Commands Log File
Tags: command history, logs, monitoring
Related Solutions
Using the shell built-in set -x is probably the cheap-and-dirty way to do this. In shell scripts you will often see a line like:
#set -x
Which someone left behind by just commenting it out. I think you could use that at the interactive command line, but you may not like what it does there.
If your users use bash, you can use an /etc/bash.bash_logout script to save an extra copy of the history in time-stamped format.
For example, I wrote the following to provide an audit-trail of who did what and when (on a server with multiple sudo users), and also to preserve history in case the machine was broken into:
#! /bin/bash
# /etc/bash.bash_logout
#
# Time-stamped bash history logging
# by Craig Sanders <cas@taz.net.au> 2008
#
# This script is public domain. Do whatever you want with it.
exec >& /dev/null
# LOGDIR must already exist and must be mode 1777 (same as /tmp)
# put it somewhere easily overlooked by script-kiddies. /var/log
# is a bad location because slightly-brighter-than-average SK's will
# often 'rm -rf /var/log' to cover their tracks.
LOGDIR='/var/tmp/.history'
[ -d "$LOGDIR" ] || exit 0
# Get current user name and who they logged in as.
CNAME=$(id -u -n)
LNAME=$(who am i | awk '{print $1}')
NAME="$LNAME--$CNAME"
# Get the TTY
TTY=$(tty)
# get the hostname and ip they logged in from
# short (non-fqdn) hostname:
RHOST_NAME=$(who -m | awk '{print $5}' | sed -r -e 's/[()]|\..*//g')
# or full hostname:
#RHOST_NAME=$(who -m | awk '{print $5}' | sed -r -e 's/[()]//g')
# if no RHOST_NAME, then login was on the console.
echo "$RHOST_NAME" | grep -q '[:/]' && RHOST_NAME="console"
# get the IP address
RHOST_IP=$(who -m --ips | awk '{print $5}')
echo "$RHOST_IP" | grep -q '[:/]' && RHOST_IP="console"
RHOST=$(echo "$RHOST_NAME--$RHOST_IP")
WHERE="$RHOST--$TTY"
WHERE=$(echo "$WHERE" | sed -e 's/\//-/g' -e 's/^-//')
# Filenames will be of the form:
# $LOGDIR/cas--root--localhost--127.0.0.1---dev-pts-1
# Ugly, but useful/informative. This example shows I logged in as cas
# from localhost, sudo-ed to root, and my tty was /dev/pts/1
HISTLOG="$LOGDIR/$NAME--$WHERE"
# Optionally rotate HISTLOG on each logout, otherwise new history
# sessions just get appended.
#[ -e "$HISTLOG" ] && savelog -l -c 21 -q $HISTLOG > /dev/null 2>&1
# Log some easily parseable info as a prelude, including the current
# history settings (an unusual HISTFILE or zero HISTSIZE setting is
# suspicious and worthy of investigation)
cat <<__EOF__ >> "$HISTLOG"
### TIME ### $(date +'%a,%Y-%m-%d,%H:%M:%S')
### FROM ### $RHOST_NAME,$RHOST_IP,$TTY
### USER ### $LNAME,$CNAME
### WHOM ### $(who -m)
### HIST ### $HISTFILE,$HISTSIZE
__EOF__
# Setting HISTTIMEFORMAT seems to be buggy. bash man page says it uses
# strftime, but all it seems to care about is whether it's set or not -
# 'history -a' always uses seconds since epoch, regardless of what it is
# set to.
HISTTIMEFORMAT="%s"
history -a "$HISTLOG"
# Now write history as normal (this seems buggy too. bash used to always
# write $HISTFILE anyway, but now it won't do it if you've already run
# 'history -a')
unset HISTTIMEFORMAT
history -w
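The audit trail written by the logout script above is only useful if someone reads it, so here is an added Python example (not part of the answer or of Craig Sanders' script) that parses one HISTLOG file into sessions and flags the condition the script's own comment calls suspicious: a zero HISTSIZE or a disabled HISTFILE. The log content embedded below is constructed to match the script's output format.

```python
import re
# Constructed sample HISTLOG as the logout script above writes it: a "### KEY ###"
# prelude per session, then `history -a` output with a "#<epoch>" line before each
# command. Sample data for this example, not a real log.
SAMPLE_HISTLOG = """\
### TIME ### Tue,2008-05-06,10:22:13
### FROM ### localhost,127.0.0.1,/dev/pts/1
### USER ### cas,root
### HIST ### /root/.bash_history,500
#1210069200
ls -la /etc
#1210069210
visudo
### TIME ### Wed,2008-05-07,02:03:11
### FROM ### console,console,/dev/tty1
### USER ### bob,root
### HIST ### /dev/null,0
#1210125780
rm -rf /var/log
"""
PRELUDE = re.compile(r"^### (TIME|FROM|USER|WHOM|HIST) ### (.*)$")
STAMP = re.compile(r"^#(\d+)$")

def parse_histlog(text):
    """One dict per session: lower-cased prelude keys plus 'commands',
    a list of (epoch_or_None, command_line) tuples."""
    sessions, stamp = [], None
    cur = {"commands": []}                 # sink for lines before the first prelude
    for line in text.splitlines():
        m = PRELUDE.match(line)
        if m:
            key, val = m.groups()
            if key == "TIME":              # a TIME line opens a new session
                cur = {"time": val, "commands": []}
                sessions.append(cur)
                stamp = None
            else:
                cur[key.lower()] = val
        elif STAMP.match(line):            # "#<epoch>" written by history -a
            stamp = int(line[1:])
        else:                              # a command; pairs with the last stamp
            cur["commands"].append((stamp, line))
            stamp = None
    return sessions

def suspicious(session):
    """The script's own heuristic: zero HISTSIZE or a disabled HISTFILE."""
    histfile, _, histsize = session.get("hist", ",").rpartition(",")
    reasons = ["HISTSIZE=0"] if histsize == "0" else []
    if histfile in ("", "/dev/null"):
        reasons.append("HISTFILE=" + (histfile or "<unset>"))
    return reasons
```

Run it over every file in LOGDIR and review any session that returns a non-empty list from suspicious() first, since those are the ones whose regular ~/.bash_history will be empty.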
Best Answer
Given that you want to track all user commands, you should look at the acct package on your system (on some systems this is also called "process accounting" or psacct). Then after it's been turned on, you can run the lastcomm command to show what programs have been run, by whom, when and for how long. From Google, search "linux acct" for more details.
http://beginlinux.com/blog/2010/01/monitoring-user-activity-with-psacct-or-acct/
http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html