How to Check Sudo History in Linux

Check Sudo History Reading Featured

When sharing your computer with others, and you’ve granted them sudo access, it’s prudent to monitor how they’re using it. Thankfully, it’s easy to check out sudo history. Let’s see how.

The Authentication Log

Plenty of Linux services keep logs to help in troubleshooting problems. Thankfully, among other things, it also keeps a detailed list of precisely the information we seek in this article. In this list, you can check out who and when issued which command using sudo. To find this information, if you’re using a distribution based on Debian or Ubuntu, enter the following inro your favorite terminal:

Check Sudo History Nano Authlog

In other distributions the location may vary. This information could be at “/var/log/secure” or “/var/log/audit/audit.log.” You can find this log file’s location by checking the sudoer’s file. This, too, may be found in a different spot depending on the distribution. Usually, you’ll find it at “/etc/sudoers.” Open it with your favorite text editor and search for the logfile entry. Its value is where the file we’re seeking lies, so, remix the command above to check yours instead.

Making Sense of Chaos

The log file will contain a ton of entries that probably aren’t of interest. You could scroll and scroll through it or use your text editor’s find function to locate every use of sudo.

Check Sudo History Reading Authlog

It’s better, though, if you use grep instead. This way, you can filter the log’s contents based on a simple query. To find all sudo entries in it, use:

Remember to update the log’s path to the correct one for your distribution.

Check Sudo History Filter With Grep

This command will display the results directly in your terminal.

Check Sudo History Filtered Results

If you prefer to have them in file format, add such a redirect after the command, like:

When you check it out, you’ll find a series of entries that contain the date, time, computer name, and command used.

Normal Bash

If you’re just looking for all commands typed in the terminal, you can check out the “.bash_history” file located in the Home folder. You could, for example, enter the following in a terminal:

This will show you all the commands you (or other users) run in the terminal.

Now that you know how to check the sudo history, you can also disable the sudo password if you are the only user of your PC or how to get the sudo password to show up as an asterisk.

Related:

Leave a Comment

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.