When you share your computer with others and have granted them sudo access, it's prudent to monitor how they're using it. Thankfully, it's easy to check sudo history. Let's see how.
The Authentication Log
Plenty of Linux services keep logs to help in troubleshooting problems. Thankfully, among other things, the authentication log also keeps a detailed list of precisely the information we seek in this article. In this list, you can check who issued which command using sudo, and when. To find this information, if you're using a distribution based on Debian or Ubuntu, enter the following into your favorite terminal:
In other distributions the location may vary. This information could be at "/var/log/secure" or "/var/log/audit/audit.log". You can find this log file's location by checking the sudoers file. This, too, may be found in a different spot depending on the distribution. Usually, you'll find it at "/etc/sudoers". Open it with your favorite text editor and search for the logfile entry. Its value is where the file we're seeking lies, so adapt the command above to check yours instead.
Making Sense of Chaos
The log file will contain a ton of entries that probably aren’t of interest. You could scroll and scroll through it or use your text editor’s find function to locate every use of sudo.
It's better, though, if you use grep instead. This way, you can filter the log's contents based on a simple query. To find all sudo entries in it, use:
Remember to update the log’s path to the correct one for your distribution.
This command will display the results directly in your terminal.
If you prefer to have them in a file, add a redirect after the command, like:
When you check it out, you’ll find a series of entries that contain the date, time, computer name, and command used.
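The filtering described above, as an added example that is not part of the original article: a shell function that keeps only sudo's command records from an authentication log and prints time, invoking user, target user, result and command as tab-separated columns, so denied attempts stand out. The sample log lines are constructed, and "/var/log/auth.log" in the usage comment is the usual Debian/Ubuntu location, assumed here.

```shell
#!/bin/sh
# Added example. Constructed sample lines (host, users and times are made up).
# A plain grep for "sudo" also matches the pam and usermod lines, which are
# not command records.
sample_log() {
cat <<'EOF'
Mar  4 10:15:02 myhost sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 10:15:02 myhost sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  4 10:16:30 myhost usermod[1201]: add 'dave' to group 'sudo'
Mar  4 10:17:40 myhost sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
2024-03-04T10:21:11.480213+00:00 myhost sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=www-data ; COMMAND=/usr/bin/id
EOF
}

# Print: time <TAB> invoking user <TAB> target user <TAB> result <TAB> command
# Reads the files given as arguments, or standard input when there are none.
sudo_history() {
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) && /; COMMAND=/ {
        stamp = substr($0, 1, RSTART - 1)      # timestamp plus hostname
        msg   = substr($0, RSTART + RLENGTH)   # text after the "sudo:" tag
        sub(/ +[^ ]+$/, "", stamp)             # drop the hostname
        sep = index(msg, " : ")
        if (!sep) next
        who  = substr(msg, 1, sep - 1)
        rest = substr(msg, sep + 3)
        # A first field that is not KEY=value is the refusal reason
        first = rest
        if ((p = index(rest, " ; ")) > 0) first = substr(rest, 1, p - 1)
        status = (first ~ /^[A-Z]+=/) ? "ok" : first
        runas = "?"
        if (match(rest, /; USER=[^ ]+/)) runas = substr(rest, RSTART + 7, RLENGTH - 7)
        cmd = substr(rest, index(rest, "; COMMAND=") + 10)
        printf "%s\t%s\t%s\t%s\t%s\n", stamp, who, runas, status, cmd
    }' "$@"
}

# Demo on the constructed sample. On a real system, for example:
#   sudo_history /var/log/auth.log > sudo-history.tsv
sample_log | sudo_history
```

Both the classic syslog timestamp and the ISO 8601 one used by newer rsyslog configurations are handled, because everything before the hostname is treated as the time.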
If you're just looking for all commands typed in the terminal, you can check the ".bash_history" file located in the Home folder. You could, for example, enter the following in a terminal:
This will show you all the commands you (or other users) ran in the terminal. Each account has its own history file, and its owner can edit or clear it, so treat it as a convenience rather than an audit record.