When sharing your computer with others, and you’ve granted them sudo access, it’s prudent to monitor how they’re using it. Thankfully, it’s easy to check out sudo history. Let’s see how.
The Authentication Log
Plenty of Linux services keep logs to help in troubleshooting problems. Thankfully, the authentication log also keeps a detailed record of precisely the information we seek in this article. In it, you can check who issued which command using sudo, and when. To find this information, if you’re using a distribution based on Debian or Ubuntu, enter the following into your favorite terminal:
sudo nano /var/log/auth.log
In other distributions the location may vary. This information could be at “/var/log/secure” or “/var/log/audit/audit.log.” You can find this log file’s location by checking the sudoers file. This, too, may be found in a different spot depending on the distribution. Usually, you’ll find it at “/etc/sudoers.” Open it with your favorite text editor and search for the logfile entry. Its value is where the file we’re seeking lies, so adjust the command above to open yours instead.
Making Sense of Chaos
The log file will contain a ton of entries that probably aren’t of interest. You could scroll and scroll through it or use your text editor’s find function to locate every use of sudo.
It’s better, though, if you use grep instead. This way, you can filter the log’s contents based on a simple query. To find all sudo entries in it, use:
sudo grep sudo /var/log/auth.log
Remember to update the log’s path to the correct one for your distribution.
This command will display the results directly in your terminal.
If you prefer to have them in file format, add a redirect after the command:
sudo grep sudo /var/log/auth.log > sudolist.txt
When you check it out, you’ll find a series of entries that contain the date, time, computer name, and command used.
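The entries described above can also be reduced to a table of who ran what, including the attempts sudo refused. This is an added example, not part of the original article: the function names and the sample log lines are constructed, and it assumes sudo's default syslog line format (user : TTY=... ; PWD=... ; USER=... ; COMMAND=...).

```shell
#!/usr/bin/env bash
# Added example: turn sudo lines from an auth.log-style file into a table.
# Output columns (tab-separated): timestamp, status, user, run-as user, command

sudo_events() {   # $1 = log file, e.g. /var/log/auth.log (root needed to read it)
    awk '
    match($0, / sudo(\[[0-9]+\])?: +/) {
        head = substr($0, 1, RSTART - 1)        # "timestamp hostname"
        body = substr($0, RSTART + RLENGTH)     # "user : TTY=... ; COMMAND=..."
        i = index(body, "COMMAND=")
        if (i == 0) next                        # PAM session lines carry no command
        meta = substr(body, 1, i - 1)           # everything before the command
        cmd  = substr(body, i + 8)
        ts = head;    sub(/ [^ ]+$/, "", ts)    # drop the hostname field
        user = meta;  sub(/ :.*/, "", user)
        runas = meta; sub(/.*USER=/, "", runas); sub(/ ;.*/, "", runas)
        status = "OK"
        if (meta ~ /NOT in sudoers|command not allowed/) status = "DENIED"
        else if (meta ~ /incorrect password attempt/)    status = "BADPASS"
        printf "%s\t%s\t%s\t%s\t%s\n", ts, status, user, runas, cmd
    }' "$1"
}

# Only the attempts sudo refused: the lines worth reading first.
sudo_refused() { sudo_events "$1" | awk -F'\t' '$2 != "OK"'; }

# Number of successful sudo commands per user, sorted by name.
sudo_counts() {
    sudo_events "$1" | awk -F'\t' '$2 == "OK" { n[$3]++ }
        END { for (u in n) print u, n[u] }' | sort
}

# Constructed sample log (not real data), traditional syslog timestamps.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Mar 10 14:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 14:02:11 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar 10 14:05:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 14:07:02 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/id
Mar 10 14:09:30 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su -
Mar 10 14:12:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=www-data ; COMMAND=/usr/bin/env USER=x id
EOF

sudo_events "$SAMPLE"
```

On a real machine, call the functions with your distribution's log path instead of the sample file, for example sudo_refused /var/log/auth.log from a root shell.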
If you’re just looking for all commands typed in the terminal, you can check out the “.bash_history” file located in the Home folder. You could, for example, enter the following in a terminal:
sudo nano /home/USERNAME/.bash_history
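This will show you all the commands you (or other users) ran in the terminal. Keep in mind that this file belongs to the user and can be edited or cleared by them, so treat it as a convenience rather than an audit record.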
Another way of looking at what sudo did is by using systemd’s journalctl. This is a log-viewing program that comes with every Linux distribution that uses systemd.
These include not only Debian and Ubuntu but also other popular distributions such as Arch Linux and Fedora. As such, journalctl can be a helpful utility if you are already constantly switching between systemd-based Linux distributions.
Using journalctl to look at the sudo logs is incredibly easy. First, you need to log in as either the root user or an account with superuser privileges.
Run the following command to view all of the logs for the sudo program:
sudo journalctl -e /usr/bin/sudo
Doing this tells journalctl to search the journal for every entry logged by the sudo program and print them. journalctl then sends that output to the system pager, where you can easily scroll through the whole history of sudo-related logs.
From here, journalctl will then highlight all of the instances that a user invoked a sudo command. As discussed above, this can be helpful if you are trying to fix a multi-user system and you want to know who ran privileged commands when.
Knowing all of that, it is also possible to read your system’s sudo logs through a dedicated interface that came with your desktop environment. Doing it this way reduces the amount of complexity and commands that you need to learn in order to monitor your system.
One important thing to note is that these programs will always be included in a basic installation of a desktop environment. However, Linux distributions often create custom builds that do not contain these smaller utilities. As such, you will need to first check whether these tools are already installed in your system.
To start using GNOME Logs, you will need to first open the Application Menu. From there, you can then type “Logs” to search for the GNOME Log Utility.
Once open, the program will present a number of tabs where you can check the log for a particular aspect of your system. In order to check for your sudo logs you will need to click “Security”.
This will, in turn, print all of the latest security information for your machine. This includes all of the processes that ran with root privileges, regardless of whether they used sudo or not. From here, you can then press the Magnifying Glass icon on the top right corner of the window to initiate a search on all of these log entries.
With that, you can type the word “sudo” to tell GNOME Logs that you only want to see the commands and processes that were run through sudo.
KSystemLog is the default logging utility for distributions such as Kubuntu 21.10, 22.04 and Manjaro KDE, all of which use the KDE Plasma environment for their desktop. Similar to GNOME Logs, it is also a fully-featured program that can provide an extensive view of your machine.
With that, using KSystemLog to look at your system’s sudo history is incredibly easy. First, you need to open the Applications Launcher by clicking the Plasma icon on the lower left corner of your screen.
From there, you can then type “KSystemLog” at the launcher’s search bar. This will, in turn, search for the utility and run it as soon as you press Enter.
Once done, KSystemLog will immediately display a log for the programs that are currently running in the system. From here, you can then type “sudo” on the Filter bar to only look at all the logs that came from sudo.
MATE System Log
Lastly, MATE System Log is a minimal GUI log program that comes by default in MATE-based distributions. Unlike the previous GUI loggers, it only provides a simple file browser for all the system logs available in the machine. As such, MATE System Log can look daunting for a beginner to properly use.
Despite that, using this program to view your sudo history log is relatively straightforward. In order to get started, you need to first open your Application Menu by clicking the Menu button located on your desktop’s upper left corner.
From there, you can then focus on the Search Bar and type “Log File Viewer”. This will tell MATE to look for the system log program and run it.
Once done, the MATE System Log program will list all the current logs available in your system. With that, the last thing that you need to do to view your sudo history is to click “auth.log”.
As described above, this is the log file that takes note of all the sudo-related commands that ran in your system. In my case, it showed that I recently ran a system update on my system through sudo.
Frequently Asked Questions
Is it possible to only show the latest sudo log entries from journalctl?
Yes! It is possible to only show a limited amount of logs from journalctl. This can be especially helpful if you are maintaining a heavily-used machine and you only want to know the last few sudo-related logs. You can run the following command in your terminal:
sudo journalctl --lines=10 -e /usr/bin/sudo
Doing this will tell journalctl that you only want it to display the last 10 sudo-related entries that it logged while it is running.
It is also possible to only display time-specific logs from journalctl. This command will tell journalctl to only print all the sudo-related logs that were committed between yesterday and today:
sudo journalctl --since=yesterday --until=today -e /usr/bin/sudo
I am not using Bash, is it still possible to look at my sudo history?
This will largely depend on the shell that you are currently using. For the most part, however, every system shell should be able to produce a running history of all the commands that you ran in your machine.
For example, the history file for Debian-based systems is often labelled as “.history”. As such, you can open this file instead of the default “.bash_history”.
KSystemLog asks and denies my password when I open it, is my copy broken?
By default, KSystemLog will attempt to open itself with elevated privileges. This, in turn, allows it to not only display logs but also manage the processes that are currently running in the system.
Because of that, KSystemLog will always try to run itself as the root user when you open it for the first time. In order to achieve that, however, it first needs to know your root account’s password.
Despite that, it is still possible to use KSystemLog without providing any root privileges. To do that, you can press the “Ignore” button when KSystemLog asks for any elevated privileges.
Image credit: Unsplash