Unix administration - Who executed this command

Author

Who executed this command

Manu

2005-12-21, 5:57 pm

Hi All,

I've to find who executed a particular commad on a linux machine.
Current setup is multiple users may login with same user id, through
telnet.

In other words, I would like to know who executed which command on a
machine at a later point.

My primitive knowledge doesn't go beyond the list of commands executed
in a shell.

Kindly help me.

Thanks & Regards,
Manu

Dave Hinz

2005-12-21, 5:57 pm

On 21 Dec 2005 09:26:17 -0800, Manu <manogna_z@yahoo.com> wrote:
> Hi All,
>
> I've to find who executed a particular commad on a linux machine.
> Current setup is multiple users may login with same user id, through
> telnet.

Shared accounts are bad. Telnet is insecure.

> In other words, I would like to know who executed which command on a
> machine at a later point.

If it's not in 'history', you've got nothing to go on. Even with it in
history, your options are limited.

> My primitive knowledge doesn't go beyond the list of commands executed
> in a shell.

I would suggest looking at timestamps, to see who was logged in at the
time whatever happened,happened. From there, use 'last' to see where
they logged in from, if that's available.

Going forward, install 'sudo' (it's probably already there), which gives
specific logging of who/what/when. You can keep the "shared" account,
just don't let people actually log in to it. They can say "run this as
user that", and sudo will log where they were when they did what they do
as that user.

> Kindly help me.

You may have exactly nothing solid to work on this time. Install sudo
so you have something, next time. It's great for "OK, why did what just
happened, happen?" type troubleshooting, for those times when the system
does exactly what it was told, rather than what you wanted to tell it to
do.