
Audit Commands Linux Users used

Cowboy Denny


When you maintain a Linux-based operating system that is locked down (so you cannot install helpful tools to help you track events), you have to get creative, so I created this script (it's real ugly but works) that looks at every user in the /etc/passwd file and checks bash_history for commands, and in this case I also check what commands on the F5 they may have run.

It may be helpful for you or not. It doesn't cost you anything (unless you want to donate a tasty beverage to me for all my hard work).

Create a script (for example, auditcmds.sh)


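#!/bin/bash
#### Created By: Dennis Hosang
#### Script gathers audit information for users
#### Version 1.0 2022.04.14

outfile=/var/tmp/DJ/audit/auditcmdsOutput_$(date +%Y%m%d).txt

# Create the output directory if it does not exist yet
mkdir -p "$(dirname "$outfile")"

echo "User audit on $HOSTNAME"."$(date +%Y%m%d)" > "$outfile"
# /etc/passwd fields: f1=user f2=password f3=UID f4=GID f5=comment f6=home f7=shell
while IFS=: read -r f1 f2 f3 f4 f5 f6 f7
do
    echo "........ start $f1 ($f5) ........" >> "$outfile"
    echo "User $f1 use $f7 shell and stores files in $f6 directory." >> "$outfile"
    echo "***** User $f1 tmsh-history *****" >> "$outfile"
    # Read from the home directory listed in /etc/passwd (f6); skip files that are not there
    [ -r "$f6/.tmsh-history-$f1" ] && cat "$f6/.tmsh-history-$f1" >> "$outfile"
    echo "***** User $f1 bash_history *****" >> "$outfile"
    [ -r "$f6/.bash_history" ] && cat "$f6/.bash_history" >> "$outfile"
    echo "........ done $f1 ($f5) ........" >> "$outfile"
    echo " " >> "$outfile"
done < /etc/passwd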

It's pretty self-explanatory, but once you create this file you can simply run

bash auditcmds.sh
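
An added example, not part of the original post: a history file only helps an audit if it is a regular, non-empty file, so this sketch classifies each user's history files before their contents are trusted. The function names and status labels are this example's own assumptions; the file names follow the script above.

```shell
#!/bin/bash
# Added example (not the original author's code): report the state of each
# user's history files so gaps in the audit output are visible.
# Usage after sourcing: audit_histories            (reads /etc/passwd)
#                       audit_histories /path/to/passwd-copy

# Print one status word for a history file (labels are this example's own).
history_status() {
    local f="$1"
    if [ -L "$f" ]; then
        echo "symlink"      # history is not kept in a regular file
    elif [ ! -e "$f" ]; then
        echo "missing"      # never written, or removed
    elif [ ! -s "$f" ]; then
        echo "empty"        # exists but holds no commands
    else
        echo "ok"
    fi
}

# Walk a passwd-format file and print, tab-separated, one line per history
# file: user, path, status, number of recorded lines.
audit_histories() {
    local passwd="${1:-/etc/passwd}"
    local user _pw _uid _gid _gecos home _shell f status lines
    while IFS=: read -r user _pw _uid _gid _gecos home _shell
    do
        [ -d "$home" ] || continue      # account has no home directory
        for f in "$home/.bash_history" "$home/.tmsh-history-$user"
        do
            status=$(history_status "$f")
            lines=0
            [ "$status" = ok ] && lines=$(wc -l < "$f")
            printf '%s\t%s\t%s\t%s\n' "$user" "$f" "$status" "$((lines))"
        done
    done < "$passwd"
}
```

Anything other than "ok" for an interactive account means the audit output has no commands for that user, which is worth following up separately.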
