Linux show all user history

How to check user’s login history in Linux?

Linux is a multi-user operating system and more than one user can be logged into a system at the same time.

You may need to check the login history to identify who has logged into the system recently or within a certain period of time.

This can be done in multiple ways and we will show you how to check the user login history in detail using the last command in this article. However, we will also provide you with a summary of the other commands.

The output of the last command contains useful information about each login: the user name, the terminal connected, the source IP (the address from which the user accessed the system), the date and time, and how long the user was logged into the system.

This helps when analyzing certain types of issues. For example, if some files were removed at a particular time, we can ask the users who were logged into the system at that time, as first-level troubleshooting.

The login records are stored in the following files. These are binary files, so they cannot be read in a text editor.

  • /var/run/utmp: It contains information about the users who are currently logged onto the system. The who command fetches its information from this file.
  • /var/log/wtmp: It contains historical utmp data. It keeps the users' login and logout history. The last command uses this file to display the information.
  • /var/log/btmp: It contains bad login attempts.

Alternatively, user login information can be verified using the aureport tool, which generates summary reports of the user’s login history.

What is last command?

The last command reads the ‘/var/log/wtmp’ file and displays a list of all users who have logged in and out since the file was created.

What is lastb command?

The lastb command works the same way as the last command, but by default it reads the ‘/var/log/btmp’ file, which contains all bad login attempts.

Difference between pts and tty

You may have seen pts and tty values in the who command output and the below explanation will show the difference between them.

  • tty stands for TeleTYpe. It is a native terminal device (it could be a server/system console).
  • A pty (pseudo terminal device) is a terminal device that is emulated by another program such as putty, xterm or screen. It is shown as pts/N in the output.

1) Checking login history of all logged users in Linux

Run the ‘last’ command without any arguments to view the history of all successful logins on the system.

If the output is long, pipe it to the less or more command to view it page by page.

# last -15
daygeek  pts/0        192.168.1.6      Wed Apr  3 00:02   still logged in
reboot   system boot  3.10.0-957.el7.x Tue Apr  2 23:50 - 00:03  (00:13)
daygeek  pts/1        192.168.1.6      Sat Mar 30 10:05 - 00:18  (14:13)
reboot   system boot  3.10.0-957.el7.x Sat Mar 30 04:03 - 00:03 (3+20:00)
ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19 - 04:30  (02:11)
user2    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)
user1    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)
user3    pts/2        192.168.1.6      Fri Mar 29 02:01 - 02:10  (00:08)

2) Checking login history for a particular user

If you want to see the history of a particular user, use the below command. Replace ‘user_name’ with the desired username you want to verify.

# last user_name

# last daygeek
daygeek  pts/0        192.168.1.6      Wed Apr  3 00:02   still logged in
daygeek  pts/0        192.168.1.6      Tue Apr  2 06:02 - 06:02  (00:00)
daygeek  pts/1        daygeek-y700     Thu Mar 28 02:27 - 05:27  (03:00)
daygeek  pts/2        192.168.1.6      Thu Mar 28 01:53 - crash  (00:29)
daygeek  pts/1        192.168.1.6      Tue Mar 19 02:37 - crash (7+18:58)
daygeek  pts/0        192.168.1.6      Tue Mar 19 02:36 - 02:45  (00:09)
daygeek  pts/1        192.168.1.6      Mon Mar 18 16:21 - 16:22  (00:00)

3) How to check login history for a particular period in Linux?

If you want to verify who was logged into the system during a particular period of time, filter the full-timestamp output (-F) with grep as shown below. Note that in this pattern the character class [ 1-9] matches a space or the first digit of any day, so every day in March matches (the output includes Mar 19); the alternatives 11, 29 and 30 do not narrow it. To select specific days, list only those days in the pattern.

# last -F | grep -E 'Mar ([ 1-9]|11|29|30)' | grep 2019
daygeek  pts/0        192.168.1.6      Sat Mar 30 04:14:54 2019 - Sat Mar 30 11:21:57 2019  (07:07)
reboot   system boot  3.10.0-957.el7.x Sat Mar 30 04:03:20 2019 - Wed Apr  3 00:09:13 2019 (3+20:05)
ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19:13 2019 - Fri Mar 29 04:30:25 2019  (02:11)
user2    pts/2        192.168.1.6      Fri Mar 29 02:10:38 2019 - Fri Mar 29 02:10:50 2019  (00:00)
user1    pts/2        192.168.1.6      Fri Mar 29 02:10:22 2019 - Fri Mar 29 02:10:30 2019  (00:00)
user3    pts/2        192.168.1.6      Fri Mar 29 02:01:13 2019 - Fri Mar 29 02:10:01 2019  (00:08)
daygeek  pts/1        192.168.1.6      Fri Mar 29 01:48:21 2019 - crash                    (1+02:14)
root     pts/0        192.168.1.3      Tue Mar 19 02:49:09 2019 - Tue Mar 19 02:50:25 2019  (00:01)
daygeek  pts/0        192.168.1.6      Tue Mar 19 02:36:14 2019 - Tue Mar 19 02:45:25 2019  (00:09)
reboot   system boot  3.10.0-957.el7.x Tue Mar 19 02:33:54 2019 - Wed Apr  3 00:09:13 2019 (14+21:35)

If you want to verify whether a given user was logged into the system during a particular period of time, use the following format.

# last -F root | grep -E 'Mar ([ 1-9]|17|23|30)' | grep 2019
root     pts/0        192.168.1.3      Tue Mar 19 02:49:09 2019 - Tue Mar 19 02:50:25 2019  (00:01)
root     pts/0        192.168.1.6      Tue Mar 19 02:45:46 2019 - Tue Mar 19 02:46:09 2019  (00:00)
root     pts/1        192.168.1.3      Mon Mar 18 18:29:18 2019 - Mon Mar 18 18:29:25 2019  (00:00)
root     pts/1        192.168.1.3      Mon Mar 18 16:22:53 2019 - Mon Mar 18 16:23:06 2019  (00:00)
root     pts/3        192.168.1.7      Mon Mar 18 16:21:38 2019 - Mon Mar 18 16:21:40 2019  (00:00)
root     pts/0        192.168.1.6      Fri Mar 15 01:45:10 2019 - down                      (00:01)

4) Checking login history based on a terminal connected

If you want to check which users logged in on a particular terminal, use the following format.

# last pts/2
ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19 - 04:30  (02:11)
user2    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)
user1    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)
user3    pts/2        192.168.1.6      Fri Mar 29 02:01 - 02:10  (00:08)
daygeek  pts/2        192.168.1.6      Thu Mar 28 01:53 - crash  (00:29)
user2    pts/2        192.168.1.6      Mon Mar 18 16:03 - 18:29  (02:26)
daygeek  pts/2        192.168.1.6      Mon Mar  4 08:40 - 08:40  (00:00)

5) How to check bad login history in Linux?

The lastb command is used to check the user’s bad login history in Linux. It can also be used to view details from archived btmp files.

# lastb

# lastb -f /var/log/btmp-20190402
user1    ssh:notty    192.168.1.6      Fri Mar 29 02:17 - 02:17  (00:00)
ladmin   ssh:notty    192.168.1.6      Fri Mar 29 02:12 - 02:12  (00:00)
user2    ssh:notty    192.168.1.6      Fri Mar 29 02:00 - 02:00  (00:00)
user1    ssh:notty    192.168.1.6      Fri Mar 29 01:53 - 01:53  (00:00)
daygeekk ssh:notty    192.168.1.6      Tue Mar 19 02:36 - 02:36  (00:00)
root     ssh:notty    192.168.1.3      Mon Mar 18 18:05 - 18:05  (00:00)
root     pts/1                         Mon Mar 18 16:00 - 16:00  (00:00)
root     ssh:notty    192.168.1.6      Sun Mar 10 10:15 - 10:15  (00:00)

btmp-20190402 begins Sun Mar 10 10:15:14 2020

Execute the following command to suppress the hostname information in the output.

# last -10 -R
daygeek  pts/0        Wed Apr  3 00:02   still logged in
reboot   system boot  Tue Apr  2 23:50 - 00:29  (00:38)
reboot   system boot  Tue Apr  2 06:00 - 00:29  (18:29)
daygeek  pts/1        Sat Mar 30 10:05 - 00:18  (14:13)
reboot   system boot  Sat Mar 30 04:03 - 00:29 (3+20:25)
ladmin   pts/2        Fri Mar 29 02:19 - 04:30  (02:11)
user2    pts/2        Fri Mar 29 02:10 - 02:10  (00:00)
user1    pts/2        Fri Mar 29 02:10 - 02:10  (00:00)

wtmp begins Fri Feb 15 16:03:13 2020

Display full user and domain names in the output.


Method-2: Checking login history using the log files

Users can manually view the login history in the following log files, which contain successful, failed and bad login attempts.

  • /var/log/secure – Red Hat based systems
  • /var/log/auth.log – Debian based systems

Use the below format to check successful login details on RHEL, CentOS, Oracle Linux and Fedora systems.

# cat /var/log/secure-20190331 | grep Accepted | awk '{print $1,$2,$3,$9}'
Mar 29 01:38:41 daygeek
Mar 29 01:48:21 daygeek
Mar 29 02:01:13 user3
Mar 29 02:10:21 user1
Mar 29 02:10:38 user2
Mar 29 02:19:13 ladmin
Mar 30 04:14:54 daygeek
Mar 30 10:05:02 daygeek

Use the below format for failed attempts.

# cat /var/log/secure-20190331 | grep Failed | awk '{print $1,$2,$3,$9}'
Mar 29 01:53:48 user1
Mar 29 02:00:43 user2
Mar 29 02:12:58 ladmin
Mar 29 02:17:41 user1

Use the below format to check successful and failed login details on Debian and Ubuntu systems.

# cat /var/log/auth.log | grep Accepted | awk '{print $1,$2,$3,$9}'
# cat /var/log/auth.log | grep Failed | awk '{print $1,$2,$3,$9}'
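
An added example, not from the original article: counting sshd results per user and source address from these log files. Taking the user name from a fixed field position misreports lines such as "Failed password for invalid user …", where two extra words shift the fields, so this version locates the user relative to the last "from <address> port". The function names and the host name, PIDs and ports in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): count sshd password/key
# results per user and source address from a syslog-format auth log.

# Constructed sample lines; host name, PIDs and ports are made up.
sample_auth_log() {
    cat <<'EOF'
Mar 18 18:05:10 server1 sshd[1650]: Failed password for root from 192.168.1.3 port 40112 ssh2
Mar 19 02:36:02 server1 sshd[1877]: Failed password for invalid user daygeekk from 192.168.1.6 port 50990 ssh2
Mar 29 01:48:21 server1 sshd[2101]: Accepted password for daygeek from 192.168.1.6 port 51022 ssh2
Mar 29 01:53:48 server1 sshd[2140]: Failed password for user1 from 192.168.1.6 port 51030 ssh2
Mar 29 02:17:41 server1 sshd[2290]: Failed password for user1 from 192.168.1.6 port 51101 ssh2
Mar 29 02:17:45 server1 sshd[2290]: Connection closed by 192.168.1.6 port 51101 [preauth]
EOF
}

# Reads log lines on stdin; prints "count<TAB>result<TAB>user<TAB>source".
summarize_ssh_auth() {
    awk '
    {
        # Find the sshd tag instead of assuming a fixed number of prefix fields.
        for (p = 1; p <= NF; p++) if ($p ~ /^sshd\[[0-9]+\]:$/) break
        result = $(p + 1)
        if (p > NF || (result != "Accepted" && result != "Failed")) next

        # Use the LAST "from <addr> port": text inside a username cannot move it.
        f = 0
        for (i = NF - 2; i > p + 4; i--)
            if ($i == "from" && $(i + 2) == "port") { f = i; break }
        if (!f) next

        first = p + 4                       # word after "... for"
        if ($first == "invalid" && $(first + 1) == "user") {
            result = result "(invalid-user)"
            first += 2
        }
        if (first >= f) next                # no user name present
        user = $first
        for (i = first + 1; i < f; i++) user = user " " $i
        count[result "\t" user "\t" $(f + 1)]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
sample_auth_log | summarize_ssh_auth
```

To run it against a real file, feed the log on stdin, for example summarize_ssh_auth < /var/log/secure.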

Method-3: Checking login history using lastlog command

The lastlog command reports the user’s last login information by retrieving the details from the ‘/var/log/lastlog’ file.

# lastlog
Username             Port     From             Latest
root                 pts/0                     Sat Mar 30 08:04:27 -0500 2020
adm                                            **Never logged in**
chrony                                         **Never logged in**
qemu                                           **Never logged in**
sssd                                           **Never logged in**
gdm                  :0                        Tue Apr  2 23:52:49 -0500 2020
gnome-initial-setup                            **Never logged in**
sshd                                           **Never logged in**
tcpdump                                        **Never logged in**
daygeek              pts/0    192.168.1.6      Wed Apr  3 00:02:50 -0500 2020
user1                pts/2    192.168.1.6      Fri Mar 29 02:10:22 -0500 2020
cat                                            **Never logged in**
user2                pts/2    192.168.1.6      Fri Mar 29 02:10:38 -0500 2020
apache                                         **Never logged in**
mysql                                          **Never logged in**
user3                pts/2    192.168.1.6      Fri Mar 29 02:01:13 -0500 2020
ladmin               pts/2    192.168.1.6      Fri Mar 29 02:19:13 -0500 2020


How can I see all of the bash history?

In this case, the shell can not see the history executed by shell(1), but I want to see all of the bash history in every shell. So my question is how can I see all of the bash history? Does anybody know how to hack? Thank you very much in advance!

5 Answers

would also work, although I tend to just use

How to do it when I am working in a virtual environment (venv)? ~/.bash_history shows only the commands outside of the virtual environment.

@Raif — you would need access to the terminal within the virtual environment as the «user» running the app commands (root or the equivalent).

You should look into the histappend shell option and the -a flag to history:

histappend

If set, the history list is appended to the file named by the value of the HISTFILE variable when the shell exits, rather than overwriting the file.

history

-a Append the «new» history lines (history lines entered since the beginning of the current bash session) to the history file.

If you put history -a into your PROMPT_COMMAND, you’ll get an always-up-to-date .bash_history file.

Edit your .bashrc and append this to its end:

shopt -s histappend
PROMPT_COMMAND="history -n; history -a"
unset HISTFILESIZE
HISTSIZE=2000

You can install something like Advanced Shell History, which will log each command to a sqlite3 database. It comes with a tool for querying the database from the command line. https://github.com/barabo/advanced-shell-history

With this setup, you will have a unified view of command history across all sessions. You also get things like command history for the current working directory (or subtree), command exit code, command duration, etc.


Full disclosure: I wrote and maintain the tool.

As several have noted, you need to use shopt -s histappend. Check by running shopt and verifying that histappend is ‘on’.

To ensure that each command (across multiple concurrent shells) appears in the history for each of those shells, add this at the end of your .bashrc file:

# Skip if not an interactive shell
if [ -z "${PS1}" ]; then return; fi
# Flush new lines to the history file, then reload it, before each prompt
export PROMPT_COMMAND="history -a; history -c; history -r; ${PROMPT_COMMAND}"

-a: appends the new history lines (history lines entered since the beginning of the current Bash session) to the history file.

-c: clears the history list.

-r: reads the current history file and appends its contents to the history list.

Run source .bashrc or create new sessions and in several terminal windows enter the comment #Tn in each. Then on one terminal, enter history | tail -N to see the last N lines. You should see all of the comments entered on the different terminals.

It may be helpful to add the following to /etc/profile.d/bashrc.sh in order to get a timestamp on each line of the history:

# Skip if not an interactive shell
if [ -z "${PS1}" ]; then return; fi
export HISTTIMEFORMAT='%F %T '

The result looks like this:

[moi@laBoheme ~]$ history | tail -4
 3292  2019-01-22 12:41:25 # T1
 3293  2019-01-22 12:41:32 # T2
 3294  2019-01-22 12:41:44 # T3
 3295  2019-01-22 12:41:50 history | tail -4
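
The timestamps enabled by HISTTIMEFORMAT, as an added example that is not part of the answers above: bash stores each one in the history file as a "#<epoch seconds>" line ahead of its entry, and this function lists the entries recorded inside a time window, such as a session window taken from last -F. The function names, the sample file contents and the epoch values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answers above): list the entries of a
# timestamped bash history file that fall inside a window of epoch seconds.

# Constructed sample of a .bash_history file. The first entry was written
# before timestamps were enabled; one entry spans several lines.
sample_history() {
    cat <<'EOF'
ls -l /var/log
#1548160885
# T1
#1548160892
# T2
#1548160904
for f in *.log; do
  gzip "$f"
done
#1548160910
history | tail -4
EOF
}

# $1 = start epoch, $2 = end epoch (both inclusive); history file on stdin.
# Prints "epoch<TAB>line" for each line of each entry in the window, then
# "untimed<TAB>count" if some lines had no timestamp marker before them.
history_between() {
    awk -v s="$1" -v e="$2" '
        # A marker is "#" followed only by digits; "# T1" is an ordinary entry.
        /^#[0-9]+$/ { ts = substr($0, 2) + 0; seen = 1; next }
        !seen       { untimed++; next }
        ts >= s && ts <= e { printf "%d\t%s\n", ts, $0 }
        END { if (untimed) printf "untimed\t%d\n", untimed }
    '
}

# Stand-alone run on the constructed sample.
sample_history | history_between 1548160890 1548160905
```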
