- How to check user’s login history in Linux?
- What is last command?
- What is lastb command?
- Difference between pts and tty
- 1) Checking login history of all logged users in Linux
- 2) Checking login history for a particular user
- 3) How to check login history for a particular period in Linux?
- 4) Checking login history based on a terminal connected
- 5) How to check bad login history in Linux?
- Method-2: Checking login history using the log files
- Method-3: Checking login history using lastlog command
- How to view the command history of all users in Linux?
How to check user’s login history in Linux?
Linux is a multi-user operating system and more than one user can be logged into a system at the same time.
You may need to check the login history to identify who has logged into the system recently or within a certain period of time.
This can be done in multiple ways and we will show you how to check the user login history in detail using the last command in this article. However, we will also provide you with a summary of the other commands.
The login history contains a bunch of useful information about the user, such as the user name, the name of the terminal connected, the source IP (the IP address from which the user accessed the system), the date, the time and how long the user was logged into the system.
It will help us to analyze certain types of issues. For example, if some files are removed at a particular time, we can question the users who were logged into the system during that time for first-level troubleshooting.
The login records are stored in the following files. These are binary files that cannot be viewed in a text editor.
- /var/run/utmp: It contains information about the users who are currently logged onto the system. The who command is used to fetch the information from this file.
- /var/log/wtmp: It contains historical utmp data. It keeps the users' login and logout history. The last command uses this file to display the information.
- /var/log/btmp: It contains bad login attempts.
Alternatively, user login information can be verified using the aureport tool, which generates summary reports of the user’s login history.
What is last command?
The last command reads the user information from the ‘/var/log/wtmp’ file and displays a list of all users who have logged in and out since the file was created.
What is lastb command?
The lastb command works the same way as the last command, except that by default it reads the ‘/var/log/btmp’ file, which contains all bad login attempts.
Difference between pts and tty
You may have seen pts and tty values in the who command output. The explanation below shows the difference between them.
- A tty (short for TeleTYpe) is a native terminal device (it could be a server/system console).
- A pty (pseudo terminal device) is a terminal device that is emulated by another program such as putty, xterm or screen, etc.
1) Checking login history of all logged users in Linux
Run the ‘last’ command without any arguments to view the history of all the successful logins on the system.
If the output is long, use the less or more command to view it page by page.
# last -15
daygeek  pts/0        192.168.1.6      Wed Apr  3 00:02   still logged in
reboot   system boot  3.10.0-957.el7.x Tue Apr  2 23:50 - 00:03  (00:13)
daygeek  pts/1        192.168.1.6      Sat Mar 30 10:05 - 00:18  (14:13)
reboot   system boot  3.10.0-957.el7.x Sat Mar 30 04:03 - 00:03 (3+20:00)
ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19 - 04:30  (02:11)
user2    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)
user1    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)
user3    pts/2        192.168.1.6      Fri Mar 29 02:01 - 02:10  (00:08)
2) Checking login history for a particular user
If you want to see the history of a particular user, use the below command. Replace ‘user_name’ with the desired username you want to verify.
# last user_name
# last daygeek
daygeek  pts/0        192.168.1.6      Wed Apr  3 00:02   still logged in
daygeek  pts/0        192.168.1.6      Tue Apr  2 06:02 - 06:02  (00:00)
daygeek  pts/1        daygeek-y700     Thu Mar 28 02:27 - 05:27  (03:00)
daygeek  pts/2        192.168.1.6      Thu Mar 28 01:53 - crash  (00:29)
daygeek  pts/1        192.168.1.6      Tue Mar 19 02:37 - crash (7+18:58)
daygeek  pts/0        192.168.1.6      Tue Mar 19 02:36 - 02:45  (00:09)
daygeek  pts/1        192.168.1.6      Mon Mar 18 16:21 - 16:22  (00:00)
3) How to check login history for a particular period in Linux?
If you want to verify who has been logged into the system for a particular period of time, use the following format.
# last -F | grep -E 'Mar ([ 1-9]|13|29|30)' | grep 2019
daygeek  pts/0        192.168.1.6      Sat Mar 30 04:14:54 2019 - Sat Mar 30 11:21:57 2019  (07:07)
reboot   system boot  3.10.0-957.el7.x Sat Mar 30 04:03:20 2019 - Wed Apr  3 00:09:13 2019 (3+20:05)
ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19:13 2019 - Fri Mar 29 04:30:25 2019  (02:11)
user2    pts/2        192.168.1.6      Fri Mar 29 02:10:38 2019 - Fri Mar 29 02:10:50 2019  (00:00)
user1    pts/2        192.168.1.6      Fri Mar 29 02:10:22 2019 - Fri Mar 29 02:10:30 2019  (00:00)
user3    pts/2        192.168.1.6      Fri Mar 29 02:01:13 2019 - Fri Mar 29 02:10:01 2019  (00:08)
daygeek  pts/1        192.168.1.6      Fri Mar 29 01:48:21 2019 - crash                    (1+02:14)
root     pts/0        192.168.1.3      Tue Mar 19 02:49:09 2019 - Tue Mar 19 02:50:25 2019  (00:01)
daygeek  pts/0        192.168.1.6      Tue Mar 19 02:36:14 2019 - Tue Mar 19 02:45:25 2019  (00:09)
reboot   system boot  3.10.0-957.el7.x Tue Mar 19 02:33:54 2019 - Wed Apr  3 00:09:13 2019 (14+21:35)
If you want to verify whether a given user was logged into the system during a particular period of time, use the following format.
# last -F root | grep -E 'Mar ([ 1-9]|14|27|30)' | grep 2019
root     pts/0        192.168.1.3      Tue Mar 19 02:49:09 2019 - Tue Mar 19 02:50:25 2019  (00:01)
root     pts/0        192.168.1.6      Tue Mar 19 02:45:46 2019 - Tue Mar 19 02:46:09 2019  (00:00)
root     pts/1        192.168.1.3      Mon Mar 18 18:29:18 2019 - Mon Mar 18 18:29:25 2019  (00:00)
root     pts/1        192.168.1.3      Mon Mar 18 16:22:53 2019 - Mon Mar 18 16:23:06 2019  (00:00)
root     pts/3        192.168.1.7      Mon Mar 18 16:21:38 2019 - Mon Mar 18 16:21:40 2019  (00:00)
root     pts/0        192.168.1.6      Fri Mar 15 01:45:10 2019 - down                      (00:01)
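The binary wtmp and btmp records listed earlier can also be read directly, which allows an exact time window instead of matching month and day text with grep. This is an added example, not part of the original article: it assumes the 384-byte glibc utmp record layout of x86-64 Linux, and the function names and sample records are constructed for illustration. It reports login start times only and does not pair them with logout records the way last does.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86-64 Linux, 384 bytes per record.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
BOOT_TIME, USER_PROCESS = 2, 7  # ut_type values from <utmp.h>

def _text(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(blob):
    """Return one dict per complete record; a truncated tail is ignored."""
    usable = len(blob) - len(blob) % UTMP.size
    out = []
    for f in UTMP.iter_unpack(blob[:usable]):
        out.append({"type": f[0], "line": _text(f[2]), "user": _text(f[4]),
                    "host": _text(f[5]),
                    "time": datetime.fromtimestamp(f[9], timezone.utc)})
    return out

def logins_between(blob, start, end, user=None):
    """USER_PROCESS records with start <= time < end, optionally one user."""
    return [r for r in parse_utmp(blob)
            if r["type"] == USER_PROCESS and start <= r["time"] < end
            and (user is None or r["user"] == user)]

def make_record(ut_type, user, line, host, when):
    """Pack one constructed sample record (demo data, not a real log)."""
    return UTMP.pack(ut_type, 1234, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, int(when.timestamp()), 0, 0, 0, 0, 0)

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample data; for a real host read open("/var/log/wtmp", "rb").
SAMPLE = b"".join([
    make_record(BOOT_TIME, "reboot", "~", "3.10.0-957.el7.x", utc(2019, 3, 19, 2, 33, 54)),
    make_record(USER_PROCESS, "daygeek", "pts/0", "192.168.1.6", utc(2019, 3, 19, 2, 36, 14)),
    make_record(USER_PROCESS, "user1", "pts/2", "192.168.1.6", utc(2019, 3, 29, 2, 10, 22)),
    make_record(USER_PROCESS, "daygeek", "pts/0", "192.168.1.6", utc(2019, 4, 3, 0, 2, 0)),
]) + b"\0" * 100  # simulated partially written trailing record

if __name__ == "__main__":
    for r in logins_between(SAMPLE, utc(2019, 3, 29), utc(2019, 3, 31)):
        print(r["time"].isoformat(), r["user"], r["line"], r["host"])
```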
4) Checking login history based on a terminal connected
If you want to check the users based on the terminal they connected from, use the following format.
# last pts/2
ladmin   pts/2        192.168.1.6      Fri Mar 29 02:19 - 04:30  (02:11)
user2    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)
user1    pts/2        192.168.1.6      Fri Mar 29 02:10 - 02:10  (00:00)
user3    pts/2        192.168.1.6      Fri Mar 29 02:01 - 02:10  (00:08)
daygeek  pts/2        192.168.1.6      Thu Mar 28 01:53 - crash  (00:29)
user2    pts/2        192.168.1.6      Mon Mar 18 16:03 - 18:29  (02:26)
daygeek  pts/2        192.168.1.6      Mon Mar  4 08:40 - 08:40  (00:00)
5) How to check bad login history in Linux?
The lastb command is used to check the user’s bad login history in Linux. It can also be used to view details from archived btmp files.
# lastb
# lastb -f /var/log/btmp-20190402
user1    ssh:notty    192.168.1.6      Fri Mar 29 02:17 - 02:17  (00:00)
ladmin   ssh:notty    192.168.1.6      Fri Mar 29 02:12 - 02:12  (00:00)
user2    ssh:notty    192.168.1.6      Fri Mar 29 02:00 - 02:00  (00:00)
user1    ssh:notty    192.168.1.6      Fri Mar 29 01:53 - 01:53  (00:00)
daygeekk ssh:notty    192.168.1.6      Tue Mar 19 02:36 - 02:36  (00:00)
root     ssh:notty    192.168.1.3      Mon Mar 18 18:05 - 18:05  (00:00)
root     pts/1                         Mon Mar 18 16:00 - 16:00  (00:00)
root     ssh:notty    192.168.1.6      Sun Mar 10 10:15 - 10:15  (00:00)
btmp-20190402 begins Sun Mar 10 10:15:14 2020
Execute the following command to suppress the hostname information in the output.
# last -10 -R
daygeek  pts/0        Wed Apr  3 00:02   still logged in
reboot   system boot  Tue Apr  2 23:50 - 00:29  (00:38)
reboot   system boot  Tue Apr  2 06:00 - 00:29  (18:29)
daygeek  pts/1        Sat Mar 30 10:05 - 00:18  (14:13)
reboot   system boot  Sat Mar 30 04:03 - 00:29 (3+20:25)
ladmin   pts/2        Fri Mar 29 02:19 - 04:30  (02:11)
user2    pts/2        Fri Mar 29 02:10 - 02:10  (00:00)
user1    pts/2        Fri Mar 29 02:10 - 02:10  (00:00)
wtmp begins Fri Feb 15 16:03:13 2020
Display full user and domain names in the output.
Method-2: Checking login history using the log files
Users can manually view the login history in the following log files, which contain successful, failed and bad login attempts.
- /var/log/secure – Red Hat based systems
- /var/log/auth.log – Debian based systems
Use the below format to check successful login details on RHEL, CentOS, Oracle Linux and Fedora systems.
# cat /var/log/secure-20190331 | grep Accepted | awk '{print $1,$2,$3,$9}'
Mar 29 01:38:41 daygeek
Mar 29 01:48:21 daygeek
Mar 29 02:01:13 user3
Mar 29 02:10:21 user1
Mar 29 02:10:38 user2
Mar 29 02:19:13 ladmin
Mar 30 04:14:54 daygeek
Mar 30 10:05:02 daygeek
Use the below format for failed attempts.
# cat /var/log/secure-20190331 | grep Failed | awk '{print $1,$2,$3,$9}'
Mar 29 01:53:48 user1
Mar 29 02:00:43 user2
Mar 29 02:12:58 ladmin
Mar 29 02:17:41 user1
Use the below format to check successful and failed login details on Debian and Ubuntu systems.
# cat /var/log/auth.log | grep Accepted | awk '{print $1,$2,$3,$9}'
# cat /var/log/auth.log | grep Failed | awk '{print $1,$2,$3,$9}'
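Splitting these log lines on whitespace puts the username in a different field when sshd logs a failure for an account that does not exist ("invalid user"), so a fixed field number then reports the word "invalid" instead of the name. The following added example (not from the original article) parses the Accepted and Failed lines with a pattern that handles both forms and counts failures per source address; the sample lines, the host name server1 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (not from the page).
SAMPLE_LOG = [
    "Mar 29 01:53:48 server1 sshd[2101]: Failed password for user1 from 192.168.1.6 port 51234 ssh2",
    "Mar 29 02:00:43 server1 sshd[2110]: Failed password for invalid user daygeekk from 192.168.1.6 port 51240 ssh2",
    "Mar 29 02:10:21 server1 sshd[2150]: Accepted password for user1 from 192.168.1.6 port 51260 ssh2",
    "Mar 29 02:10:21 server1 sshd[2150]: pam_unix(sshd:session): session opened for user user1 by (uid=0)",
    "Mar 30 04:14:54 server1 sshd[3001]: Accepted publickey for daygeek from 192.168.1.6 port 51300 ssh2",
]

EVENT = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?P<invalid>invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)

def parse_auth(lines):
    """Return a dict per sshd Accepted/Failed line; other lines are skipped."""
    events = []
    for line in lines:
        m = EVENT.match(line)
        if m:
            ev = m.groupdict()
            # known_user is False when sshd reported a nonexistent account.
            ev["known_user"] = ev.pop("invalid") is None
            events.append(ev)
    return events

def failed_by_source(lines):
    """Count failed attempts per source address."""
    return Counter(e["ip"] for e in parse_auth(lines) if e["result"] == "Failed")

def naive_user(line):
    """Whitespace field 9, where the username sits in a plain line."""
    return line.split()[8]

if __name__ == "__main__":
    for e in parse_auth(SAMPLE_LOG):
        print(e["when"], e["result"], e["user"], e["ip"], e["known_user"])
    print(dict(failed_by_source(SAMPLE_LOG)))
```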
Method-3: Checking login history using lastlog command
The lastlog command reports the user’s last login information by retrieving the details from the ‘/var/log/lastlog’ file.
# lastlog
Username             Port     From             Latest
root                 pts/0                     Sat Mar 30 08:04:27 -0500 2020
adm                                            **Never logged in**
chrony                                         **Never logged in**
qemu                                           **Never logged in**
sssd                                           **Never logged in**
gdm                  :0                        Tue Apr  2 23:52:49 -0500 2020
gnome-initial-setup                            **Never logged in**
sshd                                           **Never logged in**
tcpdump                                        **Never logged in**
daygeek              pts/0    192.168.1.6      Wed Apr  3 00:02:50 -0500 2020
user1                pts/2    192.168.1.6      Fri Mar 29 02:10:22 -0500 2020
cat                                            **Never logged in**
user2                pts/2    192.168.1.6      Fri Mar 29 02:10:38 -0500 2020
apache                                         **Never logged in**
mysql                                          **Never logged in**
user3                pts/2    192.168.1.6      Fri Mar 29 02:01:13 -0500 2020
ladmin               pts/2    192.168.1.6      Fri Mar 29 02:19:13 -0500 2020
How to view the command history of all users in Linux?
How can I view the history of commands entered by all users on the system without logging in as each user?
The examples you were given assume that all users only know standard Bash.
zsh and fish are often used as well, and they store their history in other places.
grep -e "$pattern" /home/*/.bash_history
(assuming that all users live under /home/*)
or, to know exactly who
getent passwd | cut -d : -f 6 | sed 's:$:/.bash_history:' | xargs -d '\n' grep -s -H -e "$pattern"
Sha644, well, it just needs a little tweaking. I think this is needed not for looking at commands run as root, but at those of the other rascals 🙂
grep -e "$pattern" /home/*/.bash_history /root/.bash_history
When a user logs out properly, their history is saved in their home directory in .<SHELL>_history, for example $HOME/.bash_history, $HOME/.ksh_history
The file is accessible only to the user or to the superuser.
So run cat as the superuser
sudo cat /home/USER/.bash_history
You can do it all at once with a single command (although this command is most likely useless):