
I logged into a server as root and did w, this let me see that a user was editing a file.

someuser pts/5 10.117.0.53 14:03 3:25 1.20s 1.14s vi somefile.py 

Then I disconnected, and reconnected as root again later. I did a w again but this time it showed something different.

someuser pts/5 10.117.0.53 14:03 5:20 0.20s 0.02s sshd: someuser [priv] 

I can tell from the other fields that this is the same user, but this time what they're doing is hidden.

Why did it become hidden? How do I see what they're doing?

  • It looks as if the user just has a lingering SSH connection running. Why don't you email them and ask? Commented Feb 8, 2018 at 20:03
  • I believe that's their ssh connection (a tunnel perhaps?), it may depend on the *nix version, I've seen some poor implementations of w , showing disconnected users, non-existing processes etc. Try a ps -t pts/5 to see if they have other processes attached to that terminal. Commented Feb 8, 2018 at 20:08
  • There was a question here a few weeks ago (I can't find it now) about how w decides what command to show. It's heuristic. Commented Feb 8, 2018 at 20:17
  • It's unix.stackexchange.com/questions/408719 . Commented Feb 8, 2018 at 20:56

3 Answers

5

If a user is using bash, you can add to his /etc/bash.bashrc:

readonly PROMPT_COMMAND='history -a >(logger -t "commandlog $USER[$PWD] $SSH_CONNECTION")' 

This will log all the user commands to syslog.

I would configure syslog to forward the logs to a locked down central syslog server, so in case of hacking or a rogue sysadmin, they would not be able to tamper with evidence.

0
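As an added example of the receiving side of that setup (not part of the answer above, and not code from the question's system), the following Python script parses the lines that the `logger` tag `commandlog $USER[$PWD] $SSH_CONNECTION` produces, groups them by SSH session (user, client address, client port, the same fields `w` showed in the question), and flags commands issued from an address outside an allowed admin network. The hostname, addresses, log lines and the allowed network are constructed; the line layout assumes the central syslog stores the tag verbatim and that `HISTTIMEFORMAT` is unset (otherwise `history -a` also writes `#<epoch>` timestamp lines, which this parser would skip).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of what the central syslog server receives when the
# answer's PROMPT_COMMAND is active.  logger emits "<tag>: <message>", so with
# the tag 'commandlog $USER[$PWD] $SSH_CONNECTION' each line looks like
#   ... commandlog USER[CWD] CLIENT_IP CLIENT_PORT SERVER_IP SERVER_PORT: COMMAND
# The last line is a console session, where $SSH_CONNECTION is empty.
SAMPLE_LOG = """\
Feb  8 14:03:10 webhost commandlog someuser[/home/someuser] 10.117.0.53 51234 10.117.0.10 22: vi somefile.py
Feb  8 14:05:42 webhost commandlog someuser[/home/someuser/project] 10.117.0.53 51234 10.117.0.10 22: git status
Feb  8 14:06:01 webhost commandlog someuser[/tmp] 203.0.113.7 40022 10.117.0.10 22: tar czf /tmp/etc.tgz /etc
Feb  8 14:06:30 webhost sshd[2201]: Accepted publickey for someuser from 10.117.0.53 port 51234 ssh2
Feb  8 14:07:00 webhost commandlog root[/root] : systemctl restart rsyslog
"""

# The SSH connection fields are optional so console/su sessions still parse.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"commandlog (?P<user>[^\[\s]+)\[(?P<cwd>[^\]]*)\]\s*"
    r"(?:(?P<client_ip>\S+) (?P<client_port>\d+) (?P<server_ip>\S+) (?P<server_port>\d+))?"
    r"\s*: (?P<cmd>.*)$"
)


@dataclass
class CommandEvent:
    ts: str
    host: str
    user: str
    cwd: str
    client_ip: Optional[str]    # None for console / non-SSH sessions
    client_port: Optional[str]
    cmd: str


def parse_commandlog(text: str) -> List[CommandEvent]:
    """Extract commandlog events; lines from other daemons (sshd, cron, ...) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(CommandEvent(m["ts"], m["host"], m["user"], m["cwd"],
                                   m["client_ip"], m["client_port"], m["cmd"]))
    return events


def session_key(ev: CommandEvent) -> Tuple[str, Optional[str], Optional[str]]:
    """(user, client ip, client port) identifies one SSH session: the same
    attribution the question's second `w` output could no longer give."""
    return (ev.user, ev.client_ip, ev.client_port)


def flag_unexpected_sources(events: List[CommandEvent],
                            allowed_networks: List[str]) -> List[CommandEvent]:
    """Return events whose SSH client address lies outside the allowed networks.
    Console sessions (no client address) are left to a separate policy."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for ev in events:
        if ev.client_ip is None:
            continue
        addr = ipaddress.ip_address(ev.client_ip)
        if not any(addr in net for net in nets):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    events = parse_commandlog(SAMPLE_LOG)
    for ev in events:
        print(session_key(ev), ev.cwd, ev.cmd)
    # Constructed allowed admin network; 203.0.113.7 falls outside it.
    for ev in flag_unexpected_sources(events, ["10.117.0.0/16"]):
        print("UNEXPECTED SOURCE:", ev.ts, ev.user, ev.client_ip, ev.cmd)
```

Two properties of the underlying mechanism are worth keeping in mind when reading these logs: `PROMPT_COMMAND` runs when the next prompt is drawn, so a command is recorded after it finishes rather than when it starts, and it only covers interactive bash, so a user who execs another shell or runs a non-interactive script leaves no entries, which is why the auditd approach in the other answer is the more complete record.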
3

If auditd is enabled on the system, you can view the audit logs to see the command activity of users. This is a great resource that sysadmins regularly use when trying to forensically troubleshoot issues that might have been caused by other users' actions with regard to the system.
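As an added example (not from the answer above) of the audit rule that makes this work, the fragment below records every program executed in sessions belonging to one login uid. The file path, the uid 1000 and the key name are assumptions chosen for the example.

```text
# /etc/audit/rules.d/user-cmds.rules  (added example; path, uid and key are assumptions)
# Record every execve() made in sessions whose login uid (auid) is 1000.
# auid is set by PAM at login and is preserved across su and sudo, so commands
# the user runs after escalating are still attributed to the original login.
-a always,exit -F arch=b64 -S execve -F auid=1000 -k user_cmds
-a always,exit -F arch=b32 -S execve -F auid=1000 -k user_cmds
```

Load the rules with `augenrules --load` (or `auditctl -R` on the file), then query them with `ausearch -k user_cmds -i` (`-i` turns uids and syscall numbers into names) or summarise with `aureport -x --summary`. Unlike a shell history or `PROMPT_COMMAND` hook, this captures commands regardless of which shell the user runs and whether the session is interactive, and the `[priv]` sshd process seen in the question is not an obstacle because the kernel, not the terminal, is the source of the record.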

1

You can try something simple like peeking at the user's history file. This assumes that the user's shell is bash.

cat /home/someuser/.bash_history 
