
I'm logged in to a Linux CentOS host via ssh. There is a process that has been running for some time and I can find its PID via

htop

plus fn+f4 and typing the name of the file that spawned the process or

ps -aux | grep <file_that_spawned_the_process>

Both methods show me that the user that spawned the process is <Some_User>; however, I am pretty sure that it was <Some_Other_User> via

sudo -u <Some_User> ./<file_that_spawned_the_process>

I want to find out who <Some_Other_User> is, if there is some other user at all. Finding out from which machine (IP) he logged into the CentOS host would also be appreciated.

I read all .bash_history files from all users but couldn't find anything that suggested usage of sudo su <Some_Other_User>. I found some answers like this but it doesn't seem to be what I'm looking for. Does anyone have any suggestions? Everything I found is about either finding out which is my original user or about finding out which user (not the original one) spawned a process, but a combination of both doesn't seem trivial to me.

1 Answer

You could use pstree -u ...

This should show you the uid transitions. I just did a test against a box, launching top via su - user2 -c top ....

    |-sshd-+-sshd---sshd(user2)---bash---screen
    |      `-sshd---sshd(user1)---sudo(root)---su---top(user2)
  • Curious... I ran it with every process started by <Some_User> and it just returned something like ProcessName(SomeUser)─┬─caRepeater └─158*[{ProcessName}]. Should this necessarily mean that my suspicions are wrong? Commented Apr 29, 2022 at 13:02
  • Just to be clearer, the suspicions I meant were about the process being initialized by another "disguised" user via sudo -u. Commented Apr 29, 2022 at 13:11
  • Off the top of my head I can't think of a way to NOT have some_other_user show up in the chain of the pstree output. If they have full sudoers access to the box, and you don't ship audit logs off to a machine where they don't, they might have used other methods and cleaned up their trails, though. E.g. doing what you describe via an at command and then removing the lines where they switched user from the logs. Commented Apr 29, 2022 at 23:16
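As an added example (not from the answer or the commenters), here is a Python script that does what pstree -u shows: it walks the target's parent chain through /proc/<pid>/status, lists every point where the real UID changes, and reads SSH_CONNECTION from the nearest ancestor's environ to recover the client IP the question also asks for. It assumes Linux, a root shell (other users' /proc entries are otherwise unreadable), and, like pstree, a chain that is still alive; the function names are my own.

```python
#!/usr/bin/env python3
"""Walk a process's ancestry through /proc, report every real-UID change (what pstree -u
draws) and the client IP of the SSH session it descends from. Run as root for other users."""
from typing import Callable, Dict, List, Optional, Tuple

def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    parts = (line.partition(":") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in parts if sep}

def read_status(pid: int) -> Dict[str, str]:
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return parse_status(fh.read())

def read_environ(pid: int) -> Dict[str, str]:
    """Parse NUL-separated /proc/<pid>/environ (readable only by root or the process owner)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        items = [i.partition(b"=") for i in fh.read().split(b"\0") if i]
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in items}

def ancestry(pid: int, status_of: Callable[[int], Dict[str, str]] = read_status) -> List[Tuple[int, str, int]]:
    """[(pid, name, real_uid), ...] from PID 1 down to `pid`; stops early if a parent has exited."""
    chain, seen = [], set()
    while pid > 0 and pid not in seen:
        seen.add(pid)
        try:
            st = status_of(pid)
        except (OSError, KeyError):
            break
        chain.append((pid, st["Name"], int(st["Uid"].split()[0])))  # Uid: real eff saved fs
        pid = int(st["PPid"])
    return chain[::-1]

def uid_transitions(pid: int, status_of=read_status) -> List[Tuple[int, str, int, int]]:
    """Each process whose real UID differs from its parent's, as (pid, name, from_uid, to_uid)."""
    chain = ancestry(pid, status_of)
    return [(c[0], c[1], p[2], c[2]) for p, c in zip(chain, chain[1:]) if p[2] != c[2]]

def ssh_client(pid: int, status_of=read_status, environ_of=read_environ) -> Optional[str]:
    """Client IP from SSH_CONNECTION in the nearest ancestor still carrying it: sshd sets it
    in the login shell, and sudo's default env_reset strips it from what it runs."""
    for apid, _, _ in reversed(ancestry(pid, status_of)):
        try:
            conn = environ_of(apid).get("SSH_CONNECTION")
        except OSError:  # exited, or not ours and we are not root
            continue
        if conn:
            return conn.split()[0]
    return None
```

Call uid_transitions(pid) and ssh_client(pid) from a root shell while the session is still up; once the login shell has exited, only records such as /var/log/secure, last or auditd can still answer the question, as the last comment points out.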
