Comments on: How to Monitor Linux Commands Executed by System Users in Real-time
https://www.tecmint.com/monitor-linux-commands-executed-by-system-users-in-real-time/
Tecmint - Linux Howtos, Tutorials, Guides, News, Tips and Tricks.

By: Aaron Kili https://www.tecmint.com/monitor-linux-commands-executed-by-system-users-in-real-time/comment-page-1/#comment-914256 Mon, 18 Sep 2017 08:11:56 +0000 https://www.tecmint.com/?p=27148#comment-914256 In reply to Jor.

@Jor

This is a good question; yes, sysdig will still monitor the user's activity. But it will show the user as root; this means that, as a system admin, you need to review log files (to be specific, files in /var/log/audit/ or /var/log/auth.log) to see users who switched to the root account.

By: Aaron Kili https://www.tecmint.com/monitor-linux-commands-executed-by-system-users-in-real-time/comment-page-1/#comment-914253 Mon, 18 Sep 2017 07:50:06 +0000 https://www.tecmint.com/?p=27148#comment-914253 In reply to K0n24d.

@K0n24d

~/.bash_history is only used to view previous commands as clearly stated in the article.

By: Jor https://www.tecmint.com/monitor-linux-commands-executed-by-system-users-in-real-time/comment-page-1/#comment-913977 Sat, 16 Sep 2017 17:28:39 +0000 https://www.tecmint.com/?p=27148#comment-913977

What happens if a user who has sudo privileges suddenly changes profile and elevates to the root profile? i.e. ‘sudo su -’; at this point the user is in the root profile, /root. Can this sysdig utility still monitor in this case?

By: K0n24d https://www.tecmint.com/monitor-linux-commands-executed-by-system-users-in-real-time/comment-page-1/#comment-913896 Sat, 16 Sep 2017 07:54:09 +0000 https://www.tecmint.com/?p=27148#comment-913896

With the default settings, the bash_history is only written to when the shell is closed. Moreover, starting your command line with a space doesn’t append it to the history. So using the bash history to monitor user activity looks like complete nonsense to me.

By: Aaron Kili https://www.tecmint.com/monitor-linux-commands-executed-by-system-users-in-real-time/comment-page-1/#comment-913889 Sat, 16 Sep 2017 06:42:18 +0000 https://www.tecmint.com/?p=27148#comment-913889 In reply to TheOuterLinux.

@TheOuterLinux

This will only help a user watch their own command history; as a sys admin, you would use something like:
# watch -n 1 tail /home/username/.bash_history

But this only allows you to watch one user's command history. Therefore, sysdig as shown above is still more appropriate for keeping an eye on all users’ command line.
