1

I'd like to be able to watch the history of a user, but in real time. My first thought was to use tail -f to track whatever file updates the history. Is this possible? Or, is there a better alternative to see real-time commands?

The specific scenario I'm in is where I and another engineer are sudo'd to the same user -- as this user, I'd like to see commands executed by this user.

MrDuk
  • 1,597
  • Not easy unless the other user is cooperating (which they probably will in your case). – muru Mar 02 '18 at 10:25

2 Answers2

5

The history on ~/.bash_history gets written on log out, not before. If you want this, it has already been answered here:

If you want to make sure that they're always written immediately, you can put that command into your PROMPT_COMMAND variable:

export PROMPT_COMMAND='history -a'

After this you can make a tail -f $HISTFILE or tail -f ~/.bash_history, if the $HISTFILE environment variable is not set (the default location is ~/.bash_history, but it might change) and will see the commands getting added to the history file in real time.

Community
  • 1
Tux
  • 283
  • This assumes that HISTFILE is unset or set to that particular filename. Using $HISTFILE would be better (testing whether it's set first, or setting it). – Kusalananda Mar 02 '18 at 10:27
  • I edited the answer, now it should cover most cases – Tux Mar 02 '18 at 10:31
0

You could use either psacct(somewhat dated) or auditd(much more flexible) to monitor what processes a user runs. Auditd can be set up right away and it'll start logging user executions, although it's a complicated system.

jsbillings
  • 24,406