📅 2016-Sep-28 ⬩ ✍️ Ashwin Nanjappa ⬩ 🏷️ log, sudo ⬩ 📚 Archive
I recently discovered that another user on a server had accidentally killed my program. Many users on this server, including me, have sudo permissions, and killing a process owned by someone else requires root, so the kill was presumably carried out using sudo. How do I find out who did it?
Thankfully, every command invoked through sudo is logged via syslog. On Ubuntu (and Debian) these messages land in the /var/log/auth.log file; on Red Hat derived systems look in /var/log/secure instead, and on systemd machines the same entries are also available through journalctl. You will find entries of this form:
Sep 26 08:31:26 foobar-machine sudo: joe : TTY=pts/1 ; PWD=/home/joe/scripts ; USER=root ; COMMAND=/usr/sbin/openvpn --daemon --config foobar.ovpn
Sep 26 08:31:26 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by joe(uid=0)
Sep 26 08:31:27 foobar-machine sudo: pam_unix(sudo:session): session closed for user root
You can see that all the pertinent information is in the log: who ran the command (joe), which command with its full path and arguments (COMMAND=), when it ran (the timestamp), from which terminal and working directory (TTY= and PWD=), and as which user it ran (USER=root). A search for COMMAND= lines whose command is kill, pkill or killall therefore names the killer. Two caveats: the entry may be in a rotated file (auth.log.1, auth.log.2.gz, ...) if some time has passed, and sudo only records the command it was asked to run, so a user who opened a root shell with sudo -i, sudo -s or sudo su appears only as COMMAND=/bin/bash or COMMAND=/bin/su, and whatever they typed inside that shell is not logged individually (unless the sudoers log_input/log_output options are enabled). In that case the shell session that overlaps the time of the kill is your best lead.
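Here is an added example, not part of the original post, that automates the search described above. It pulls the sudo COMMAND= entries out of an auth.log-style file, reports every kill-like command together with the user and time, and separately lists users who obtained an interactive root shell via sudo, since their later actions are not in the log. The log lines, the usernames bob and alice, and the process IDs are constructed for the demo; only the joe entries are copied from the post.

```bash
#!/bin/sh
# Added example: find who killed a process via sudo from auth.log-style entries.
# The log file below is constructed for this demo; the joe lines are from the post.

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Sep 26 08:31:26 foobar-machine sudo:      joe : TTY=pts/1 ; PWD=/home/joe/scripts ; USER=root ; COMMAND=/usr/sbin/openvpn --daemon --config foobar.ovpn
Sep 26 08:31:26 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by joe(uid=0)
Sep 26 08:31:27 foobar-machine sudo: pam_unix(sudo:session): session closed for user root
Sep 26 09:02:11 foobar-machine sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/kill -9 4242
Sep 26 09:02:11 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Sep 26 09:02:11 foobar-machine sudo: pam_unix(sudo:session): session closed for user root
Sep 26 09:30:45 foobar-machine sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Sep 26 09:30:45 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Sep 26 10:15:02 foobar-machine sudo:      bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/pkill -f myprogram
EOF

# Shared awk program: for each sudo COMMAND= line, set user, cmd (full command)
# and bin (basename of the executable), then call the caller-supplied filter.
# Session open/close lines contain no " : TTY=" and are skipped by the pattern.
SUDO_AWK='
/sudo: .* : TTY=.* COMMAND=/ {
    for (i = 1; i <= NF; i++) if ($i == "sudo:") { user = $(i + 1); break }
    cmd = $0; sub(/.*COMMAND=/, "", cmd)
    split(cmd, parts, " "); bin = parts[1]; sub(/.*\//, "", bin)
    if (bin ~ WANT) print $1, $2, $3, user, cmd
}'

# sudo_kills FILE: print "Mon DD HH:MM:SS user command" for kill-like commands.
sudo_kills() {
    awk -v WANT='^(kill|pkill|killall)$' "$SUDO_AWK" "$1"
}

# sudo_root_shells FILE: users who got a root shell (sudo -i/-s, sudo su).
# Commands typed inside such a shell are not logged by sudo, so these are the
# sessions to correlate with the time the process died.
sudo_root_shells() {
    awk -v WANT='^(bash|sh|dash|zsh|su)$' "$SUDO_AWK" "$1"
}

echo "== kill-like commands run via sudo =="
sudo_kills "$LOG"
echo "== root shells opened via sudo (contents not logged) =="
sudo_root_shells "$LOG"
```

On a real host, replace the constructed file with /var/log/auth.log (and the rotated auth.log.1, or zcat the .gz copies) and pipe the output through sort if you need a timeline.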
Tried with: Ubuntu 16.04