Code Yarns

Log of sudo commands

📅 2016-Sep-28 ⬩ ✍️ Ashwin Nanjappa ⬩ 📚 Archive

I recently discovered that a user on a server had accidentally killed my program. Many users, including me, on this server have sudo permissions. So, I guess the kill was carried out using sudo. How do I find out who the killer is?

Thankfully, sudo logs every command it is asked to run (and every refused or failed attempt) through syslog. On Ubuntu these entries land in /var/log/auth.log (on RHEL-style systems they go to /var/log/secure instead). The file is readable only by root and the adm group, so you will typically need sudo to read it, which of course leaves a log line of its own. You will find entries of this form:

Sep 26 08:31:26 foobar-machine sudo:   joe : TTY=pts/1 ; PWD=/home/joe/scripts ; USER=root ; COMMAND=/usr/sbin/openvpn --daemon --config foobar.ovpn
Sep 26 08:31:26 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by joe(uid=0)
Sep 26 08:31:27 foobar-machine sudo: pam_unix(sudo:session): session closed for user root

You can see that all the pertinent information is in the first line: who invoked sudo (joe), from which terminal (TTY) and working directory (PWD), which user the command ran as (USER=root), the exact command line, and when. The two pam_unix lines merely bracket the session. One caveat: sudo logs the command it was asked to run, not what happens inside it. If someone opened a root shell with sudo -i, sudo -s or sudo bash, the log shows only the shell, and a kill typed inside that shell is not recorded unless I/O logging (log_input and log_output in sudoers) is enabled. So if no kill shows up, look for who opened a root shell around the time your program died.
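As an added example (not part of the original post), here is a small Python parser for these sudo lines that answers the question directly: it extracts the invoking user, TTY, working directory, target user and command from each entry, skips the pam_unix session lines, filters for kill-style commands, and separately flags entries that opened an interactive root shell, since that is where an unlogged kill could hide. The log text embedded below is constructed for the example, patterned on the format shown above; the hostnames, usernames and PIDs are invented, and the shell-detection rule is a heuristic of this example, not something sudo provides.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Log text constructed for this example (modelled on the auth.log format shown
# in the post; hosts, users and PIDs are invented).
SAMPLE_LOG = """\
Sep 26 08:31:26 foobar-machine sudo:   joe : TTY=pts/1 ; PWD=/home/joe/scripts ; USER=root ; COMMAND=/usr/sbin/openvpn --daemon --config foobar.ovpn
Sep 26 08:31:26 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by joe(uid=0)
Sep 26 08:31:27 foobar-machine sudo: pam_unix(sudo:session): session closed for user root
Sep 26 09:02:11 foobar-machine sudo:   bob : TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/kill -9 4242
Sep 26 09:02:11 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Sep 26 09:02:11 foobar-machine sudo: pam_unix(sudo:session): session closed for user root
Sep 26 09:15:40 foobar-machine sudo:   eve : TTY=pts/5 ; PWD=/home/eve ; USER=root ; COMMAND=/bin/bash
Sep 26 09:15:40 foobar-machine sudo: pam_unix(sudo:session): session opened for user root by eve(uid=0)
Sep 26 09:30:02 foobar-machine sudo:   joe : TTY=pts/1 ; PWD=/home/joe ; USER=root ; COMMAND=/bin/sh -c pkill -f myprog ; echo done
Sep 26 09:40:00 foobar-machine sudo:   mallory : 3 incorrect password attempts ; TTY=pts/7 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/kill -9 4242
"""

# One "sudo:   user : ..." command entry. The pam_unix session lines carry no
# COMMAND field and are skipped by the parser.
SUDO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<rest>.*)$'
)

# Programs that hand the caller an interactive root shell. Anything typed in
# such a shell is not logged by sudo unless sudoers I/O logging is enabled.
SHELL_NAMES = {'sh', 'bash', 'dash', 'zsh', 'ksh', 'fish', 'su'}


@dataclass
class SudoEntry:
    ts: str
    host: str
    user: str      # account that invoked sudo
    tty: str
    pwd: str
    runas: str     # USER= field: the account the command ran as
    command: str   # COMMAND= field: argv joined with spaces
    note: str      # free text such as "3 incorrect password attempts", else ''

    @property
    def succeeded(self) -> bool:
        # sudo prefixes refused/failed entries with a note; clean entries have none
        return self.note == ''

    @property
    def program(self) -> str:
        """Basename of the executable, e.g. '/bin/kill -9 1' -> 'kill'."""
        return self.command.split(' ', 1)[0].rsplit('/', 1)[-1]

    @property
    def args(self) -> List[str]:
        return self.command.split(' ')[1:]


def parse_sudo_entries(lines: Iterable[str]) -> List[SudoEntry]:
    entries = []
    for line in lines:
        m = SUDO_RE.match(line.rstrip('\n'))
        if not m:
            continue
        # COMMAND is always the last field and may itself contain " ; "
        # (e.g. sh -c 'a ; b'), so split it off first, then parse the rest.
        head, sep, command = m.group('rest').partition(' ; COMMAND=')
        if not sep:
            continue
        fields, notes = {}, []
        for part in head.split(' ; '):
            key, eq, value = part.partition('=')
            if eq:
                fields[key] = value
            else:
                notes.append(part)
        entries.append(SudoEntry(
            ts=m.group('ts'), host=m.group('host'), user=m.group('user'),
            tty=fields.get('TTY', ''), pwd=fields.get('PWD', ''),
            runas=fields.get('USER', ''), command=command,
            note=' ; '.join(notes),
        ))
    return entries


def find_commands(entries, pattern: str, include_failed: bool = False):
    """Entries whose command line matches pattern (a regular expression)."""
    rx = re.compile(pattern)
    return [e for e in entries
            if rx.search(e.command) and (include_failed or e.succeeded)]


def root_shells(entries):
    """Entries that opened an interactive shell as root (the logging blind spot).

    Heuristic: a shell run with -c still has its command recorded in the log,
    so only shells invoked without -c count as interactive here.
    """
    return [e for e in entries
            if e.runas == 'root' and e.program in SHELL_NAMES and '-c' not in e.args]


if __name__ == '__main__':
    found = parse_sudo_entries(SAMPLE_LOG.splitlines())
    for e in find_commands(found, r'\bp?kill\b'):
        print(f'{e.ts} {e.user} on {e.tty} in {e.pwd} ran as {e.runas}: {e.command}')
    for e in root_shells(found):
        print(f'{e.ts} {e.user} opened a root shell ({e.program}); check I/O logs')
```

On a real system, replace SAMPLE_LOG with the contents of /var/log/auth.log (and its rotated auth.log.1 and auth.log.*.gz siblings if the kill was a while ago); failed attempts are excluded by default because they never ran anything, but pass include_failed=True to see who tried.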

Tried with: Ubuntu 16.04