
I logged into a server as root and did w; this let me see that a user was editing a file.

someuser  pts/5    10.117.0.53      14:03    3:25   1.20s  1.14s vi somefile.py

Then I disconnected, and reconnected as root again later. I did a w again but this time it showed something different.

someuser  pts/5    10.117.0.53      14:03    5:20   0.20s  0.02s sshd: someuser [priv]

I can tell from the other fields that this is the same user, but this time what they're doing is hidden.

Why did it become hidden? How do I see what they're doing?

Rui F Ribeiro
LINUX G33NYUS
  • It looks as if the user just has a lingering SSH connection running. Why don't you email them and ask? – Kusalananda Feb 08 '18 at 20:03
  • I believe that's their ssh connection (a tunnel perhaps?), it may depend on the *nix version, I've seen some poor implementations of `w`, showing disconnected users, non-existing processes etc. Try a `ps -t pts/5` to see if they have other processes attached to that terminal. – XrXca Feb 08 '18 at 20:08
  • There was a question here a few weeks ago (I can't find it now) about how `w` decides what command to show. It's heuristic. – Mark Plotnick Feb 08 '18 at 20:17
  • It's https://unix.stackexchange.com/questions/408719/ . – JdeBP Feb 08 '18 at 20:56
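An added example (not from the question or its commenters) that turns the two `w` lines above into a check: it parses the default eight-column `w` layout, flags rows where the WHAT column is only the sshd privilege-separation process (the second line in the question), and for those terminals runs the `ps -t pts/5` look-up suggested in the comments. The sample output is constructed from the question's lines plus one made-up console login; the `ps` call only does something useful on a live host.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the two `w` lines quoted in the question, plus one
# console login made up here, preceded by the header lines `w` prints.
SAMPLE_W_OUTPUT = """\
 14:08:31 up 12 days,  3:02,  3 users,  load average: 0.10, 0.08, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
someuser  pts/5    10.117.0.53      14:03    3:25   1.20s  1.14s vi somefile.py
someuser  pts/5    10.117.0.53      14:03    5:20   0.20s  0.02s sshd: someuser [priv]
root     tty1     -                14:10    0.00s  0.05s  0.01s -bash
"""

@dataclass
class WSession:
    user: str
    tty: str
    source: str   # FROM column; "-" when there is no remote host
    login: str
    idle: str
    jcpu: str
    pcpu: str
    what: str

    def what_is_uninformative(self) -> bool:
        """True when WHAT names the sshd privilege-separation process rather
        than a command: `w` did not pick a foreground process for the terminal,
        so this column says nothing about what the user is actually doing."""
        return self.what.startswith("sshd: ")

# Seven whitespace-separated columns, then everything else as WHAT.
# Assumes the default 8-column layout shown in the question (FROM present).
_W_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_w(text: str) -> List[WSession]:
    sessions = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("USER ") or "load average" in line:
            continue  # skip the uptime line and the column header
        m = _W_LINE.match(line)
        if m:
            sessions.append(WSession(*m.groups()))
    return sessions

def sessions_needing_a_closer_look(text: str) -> List[Tuple[str, str]]:
    """(user, tty) pairs for which `w` shows only the sshd process."""
    return [(s.user, s.tty) for s in parse_w(text) if s.what_is_uninformative()]

def processes_on_tty(tty: str) -> List[Tuple[int, int, str, str]]:
    """The check suggested in the comments: `ps -t pts/5`. Returns
    (pid, ppid, stat, args) for every process attached to the terminal.
    Only meaningful on a live system; returns [] if ps is not available."""
    try:
        result = subprocess.run(
            ["ps", "-t", tty, "-o", "pid=,ppid=,stat=,args="],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return []
    procs = []
    for line in result.stdout.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            procs.append((int(parts[0]), int(parts[1]), parts[2], parts[3]))
    return procs

if __name__ == "__main__":
    for s in parse_w(SAMPLE_W_OUTPUT):
        flag = "  <- WHAT is just sshd; check ps -t " + s.tty if s.what_is_uninformative() else ""
        print(f"{s.user:10} {s.tty:8} {s.what}{flag}")
    # On a real host, feed the live output instead of the sample:
    #   live = subprocess.run(["w"], capture_output=True, text=True).stdout
    #   for user, tty in sessions_needing_a_closer_look(live):
    #       print(user, tty, processes_on_tty(tty))
```

The WHAT column is a hint, not a record: a row that shows only `sshd: someuser [priv]` is exactly the case where the process list for that tty, not `w`, tells you what is running.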

3 Answers


If a user is using bash, you can add to his /etc/bash.bashrc:

readonly PROMPT_COMMAND='history -a >(logger -t "commandlog $USER[$PWD] $SSH_CONNECTION")'

This will log all the user commands to syslog.

I would configure syslog to forward the logs to a locked down central syslog server, so in case of hacking or a rogue sysadmin, they would not be able to tamper with evidence.

Rui F Ribeiro

If auditd is enabled on the system, you can view the audit logs to see the command activity of users. This is a great resource that sysadmins regularly use when trying to forensically troubleshoot issues that might have been caused by other users' actions with regard to the system.
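An added example (not part of the answer) of reading the audit log for the question's case. With an execve rule loaded (for instance `-a always,exit -F arch=b64 -S execve -k cmds`), every command start produces a SYSCALL, an EXECVE and a CWD record sharing one `audit(<time>:<serial>)` id; the SYSCALL record carries `tty=pts5` and the login uid `auid`, which survives `su`/`sudo`, and the EXECVE record carries the argument vector, hex-encoded when an argument contains whitespace. `ausearch -k cmds -i` does this on a real host; the parser below shows what it resolves, on records constructed here, and lists the commands run on one tty. Record field layout follows the audit format; the pids, timestamps and commands are made up.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: three execve() events. The second has an argument with
# a space ("my notes.txt"), which audit logs as unquoted hex. The third is a
# cron child with no tty and the "unset" auid 4294967295.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1518098620.412:4512): arch=c000003e syscall=59 success=yes exit=0 a0=55c1b0a4a2c0 a1=55c1b0a49f80 a2=55c1b0a4e2a0 a3=8 items=2 ppid=2215 pid=2230 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts5 ses=7 comm="vi" exe="/usr/bin/vim.basic" key="cmds"
type=EXECVE msg=audit(1518098620.412:4512): argc=2 a0="vi" a1="somefile.py"
type=CWD msg=audit(1518098620.412:4512): cwd="/home/someuser"
type=SYSCALL msg=audit(1518098701.009:4530): arch=c000003e syscall=59 success=yes exit=0 a0=55c1b0a4a2c0 a1=55c1b0a49f80 a2=55c1b0a4e2a0 a3=8 items=2 ppid=2215 pid=2241 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts5 ses=7 comm="cat" exe="/usr/bin/cat" key="cmds"
type=EXECVE msg=audit(1518098701.009:4530): argc=2 a0="cat" a1=6D79206E6F7465732E747874
type=CWD msg=audit(1518098701.009:4530): cwd="/home/someuser"
type=SYSCALL msg=audit(1518098750.555:4541): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=2300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/bin/run-parts" key="cmds"
type=EXECVE msg=audit(1518098750.555:4541): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=CWD msg=audit(1518098750.555:4541): cwd="/"
"""

_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _decode(value: str) -> str:
    """Quoted values are returned unquoted; unquoted hex strings are decoded
    (audit's escaping for arguments with spaces or non-printable bytes)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if re.fullmatch(r"(?:[0-9A-F]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

@dataclass
class ExecEvent:
    time: float
    serial: int
    auid: int          # login uid; 4294967295 means unset (no login session)
    uid: int
    tty: str           # "pts5" for pts/5, "(none)" when there is no terminal
    ses: int
    cwd: str
    argv: List[str]
    success: bool

def parse_events(text: str) -> Dict[int, Dict[str, Dict[str, str]]]:
    """Group raw records by serial: {serial: {record_type: {field: value}}}."""
    events: Dict[int, Dict[str, Dict[str, str]]] = {}
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue
        fields = dict(_FIELD.findall(m["rest"]))
        fields["_time"] = m["time"]
        events.setdefault(int(m["serial"]), {})[m["type"]] = fields
    return events

def execve_events(text: str) -> List[ExecEvent]:
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        sysc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sysc or not ex:
            continue
        argv = [_decode(ex[f"a{i}"]) for i in range(int(ex["argc"])) if f"a{i}" in ex]
        out.append(ExecEvent(
            time=float(sysc["_time"]), serial=serial,
            auid=int(sysc["auid"]), uid=int(sysc["uid"]),
            tty=sysc.get("tty", "(none)"), ses=int(sysc["ses"]),
            cwd=_decode(recs.get("CWD", {}).get("cwd", '""')),
            argv=argv, success=sysc.get("success") == "yes",
        ))
    return out

def commands_on_tty(text: str, tty: str) -> List[str]:
    """Command lines executed on one terminal, e.g. tty="pts5" for pts/5."""
    return [shlex.join(ev.argv) for ev in execve_events(text) if ev.tty == tty]

if __name__ == "__main__":
    for ev in execve_events(SAMPLE_AUDIT_LOG):
        print(ev.serial, ev.tty, ev.auid, ev.cwd, shlex.join(ev.argv))
    print(commands_on_tty(SAMPLE_AUDIT_LOG, "pts5"))
```

Filtering on `tty` and `ses` rather than `uid` is what makes this answer the question's `w` output: it reconstructs what ran on pts/5 regardless of which process `w` happened to display.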


You can try something simple like peeking at the user's history file. This assumes that the user's shell is bash.

cat /home/someuser/.bash_history