Solved How to find out any commands issued

How to find out any commands issued by ‘built in’ users such as root, toor, operator, sshd, www, … and additional created users such as Alice, Bob, …? Is there a place where all issued commands are stored?
How to find them out?
 
 
OP, it sounds like you are looking for something similar to, say, SELinux? If so, I agree with SirDice that enabling auditing would be the right path.
 
Auditing is cool but will result in a massive amount of logging, you really need to be able to handle (and interpret) that deluge of information. Alternatively, I've been to places that used ttysnoop(8) (Linux) to log everything you did on the command line. You can probably do something similar with watch(8) on FreeBSD.

But as I said, it really depends on what you're looking for.
 
Something already happened on the server (I can’t say what). At this point we are just pointing who did what. If we hadn’t turned on logging, we can’t get the needed information? Or is something turned on by default?
Anything would be useful.
Where to look if any logging was enabled?
 
If we hadn’t turned on logging, we can’t get the needed information?
Doesn't work retroactively, no.

Or is something turned on by default?
No.

Anything would be useful.
A user's history files can be interesting to dissect. Look for .history (tcsh/csh) or .bash_history (bash) in a user's home directory. sh(1) doesn't have a persistent history, but you may have other shells installed that have been used.

Where to look if any logging was enabled?
Go through everything in /var/log/.
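
As an added example (not part of the thread or any poster's code), the history-file review suggested above can be scripted: the sketch below walks the accounts in a passwd(5) file, reads each `.history` and `.bash_history`, and merges the commands into one timeline. The function names and the `root` prefix parameter (for pointing it at a mounted disk image) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Merge per-user shell history files into one timeline (added example)."""
import os
import re
from datetime import datetime, timezone

HISTORY_FILES = (".history", ".bash_history")  # file names from the post above
# tcsh writes "#+<epoch>" before each command; bash writes "#<epoch>" only when
# HISTTIMEFORMAT was set. Commands without a stamp are reported as undated.
STAMP = re.compile(r"^#\+?(\d{9,10})$")

def home_dirs(passwd_path):
    """Yield (user, home) from a passwd(5)-format file."""
    with open(passwd_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) >= 7 and not line.startswith("#"):
                yield fields[0], fields[5]

def parse_history(path):
    """Return [(epoch_or_None, command)] for one history file."""
    entries, stamp = [], None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.rstrip("\n")
            m = STAMP.match(line)
            if m:
                stamp = int(m.group(1))
            elif line:
                entries.append((stamp, line))
                stamp = None
    return entries

def timeline(passwd_path, root="/"):
    """Rows of (epoch, user, file, command); undated rows sort first."""
    rows, seen = [], set()
    for user, home in home_dirs(passwd_path):
        for name in HISTORY_FILES:
            path = os.path.join(root, home.lstrip("/"), name)
            # accounts such as root and toor can share a home; read each file once
            if path not in seen and os.path.isfile(path):
                seen.add(path)
                rows += [(ts, user, path, cmd) for ts, cmd in parse_history(path)]
    return sorted(rows, key=lambda r: (r[0] is not None, r[0] or 0))

if __name__ == "__main__":
    for ts, user, path, cmd in timeline("/etc/passwd"):
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat() if ts else "undated"
        print(f"{when}\t{user}\t{path}\t{cmd}")
```

Run it with enough privilege to read other users' home directories. History files are written by the shell, usually at exit, and are editable by their owner, so treat the output as a lead to corroborate against /var/log/ rather than a complete record.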
 