How do I know from which IP address a command was executed in SLES 11

I'm new to SLES and I need to know what IP address executed a command.
I've searched and all I came across was this, but I do not have /var/log/auth.log or /var/log/secure. I don't know if it has to be SSH only.
I do know how to view the history of a user (.bash_history), but it doesn't save the IP address, just the command.

Is there any way to do this in SLES? 11 specifically, even if it's with SSH.

Tags: logs, command-history, sles

edited Mar 20 '17 at 10:04 by Community
asked Aug 30 '16 at 18:46 by Splendonia

In situations like this, you have to do investigative work. You need to look at the last command and determine who logged in, and go from there. Unless you specifically set up the system in that manner, you cannot log bash history that way unless you create your own aliases and functions. You may want to view cisecurity.org's website and find SLES benchmarks and read up on auditd for this case.

– Sokel
Aug 30 '16 at 20:43


1 Answer

An IP address doesn't execute a command. Commands are always executed by a program that runs locally. Normally the relevant forensic information regarding who ran a command is the user who ran this program.



It is possible to trace back a command to a server that listens for input over the network, e.g. find that some command was launched from a session that was created by an SSH server process and then find what remote machine that server process is listening to. If the command is executed in a terminal, then this information can be obtained by checking which terminal the command is executed in and running who to see which user is executing this command and where they logged in from. After the fact, the association between time, user terminal and IP address can be accessed with last.



Individual commands are not logged by default. If you want to do that, you have to set it up. An easy, low-overhead way is with process accounting: install acct, make sure that the service is enabled, and then each individual command (but not its argument) is logged. Run lastcomm to see the log associating commands, times and terminals. You can then cross the information with the IP addresses reported by last.

answered Aug 31 '16 at 1:55 by Gilles

Sorry, I meant the IP of the user that executed the command.

– Splendonia
Aug 31 '16 at 16:25





@Splendonia I know, and as I explain, that concept is not well-defined. A user could be logged in from different IP addresses. You can make the link if you can associate the command with a particular terminal.

– Gilles
Aug 31 '16 at 16:39
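
The cross-referencing described in the answer (terminals and times from lastcomm matched against the login sessions reported by last), as an added example that is not part of the original answer or comments. The embedded samples are constructed and only modelled on `last -F -i` and `lastcomm` output; column layout differs between versions, so the regular expressions and the function names are assumptions to adapt.

```python
import re
from datetime import datetime

# Constructed sample in the style of `last -F -i` (full timestamps, numeric source).
LAST_OUT = """\
alice    pts/1        203.0.113.7      Wed Aug 31 10:05:12 2016 - Wed Aug 31 11:30:45 2016  (01:25)
alice    pts/2        198.51.100.20    Wed Aug 31 10:40:03 2016 - Wed Aug 31 10:55:10 2016  (00:15)
root     pts/0        192.0.2.15       Wed Aug 31 09:58:01 2016   still logged in
reboot   system boot  3.0.101-63       Wed Aug 31 09:50:00 2016   still running
"""
# Constructed sample in the style of `lastcomm`: no arguments, no year, minute resolution.
LASTCOMM_OUT = """\
rm                     alice    pts/2      0.00 secs Wed Aug 31 10:47
vi                     alice    pts/1      0.02 secs Wed Aug 31 10:47
passwd            S    root     pts/1      0.01 secs Wed Aug 31 10:50
cron              SF   root     __         0.00 secs Wed Aug 31 10:15
"""
TS = r"\w{3} (\w{3} +\d+ [\d:]+ \d{4})"  # weekday skipped, rest captured
LAST_RE = re.compile(rf"^(\S+)\s+(pts/\d+|tty\S+)\s+(\S+)\s+{TS}(?: - {TS})?")
# The flag column (S, F, C, D, X) is optional in lastcomm output.
COMM_RE = re.compile(
    r"^(\S+)\s+(?:[SFCDX]+\s+)?(\S+)\s+(\S+)\s+[\d.]+ secs \w{3} (\w{3} +\d+ [\d:]+)\s*$")

def parse_sessions(last_text):
    """Turn terminal logins into (tty, source, login, logout) windows."""
    sessions = []
    for line in last_text.splitlines():
        if not (m := LAST_RE.match(line)):
            continue  # reboot/shutdown lines have no terminal to correlate on
        _user, tty, src, start, end = m.groups()
        fmt = "%b %d %H:%M:%S %Y"
        # lastcomm only has minute resolution, so round the login time down.
        login = datetime.strptime(start, fmt).replace(second=0)
        logout = datetime.strptime(end, fmt) if end else datetime.max
        sessions.append((tty, src, login, logout))
    return sessions

def attribute(last_text, lastcomm_text):
    """Return (command, user, tty, source); source is None if no session fits."""
    sessions = parse_sessions(last_text)
    results = []
    for line in lastcomm_text.splitlines():
        if not (m := COMM_RE.match(line)):
            continue
        cmd, user, tty, stamp = m.groups()
        src = None
        for s_tty, s_src, login, logout in sessions:
            when = datetime.strptime(f"{stamp} {login.year}", "%b %d %H:%M %Y")
            # Join on terminal + time, not user: `su` changes the user, not the tty.
            if tty == s_tty and login <= when <= logout:
                src = s_src
                break
        results.append((cmd, user, tty, src))
    return results
```

Commands with no controlling terminal (`__`, such as cron jobs) stay unattributed, which matches the answer's point that the link only exists through a terminal session.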




