How do I know from which IP address a command was executed in SLES 11

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












1















I'm new to SLES and I need to know what IP address executed a command.
I've searched and all I came across this but I do not have /var/log/auth.log or /var/log/secure. I don't know if it has to be SSH only.
I do know how to view the history of an user (.bash_history) but it doesn't saves the IP address, just the command.



Is there anyway to do this in SLES? 11 specifically even if it's with SSH.










share|improve this question



















  • 1





    In situations like this, you have to do investigative work. You need to look at the last command and determine who logged in, and go from there. Unless you specifically setup the system in that manner, you cannot log bash history that way unless you create your own aliases and functions. You may want to view cisecurity.org's website and find SLES benchmarks and read up on auditd for this case.

    – Sokel
    Aug 30 '16 at 20:43















1















I'm new to SLES and I need to know what IP address executed a command.
I've searched and all I came across this but I do not have /var/log/auth.log or /var/log/secure. I don't know if it has to be SSH only.
I do know how to view the history of an user (.bash_history) but it doesn't saves the IP address, just the command.



Is there anyway to do this in SLES? 11 specifically even if it's with SSH.










share|improve this question



















  • 1





    In situations like this, you have to do investigative work. You need to look at the last command and determine who logged in, and go from there. Unless you specifically setup the system in that manner, you cannot log bash history that way unless you create your own aliases and functions. You may want to view cisecurity.org's website and find SLES benchmarks and read up on auditd for this case.

    – Sokel
    Aug 30 '16 at 20:43













1












1








1








I'm new to SLES and I need to know what IP address executed a command.
I've searched and all I came across this but I do not have /var/log/auth.log or /var/log/secure. I don't know if it has to be SSH only.
I do know how to view the history of an user (.bash_history) but it doesn't saves the IP address, just the command.



Is there anyway to do this in SLES? 11 specifically even if it's with SSH.










share|improve this question
















I'm new to SLES and I need to know what IP address executed a command.
I've searched and all I came across this but I do not have /var/log/auth.log or /var/log/secure. I don't know if it has to be SSH only.
I do know how to view the history of an user (.bash_history) but it doesn't saves the IP address, just the command.



Is there anyway to do this in SLES? 11 specifically even if it's with SSH.







logs command-history sles






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 20 '17 at 10:04









Community

1




1










asked Aug 30 '16 at 18:46









SplendoniaSplendonia

1086




1086







  • 1





    In situations like this, you have to do investigative work. You need to look at the last command and determine who logged in, and go from there. Unless you specifically setup the system in that manner, you cannot log bash history that way unless you create your own aliases and functions. You may want to view cisecurity.org's website and find SLES benchmarks and read up on auditd for this case.

    – Sokel
    Aug 30 '16 at 20:43












  • 1





    In situations like this, you have to do investigative work. You need to look at the last command and determine who logged in, and go from there. Unless you specifically setup the system in that manner, you cannot log bash history that way unless you create your own aliases and functions. You may want to view cisecurity.org's website and find SLES benchmarks and read up on auditd for this case.

    – Sokel
    Aug 30 '16 at 20:43







1




1





In situations like this, you have to do investigative work. You need to look at the last command and determine who logged in, and go from there. Unless you specifically setup the system in that manner, you cannot log bash history that way unless you create your own aliases and functions. You may want to view cisecurity.org's website and find SLES benchmarks and read up on auditd for this case.

– Sokel
Aug 30 '16 at 20:43





In situations like this, you have to do investigative work. You need to look at the last command and determine who logged in, and go from there. Unless you specifically setup the system in that manner, you cannot log bash history that way unless you create your own aliases and functions. You may want to view cisecurity.org's website and find SLES benchmarks and read up on auditd for this case.

– Sokel
Aug 30 '16 at 20:43










1 Answer
1






active

oldest

votes


















0














An IP address doesn't execute a command. Commands are always executed by a program that runs locally. Normally the relevant forensic information regarding who ran a command is the user who ran this program.



It is possible to trace back a command to a server that listens for input over the network, e.g. find that some command was launched from a session that was created by an SSH server process and then find what remote machine that server process is listening to. If the command is executed in a terminal, then this information can be obtained by checking which terminal the command is executed in and running who to see which user is executing this command and where they logged in from. After the fact, the association between time, user terminal and IP address can be accessed with last.



Individual commands are not logged by default. If you want to do that, you have to set it up. An easy, low-overhead way is with process accounting: install acct, make sure that the service is enabled, and then each individual command (but not its argument) is logged. Run
lastcomm to see the log associating commands, times and terminals. You can then cross the information with the IP addresses reported by last.






share|improve this answer























  • Sorry, I meant the IP of the user that executed the command.

    – Splendonia
    Aug 31 '16 at 16:25











  • @Splendonia I know, and as I explain, that concept is not well-defined. A user could be logged in from different IP addresses. You can make the link if you can associate the command with a particular terminal.

    – Gilles
    Aug 31 '16 at 16:39










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f306746%2fhow-do-i-know-from-which-ip-address-a-command-was-executed-in-sles-11%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














An IP address doesn't execute a command. Commands are always executed by a program that runs locally. Normally the relevant forensic information regarding who ran a command is the user who ran this program.



It is possible to trace back a command to a server that listens for input over the network, e.g. find that some command was launched from a session that was created by an SSH server process and then find what remote machine that server process is listening to. If the command is executed in a terminal, then this information can be obtained by checking which terminal the command is executed in and running who to see which user is executing this command and where they logged in from. After the fact, the association between time, user terminal and IP address can be accessed with last.



Individual commands are not logged by default. If you want to do that, you have to set it up. An easy, low-overhead way is with process accounting: install acct, make sure that the service is enabled, and then each individual command (but not its argument) is logged. Run
lastcomm to see the log associating commands, times and terminals. You can then cross the information with the IP addresses reported by last.






share|improve this answer























  • Sorry, I meant the IP of the user that executed the command.

    – Splendonia
    Aug 31 '16 at 16:25











  • @Splendonia I know, and as I explain, that concept is not well-defined. A user could be logged in from different IP addresses. You can make the link if you can associate the command with a particular terminal.

    – Gilles
    Aug 31 '16 at 16:39















0














An IP address doesn't execute a command. Commands are always executed by a program that runs locally. Normally the relevant forensic information regarding who ran a command is the user who ran this program.



It is possible to trace back a command to a server that listens for input over the network, e.g. find that some command was launched from a session that was created by an SSH server process and then find what remote machine that server process is listening to. If the command is executed in a terminal, then this information can be obtained by checking which terminal the command is executed in and running who to see which user is executing this command and where they logged in from. After the fact, the association between time, user terminal and IP address can be accessed with last.



Individual commands are not logged by default. If you want to do that, you have to set it up. An easy, low-overhead way is with process accounting: install acct, make sure that the service is enabled, and then each individual command (but not its argument) is logged. Run
lastcomm to see the log associating commands, times and terminals. You can then cross the information with the IP addresses reported by last.






share|improve this answer























  • Sorry, I meant the IP of the user that executed the command.

    – Splendonia
    Aug 31 '16 at 16:25











  • @Splendonia I know, and as I explain, that concept is not well-defined. A user could be logged in from different IP addresses. You can make the link if you can associate the command with a particular terminal.

    – Gilles
    Aug 31 '16 at 16:39













0












0








0







An IP address doesn't execute a command. Commands are always executed by a program that runs locally. Normally the relevant forensic information regarding who ran a command is the user who ran this program.



It is possible to trace back a command to a server that listens for input over the network, e.g. find that some command was launched from a session that was created by an SSH server process and then find what remote machine that server process is listening to. If the command is executed in a terminal, then this information can be obtained by checking which terminal the command is executed in and running who to see which user is executing this command and where they logged in from. After the fact, the association between time, user terminal and IP address can be accessed with last.



Individual commands are not logged by default. If you want to do that, you have to set it up. An easy, low-overhead way is with process accounting: install acct, make sure that the service is enabled, and then each individual command (but not its argument) is logged. Run
lastcomm to see the log associating commands, times and terminals. You can then cross the information with the IP addresses reported by last.






share|improve this answer













An IP address doesn't execute a command. Commands are always executed by a program that runs locally. Normally the relevant forensic information regarding who ran a command is the user who ran this program.



It is possible to trace back a command to a server that listens for input over the network, e.g. find that some command was launched from a session that was created by an SSH server process and then find what remote machine that server process is listening to. If the command is executed in a terminal, then this information can be obtained by checking which terminal the command is executed in and running who to see which user is executing this command and where they logged in from. After the fact, the association between time, user terminal and IP address can be accessed with last.



Individual commands are not logged by default. If you want to do that, you have to set it up. An easy, low-overhead way is with process accounting: install acct, make sure that the service is enabled, and then each individual command (but not its argument) is logged. Run
lastcomm to see the log associating commands, times and terminals. You can then cross the information with the IP addresses reported by last.







share|improve this answer












share|improve this answer



share|improve this answer










answered Aug 31 '16 at 1:55









GillesGilles

536k12810821600




536k12810821600












  • Sorry, I meant the IP of the user that executed the command.

    – Splendonia
    Aug 31 '16 at 16:25











  • @Splendonia I know, and as I explain, that concept is not well-defined. A user could be logged in from different IP addresses. You can make the link if you can associate the command with a particular terminal.

    – Gilles
    Aug 31 '16 at 16:39

















  • Sorry, I meant the IP of the user that executed the command.

    – Splendonia
    Aug 31 '16 at 16:25











  • @Splendonia I know, and as I explain, that concept is not well-defined. A user could be logged in from different IP addresses. You can make the link if you can associate the command with a particular terminal.

    – Gilles
    Aug 31 '16 at 16:39
















Sorry, I meant the IP of the user that executed the command.

– Splendonia
Aug 31 '16 at 16:25





Sorry, I meant the IP of the user that executed the command.

– Splendonia
Aug 31 '16 at 16:25













@Splendonia I know, and as I explain, that concept is not well-defined. A user could be logged in from different IP addresses. You can make the link if you can associate the command with a particular terminal.

– Gilles
Aug 31 '16 at 16:39





@Splendonia I know, and as I explain, that concept is not well-defined. A user could be logged in from different IP addresses. You can make the link if you can associate the command with a particular terminal.

– Gilles
Aug 31 '16 at 16:39

















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f306746%2fhow-do-i-know-from-which-ip-address-a-command-was-executed-in-sles-11%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?