When an account owns a suspicious change, a failed deployment, or an unexpected service restart, the command trail has to come from more than one place. Saved shell history shows interactive commands, sudo logs show privileged commands, and the process table shows commands still running under the account.
Interactive shells write history to files under the user's home directory. Bash commonly uses ~/.bash_history, Zsh uses ~/.zsh_history, and fish uses ~/.local/share/fish/fish_history. Bash can store timestamp markers when HISTTIMEFORMAT is configured, but a plain history file may only prove command order.
Privileged commands need a second check in sudo or authentication logs because shell history can be disabled, delayed until shell exit, edited, or cleared. sudo normally records the command it directly starts, not commands typed later inside a root shell or editor escape, so treat each source as one timeline clue and corroborate important entries before acting on the account.
Related: How to check authentication logs in Linux
Related: How to view processes by user in Linux
Related: How to investigate a Linux intrusion
$ getent passwd alice alice:x:1001:1001::/home/alice:/bin/bash
Replace alice with the account being checked. The home directory and shell identify the likely history file.
$ sudo cat /home/alice/.bash_history #1767945154 sudo -l #1767945155 sudo systemctl status ssh #1767945156 sudo journalctl -u ssh --since "2 hours ago" #1767945157 ss -tulpn #1767945158 ps auxf
Use the path from the previous step. A shell may write history only when it exits, and settings such as HISTCONTROL or HISTIGNORE can omit entries.
$ sudo bash -c 'HISTTIMEFORMAT="%F %T "; set -o history; history -r /home/alice/.bash_history; history'
1 2026-01-09 07:52:34 sudo -l
2 2026-01-09 07:52:35 sudo systemctl status ssh
3 2026-01-09 07:52:36 sudo journalctl -u ssh --since "2 hours ago"
4 2026-01-09 07:52:37 ss -tulpn
5 2026-01-09 07:52:38 ps auxf
Bash stores timestamped history as #<epoch-seconds> lines before the command. If those markers are absent, use the file order without assigning exact times.
$ sudo grep 'sudo: alice :' /var/log/auth.log 2026-01-12T07:29:21.101000+00:00 server01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status ssh 2026-01-12T07:29:34.155000+00:00 server01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u ssh --since 2 hours ago
Ubuntu and Debian commonly use /var/log/auth.log. Many Red Hat-family systems use /var/log/secure, and systemd hosts may also expose the same events through journalctl.
Related: How to check authentication logs in Linux
$ sudo zgrep 'sudo: alice :' /var/log/auth.log.* /var/log/auth.log.1:2026-01-11T22:14:03.301000+00:00 server01 sudo: alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ss -tulpn /var/log/auth.log.2.gz:2026-01-10T19:42:55.412000+00:00 server01 sudo: alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ps auxf
Rotated files may be compressed or uncompressed. Search the log family that matches the host's authentication log path.
$ ps -u alice -o pid,tty,stat,etime,args -ww PID TT STAT ELAPSED COMMAND 331 ? Sl 00:18 tail -f /dev/null 332 ? S 00:18 sleep 300
If local /proc permissions hide other users' process arguments, rerun the same command with sudo.
Related: How to view processes by user in Linux