How to check commands run by a user in Linux

When an account owns a suspicious change, a failed deployment, or an unexpected service restart, the command trail has to come from more than one place. Saved shell history shows interactive commands, sudo logs show privileged commands, and the process table shows commands still running under the account.

Interactive shells write history to files under the user's home directory. Bash commonly uses ~/.bash_history, Zsh uses ~/.zsh_history, and fish uses ~/.local/share/fish/fish_history. Bash can store timestamp markers when HISTTIMEFORMAT is configured, but a plain history file may only prove command order.

Privileged commands need a second check in sudo or authentication logs because shell history can be disabled, delayed until shell exit, edited, or cleared. sudo normally records the command it directly starts, not commands typed later inside a root shell or editor escape, so treat each source as one timeline clue and corroborate important entries before acting on the account.

Steps to check commands run by a user in Linux:

  1. Identify the account home directory and login shell.
    $ getent passwd alice
    alice:x:1001:1001::/home/alice:/bin/bash

    Replace alice with the account being checked. The home directory and shell identify the likely history file.

  2. Read the saved Bash history file for the account.
    $ sudo cat /home/alice/.bash_history
    #1767945154
    sudo -l
    #1767945155
    sudo systemctl status ssh
    #1767945156
    sudo journalctl -u ssh --since "2 hours ago"
    #1767945157
    ss -tulpn
    #1767945158
    ps auxf

    Use the path from the previous step. A shell may write history only when it exits, and settings such as HISTCONTROL or HISTIGNORE can omit entries.

  3. Render Bash history timestamps when epoch markers are present.
    $ sudo bash -c 'HISTTIMEFORMAT="%F %T "; set -o history; history -r /home/alice/.bash_history; history'
        1  2026-01-09 07:52:34 sudo -l
        2  2026-01-09 07:52:35 sudo systemctl status ssh
        3  2026-01-09 07:52:36 sudo journalctl -u ssh --since "2 hours ago"
        4  2026-01-09 07:52:37 ss -tulpn
        5  2026-01-09 07:52:38 ps auxf

    Bash stores timestamped history as #<epoch-seconds> lines before the command. If those markers are absent, use the file order without assigning exact times.

  4. List sudo command lines for the user in the active authentication log.
    $ sudo grep 'sudo:    alice :' /var/log/auth.log
    2026-01-12T07:29:21.101000+00:00 server01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status ssh
    2026-01-12T07:29:34.155000+00:00 server01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u ssh --since 2 hours ago

    Ubuntu and Debian commonly use /var/log/auth.log. Many Red Hat-family systems use /var/log/secure, and systemd hosts may also expose the same events through journalctl.
    Related: How to check authentication logs in Linux

  5. Search rotated authentication logs for older sudo command lines.
    $ sudo zgrep 'sudo:    alice :' /var/log/auth.log.*
    /var/log/auth.log.1:2026-01-11T22:14:03.301000+00:00 server01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ss -tulpn
    /var/log/auth.log.2.gz:2026-01-10T19:42:55.412000+00:00 server01 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ps auxf

    Rotated files may be compressed or uncompressed. Search the log family that matches the host's authentication log path.

  6. List commands currently running under the account.
    $ ps -u alice -o pid,tty,stat,etime,args -ww
      PID TT       STAT     ELAPSED COMMAND
      331 ?        Sl         00:18 tail -f /dev/null
      332 ?        S          00:18 sleep 300

    If local /proc permissions hide other users' process arguments, rerun the same command with sudo.
    Related: How to view processes by user in Linux