Auditing commands run by a user helps reconstruct configuration changes, confirm administrative actions, and spot unexpected activity on multi-user Linux systems.
Interactive shells record typed commands in per-user history files, while privileged commands executed through sudo are logged by the authentication logging pipeline and written to files such as /var/log/auth.log on Ubuntu and Debian.
Shell history is user-controlled and may be incomplete or altered, and auth logs only capture commands that went through sudo and are retained until log rotation removes them, so combine history files, auth logs, and a live process snapshot when building an activity timeline.
Steps to check commands run by a user with shell history, grep, and ps in Linux:
- Identify the account home directory and login shell to choose the correct history file.
$ getent passwd user
user:x:1001:1001::/home/user:/bin/bash
bash commonly writes to ~/.bash_history, zsh to ~/.zsh_history, and fish to ~/.local/share/fish/fish_history.
- View recent commands from the user's bash history file.
$ sudo -iu user -- bash -c 'tail -n 10 ~/.bash_history'
#1767945154
sudo -l
#1767945155
sudo systemctl status ssh
#1767945156
sudo journalctl -u ssh --since "2 hours ago"
#1767945157
ss -tulpn
#1767945158
ps auxf
Adjust the history file path to match the login shell, and note that history is typically flushed on shell exit and may omit entries based on HISTCONTROL settings.
- Render bash history with human-readable timestamps when the history file includes epoch markers.
$ sudo -iu user -- bash -c 'HISTTIMEFORMAT="%F %T "; history -r ~/.bash_history; history | tail -n 5'
    1  2026-01-09 07:52:34 sudo -l
    2  2026-01-09 07:52:35 sudo systemctl status ssh
    3  2026-01-09 07:52:36 sudo journalctl -u ssh --since "2 hours ago"
    4  2026-01-09 07:52:37 ss -tulpn
    5  2026-01-09 07:52:38 ps auxf
Timestamped history lines are stored as #<epoch-seconds> entries in ~/.bash_history.
- Filter sudo commands for the user in the system authentication log.
$ sudo grep "sudo:.*user" /var/log/auth.log | tail -n 5
2026-01-12T07:29:28.637559+00:00 host.example.net sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
2026-01-12T07:29:28.639106+00:00 host.example.net sudo: pam_unix(sudo:session): session closed for user root
2026-01-12T07:29:28.639689+00:00 host.example.net sudo: pam_unix(sudo-i:session): session closed for user user
On RHEL and CentOS, check /var/log/secure instead of /var/log/auth.log.
- Search rotated auth logs for older sudo entries.
$ sudo zgrep -h "sudo:.*user" /var/log/auth.log* | tail -n 5
2026-01-12T07:29:28.675638+00:00 host.example.net sudo: root : PWD=/ ; USER=root ; COMMAND=/usr/bin/grep sudo:.*user /var/log/auth.log
2026-01-12T07:29:28.675680+00:00 host.example.net sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0)
2026-01-12T07:29:28.676318+00:00 host.example.net sudo: pam_unix(sudo:session): session closed for user root
- List commands currently running under the account to confirm live activity.
$ ps -u user -o pid,tty,stat,etime,args -ww
    PID TT       STAT     ELAPSED COMMAND
   1435 ?        S          00:12 tail -f /dev/null
   1436 ?        S          00:12 sleep 300
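As an added example that is not part of the original article, the script below combines the history and auth-log steps above into one time-sorted timeline for an account, keeping history entries that have no #epoch marker instead of dropping them. The sample history and log lines are constructed, the account name user and the file paths are assumptions, and GNU date is required for the epoch conversion.

```shell
# Added example: merge a bash history file carrying #<epoch> markers with the
# sudo COMMAND= lines for the same account into one sorted timeline (GNU date).
# Emit "<UTC timestamp> history <command>" per history entry. Entries with no
# preceding #<epoch> marker (recorded before HISTTIMEFORMAT was set) get "unknown".
render_history() {
    epoch=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#'[0-9]*) epoch=${line#\#}; continue ;;
        esac
        if [ -n "$epoch" ]; then
            ts=$(date -u -d "@$epoch" +%Y-%m-%dT%H:%M:%S)
        else
            ts="unknown"
        fi
        printf '%s history %s\n' "$ts" "$line"
        epoch=""
    done < "$1"
}
# Emit "<timestamp> sudo <command>" for COMMAND= lines invoked by user $2; pam_unix
# session lines have no COMMAND= and are skipped. The rsyslog timestamp (assumed
# +00:00 as in the article) is cut to seconds so it sorts beside history entries.
render_sudo() {
    awk -v who="$2" '
        / sudo: / && /COMMAND=/ {
            ts = substr($1, 1, 19)
            split($0, a, " sudo: "); split(a[2], b, " : ")
            sub(/^ +/, "", b[1])
            if (b[1] != who) next
            sub(/.*COMMAND=/, "")
            printf "%s sudo %s\n", ts, $0
        }' "$1"
}
# Stable sort on the timestamp keeps history before sudo for equal seconds.
build_timeline() {
    { render_history "$1"; render_sudo "$2" "$3"; } | sort -s -k1,1
}
# Constructed sample data modelled on the article's output (sudo logs argv
# joined by spaces, so the shell quotes around "2 hours ago" do not appear).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'sudo -l' '#1767945155' 'sudo systemctl status ssh' \
    '#1767945156' 'sudo journalctl -u ssh --since "2 hours ago"' > "$tmp/bash_history"
cat > "$tmp/auth.log" <<'EOF'
2026-01-09T07:52:35.100000+00:00 host.example.net sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/systemctl status ssh
2026-01-09T07:52:35.102000+00:00 host.example.net sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1001)
2026-01-09T07:52:36.200000+00:00 host.example.net sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/journalctl -u ssh --since 2 hours ago
2026-01-09T07:55:00.000000+00:00 host.example.net sudo:     root : PWD=/ ; USER=root ; COMMAND=/usr/bin/grep sudo:.*user /var/log/auth.log
EOF
build_timeline "$tmp/bash_history" "$tmp/auth.log" user
```

A history command that matches a sudo COMMAND= line at the same second corroborates the entry; a sudo line with no history counterpart points at history that was trimmed, disabled, or edited.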
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
