Hi,
This is a tricky one.
From history output the below command gives something that I consider an acceptable solution.
history | awk ' { print $2 } ' | sort | uniq -c
It does not account for commands typed differently but clearly identical, such as mv and /usr/bin/mv; it will falsely count variable assignments such as NAMES='John Smith'; it will clobber HERE commands spread over several lines, and piped commands on one line, ... And it supposes that the history output has not been customized, so that the command is just preceded by the command number.
Regards,
Tshimanga
TM, that's certainly a fantastic attempt that you've made. However, your beautiful construct appears to only be providing me with executable files that have been run for a single user - the user that runs your command.
I'm looking for a command that will display/list ALL executable files that have ever been run on my Linux system.
Thank you for what you did provide. That will be a very nice addition to my knowledgebase!
Run the following commands:
sudo aureport --start this-year -x | grep "^[0-9]." | awk '{print $4}' | sort | uniq -c
The breakdown of commands is:
aureport - produces a report about executables for the specified time period. You can set this date to the date of the setup of the host machine.
grep "^[0-9]." - finds all the lines that begin with a number, to avoid empty lines, comments and headers.
awk '{print $4}' - prints the name of the executables that have been run on each line.
sort - sorts the lines in order
uniq -c - counts the occurrences of unique lines.
The output will produce a list of executables and the number of times they have been run for the specified time period. In this example, the current year:
(edited output)
648 /usr/bin/su
8328 /usr/bin/sudo
89 /usr/bin/systemctl
My output does seem to have some anomalies, though. For example, grep only shows as being run once. This is incorrect, as it was run many times when working on this solution.
So, some further work is required on this problem!
Hi @Ad_astra,
This one is good.
I have run the below command on one of my Rocky Linux 9.2 VMs, and I have realized that it does not include some commands that I know I had run as root. Commands such as dnf, mv, cp that clearly appear in root's history.
aureport --start 05/15/23 13:00:00 -x | grep '^[0-9].' | awk ' { print $4 } ' | sort | uniq -c
With 2023-05-16 13:20:13.854662000 +0100 being the birth time of /, obtained with the command "stat /".
Maybe @Trevor can just post his solution.
Regards,
Tshimanga
Hi
I've also found that using the --comm option, instead of -x, lists commands that have been run. Although there does seem to be some duplication of the same commands/binaries that are shown using -x.
Regards
Hello
Will there be an answer posted to this question?
Thanks
Hello Ad_astra,
Here's a little hint: Look at something related to the Linux Audit daemon.
If you don't wish to explore this, and would rather that I just provide you the answer, I'm happy to accommodate.
Hi @Trevor,
What I give here is my own opinion.
I feel as if we have shown interest in the topic and provided a few attempts.
Obviously those attempts clearly seem incomplete.
At this stage, I would like to see your solution.
Regards,
Tshimanga
Hi
Thanks for the hint.
The only thing I can think of is setting the audit daemon to log system calls via the logging rules:
auditctl -a exit,always -S execve
This would log commands and arguments.
Regards
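The following is an added example, not code posted by anyone in this thread. Once an execve rule like the one above is loaded, auditd writes raw SYSCALL records to /var/log/audit/audit.log, and the same "extract, sort, uniq -c" idea used with aureport earlier in the thread can be applied directly to those records. The script below counts successful execve calls per executable path from constructed sample records (they are made up for illustration, not captured from a real host). It assumes the default audit log location, the x86_64 execve syscall number (59), and the standard raw record layout with comm="..." and exe="..." fields; adjust the syscall number on other architectures.

```bash
#!/bin/sh
# Added example: count executed binaries from raw audit.log SYSCALL records
# written by an execve rule (auditctl -a exit,always -S execve).
# Assumptions: x86_64 (execve is syscall 59), raw (non -i) record format.

# Constructed sample records, not taken from a real system. Note the dnf
# line: for a #! script the kernel runs the interpreter, so exe= is the
# interpreter path while comm= carries the script name.
SAMPLE_LOG='type=SYSCALL msg=audit(1684240813.854:101): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=0 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=EXECVE msg=audit(1684240813.854:101): argc=2 a0="sudo" a1="dnf"
type=SYSCALL msg=audit(1684240813.900:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1201 pid=1202 auid=1000 uid=0 comm="dnf" exe="/usr/bin/python3.9" key=(null)
type=SYSCALL msg=audit(1684240814.001:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1301 auid=1000 uid=1000 comm="grep" exe="/usr/bin/grep" key=(null)
type=SYSCALL msg=audit(1684240814.050:104): arch=c000003e syscall=59 success=yes exit=0 ppid=1300 pid=1302 auid=1000 uid=1000 comm="grep" exe="/usr/bin/grep" key=(null)
type=SYSCALL msg=audit(1684240815.000:105): arch=c000003e syscall=59 success=no exit=-2 ppid=1300 pid=1303 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key=(null)
type=CWD msg=audit(1684240815.000:105): cwd="/root"'

# count_exe: read raw audit records on stdin, keep only successful execve
# SYSCALL records, extract the exe="..." path and count each distinct path.
# Output lines look like uniq -c output: "<count> <path>", highest first.
count_exe() {
  grep '^type=SYSCALL ' \
    | grep ' syscall=59 ' \
    | grep ' success=yes ' \
    | sed -n 's/.* exe="\([^"]*\)".*/\1/p' \
    | sort | uniq -c | sort -rn
}

# exe_count PATH: number of successful execs of PATH in the sample log
# (empty output when the path never executed successfully).
exe_count() {
  printf '%s\n' "$SAMPLE_LOG" | count_exe | awk -v p="$1" '$2 == p { print $1 }'
}

# exe_for_comm NAME: the exe= path recorded for a given comm= name, which
# shows why a script such as dnf is attributed to its interpreter.
exe_for_comm() {
  printf '%s\n' "$SAMPLE_LOG" \
    | grep '^type=SYSCALL ' \
    | sed -n "s/.* comm=\"$1\" exe=\"\([^\"]*\)\".*/\1/p" \
    | sort -u
}

# Stand-alone run: print the per-executable counts for the sample records.
printf '%s\n' "$SAMPLE_LOG" | count_exe
```

Against a live system the same function runs as `count_exe < /var/log/audit/audit.log` (rotated files can be concatenated first); the failed exec of /usr/bin/bash in the sample is deliberately excluded by the `success=yes` filter, and the dnf record is counted under /usr/bin/python3.9, which is worth keeping in mind when comparing `aureport -x` with `aureport --comm`.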
Red Hat Learning Community