On traditional Unix and Unix-like systems, the first and only user that exists on a new installation is called root. You use the root account to log in and create secondary “normal” users. After this initial interaction, you are expected to log in as a normal user. Running your system as a normal user is a self-imposed restriction that protects you from making stupid mistakes. Below are the steps to check sudo command usage on Linux.

Steps to check sudo Command Usage on Linux

Authentication Log

Many Linux services keep logs to help with troubleshooting. Fortunately, one of them keeps a detailed list with exactly the information we are looking for in this article. In this list, you can look up who ran which command with sudo and when. To find this information on a Debian- or Ubuntu-based distribution, type the following into your favorite terminal:

For other distributions, the location may vary: the information may be in “/var/log/secure” or “/var/log/audit/audit.log”. You can find the location of this log file by checking the sudoers file, which is usually at “/etc/sudoers”, although its location can also differ between distributions. Open the file with your favorite text editor and look for the logfile entry; it names the file you are looking for. Then modify the above command to read that file instead.

Making Sense of Chaos

The log file will contain a lot of entries that are probably not of interest. You can browse and scroll through it or use the search function of your text editor to find any use of sudo.

Step 1: It’s better, though, if you use grep instead. This way, you can filter the log’s contents based on a simple query. To find all sudo entries in it, use:

Step 2: Remember to update the log’s path to the correct one for your distribution.

Step 3: If you prefer to have them in file format, add a redirect after the command:

Step 4: When you check it out, you’ll find a series of entries that contain the date, time, computer name, and command used.

Normal Bash

If you are just looking for all the commands entered in the terminal, you can look in the “.bash_history” file in the Home folder. For example, you could type the following into a terminal:

This will show you all the commands you (or other users) have run in the terminal.

Journalctl

Step 1: Another way to find out what sudo has done is to use journalctl from systemd. This is a system logging utility that comes with every Linux distribution that uses systemd.

Step 2: This includes not only Debian and Ubuntu, but also other popular distributions such as Arch Linux and Fedora. Thus, journalctl can be a helpful utility if you are already constantly switching between systemd-based Linux distributions.

Step 3: With this knowledge, it is incredibly easy to use journalctl to view the sudo logs. First, you need to log in as either the root user or an account with superuser privileges.

Step 4: Run the following command to view all of the logs for the sudo program:
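The filtering described in the grep steps and in the journalctl steps can be done by one small script, shown here as an added example that is not part of the original article. The function names (sample_log, sudo_summary, sudo_denied) and the sample lines are made up for illustration, and `journalctl _COMM=sudo` is one way to select sudo entries from the journal, not necessarily the command the article intended.

```shell
# Constructed sample lines in the usual sudo syslog layout (not real log data).
sample_log() {
    cat <<'EOF'
Mar  4 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 10:15:01 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  4 10:17:44 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  4 10:19:30 web01 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar 04 10:21:09 web01 sudo[2210]:    carol : TTY=pts/2 ; PWD=/srv ; USER=www-data ; COMMAND=/bin/sh -c id ; whoami
EOF
}

# Read log lines on stdin, print STATUS, TIME, USER, RUN-AS, COMMAND (tab-separated).
sudo_summary() {
    awk '
    # Accept "<host> sudo:" and "<host> sudo[pid]:" so that both syslog files
    # and journalctl output parse, whatever the timestamp format is.
    match($0, / [^ ]+ sudo(\[[0-9]+\])?: /) {
        stamp = substr($0, 1, RSTART - 1)
        rest  = substr($0, RSTART + RLENGTH)
        cpos  = index(rest, "COMMAND=")
        if (cpos == 0) next              # PAM session lines carry no command
        cmd  = substr(rest, cpos + 8)    # keep it whole: a command may contain " ; "
        head = substr(rest, 1, cpos - 1)
        sub(/^ +/, "", head)
        user = head; sub(/ :.*/, "", user)
        runas = "?"
        if (match(head, /USER=[^ ]+/)) runas = substr(head, RSTART + 5, RLENGTH - 5)
        status = "OK"
        if (head ~ /NOT in sudoers|incorrect password attempt|command not allowed|NOT authorized on/)
            status = "DENIED"
        printf "%s\t%s\t%s\t%s\t%s\n", status, stamp, user, runas, cmd
    }'
}

# Only the attempts that sudo refused: the entries worth reviewing first.
sudo_denied() { sudo_summary | awk -F '\t' '$1 == "DENIED"'; }

# On a real system, feed it the log for your distribution, for example:
#   sudo_summary < /var/log/secure
#   journalctl _COMM=sudo | sudo_summary
sample_log | sudo_summary
```

Reading the real logs requires root or an account with superuser privileges, as noted in Step 3.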

GUI-specific Programs

Knowing all this, you can also read your system’s sudo logs through a special interface that comes with your desktop environment. This way you’ll reduce the complexity and the number of commands you need to learn to monitor your system. An important point is that these programs are always included in a basic installation of a desktop environment. However, Linux distributions often create their own builds that do not include these smaller utilities. Therefore, you must first check if these tools are already installed on your system.

GNOME Log

The GNOME Log utility is the default graphical system logger for distributions that use the GNOME desktop environment. This includes Ubuntu 21.10, 22.04 as well as Fedora 36.

Step 1: In order to start using the program, you will need to first open the Application Menu. From there, you can then type “Logs” to search for the GNOME Log Utility.

Step 2: Once open, the program will present a number of tabs where you can check the log for a particular aspect of your system. In order to check for your sudo logs you will need to click “Security”.

Step 3: This will, in turn, print all of the latest security information for your machine. This includes all of the processes that ran with root privileges, regardless of whether they used sudo or not. From here, you can then press the Magnifying Glass icon on the top right corner of the window to initiate a search on all of these log entries.

Step 4: With that, you can type the word “sudo” to tell GNOME Logs that you only want to see the commands and processes that were run through sudo.

Final Words

We hope you like our article on how to review sudo command usage on Linux. The Linux command sudo stands for Super User Do. Generally, it is used as a prefix for commands that only the superuser is allowed to execute. When we prefix another command with sudo, that command is executed with high privileges. In other words, it allows a user with the appropriate privilege to run a command as another user, such as the superuser. This is equivalent to the “run as administrator” option in Windows.
