To monitor sudo activity in real-time on your LabEx VM (or any Ubuntu/Debian system), you can use the tail command with the -f (follow) flag.
Run the following command in your terminal:
sudo tail -f /var/log/auth.log | grep sudo
How this works:
- sudo: You need root privileges to read the system authentication logs.
- tail -f: The -f stands for "follow." It keeps the file open and prints new lines to your screen as they are written to the file in real-time.
- /var/log/auth.log: This is the specific file where Linux stores all security-related events, including logins and sudo usage.
- | grep sudo: This pipes the output to the grep tool so that you only see lines containing the word "sudo," filtering out other noise (like SSH logins or cron jobs).
Try it out!
- Open a second terminal window in your environment.
- In the first window, run the monitoring command above.
- In the second window, perform a sudo action (like sudo ls).
- Watch the first window; you will immediately see a log entry appearing that looks something like this:
May 24 10:15:01 labex sudo: labex : TTY=pts/0 ; PWD=/home/labex/project ; USER=root ; COMMAND=/usr/bin/ls
Alternative for modern systems:
If your system uses systemd (which most modern distros do), you can also use journalctl:
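sudo journalctl -f -t sudo
- -f: Follow the log.
- -t sudo: Show only entries whose syslog identifier is sudo. sudo runs as an ordinary command rather than as a systemd unit, so a -u sudo unit filter would not match its entries.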
This is a great way to maintain accountability and see exactly what users like joker are doing with their new administrative powers!
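The sample entry in the steps above has a fixed layout (invoking user, then TTY, PWD, USER and COMMAND), so the stream can be reduced to who ran what as whom, with refused attempts marked. This is an added example, not part of the original page; the function names sudo_events and sample_lines are hypothetical, and every sample line except the first is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Reads syslog-format lines on stdin
# and prints one record per sudo command: invoker|run-as|status|command

sudo_events() {
    awk '
    {
        # Require the syslog program tag "sudo:" or "sudo[PID]:"; a plain
        # "grep sudo" would also match lines that merely mention the word.
        if (!match($0, / sudo(\[[0-9]+\])?: +/)) next
        rest = substr($0, RSTART + RLENGTH)

        # Command records look like "<invoker> : <fields> ; COMMAND=<cmd>".
        # PAM session open/close lines carry no COMMAND= and are skipped.
        sep = index(rest, " : ")
        cpos = index(rest, "COMMAND=")
        if (sep == 0 || cpos == 0) next
        invoker = substr(rest, 1, sep - 1)
        body = substr(rest, sep + 3)
        cmd = substr(rest, cpos + 8)    # COMMAND= is last; keep args intact

        runas = "?"
        if (match(body, /USER=[^ ;]+/)) runas = substr(body, RSTART + 5, RLENGTH - 5)

        # An allowed run starts with KEY=value; a refusal starts with the reason.
        first = body
        p = index(body, " ; ")
        if (p > 0) first = substr(body, 1, p - 1)
        status = (first ~ /^[A-Z]+=/) ? "allowed" : "DENIED (" first ")"

        printf "%s|%s|%s|%s\n", invoker, runas, status, cmd
        fflush()
    }'
}

# Constructed sample lines (the first is the example entry shown above).
sample_lines() {
    cat <<'EOF'
May 24 10:15:01 labex sudo: labex : TTY=pts/0 ; PWD=/home/labex/project ; USER=root ; COMMAND=/usr/bin/ls
May 24 10:15:01 labex sudo: pam_unix(sudo:session): session opened for user root(uid=0) by labex(uid=1000)
May 24 10:16:40 labex usermod[2211]: add 'joker' to group 'sudo'
May 24 10:17:12 labex sudo: joker : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/joker ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

sample_lines | sudo_events
```

To use it on live data, replace the grep stage of the monitoring command: sudo tail -f /var/log/auth.log | sudo_events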