If you are giving Shell access to your web hosting users you might want to check what commands they are using. In cPanel, there is a file in the user’s home directory that keeps the SSH history.
The file is /home/username/.bash_history
The dot in from of the filename means the file is hidden. You can use the cat command to see the file content:
# cat /home/username/.bash_history
root@web [/home/test]# cat .bash_history
#1521029684
exit
#1584542216
ls
#1584542218
w
#1584542219
top
#1584542230
free -m
#1584542234
uptime
#1584542238
cd /
#1584542240
ls
#1584542251
du -sh /home
#1584542267
du -sh /home/test
#1584542281
exit
root@web [/home/test]#
Notice that the .bash_history file is owned by the user, so the user can modify it anytime.
The lines starting with # contain the time (in Unix/Epoch Time format) when the command was run. Below we put a link to a site where you can convert the Unix Time to human-readable time. Or more easily you can use the date command:
root@web [/home/test]# date -d @1584543556
Wed Mar 18 09:59:16 CDT 2020
root@web [/home/test]#
To automatically convert the dates, you can use a command like:
# paste -sd '#\n' .bash_history | awk -F"#" '{d=$2 ; $2="";print NR" "strftime("%m/%d/%y %T",d)" "$0}'
This will concatenate the date and command rows and will change the date format. Our file example will be:
# /home/plothost$ paste -sd '#\n' .bash_history | awk -F"#" '{d=$2 ; $2="";print NR" "strftime("%m/%d/%y %T",d)" "$0}'
03/14/18 08:14:44 exit
03/18/20 10:36:56 ls
03/18/20 10:36:58 w
03/18/20 10:36:59 top
03/18/20 10:37:10 free -m
03/18/20 10:37:14 uptime
03/18/20 10:37:18 cd /
03/18/20 10:37:20 ls
03/18/20 10:37:31 du -sh /home
03/18/20 10:37:47 du -sh /home/test
03/18/20 10:38:01 exit
Resources:
Wikipedia Unix Time/Epoch Time
Epoch Time Converter