Indicators of compromise - PSJoshi/Notes GitHub Wiki

Tracking user login activities

User logins and sudo use are recorded in several places on a RHEL-style system:

    /var/log/wtmp (successful logins only; it is a binary file, so read it with the "last" command; "last -f" reads a rotated copy, and the companion /var/log/btmp holds failed logins, shown by "lastb")
    /var/log/secure (sshd "Accepted"/"Failed" lines, sudo "COMMAND=" lines and other PAM messages; Debian-derived systems write these to /var/log/auth.log instead)
    /var/log/audit/audit.log (auditd records; query them with "ausearch -m USER_LOGIN" or summarize with "aureport -au" rather than grepping the raw file)

If these have all been rotated away, try looking in /var/mail/root. A nightly job on RHEL (logwatch, run from /etc/cron.daily) mails root a summary of the previous 24 hours of log entries, including user logins, sudo use and package installs. Root's mail usually just accumulates in the local system mailbox, so months of history can survive there even after the logs themselves are gone. Keep in mind that all of these files are writable by root: an intruder who gained root can trim them, so a suspicious gap in wtmp or secure is itself worth noting.

Another possibility is to check each user's ~/.bash_history (root's included). Treat it as a weak indicator: bash only writes the file when the shell exits, and an attacker can disable it ("unset HISTFILE"), clear it ("history -c") or delete it outright. An empty history file, or one symlinked to /dev/null, for a user who otherwise logs in regularly is a finding in its own right.
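The following script is an added example, not part of the original notes, showing how the /var/log/secure entries described above are pulled apart during triage: successful and failed SSH logins, sudo commands (granted and denied), and the classic indicator of a source address that failed repeatedly and then got in. The log lines in the heredoc are constructed to mimic RHEL's syslog format and come from no real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage of /var/log/secure-style lines for login and sudo events.
# The sample log below is constructed for illustration, not taken from a real system.
SAMPLE_SECURE=$(mktemp)
trap 'rm -f "$SAMPLE_SECURE"' EXIT
cat >"$SAMPLE_SECURE" <<'EOF'
Mar  3 10:12:01 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:examplefingerprint
Mar  3 10:12:05 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:20:11 host1 sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar  3 10:20:15 host1 sshd[1300]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 11:01:00 host1 sshd[1400]: Accepted password for bob from 198.51.100.7 port 40100 ssh2
Mar  3 11:01:30 host1 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/yum install nc
Mar  3 11:02:00 host1 sudo:   carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su
EOF

# Successful SSH logins: prints "user auth-method source-ip", one per line.
# Field layout of an sshd "Accepted" line: $6=Accepted $7=method $9=user $11=source.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / { print $9, $7, $11 }' "${1:-/dev/stdin}"
}

# Failed SSH password attempts: prints "user source-ip". The user name is the
# field just before "from", which also covers the "invalid user NAME from" form.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i < NF; i++) if ($i == "from") { print $(i-1), $(i+1); break }
    }' "${1:-/dev/stdin}"
}

# sudo activity: prints "user OK|DENIED command". Denials are recognised by the
# messages sudo itself writes before the COMMAND= part of the line.
sudo_commands() {
    awk '$5 == "sudo:" && /COMMAND=/ {
        status = ($0 ~ /NOT in sudoers|incorrect password|command not allowed/) ? "DENIED" : "OK"
        cmd = substr($0, index($0, "COMMAND=") + 8)
        print $6, status, cmd
    }' "${1:-/dev/stdin}"
}

# Source addresses that accumulated failed attempts and later got an accepted
# login: prints "source-ip user failures-before-success". One pass in file order,
# so "later" really means later in the log.
bruteforce_then_success() {
    awk '
    /sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i < NF; i++) if ($i == "from") { failed[$(i+1)]++; break }
    }
    /sshd\[[0-9]+\]: Accepted / && ($11 in failed) { print $11, $9, failed[$11] }
    ' "${1:-/dev/stdin}"
}

# Stand-alone run against the constructed sample. On a real host point the
# functions at /var/log/secure, or feed rotated copies on stdin, for example:
#   zcat /var/log/secure-*.gz | bruteforce_then_success
echo "== accepted logins (user method source) =="; accepted_logins "$SAMPLE_SECURE"
echo "== failed logins (user source) =="; failed_logins "$SAMPLE_SECURE"
echo "== sudo (user status command) =="; sudo_commands "$SAMPLE_SECURE"
echo "== failures followed by success (source user failures) =="; bruteforce_then_success "$SAMPLE_SECURE"
```

The last function is the one to run first during an incident: a password login from an address that had just been failing repeatedly (here 198.51.100.7 landing as bob) deserves a look at that user's sudo lines and ~/.bash_history before anything else, and the same pass can be repeated over the rotated secure-* files the page mentions.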