View/Manage current logged in user and user operation history under Linux

Source: Internet
Author: User
Tags pkill

First, view and manage the currently logged in user

1. Use the w command to see what the logged-in users are doing. The w command displays the names of the users who have logged in to the system and what they are running. The information used by this command comes from the /var/run/utmp file. The output of w includes:

  • User name

  • User's machine name or TTY number

  • Remote Host Address

  • Time the user logged on to the system

  • Idle time (little effect)

  • Time used by all processes attached to the TTY (terminal) (JCPU time)

  • Time used by the current process (PCPU time)

  • Commands that the user is currently using

w

15:09:01 up 4:55, 2 users, load average: 0.11, 0.06, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 :0 10:14 4:55m 5.93s 5.93s /usr/bin/Xorg :0 -br -verbose -audit 4 -auth /var/run/gdm/auth-for-gdm-qugs
root pts/0 desktop-hml9g7j. 10:21 0.00s 1.30s 0.00s w

In addition, you can use who am i to view the user and terminal running the command, and who to view information for all logged-in users; these commands are similar.

2. Use P

Second, view the operation history of all logged-in users

On a Linux system, any user, root or otherwise, can see the commands they have run after logging in by using the history command. But suppose many people log in to one server and one day someone deletes important data by mistake. Looking at history (command: history) is of little use at that point, because history only covers the currently logged-in user; even the root user cannot see other users' history with it. Is there a way to record history per login, keyed by IP address and user name? Answer: yes.

This can be achieved by adding the following code to /etc/profile:

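# Change the login command prompt
PS1="$(whoami)@$(hostname):"'[$PWD]'
history
# Remote address of this login: the last field of `who -u am i` is "(host)"
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ "$USER_IP" = "" ]
then
    # Local login with no remote address: fall back to the host name
    USER_IP=$(hostname)
fi
if [ ! -d /log/loginlog ]
then
    mkdir -p /log/loginlog
    # World-writable so every user can create a directory; the sticky bit
    # stops users from renaming or removing each other's directories
    chmod 1777 /log/loginlog
fi
if [ ! -d "/log/loginlog/${LOGNAME}" ]
then
    mkdir "/log/loginlog/${LOGNAME}"
    # Owner may write and enter the directory but not list it
    chmod 300 "/log/loginlog/${LOGNAME}"
fi
export HISTSIZE=4096
DT=$(date +"%Y-%m-%d_%H:%M:%S")
# One history file per login, named after the source address and login time
export HISTFILE="/log/loginlog/${LOGNAME}/${USER_IP}_loginlog.$DT"
chmod 600 /log/loginlog/${LOGNAME}/*loginlog* 2>/dev/null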

Run source /etc/profile to make the script take effect.

Log out, then log in again.

The script above creates a new loginlog directory (/log/loginlog in the script as written) and records every user who logs in to the system together with their IP address (in the file name). Each login/logout creates a corresponding file that holds the user's command history for that login session. This method can be used to monitor the security of the system.
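To review what the snippet records, the following added example (not part of the original article) summarises the per-session files and searches them for a command, which is the "who deleted the data" question raised above. It assumes the <user>/<source>_loginlog.<timestamp> layout produced by the script; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Assumed layout, as written by
# the /etc/profile snippet: <base>/<user>/<ip-or-host>_loginlog.<timestamp>

# List every session file: "user source timestamp command_count mode_check".
audit_loginlog() {
    for f in "$1"/*/*_loginlog.*; do
        [ -f "$f" ] || continue                  # glob matched nothing
        user=$(basename "$(dirname "$f")")
        name=$(basename "$f")
        count=$(grep -c . "$f" || true)          # non-empty lines; 0 is fine
        # The snippet sets mode 600; anything else lets others read or edit it.
        if [ -n "$(find "$f" -perm 600)" ]; then mode=ok; else mode=BAD_MODE; fi
        printf '%s %s %s %s %s\n' "$user" "${name%%_loginlog.*}" \
            "${name#*_loginlog.}" "$count" "$mode"
    done
}

# Print "user source timestamp: command" for each logged command matching $2.
find_command() {
    for f in "$1"/*/*_loginlog.*; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        name=$(basename "$f")
        grep -e "$2" "$f" | while IFS= read -r cmd; do
            printf '%s %s %s: %s\n' "$user" "${name%%_loginlog.*}" \
                "${name#*_loginlog.}" "$cmd"
        done
    done
}

# Constructed sample tree standing in for /log/loginlog (all values made up).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/alice" "$d/bob"
    printf 'ls -l\nvim app.conf\n' > "$d/alice/192.0.2.10_loginlog.2017-08-09_10:21:03"
    printf 'cd /data\nrm -rf /data/reports\n' > "$d/bob/192.0.2.44_loginlog.2017-08-09_11:02:47"
    printf 'df -h\n' > "$d/bob/host-example_loginlog.2017-08-09_15:09:01"
    chmod 600 "$d"/*/*_loginlog.*
    chmod 644 "$d/alice"/*_loginlog.*            # deliberately wrong mode
    echo "$d"
}

sample=$(make_sample)
audit_loginlog "$sample"
find_command "$sample" 'rm -rf'
rm -rf "$sample"
```

Against the real directory, run the functions as root, because the per-user directories are mode 300 and cannot be listed by anyone else. The files remain owned and writable by the users themselves, so treat them as a record of mistakes rather than tamper-proof evidence.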

Use pkill to force a logged-in user to log out

pkill can end the processes of a currently logged-in user, thereby forcing that user to log out. It can be used together with the w command:

First: use w to view the currently logged-in users, and note the login terminal shown in the TTY column.

Second: run pkill -9 -t pts/1 to end the processes on pts/1 (the right terminal can be identified by the IP address or host name in the FROM column).







This article is from the "Lonely No Color" blog, please be sure to keep this source http://tenderness.blog.51cto.com/8855468/1954370
