Linux View/Manage the current logged-in user and user action history __linux

reproduced from: http://www.cnblogs.com/gaojun/archive/2013/10/24/3385885.html first, view and manage the currently logged-on user

1. Use the W command to view the process information that the logged-in user is using,the W command to display the names of the users who have logged on to the system, and what they are doing. The information used by this command originates from the/var/run/utmp file. The information output from the W command includes: User name user's machine name or the time of the TTY number remote host address user logon system Idle time (not much) time spent (jcpu time) of a process attached to a TTY (terminal) The current process time (pcpu time) The user is currently using the command

W
23:04:27 up,  7:51,  3 users,  load average:0.04, 0.06, 0.02
USER TTY from              login@< C12/>idle   jcpu   pcpu WHAT
Ramesh   pts/0 10.1.80.56 22:57    8.00s  0.05s  0.01s Sshd:ramesh [Priv]
Jason    pts/1    10.20.48          23:01    2:53   0.01s  0.01s- Bash
John     pts/2    10.1.80.7         23:04    0.00s  0.00s  0.00s W

In addition, you can use who am I to view the users and processes using the command, and use who to view all logged in user process information, which is similar to the view commands;

2, use the Pkill force to quit the logged in user

Use Pkill to end the process of the current logged-on user, forcing the user to log out, using the W command;

First: Use W to view the currently logged-on user, note the logon process terminal number as shown in TTY

Second: Use pkill–9-t pts/1 to end the user login for the PTS/1 process (depending on the IP address or host number of from) Two, view the operation history of all logged-in users

In the Linux system environment, whether the root users or other users only access to the system after the entry operation we can through the command history to view the history, but if a server many people landing, one day because someone mistakenly operation deleted important data. This is meaningless by viewing the history (Command: History) (because history is only valid for logged-in users, even if the root user cannot get other users histotry history). Is there any way to achieve the historical record by recording the IP address and the user name after the login? Answer: Yes.

By adding the following code inside the Vi/etc/profile, you can implement: (enter VI press I into insert mode.) Press ESC to cancel insert mode after entering the following code, press: Enter command input WQ save exit

ps1= "' WhoAmI ' @ ' hostname ':" ' [$PWD] '

History

user_ip= ' who-u am I 2>/dev/null| awk ' {print $NF} ' |sed-e ' s/[()]//g '

If ["$USER _ip" = "]

Then

User_ip= ' hostname '

Fi

if [!-d/tmp/dbasky]

Then

Mkdir/tmp/dbasky

chmod 777/tmp/dbasky

Fi

if [!-d/tmp/dbasky/${logname}]

Then

Mkdir/tmp/dbasky/${logname}

chmod 300/tmp/dbasky/${logname}

Fi

Export histsize=4096

dt= ' Date ' +%y-%m-%d_%h:%m:%s '

Export histfile= "/tmp/dbasky/${logname}/${user_ip} Dbasky. $DT"

chmod 600/tmp/dbasky/${logname}/*dbasky* 2>/dev/null

Source/etc/profile use script to take effect

Exit user, log in again

The above script creates a new Dbasky directory at the system's/TMP, records all the users and IP addresses (filenames) of the logged on system, and whenever the user logs in/exits to create the corresponding file that preserves the history of the user during the logon period, this method can be used to monitor the security of the system.

Root@zsc6:[/tmp/dbasky/root]cat 10.1.80.47 dbasky.2013-10-24_12:53:08

View the root operation command history from the 10.1.80.47 login at 12:53:08