This chapter is from the book

Monitoring User Activity

Monitoring user activity is part of the sysadmin's duties, and an essential part of tracking how system resources are being used. If you have multiple users on your openSUSE system, and especially if you don't, you should become familiar with some of these monitoring tools.

As the all-powerful sysadmin, you can monitor nearly everything your users do on the computer, held back only by the hours in the day. Fortunately for all concerned, even the Bastard Operator From Hell doesn't have time to do this. Any good sysadmin will check in periodically, just to keep the invaders at bay.

Shell Tools for Watching Users

The acct system accounting package pulls together the commands you'll need to keep tabs on your system. It includes a number of handy tools, among them sa, accton, and lastcomm.

You may need to start the acct service at startup. To do this, log in as SuperUser and type the following:

/etc/init.d/acct start

openSUSE will now track resource usage in the /var/run/utmp and /var/log/wtmp files. You can access these files with the following commands.

The w command tells the sysadmin who is logged in, where they are logged in, and what they are up to. No one is able to hide from the SuperUser. The w command can be followed by a specific user's name to show only that user; by default, it shows all current users.

The ac command provides information about the total connect time of a user measured in hours. It accesses the /var/log/wtmp file for the source of its information. To generate a list of users with their login hours, type the following:

ac -p

Even if you're a sole user, if you log in and out religiously, you might find this command useful. To get a list of total hours logged in on the system for a calendar day, type the following:

ac -d

The ac command can prove itself most useful in shell scripts when you want to generate reports on operating system usage to show management what OSs your users run.

The last command searches through the /var/log/wtmp file and will list all the users logged in and out since that file was first created. The system user reboot exists so that you might know who has logged in since the last reboot. A companion to last is the lastb command, which shows all failed, or bad, logins. It's useful to determine if a legitimate user is having trouble, or if someone is trying to break into your system. The hoped-for result of lastb is always a message telling you that the btmp log does not exist—meaning there have been no bad/attempted logins.
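
One way to put lastb to work, as an added example that is not from the book: a shell function that groups failed logins by source host, so a burst of attempts from one address stands out from a single mistyped password. It assumes lastb's default column layout (user, tty, host, date); the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise lastb-style output by source host.
# Output per host at or above the threshold:
#   <failed logins> <distinct usernames tried> <host>

failed_by_host() {
    threshold="${1:-3}"
    awk -v min="$threshold" '
        # Skip blank lines and the "btmp begins ..." trailer.
        NF == 0 || ($1 == "btmp" && $2 == "begins") { next }
        {
            host = $3
            # Console logins have no host column, so field 3 is the weekday.
            if (host ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) host = "(local)"
            count[host]++
            # Count each username only once per host.
            if (!((host, $1) in seen)) { seen[host, $1] = 1; users[host]++ }
        }
        END {
            for (h in count)
                if (count[h] >= min)
                    printf "%d %d %s\n", count[h], users[h], h
        }
    ' | sort -rn
}

# Constructed sample in lastb column layout (documentation address ranges).
sample_lastb() {
    cat <<'EOF'
root     ssh:notty    203.0.113.7      Tue Mar  4 10:15 - 10:15  (00:00)
admin    ssh:notty    203.0.113.7      Tue Mar  4 10:15 - 10:15  (00:00)
oracle   ssh:notty    203.0.113.7      Tue Mar  4 10:16 - 10:16  (00:00)
root     ssh:notty    203.0.113.7      Tue Mar  4 10:16 - 10:16  (00:00)
alice    tty1                          Tue Mar  4 09:02 - 09:02  (00:00)
bob      ssh:notty    198.51.100.20    Mon Mar  3 17:40 - 17:40  (00:00)

btmp begins Mon Mar  3 17:40:11 2025
EOF
}

# Live use (as root): lastb | failed_by_host 5
sample_lastb | failed_by_host 1
```

Many failures spread across several usernames from one host point to password guessing; a single failure for one known user is more likely a typo.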
