One of the crucial task one have as an administrator is to make sure that there is no suspicious activity on the system that might compromise security.
Monitoring tasks include evaluating login activity for signs of a security breach, such as multiple failed logins.
To monitor login activity, you can use the following six commands.
- who. This command shows who is currently logged intothe system and information such as the time of the last login. You can use options such as -H (display column headings), -r (current runlevel), and -a (display information provided by most options).
For example, entering who -H returns the following:
- w. This command displays information about the users currently on the machine and their processes.
The first line includes information the current time, how long the system has been running, how many users are currently logged on, the system load average for the past 1, 5, and 15 minutes. Below the first line is an entry for each user that displays the login name, the tty name, the remote host, login time, idle time, JCPU, PCPU, and the command line of the users current process.
You can use options such as -h (don’t display the header), -s (don’t display the login time, JCPU, and PCPU), and -V (display version information)
For example, entering w returns the following:
- finger. This command displays information about local and remote system suers. By default, the following information is displayed about each user logged into the local host: login name, User’s full name, Associated terminal name, Idle time, Login time. You can use the options -l (long format) and -s (short format).
For example, entering finger -s returns the following:
- last. This command displays a listing of the last logged in users. Last searches back through the file /var/log/wtmp (or the file designated by the option -f) and displays a list of all users logged in (and out) since the file was created. You can use options such as -num (where num is the number of lines to display), -a (display the hostname in the last column), and -x (display system shutdown entries and runlevel changes).
For exmample, entering last -ax returns the following:
- lastlog. This command formats and prints the contents of the last log file (/var/log/lastlog). the login name, port, and last login time are displayed. You can use options such as -u login_name (display information for designated users only) and -h (display a one line help message).
For example, entering lastlog returns the following:
- faillog. This command formats and displays the contents of the failure log (/var/log/faillog) and maintains failure counts and limits. You can use options such as -u login_name (display information for designated users only) and -p (display in UID order).
For example, entering faillog returns the following: