Checking what other users are doing on a Linux system is not only a job for network administrators; it is also a basic skill for developers. Why? Sometimes a colleague runs something very resource-intensive, such as compiling a large program, and the server slows down enough to affect our own work. With the methods described in this article we can find that colleague, beat him up, and get back to using the server normally.
Who am I?
“Who am I? Where have I come from? Where am I going?” These are the three classic questions of philosophy. At work we sometimes switch accounts so often that we can’t remember which user we have switched to. In that case we need to know who we are currently logged in as, and the whoami command shows this.
[alvin@VM_0_16_centos ~]$ whoami
alvin
Who is currently logged into the system?
There are usually only a few servers in a company, and programmers tend to work on these servers. We can use the who command to see which users are currently logged in to the server.
[alvin@VM_0_16_centos ~]$ who
alvin    pts/0        2018-12-09 07:25 (116.199.***.***)
root     pts/1        2018-12-09 11:05 (116.199.***.***)
alvin    pts/2        2018-12-09 11:05 (116.199.***.***)
harry    pts/3        2018-12-09 11:06 (116.199.***.***)
kate     pts/4        2018-12-09 11:08 (116.199.***.***)
alvin    pts/5        2018-12-09 11:53 (116.199.***.***)
In the output, the first column is the user name. The second column is the terminal the session is attached to: tty denotes a local console and pts a remote connection. The third column is the login time.
That is more information than we need if we only want to know who is online. For that, just use the users command.
[alvin@VM_0_16_centos ~]$ users
alvin alvin alvin harry kate root
What are the people who log into the system doing?
Once we know who is logged in, we can investigate what they are doing. The w command shows the users currently logged in to the system and what each of them is running. It reads this information from the /var/run/utmp file.
[alvin@VM_0_16_centos ~]$ w
 16:25:54 up 29 days,  6:05,  6 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alvin    pts/0    116.199.***.**   07:25    2.00s  0.11s  0.00s w
root     pts/1    116.199.***.**   11:05    5:20m  0.04s  0.04s -bash
alvin    pts/2    116.199.***.**   11:05    5:20m  0.04s  0.04s sshd: alvin [priv]
harry    pts/3    116.199.***.**   11:06    4:33m 18.08s 18.06s watch date
kate     pts/4    116.199.***.**   11:08    4:33m 10.51s 10.48s top
alvin    pts/5    116.199.***.**   11:53    4:32m  0.02s  0.02s -bash
The first line is the same as the output of the uptime command: the current time, how long the system has been running, the number of logged-in users, and the load averages.
From the second line on, the output is a table with eight columns showing what each user is doing and the system resources their session has used.
USER: the account name of the logged-in user. If the user logs in more than once, the account appears once per session.
TTY: the terminal through which the user logged in.
FROM: where the user logged in from.
LOGIN@: stands for LOGIN AT, the time at which the user logged in.
IDLE: how long the user has been idle, counted from the end of the user's last task.
JCPU: the CPU time consumed by all processes and tasks associated with this terminal.
PCPU: the CPU time consumed by the task shown in the WHAT field.
WHAT: the task the user is currently running.
To see what one particular user is doing, put the user name after w:
[alvin@VM_0_16_centos ~]$ w alvin
 16:34:21 up 29 days,  6:14,  6 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alvin    pts/0    116.199.***.**   07:25    5.00s  0.12s  0.06s sshd: alvin [priv]
alvin    pts/2    116.199.***.**   11:05    5:28m  0.04s  0.05s sshd: alvin [priv]
alvin    pts/5    116.199.***.**   11:53    4:40m  0.02s  0.02s -bash
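To find the session that is actually consuming CPU, the JCPU column has to be compared as a duration, because w switches units between rows. The following is an added example, not part of the original article; the function names and the sample rows (with documentation-range addresses) are constructed for illustration, and it assumes the default eight-column layout with a non-empty FROM field.

```shell
#!/usr/bin/env bash
# Rank login sessions by JCPU, reading `w`-style output on stdin.
# Output: seconds <TAB> user <TAB> tty <TAB> command, busiest first.

rank_sessions_by_jcpu() {
  awk '
    # Convert a w time cell to seconds. w prints "18.08s" (seconds),
    # "2:05" (min:sec), "5:20m" (hours:min) or "3days".
    function to_secs(t,   p) {
      if (t ~ /days$/) { sub(/days$/, "", t); return t * 86400 }
      if (t ~ /m$/)    { sub(/m$/, "", t); split(t, p, ":"); return p[1] * 3600 + p[2] * 60 }
      if (t ~ /s$/)    { sub(/s$/, "", t); return t + 0 }
      if (split(t, p, ":") == 2) return p[1] * 60 + p[2]
      return 0
    }
    $1 == "USER" && $2 == "TTY" { in_table = 1; next }   # header row
    in_table && NF >= 8 {
      what = $8                       # WHAT may contain spaces
      for (i = 9; i <= NF; i++) what = what " " $i
      printf "%.2f\t%s\t%s\t%s\n", to_secs($6), $1, $2, what
    }
  ' | sort -t "$(printf '\t')" -k1,1nr
}

# Constructed sample input modelled on the w output shown above.
# kate uses "2:05" (125 s), which a plain numeric sort would rank below 18.08s.
sample_w() {
  cat <<'EOF'
 16:25:54 up 29 days,  6:05,  6 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alvin    pts/0    192.0.2.10       07:25    2.00s  0.11s  0.00s w
root     pts/1    192.0.2.10       11:05    5:20m  0.04s  0.04s -bash
harry    pts/3    192.0.2.10       11:06    4:33m 18.08s 18.06s watch date
kate     pts/4    192.0.2.10       11:08    4:33m  2:05   2:04  top
EOF
}

sample_w | rank_sessions_by_jcpu
# On a live host: w | rank_sessions_by_jcpu
```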
How do I know the information about current and past users?
Some people are crafty and refuse to admit wrongdoing. Linux, however, records every user’s logins, so responsibility can be traced back to the person concerned.
The last command displays the login history of a specific user. If no argument is given, it displays the history for all users. By default, the information comes from the /var/log/wtmp file. The command output contains the following columns:
- User name
- Tty device number
- Login date and time
- Logout date and time
- Total working time
[alvin@VM_0_16_centos ~]$ last
alvin    pts/5    116.199..    Sun Dec  9 11:53   still logged in
kate     pts/4    116.199..    Sun Dec  9 11:08   still logged in
harry    pts/3    116.199..    Sun Dec  9 11:06   still logged in
alvin    pts/2    116.199..    Sun Dec  9 11:05   still logged in
root     pts/1    116.199..    Sun Dec  9 11:05   still logged in
alvin    pts/0    116.199..    Sun Dec  9 07:25   still logged in
alvin    pts/0    116.199..    Sat Dec  8 20:42 - 23:10  (02:28)
alvin    pts/0    119.33..     Mon Dec  3 20:50 - 23:51  (1+03:01)
alvin    pts/0    119.33..     Thu Nov 29 20:20 - 22:45  (02:24)
alvin    pts/0    223.104..    Thu Nov 29 06:46 - 07:00  (00:14)
alvin    pts/0    223.104..    Wed Nov 28 20:45 - 22:27  (01:42)
alvin    pts/1    14.25..*     Sun Nov 25 19:50 - 21:09  (01:18)
alvin    pts/0    119.33.*.    Sun Nov 25 16:32 - 21:40  (05:07)
To see only one person’s history, put the user name after last:
[alvin@VM_0_16_centos ~]$ last alvin
alvin    pts/5    116.199.***.**    Sun Dec  9 11:53   still logged in
alvin    pts/2    **                Sun Dec  9 11:05   still logged in
alvin    pts/0    116.199.***.**    Sun Dec  9 07:25   still logged in
alvin    pts/0    ***               Sat Dec  8 20:42 - 23:10  (02:28)
alvin    pts/0    119.33.***.**     Mon Dec  3 20:50 - 23:51  (1+03:01)
alvin    pts/0    ***.**            Thu Nov 29 20:20 - 22:45  (02:24)
alvin    pts/0    223.104.***.**    Thu Nov 29 06:46 - 07:00  (00:14)
alvin    pts/0    ***.**            Wed Nov 28 20:45 - 22:27  (01:42)
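When the history is long, a per-user summary of how many sessions there were and which source hosts they came from is easier to review than the raw listing. The following is an added example, not part of the original article; the function names and sample records (documentation-range addresses) are constructed, and it assumes every login record carries a host in the third column, as the remote pts sessions above do.

```shell
#!/usr/bin/env bash
# Summarise `last`-style output on stdin: total sessions, sessions still
# open, and the distinct source hosts for each user.
# reboot/shutdown records, blank lines and the "wtmp begins" trailer are skipped.

summarize_logins() {
  awk '
    NF < 4 || $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
    {
      sessions[$1]++
      if (!(($1, $3) in seen)) {          # first time this user/host pair appears
        seen[$1, $3] = 1
        hosts[$1] = (hosts[$1] == "" ? $3 : hosts[$1] "," $3)
        nhosts[$1]++
      }
      if ($0 ~ /still logged in/) active[$1]++
    }
    END {
      for (u in sessions)
        printf "%s sessions=%d active=%d hosts=%d [%s]\n",
               u, sessions[u], active[u], nhosts[u], hosts[u]
    }
  ' | sort
}

# Constructed sample records in the layout `last` prints.
sample_last() {
  cat <<'EOF'
alvin    pts/5        192.0.2.10       Sun Dec  9 11:53   still logged in
kate     pts/4        192.0.2.10       Sun Dec  9 11:08   still logged in
root     pts/1        192.0.2.10       Sun Dec  9 11:05   still logged in
alvin    pts/0        198.51.100.7     Mon Dec  3 20:50 - 23:51  (03:01)
alvin    pts/0        203.0.113.25     Thu Nov 29 06:46 - 07:00  (00:14)
alvin    pts/0        198.51.100.7     Sun Nov 25 16:32 - 21:40  (05:07)

wtmp begins Sun Nov 25 16:32:10 2018
EOF
}

sample_last | summarize_logins
# On a live host: last | summarize_logins
```

An account that shows more source hosts than expected, or a root entry with a remote host, is the kind of line worth checking against the full last output.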
Get rid of the bad guys
From these commands, we can get an idea of the behavior of some users. If we want to kick out bad actors, we can use the pkill -u command.
pkill -u alvin
However, this command is dangerous and may cause the system to restart, so running it is not recommended. It is safer to use pkill with the -t option, which targets a single terminal.
[alvin@VM_0_16_centos ~]$ sudo pkill -kill -t pts/3    # harry has been kicked off
[alvin@VM_0_16_centos ~]$ w
 17:04:37 up 29 days,  6:44,  5 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alvin    pts/0    116.199.102.65   07:25    5.00s  0.12s  0.00s w
root     pts/1    116.199.102.65   11:05    5:59m  0.05s  0.0s -bash
alvin    pts/2    116.199.102.65   11:05    5:59m  0.04s  0.05s sshd: alvin [priv]
kate     pts/4    116.199.102.65   11:08    5:12m 11.94s 11.91s top
alvin    pts/5    116.199.102.65   11:53    5:10m  0.02s  0.02s -bash