Shulou(Shulou.com)06/01 Report--

This article mainly introduces how to view the user's behavior under Linux. The article is very detailed and has certain reference value. Interested friends must read it!

Viewing user behavior under Linux is not just something that administrators should do, but also one of the basic skills developers should have. Why? Because sometimes other colleagues are doing something that consumes resources, such as compiling large programs, which may cause the server to become slow and affect our normal operation. At this time, we can use the method described in this article to find out that colleague, beat him up, and restore the normal use of the server.

Who am I?

"Who am I? Where do I come from? Where am I going?" Three problems of philosophy classics. Similarly, at work, sometimes we often switch accounts, sometimes forgetting which user to switch to. At this point, you need to know what the user currently logged in is. We can use whoami to check.

[alvin@VM_0_16_centos ~]$ whoami alvin

Who is currently logged into the system?

There are usually only a few servers in a company, and program apes generally work on these servers. We can use the who command to see which users are currently logged on to the server.

[alvin@VM_0_16_centos ~]$ who alvin pts/0 2018-12-09 07:25 (116.199.***.***) root pts/1 2018-12-09 11:05 (116.199.***.***) alvin pts/2 2018-12-09 11:05 (116.199.***.***) harry pts/3 2018-12-09 11:06 (116.199.***.***) kate pts/4 2018-12-09 11:08 (116.199.***.***) alvin pts/5 2018-12-09 11:53 (116.199.***.***)

In the display results, the first column is the user name; the second column is the connected terminal, tty is the display, pts is the remote connection; and the third column is the login time.

There's a little more information here, but what if we just want to know who's online? Just use the users command to view it.

[alvin@VM_0_16_centos ~]$ users alvin alvin alvin harry kate root

What are all the people logged into the system doing?

Knowing who logged into the system, we can investigate further what they're doing. The w command is used to display the names of users who are logged in to the system and what they are doing. This command uses information from the/var/run/utmp file.

[alvin@VM_0_16_centos ~]$ w 16:25:54 up 29 days, 6:05, 6 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT alvin pts/0 116.199.***.** 07:25 2.00s 0.11s 0.00s w root pts/1 116.199.***.** 11:05 5:20m 0.02s 0.02s -bash alvin pts/2 116.199.***.** 11:05 5:20m 0.04s 0.05s sshd: alvin [priv] harry pts/3 116.199.***.** 11:06 4:33m 18.08s 18.06s watch date kate pts/4 116.199.***.** 11:08 4:33m 10.51s 10.48s top alvin pts/5 116.199.***.** 11:53 4:32m 0.02s 0.02s -bash

The first line is actually the same as the result of the uptime command, indicating in turn: the current time, the system running time, the current number of logged users of the system, and the average load.

From the second row, a table is formed, with a total of 8 columns, which respectively show what each user is doing and the system resources occupied by the user.

USER: Displays the login user account name. If the user logs in repeatedly, the account will appear repeatedly.

TTY: Terminal used by the user to log in. FROM: Shows where the user logged into the system.

LOGIN@: means LOGIN AT, indicating the time of logging into the system.

IDLE: user idle time, from the end of the user's last task, start counting time.

JCPU: A terminal code to distinguish, indicating that in a certain period of time, all processes related to the terminal task consumed CPU time.

PCPU: CPU time spent after execution of tasks in the WHAT domain.

WHAT: Indicates the currently executed task

If we just want to see the current behavior of a user, we can simply follow w with the username:

[alvin@VM_0_16_centos ~]$ w alvin 16:34:21 up 29 days, 6:14, 6 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT alvin pts/0 116.199.***.** 07:25 5.00s 0.12s 0.06s sshd: alvin [priv] alvin pts/2 116.199.***.** 11:05 5:28m 0.04s 0.05s sshd: alvin [priv] alvin pts/5 116.199.***.** 11:53 4:40m 0.02s 0.02s -bash

How do I know the information about current and past users logged into the system?

Some people are more cunning and refuse to admit that they have done something wrong. However, in Linux, each user's login information is recorded, so that the responsibility to find the relevant person is based.

The last command can be used to display the history of a particular user logging into the system. If no parameters are specified, historical information for all users is displayed. By default, this information (the information displayed) will come from the/var/log/wtmp file. The output of this command contains the following columns of information:

user name

tty Equipment No.

History Login Time Date

Logout Time Date

total work hours

[alvin@VM_0_16_centos ~]$ last alvin pts/5 116.199.***.** Sun Dec 9 11:53 still logged in kate pts/4 116.199.***.** Sun Dec 9 11:08 still logged in harry pts/3 116.199.***.** Sun Dec 9 11:06 still logged in alvin pts/2 116.199.***.** Sun Dec 9 11:05 still logged in root pts/1 116.199.***.** Sun Dec 9 11:05 still logged in alvin pts/0 116.199.***.** Sun Dec 9 07:25 still logged in alvin pts/0 116.199.***.** Sat Dec 8 20:42 - 23:10 (02:28) alvin pts/0 119.33.***.** Mon Dec 3 20:50 - 23:51 (1+03:01) alvin pts/0 119.33.***.** Thu Nov 29 20:20 - 22:45 (02:24) alvin pts/0 223.104.***.** Thu Nov 29 06:46 - 07:00 (00:14) alvin pts/0 223.104.***.** Wed Nov 28 20:45 - 22:27 (01:42) alvin pts/1 14.25.***.*** Sun Nov 25 19:50 - 21:09 (01:18) alvin pts/0 119.33.***.** Sun Nov 25 16:32 - 21:40 (05:07)

If we only want to see a person's history, we can follow the corresponding username with last:

[alvin@VM_0_16_centos ~]$ last alvin alvin pts/5 116.199.***.** Sun Dec 9 11:53 still logged in alvin pts/2 116.199.***.** Sun Dec 9 11:05 still logged in alvin pts/0 116.199.***.** Sun Dec 9 07:25 still logged in alvin pts/0 116.199.***.** Sat Dec 8 20:42 - 23:10 (02:28) alvin pts/0 119.33.***.** Mon Dec 3 20:50 - 23:51 (1+03:01) alvin pts/0 119.33.***.** Thu Nov 29 20:20 - 22:45 (02:24) alvin pts/0 223.104.***.** Thu Nov 29 06:46 - 07:00 (00:14) alvin pts/0 223.104.***.** Wed Nov 28 20:45 - 22:27 (01:42)

Kick out the bad guys

Through the above several commands, we can roughly know the behavior of some users. If we want to kick out the bad guys, we can use the pkill -u command.

pkill -u alvin

However, this command is dangerous and may cause a system restart, so it is not recommended. It is safer to use the pkill command.

[alvin@VM_0_16_centos ~]$ sudo pkill -kill -t pts/3 #harry User has been kicked [alvin@VM_0_16_centos ~]$ w 17:04:37 up 29 days, 6:44, 5 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT alvin pts/0 116.199.102.65 07:25 5.00s 0.12s 0.00s w root pts/1 116.199.102.65 11:05 5:59m 0.02s 0.02s -bash alvin pts/2 116.199.102.65 11:05 5:59m 0.04s 0.05s sshd: alvin [priv] kate pts/4 116.199.102.65 11:08 5:12m 11.94s 11.91s top alvin pts/5 116.199.102.65 11:53 5:10m 0.02s 0.02s -bash The above is "How to view user behavior under Linux" All the contents of this article, thank you for reading! Hope to share the content to help everyone, more relevant knowledge, welcome to pay attention to the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.