What is the method of Linux user behavior analysis?

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Most readers will not be familiar with all the points covered in this article, "what is the method of Linux user behavior analysis", so the editor has summarized the following content, with detailed explanations and clear steps that should be of some reference value. I hope you get something out of it. Let's take a look at this "what is the method of Linux user behavior analysis" article.

Finger command

finger is a convenient command for looking up a user's personal data. It lets you see who is logged in, or focus on a single user to see when they last logged in, where they logged in from, how long they have been idle (the time since their last command), and so on. In this example, we look at the user nemo.

$ finger nemo
Login: nemo                             Name: Nemo Demo
Directory: /home/nemo                   Shell: /bin/bash
On since Fri Jun 19 12:58 (EDT) on pts/1 from 192.168.0.6
   7 minutes 47 seconds idle
New mail received Wed Jun 17 18:31 2020 (EDT)
     Unread since Sat Jun 13 18:03 2020 (EDT)
No Plan.

We can see nemo's full name, home directory and shell, as well as nemo's most recent login and email activity. Office, office phone and home phone numbers would be shown as well, but only if they are defined in the full-name (GECOS) field of the /etc/passwd file. For example:

nemo:x:1001:1001:Nemo Demo,11540-2222-2222540-333-3333:/home/nemo:/bin/bash

The output above also says that nemo has "No Plan", but this simply means that the user has not created a .plan file and put some text into it, which is not unusual. With no arguments, finger displays the list of current logins in the format shown below. You can see when each user logged in, which IP address they logged in from, the pseudo terminal in use (such as pts/1), and how long they have been idle.

$ finger
Login     Name                 Tty      Idle  Login Time   Office     Office Phone
nemo      Nemo Demo            pts/1    1:24  Jun 19 12:58 (192.168.0.6)
shs       Sandra Henry-Stocker pts/0          Jun 19 12:57 (192.168.0.6)

w command

The w command also shows a clearly formatted list of currently active users, including idle time and the command each user most recently ran. Its top line shows how long the system has been up and gives the load averages, which indicate how busy the system is. Here, the system is basically idle.

$ w
 14:23:19 up 1 day, 20:24,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
shs      pts/0    192.168.0.6      12:57    0.00s  0.14s  0.01s w
nemo     pts/1    192.168.0.6      12:58    1:24m  0.03s  -bash

id command

With the id command you can view a user's numeric user ID and group ID and the groups the user is a member of. This information comes from the /etc/passwd and /etc/group files. id with no arguments reports on your own account.

$ id
uid=1000(shs) gid=1000(shs) groups=1000(shs),4(adm),11(admin),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),128(sambashare),500(devops)
$ id nemo
uid=1001(nemo) gid=1001(nemo) groups=1001(nemo),16(fish)

auth.log

You can use commands such as grep to pull information out of the /var/log/auth.log file. To display recent login activity from auth.log, you can run a command like this:

$ grep "New session" /var/log/auth.log | awk '{print $1,$2,$3,$11}' | tail -5
Jun 17 17:22:38 shs.
Jun 17 17:58:43 gdm.
Jun 17 18:09:58 shs.
Jun 19 12:57:36 shs.
Jun 19 12:58:44 nemo.

last command

The last command is probably the best way to view the most recent logins of all users or of a single user. Keep one thing in mind: last shows the most recent activity first, because that is what most administrators are most interested in.

$ last | head -5
nemo     pts/1        192.168.0.6      Fri Jun 19 12:58   still logged in
shs      pts/0        192.168.0.6      Fri Jun 19 12:57   still logged in
shs      pts/0        192.168.0.6      Wed Jun 17 18:10 - 18:42  (00:32)
reboot   system boot  5.4.0-37-generic Wed Jun 17 17:58   still running
shs      pts/2        192.168.0.6      Wed Jun 17 17:22 - 17:57  (00:34)

$ last nemo | head -5
nemo     pts/1        192.168.0.6      Fri Jun 19 12:58 - 16:21  (03:22)
nemo     pts/2        192.168.0.6      Sat Jun 13 17:49 - 19:05  (01:16)
nemo     pts/1        192.168.0.6      Thu Jun  4 17:33 - 17:44  (00:10)
nemo     pts/1        192.168.0.19     Mon May 11
nemo     pts/1        192.168.0.19     Tue May  5 12:46 - 17:49  (05:02)

du command

When run against each directory in /home, the du command reports how much space each user's home directory is using, like this:

$ sudo du -sk /home/*
289     /home/dorothy
116     /home/dory
88      /home/eel
28      /home/gino
28      /home/jadep
12764   /home/nemo
732     /home/shark
418046  /home/shs
418046  /home/tadpole

Sizes are reported in 1024-byte blocks, which is du's default and what the -k option asks for explicitly.

ps and history commands

For a currently logged-in user, you can always run a command such as ps -ef | grep ^nemo to see which commands and processes the user is running right now. To see previously run commands, look at the user's history file (such as .bash_history), but bear in mind that users can configure their accounts so that certain commands are not recorded in the history file, and they can edit those files if they choose to.

Counting logins

If you want to see how many times each user has logged in since the /var/log/wtmp file was last rotated, you can use a loop like this:

$ for USER in `ls /home`
> do
>   cnt=`last $USER | grep ^$USER | wc -l`   # count logins
>   echo $USER: $cnt                         # show login count
> done

The output would look like this:

dorothy: 0
dory: 0
eel: 8
gino: 0
jadep: 102
nemo: 39
shark: 50
shs: 105
tadpole: 0
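The loop above counts lines; the same parsing can be taken further. The following script is an added example (not from the original article) that reads output in the format last prints and, per user, counts logins, sums the session durations from the "(HH:MM)" and "(D+HH:MM)" column, and lists the source addresses, flagging any outside the network you expect logins from. It works on a constructed sample of last output embedded in the script, so it runs offline; the user names, addresses and the 192.168.0.0/24 "known network" are assumptions, and on a real host you would replace sample_last with last -w.

```shell
#!/bin/bash
# Added example, not part of the original article: summarise per-user login
# activity from output in the format `last` prints.

# Constructed sample of `last` output (names and addresses are made up).
# On a real system replace the body of this function with:  last -w
sample_last() {
cat <<'EOF'
nemo     pts/1        192.168.0.6      Fri Jun 19 12:58 - 16:21  (03:22)
shs      pts/0        192.168.0.6      Fri Jun 19 12:57   still logged in
nemo     pts/2        192.168.0.6      Sat Jun 13 17:49 - 19:05  (01:16)
reboot   system boot  5.4.0-37-generic Wed Jun 17 17:58   still running
shs      pts/2        192.168.0.6      Wed Jun 17 17:22 - 17:57  (00:34)
nemo     pts/1        10.9.8.7         Tue May  5 12:46 - 17:49  (05:02)
shs      pts/3        192.168.0.6      Mon Jun  1 09:00 - 11:30  (1+02:30)

wtmp begins Mon May  4 09:00:01 2020
EOF
}

# login_count USER: number of sessions recorded for USER. Matching on the
# first field skips the "reboot" pseudo-entries and the "wtmp begins" line.
login_count() {
    sample_last | awk -v u="$1" '$1 == u' | wc -l | tr -d ' '
}

# login_minutes USER: total minutes of completed sessions for USER, summed
# from the last column, which is "(HH:MM)" or "(D+HH:MM)" for sessions that
# spanned days. Sessions that are still open contribute nothing.
login_minutes() {
    sample_last | awk -v u="$1" '
        $1 == u && $NF ~ /^\(([0-9]+\+)?[0-9]+:[0-9]+\)$/ {
            s = $NF; gsub(/[()]/, "", s)
            days = 0
            if (s ~ /\+/) { split(s, d, "+"); days = d[1]; s = d[2] }
            split(s, t, ":")
            total += days * 1440 + t[1] * 60 + t[2]
        }
        END { print total + 0 }'
}

# login_sources USER: distinct source addresses for USER, sorted.
login_sources() {
    sample_last | awk -v u="$1" '$1 == u { print $3 }' | sort -u
}

# unexpected_sources USER: addresses outside the network logins normally
# come from. 192.168.0.0/24 is an assumption for this example.
unexpected_sources() {
    login_sources "$1" | grep -v '^192\.168\.0\.' || true
}

# Report for every user seen in the data (skips reboot and the trailer line).
for u in $(sample_last | awk 'NF && $1 != "reboot" && $1 != "wtmp" { print $1 }' | sort -u); do
    echo "$u: $(login_count "$u") logins, $(login_minutes "$u") minutes, unexpected sources: $(unexpected_sources "$u" | tr '\n' ' ')"
done
```

The duration column is the only place last records how long a session lasted, so summing it gives a quick feel for whether an account is used for short interactive checks or long sessions; the source check is the simplest form of "logged in from where?" review and should be tuned to the addresses your users really come from.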

If you want more details, you can create a more complex script to add additional information, such as login details and format.

#!/bin/bash

sepline="========================================"   # must be longer than any username

for USER in `ls /home`
do
  len=`echo $USER | awk '{print length($0)}'`   # get length of username
  echo $USER
  sep="${sepline:1:$len}"                      # set separator
  echo $sep                                    # print separator
  cnt=`last $USER | grep ^$USER | wc -l`       # count logins
  echo logins: $cnt                            # show login count
  last $USER | grep ^$USER | head -5           # show most recent logins
  echo
done

The script above limits the output to each user's last five logins, but that is easy to change. Here is the format of one user's data:

shs
===
logins: 105
shs      pts/0        192.168.0.6      Fri Jun 19 12:57   still logged in
shs      pts/0        192.168.0.6      Wed Jun 17 18:10 - 18:42  (00:32)
shs      pts/2        192.168.0.6      Wed Jun 17 17:22 - 17:57  (00:34)
shs      pts/0        192.168.0.25     Wed Jun 17
shs      pts/1        192.168.0.6      Wed Jun 17 15:19 - 17:57  (02:38)

Check for attempts to use sudo

If you want to see which users are trying to use sudo without having that permission, you can run a command like this:

$ grep "NOT in sudoers" /var/log/auth.log | awk '{print $6}'
nemo

When a user without sudo privileges runs sudo, the system warns them that they are not in the sudoers file and records the event in the log. That log entry is the whole of the report: unless an administrator actually looks for sudo violations, nobody will notice them.
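The two auth.log checks above (the "New session" field extraction and the "NOT in sudoers" search) can be combined into a small set of reusable functions. The script below is an added example, not the article's own code: it works on a constructed auth.log sample embedded in the script so that it runs offline, and it keeps the same awk field positions the article uses ($11 for the user in a systemd-logind "New session" line, $6 for the user in a sudo line). The host name, process IDs, session numbers and commands in the sample are made up; set AUTH_LOG=/var/log/auth.log (which normally requires root or membership in the adm group) to run it against a real log.

```shell
#!/bin/bash
# Added example, not part of the original article: session openings and
# sudo violations from auth.log-style lines.

# Constructed sample in the format systemd-logind, sudo and cron write to
# auth.log. The CRON line is there to show that the "New session" match
# does not pick up PAM "session opened" messages.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 17 17:22:38 host systemd-logind[812]: New session 5 of user shs.
Jun 17 17:58:43 host systemd-logind[812]: New session 1 of user gdm.
Jun 17 18:09:58 host systemd-logind[812]: New session 6 of user shs.
Jun 19 12:57:36 host systemd-logind[812]: New session 8 of user shs.
Jun 19 12:58:44 host systemd-logind[812]: New session 9 of user nemo.
Jun 19 13:00:01 host CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 13:05:12 host sudo:     nemo : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/nemo ; USER=root ; COMMAND=/usr/bin/apt update
Jun 19 13:07:40 host sudo:     nemo : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/nemo ; USER=root ; COMMAND=/bin/systemctl restart nginx
EOF

# Log to analyse: the real file if AUTH_LOG is set, otherwise the sample.
AUTH_LOG=${AUTH_LOG:-$SAMPLE_LOG}

# new_sessions: date, time and user of every logind "New session" event.
# Same fields as the article's awk, with the trailing period stripped from
# the user name.
new_sessions() {
    grep "New session" "$AUTH_LOG" | awk '{ sub(/\.$/, "", $11); print $1, $2, $3, $11 }'
}

# session_count USER: how many sessions USER opened.
session_count() {
    new_sessions | awk -v u="$1" '$4 == u' | wc -l | tr -d ' '
}

# sudo_violation_count USER: "NOT in sudoers" entries for USER ($6 is the
# user name in a sudo log line).
sudo_violation_count() {
    grep "NOT in sudoers" "$AUTH_LOG" | awk -v u="$1" '$6 == u' | wc -l | tr -d ' '
}

# sudo_violators: each offending user with the number of denied attempts.
sudo_violators() {
    grep "NOT in sudoers" "$AUTH_LOG" | awk '{ print $6 }' | sort | uniq -c | awk '{ print $2, $1 }'
}

# sudo_commands USER: the commands USER tried to run through sudo, from the
# COMMAND= field that ends each sudo line.
sudo_commands() {
    grep "NOT in sudoers" "$AUTH_LOG" | awk -v u="$1" '$6 == u { sub(/.*COMMAND=/, ""); print }'
}

echo "Sessions opened per user:"
new_sessions | awk '{ print $4 }' | sort | uniq -c
echo "sudo violations (user count):"
sudo_violators
```

Counting denied sudo attempts per user, rather than just listing the user names, separates a one-off typo from a pattern worth a conversation; the COMMAND field shows what the user was after, which is the detail you want when deciding whether the request was legitimate.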

That concludes this article on "what is the method of Linux user behavior analysis". I believe we all now have some understanding of it, and I hope the content shared by the editor has been helpful. If you want to learn more, please follow the industry information channel.
