Viewing users' system access

Unix/Linux is a multi-user system that was designed to ensure that multiple users can work in parallel. System administrators should always overview their systems and monitor them by regularly running safety checks. The information culled from this activity will allow the sysadmin to find explanations for unusual activity, such as load fluctuations, quickly. If an issue becomes a serious problem, the admin can eliminate the cause to ensure a stable and safe environment for the users.

Previous articles have described programs for bandwidth monitoring, which monitors the network load caused by processes and interfaces. In this article, I'll examine how to monitor users and their activities.

System Users

I'll first look at the users who already exist within the system; specifically those who can regularly log in. Generally speaking, these are officially created users with user privileges. At this level, checking for any unauthorized access is quite simple.

Users access the system via the Unix login with a name and certain settings. These names and settings are laid out in the /etc/passwd file (see the "Users in /etc/password" box).

01 Debian-exim:x:101:103::/var/spool/exim4:/bin/false
02 haldaemon:x:105:109:Hardware abstraction layer,:/var/run/hald:/bin/false
03 gdm:x:106:111:Gnome Display Manager:/var/lib/gdm:/bin/false
04 avahi:x:107:112:Avahi mDNS daemon,:/var/run/avahi-daemon:/bin/false
05 sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
06 saned:x:109:117::/home/saned:/bin/false

Each row describes a user's access privileges based on various fields such as the login name (field 1), the user and/or group ID, his/her password, the user's real name, the user's home directory, and finally, the program that will be automatically run after a successful login (last field). The latter is usually either /bin/sh or /bin/bash used as a login shell.

A list of user accounts can be created by using the all-purpose tool cut . You can use cut to extract each of the first fields of each line of the /etc/passwd file. You cut out individual text fields passing a symbol to use as a separator between the fields and the text field's number in order to separate it from the rest of the data stream.

With the option -d : , the colon acts as the address separator (-d means delimiter ) and -f 1 indicates the first field in each row. Listing 1 displays the results of the call.

$ cut -d : -f 1 /etc/passwd
root
daemon
bin
sys
sync
www-data
test
...

Your list may vary, because it depends both on the users who access the computer and on the programs and services you use. The administrative user root (who has a user ID of 0) always appears first and the www-data user will appear on the list once you have installed a web server, such as Apache, Nginx, or so forth.

All current accounts appear in the list. However, among these, there are also entries for system services that should not have real logins. The usual candidates are exim , sshd , avahi , saned , and also gdm . You can recognize the fact that these "users" have a pretty low user ID.

They also have login shell entries in the form of either /bin/false or /usr/sbin/nologin . If you try to log in as a user on one of these accounts, all you will do is activate the program. If the entry contains /bin/false , for example, you will not get a shell from which you can issue further commands. Instead, you will be sent back to the login prompt.

The awk command in Listing 2 will help you filter out all of the possible users by their user ID from the /etc/passwd file. Note that a regular user ID will always have a value above 1000.

$ awk -F: '$3>999{print $3,$1}' /etc/passwd | sort -n
1000 frank
1001 kurs
1002 test
65534 nobody

The -F: option sets the colon as the delimiter, and the '$3>999{print $3,$1}' parameter evaluates the content of the third test field and checks whether it is a value greater than 999. If so, the contents of the third and first field (user ID and login) are output to stdout. The simple quotation marks in the call stops the shell from evaluating the option itself.

The | (pipe) operator directs awk's output to the sort command, which then sorts the individual lines in ascending order. Because the user IDs are in the first column of the output as numerical values, sort uses the -n flag to order the numerical data in the correct way (10 after 9, for example).

You can use this list to check the home directories, for example. Occasionally, users that no longer exist but have not been deleted will be identified. Home directories of users who actually don't have access should also be suspect; especially if the home directory should be located elsewhere according to /etc/passwd .

Currently Active Users

The list you got from executing Listing 2 will help you, for example, in assessing whether the updated list of users currently logged in to your system is plausible.

The following three standard tools are useful: users , w , and who . The users tool shows a list of user names (Listing 3). If a name is listed more than once, that user, according to the system, currently has many active login sessions. These could be open terminals, for example.

01 $ users
02 esc nasobem pluteus

Listings 4 and 5 show the outputs of w and who and are considerably more detailed. The w output begins with a header, which contains the running time of the system as well as the system time and uptime.

 01:51:50 up 49 days,  7:01,  4 users,  load average: 0.12, 0.27, 0.31
USER            TTY             FROM                            LOGIN@                  IDLE            JCPU            PCPU            WHAT
esc             pts/1   mosh-                   00:27                   1:24m   0.00s   0.00s   tmux att
nasobem pts/16  88.72.218.175-  21:06                   2days   0.12s   20:55   mosh-server new -s -c 256 -l LANG=de_
pluteus pts/50  79.171.206.7            18Aug14 37:10m  0.21s   0.01s                   sshd: pluteus [priv]

$ who
esc      pts/1        2014-08-27 00:27 (mosh [2247])
nasobem  pts/16       2014-08-26 21:06 (88.72.218.175 via mosh [10278])
pluteus  pts/50       2014-08-18 09:14 (79.171.206.7)
$

Next to that are the number of users and their average load on the system. Listed underneath are the users and their current system usage. In the second and third columns are the terminals (TTY ) being used and the originating IP address (FROM ).

The mosh- value indicates that an encrypted connection is established with the mosh program [1] [2].

You also see the login time, any idle time, and CPU usage for the past one, five, and 15 minutes. The last column tells you what command the user is running, which can give you a clue as to the kind of activity taking place.

The who command shows the information you can see in Listing 5, which is similar to w , though in a more compact form. You can see the login names, the (pseudo) terminals users are using, the time of login, and finally the IP address the user is connecting from or the program from making the connection. The value in the square brackets indicates the corresponding process number.

The who tool can take the -a option (shows a more verbose output) and the -u option (only shows information for the users that are logged in). In addition to the terminals (tty ), you can also see if the user is accessing the X Window System. Listing 6 shows the output of all activities on a desktop system. Line 2 shows the time the computer was booted. Line 4 shows the change to run level 2 and line 6 shows that an X Window session is running (on display : 0 ).

01 $ who -a
02                                                      2014-08-26 20:46                        240     id=si term=0 exit=0
03                        Systemstart   2014-08-26 20:46
04                        Runlevel 2            2014-08-26 20:46                                last=S
05                                                      2014-08-26 20:46                        2264    id=l2 term=0 exit=0
06 frank        -         tty7                  2014-08-26 20:46                alt     4444    (:0)
07 LOGIN                  tty1                  2014-08-26 20:46                        4291    id=1
08 LOGIN                  tty5                  2014-08-26 20:46                        4295    id=5
09 LOGIN                  tty4                  2014-08-26 20:46                        4294    id=4
10 LOGIN                  tty6                  2014-08-26 20:46                        4296    id=6
11 LOGIN                  tty2                  2014-08-26 20:46                        4292    id=2
12 LOGIN                  tty3                  2014-08-26 20:46                        4293    id=3
13 frank                + pts/0                 2014-08-26 20:46 15:04  4683    (:0)
14 frank                + pts/1                 2014-08-26 20:46 15:04  4683    (:0)
15 frank                + pts/2                 2014-08-26 20:47 15:03  5022    (:0.0)
16 frank                + pts/3                 2014-08-26 21:11 03:34  5022    (:0.0)
17 frank                + pts/4                 2014-08-26 21:19 00:02  5022    (:0.0)
18 frank                + pts/5                 2014-08-27 00:03 02:04  5022    (:0.0)
19 frank                + pts/6                 2014-08-27 01:15 00:56  5022    (:0.0)
20                        pts/7                 2014-08-27 11:11                        0       id=/7 term=0 exit=0
21                        pts/9                 2014-08-27 11:28                        0       id=/9 term=0 exit=0
22 frank                + pts/10                        2014-08-27 10:49                .       5022    (:0.0)
23                        pts/11                        2014-08-27 11:50                        0       id=/11 term=0 exit=0

Lines 7 to 12 show real terminals (activated by using Ctrl+Alt+F1 to F6) waiting for activity. Lines 13 through 23 contain pseudo terminals, two of which have the error codes 0 (lines 20 and 21). Pseudo terminals appear, for example, when you open a terminal window on an X Window interface in which you activated the program xterm . (See the "Capabilities of Zsh" for additional information.)

rechner% watch=(all)
rechner%
test has logged off pts/7 from localhost.
test has logged on pts/7 from localhost.
rechner%