One of the most critical tasks you have as a system administrator is to monitor the system for suspicious activity that might indicate a security compromise, and to act on it. Evaluate login activity for signs of a breach, such as repeated failed logins, sessions from hosts you do not recognize, logins at unusual times, or interactive logins by service accounts that should never log in.
To monitor login activity, you can use the following commands:
who
The who command shows who is currently logged in to the system, together with the terminal each session is using and the time the session started. You can use options such as
-H (display column headings)
-r (current runlevel)
-a (display information provided by most options).
For example, entering who -H returns information similar to the following:
# who -H
NAME     LINE         TIME             COMMENT
user     pts/0        2017-12-14 09:58
Similarly, who -a displays output like the following. In addition to the user sessions it reports the system boot time and the current run level; the LOGIN lines are terminals with no user, the trailing number on each line is the PID of the login or getty process for that terminal, a + after the name means the terminal accepts messages from other users, and a . in the idle column means there was activity within the last minute.
# who -a
           system boot  2017-12-14 09:51
LOGIN      ttyS0        2017-12-14 09:52              1103 id=tyS0
LOGIN      tty1         2017-12-14 09:52              1102 id=tty1
           run-level 3  2017-12-14 09:53
user     + pts/0        2017-12-14 09:58   .          1164
w
The w command displays information about the users currently on the machine and their processes. The first line reports the current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes.
Below the first line is an entry for each user that displays the login name, the TTY name, the remote host, login time, idle time, JCPU, PCPU, and the command line of the user's current process. Below is a sample output of the w command.
# w
 11:05:37 up  1:14,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
user     pts/0                     09:58    1:04m  0.38s  1.74s login -- user
user     pts/1                     11:05    1.00s  0.03s  0.15s login -- user
The JCPU time is the time used by all processes attached to the tty. It does not include past background jobs, but it does include currently running background jobs. The PCPU time is the time used by the current process, which is named in the WHAT field. The FROM column is worth checking on every run: an empty value means a local (console) session, anything else is the remote host the session came from. You can use options such as -h (don't display the header), -s (short format: don't display the login time, JCPU, and PCPU), and -V (display version information).
finger
The finger command displays information about local and remote system users. It is often not installed by default, and querying remote users depends on a finger daemon running on the remote host; keep in mind that such a daemon exposes the same account details to anyone who can reach it over the network. By default, the following information is displayed about each user currently logged in to the local host:
1. User’s login name
2. User’s full name
3. Associated terminal name
4. Idle time
5. Login time (and from where)
You can use options such as -l (long format) and -s (short format). For example, entering finger -s returns information similar to the following:
# finger -s
Login     Name       Tty      Idle  Login Time   Office     Office Phone   Host
user                 pts/0    1:18  Dec 14 09:58
user                 pts/1          Dec 14 11:05

The long format shows one block per session:
# finger -l
Login: user                             Name:
Directory: /home/user                   Shell: /bin/bash
On since Thu Dec 14 09:58 (EST) on pts/0    1 hour 18 minutes idle
On since Thu Dec 14 11:05 (EST) on pts/1    1 second idle
No mail.
No Plan.
last
The last command searches back through /var/log/wtmp (or the file designated by the -f option) and displays a list of all users who have logged in and out since the file was created, newest entry first. You can specify names of users and TTYs to show only the entries for them.
You can use options such as -n num (limit the output to num lines), -a (display the host name in the last column, which keeps long host names from truncating the other columns), and -x (display system shutdown entries and run level changes). Note that wtmp only records successful logins; failed attempts are written to /var/log/btmp, which the lastb command reads with the same options.
For example, entering last -ax returns information similar to the following:
# last -ax
user     pts/0        Sun Dec 17 00:05   still logged in
runlevel (to lvl 3)   Sun Dec 17 00:04 - 00:09  (00:05)     3.10.0-693.11.1.el7.x86_64
reboot   system boot  Sun Dec 17 00:03 - 00:09  (00:05)     3.10.0-693.11.1.el7.x86_64
shutdown system down  Thu Dec 14 13:05 - 00:03 (2+10:58)    3.10.0-693.11.1.el7.x86_64
user     pts/1        Thu Dec 14 11:05 - down   (02:00)
user     pts/0        Thu Dec 14 09:58 - down   (03:06)
lastlog
The lastlog command formats and prints the contents of the last login log file (/var/log/lastlog), which holds one record per user: the login name, port, originating host and time of the most recent login.
Entering the command without options displays one entry for every account in /etc/passwd, sorted by numerical user ID. You can use options such as -u login_name (display the entry for the designated user only), -t days (show only users who logged in more recently than days days ago), -b days (show only users whose last login is older than days days) and -h (display a one-line help message). If a user has never logged in, the message **Never logged in** is displayed in place of the port and time; a system account such as bin or daemon that shows a real login instead deserves immediate attention. For example, entering lastlog returns information similar to the following:
# lastlog
Username         Port     From             Latest
root             pts/0                     Sun Dec 17 00:05:43 -0500 2017
bin                                        **Never logged in**
daemon                                     **Never logged in**
adm                                        **Never logged in**
....
chrony                                     **Never logged in**
ec2-user                                   **Never logged in**
user             pts/0                     Sun Dec 17 00:05:35 -0500 2017
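The following shell script is an added example and is not part of the original page. It turns the two review habits described in the last and lastlog sections into repeatable checks: every session in last -a output whose source host is not on an allow-list, and every service account in lastlog output that shows a recorded login instead of **Never logged in**. The host allow-list, the list of accounts that should never log in, and all of the sample output lines (including the 203.0.113.7 address and the daemon login) are constructed for this example; in production you would pipe the real commands into the two functions instead.

```shell
#!/bin/sh
# Added example (not from the original page). Two checks over the output of
# `last -a` and `lastlog`, run here against constructed samples so that the
# script works offline. The allow-list, the service-account list and every
# sample line below are assumptions made up for this example.

# Hosts from which interactive logins are expected (assumed).
ALLOWED_HOSTS="192.168.1.20 10.0.0.5"

# Accounts that should never have a recorded login (assumed).
NOLOGIN_ACCOUNTS="bin daemon adm chrony"

# Constructed `last -a` output: a local session, a session from an allowed
# host, a still-open root session from an unknown address, plus the reboot
# pseudo-user and the wtmp trailer that last prints.
LAST_SAMPLE='user     pts/0        Sun Dec 17 00:05   still logged in
user     pts/2        Sat Dec 16 22:10 - 22:40  (00:30)     192.168.1.20
root     pts/3        Sat Dec 16 03:12   still logged in                   203.0.113.7
reboot   system boot  Sat Dec 16 00:03 - 00:09  (00:05)     3.10.0-693.11.1.el7.x86_64
user     pts/1        Thu Dec 14 11:05 - down   (02:00)

wtmp begins Thu Dec 14 09:50:01 2017'

# Constructed `lastlog` output in which a service account has a recorded login.
LASTLOG_SAMPLE='Username         Port     From             Latest
root             pts/0                     Sun Dec 17 00:05:43 -0500 2017
bin                                        **Never logged in**
daemon           pts/4    203.0.113.7      Sat Dec 16 03:30:11 -0500 2017
user             pts/0                     Sun Dec 17 00:05:35 -0500 2017'

# audit_last: read `last -a` output on stdin and print one line per session
# that came from a host outside ALLOWED_HOSTS, marking open sessions "active".
audit_last() {
    awk -v allowed="$ALLOWED_HOSTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Skip blank lines, the wtmp trailer and the pseudo-users last writes itself.
    NF == 0 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" || $1 == "runlevel" { next }
    {
        # With -a the remote host is the last column. Local sessions have no
        # host, so the line ends in "(hh:mm)", "still logged in" or "gone - no logout".
        host = $NF
        if (host ~ /^\(/ || host == "in" || host == "logout") host = "-"
        active = (index($0, "still logged in") > 0) ? "active" : "closed"
        if (host != "-" && !(host in ok))
            print $1, $2, host, "unexpected-host", active
    }'
}

# audit_lastlog: read `lastlog` output on stdin and print the Port, From and
# Latest columns for any NOLOGIN_ACCOUNTS entry that is not "**Never logged in**".
# Column offsets are taken from the header line because the columns are
# fixed-width and From is often empty, so whitespace splitting is unreliable.
audit_lastlog() {
    awk -v nologin="$NOLOGIN_ACCOUNTS" '
    function trim(s) { sub(/^ +/, "", s); sub(/ +$/, "", s); return s }
    BEGIN { n = split(nologin, a, " "); for (i = 1; i <= n; i++) svc[a[i]] = 1 }
    NR == 1 { p = index($0, "Port"); f = index($0, "From"); l = index($0, "Latest"); next }
    ($1 in svc) && index($0, "Never logged in") == 0 {
        port = trim(substr($0, p, f - p))
        from = trim(substr($0, f, l - f))
        print $1, (port == "" ? "-" : port), (from == "" ? "-" : from), trim(substr($0, l))
    }'
}

# Stand-alone run: each check prints its findings (no output means nothing found).
printf '%s\n' "$LAST_SAMPLE" | audit_last
printf '%s\n' "$LASTLOG_SAMPLE" | audit_lastlog
```

On a live system replace the two printf lines with `last -a | audit_last` and `lastlog | audit_lastlog`; because last reads the current wtmp only, run the same check against rotated copies with `last -a -f /var/log/wtmp.1` if you need to cover more than the current rotation period.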