Viewing user accounts and activities on Linux servers
$ df -h /home
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda3        14G  7.2G  5.7G  56% /home
Asking who
The who command provides information on which users are currently logged in. In the case below, justme is logged in on the console and has a terminal window open. The other user currently logged in, shs, is logged in over the network. This is why one login shows the terminal ID and the other shows the IP address from which the login connection was made.
$ who
justme   seat0        2024-02-10 12:30 (login screen)
justme   tty2         2024-02-10 12:30 (tty2)
shs      pts/1        2024-02-10 12:38 (192.168.0.8)
The who output also displays the login date and time. How long each user spends on the server depends on the work that he or she needs to do on the system.
Listing user account details
To list system accounts, you can check the entries in the /etc/passwd file. This file contains details including the usernames, numeric user IDs (UIDs), group IDs (GIDs), home directories and which shells the accounts use. The query below looks only at the bottom of the /etc/passwd file because that file contains information on nearly 50 system accounts.
$ tail -6 /etc/passwd
shs:x:1001:1001:Sandra H-S:/home/shs:/bin/bash
newuser:x:1002:1002:New Guy:/home/newuser:/bin/bash
george:x:1003:1003:George M:/home/george:/bin/bash
justme:x:1004:1004:Just Me:/home/justme:/bin/bash
brie:x:1005:1005:Brie the Cat:/home/brie:/bin/bash
lola:x:1006:1006:Lola the Dog:/home/lola:/bin/bash
Notice that no passwords are included in the /etc/passwd file in spite of the file having “passwd” as its name. For many years, passwords have been encrypted and maintained in the /etc/shadow file. Notice that the second field for each user in this colon-separated file entry is more than 70 characters long. The remaining fields relate to password aging.
If passwords are not being aged, you will see a string of 9’s in one of the last fields of the /etc/shadow file. To make sense of the aging fields, use the command below to express today’s date as the number of days since the epoch:
$ today=$(( $( date "+%s" ) / 86400 ))
$ echo $today
19764
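An added example (not from the original article): a shell function that reads /etc/shadow-format lines and reports password age and expiry status from the aging fields, which are stored as days since the epoch like the $today value above. The sample entries and the function names shadow_aging and days_to_date are constructed for illustration; treating a maximum age of 99999 or more as "no expiry" is an assumption based on the common default.

```shell
#!/bin/sh
# Added example: interpret the password-aging fields of /etc/shadow entries.
# Field order (shadow(5)): name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and expire are days since the epoch, like $today in the article.

# Constructed sample entries; the hash field is a placeholder, not real data.
SAMPLE_SHADOW='shs:$y$PLACEHOLDER:19764:0:99999:7:::
george:$y$PLACEHOLDER:19600:0:90:7:::
lola:$y$PLACEHOLDER:0:0:90:7:::
brie:!:19700:0:99999:7::19750:'

# Convert days since the epoch to YYYY-MM-DD (UTC). Relies on GNU date's -d @SECONDS.
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# Read shadow-format lines on stdin; $1 is today's date in days since the epoch.
shadow_aging() {
    today=$1
    while IFS=: read -r name hash lastchg min max warn inactive expire reserved; do
        [ -n "$name" ] || continue
        age=-
        if [ -z "$lastchg" ]; then
            pw=aging-off                      # empty field: aging disabled
        elif [ "$lastchg" -eq 0 ]; then
            pw=change-at-next-login           # 0 forces a change at next login
        else
            age=$(( today - lastchg ))
            if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
                pw=no-expiry                  # assumed: the "string of 9's" case
            elif [ "$today" -gt $(( lastchg + max )) ]; then
                pw="expired-$(( today - lastchg - max ))d-ago"
            else
                pw="expires-in-$(( lastchg + max - today ))d"
            fi
        fi
        if [ -z "$expire" ]; then
            acct=no-expiry                    # empty field: account never expires
        elif [ "$today" -ge "$expire" ]; then
            acct="expired-$(( today - expire ))d-ago"
        else
            acct="expires-in-$(( expire - today ))d"
        fi
        printf '%s age=%s pw=%s acct=%s\n' "$name" "$age" "$pw" "$acct"
    done
}

# Run against the sample, using the day number shown in the article (19764).
printf '%s\n' "$SAMPLE_SHADOW" | shadow_aging 19764
echo "day 19764 is $(days_to_date 19764)"
```

On a live system the same function can be fed the real file as root, for example with sudo cat /etc/shadow piped into shadow_aging "$today".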
The date the password was last changed and the expiration date show up near the end of the lines in the /etc/shadow file. Here’s an example in which the password was just recently changed. These are the rightmost fields in the /etc/shadow file for this user.