Monitoring User Activity on the System

Monitoring user activity is part of the sysadmin's duties and an essential task in tracking how system resources are being used. The w command tells the sysadmin who is logged in, where he is logged in, and what he is doing. No one can hide from the super user. The w command can be followed by a specific user's name to show only that user.

The ac command provides information about the total connect time of a user measured in hours. It accesses the /var/log/wtmp file for the source of its information. The ac command proves most useful in shell scripts to generate reports on operating system usage for management review. Note that you have to install the acct package using either synaptic or apt-get

Interestingly, a phenomenon known as timewarp can occur in which an entry in the wtmp files jumps back into the past and ac shows unusual amounts of time accounted for users Although this can be attributed to some innocuous factors having to do with the system clock, it is worthy of investigation by the sysadmin because it can also be the result of a security breach.

The last command searches through the /var/iog/wtmp file and lists all the users logged in and out since that file was first created. The user reboot exists so that you might know who has logged in since the last reboot. A companion to last is the command lastb, which shows all failed, or bad, logins. It is useful for determining whether a legitimate user is having trouble or a hacker is attempting access.


The accounting system on your computer keeps track of usage user statistics and is kept in the current /var/iog/wtmp file. That file is managed by the init and login processes. If you want to explore the depths of the accounting system, use the GNU info system: info accounting.


Was this article helpful?

0 0

Post a comment