09 February 2013

Various Ways To Learn Linux User Activity


There are various ways to check user activity on the Linux systems we maintain. This usually matters on systems shared by many users (multiuser).
Okay, here are the things that I normally use:



1. As soon as you log in over SSH, look at the "Last login" line. It shows the IP address from which the account last logged on to the system:

    Last login: Tue May 26 21:32:17 2010 from 125.166.xxx.xxx

2. View the currently active users with w or who:

    # w
     01:28:49 up 3 days, 12:04,  2 users,  load average: 0.00, 0.00, 0.00
    USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
    andri    pts/0    125.166.xxx.xxx   01:25    0.00s  0.14s  0.00s w
    dki      pts/1    118.98.xxx.xxx    01:26    2:35   0.10s  0.10s -bash

    # who
    andri    pts/0        2010-05-30 01:25 (125.166.xxx.xxx)
    dki      pts/1        2010-05-30 01:26 (118.98.xxx.xxx)

 
3. You can also use ps aux:

    # ps aux | grep bash | grep pts
    andri     9297  0.0  0.0   6324  3636 pts/0    Ss   01:25   0:00 -bash
    dki       9371  0.0  0.0   6320  3576 pts/1    Ss+  01:26   0:00 -bash

4. See the most recent login of every user with lastlog:

    # lastlog
    Username         Port     From             Latest
    root                                       **Never logged in**
    daemon                                     **Never logged in**
    bin                                        **Never logged in**
    sys                                        **Never logged in**
    sync                                       **Never logged in**
    games                                      **Never logged in**
    man                                        **Never logged in**
    lp                                         **Never logged in**
    mail                                       **Never logged in**
    news                                       **Never logged in**
    uucp                                       **Never logged in**
    proxy                                      **Never logged in**
    www-data                                   **Never logged in**
    backup                                     **Never logged in**
    list                                       **Never logged in**
    irc                                        **Never logged in**
    gnats                                      **Never logged in**
    nobody                                     **Never logged in**
    libuuid                                    **Never logged in**
    syslog                                     **Never logged in**
    landscape                                  **Never logged in**
    bind                                       **Never logged in**
    sshd                                       **Never logged in**
    dki              pts/1    118.98.xxx.xxx   Sun May 30 01:26:01 +0700 2010
    mysql                                      **Never logged in**
    postfix                                    **Never logged in**
    proftpd                                    **Never logged in**
    ftp                                        **Never logged in**
    vmail                                      **Never logged in**
    clamav                                     **Never logged in**
    amavis                                     **Never logged in**
    andri            pts/0    125.166.xxx.xxx  Sun May 30 01:25:46 +0700 2010
    disdukcapil                                **Never logged in**
    statd                                      **Never logged in**
    manapar                                    **Never logged in**

5. You can also use helper tools such as finger, but it must be installed first:

    # finger
    Login     Name            Tty      Idle  Login Time   Office     Office Phone
    andri     Andri Nawawi    pts/0          May 30 01:25 (125.166.xxx.xxx)
    dki       Establishments  pts/1      10  May 30 01:26 (118.98.xxx.xxx)

If something looks suspicious, you can review a user's activity with the history command:

    # history

What else? If you want to see the list of users and groups that exist on the system, you can use:

    # cat /etc/passwd
    # cat /etc/group

or

    # getent passwd
    # getent group

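The lastlog listing from step 4 and the passwd data above can be checked against each other. The following is an added example, not part of the original post: a shell function (`review_logins`, a hypothetical name) that lists every account that has logged in and marks those below an assumed UID threshold of 1000, where regular accounts start by default on Debian and Ubuntu. The sample data is constructed.

```shell
#!/bin/sh
# Added example: cross-check lastlog output against passwd data.
# SAMPLE_* values are constructed; on a real host use:
#   lastlog | review_logins "$(getent passwd)"

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
mysql:x:104:108:MySQL Server:/var/lib/mysql:/bin/false
andri:x:1000:1000:Andri Nawawi:/home/andri:/bin/bash
dki:x:1001:1001::/home/dki:/bin/bash'

SAMPLE_LASTLOG='Username         Port     From             Latest
root                                       **Never logged in**
www-data         pts/2    203.0.113.7      Sun May 30 02:10:11 +0700 2010
mysql                                      **Never logged in**
andri            pts/0    125.166.xxx.xxx  Sun May 30 01:25:46 +0700 2010
dki              tty1                      Sun May 30 01:26:01 +0700 2010'

# review_logins PASSWD_TEXT [UID_MIN]   (lastlog output on stdin)
# Prints "<verdict> <user> <port> <from>" for every account that has logged in.
# UID_MIN defaults to 1000 (assumption: first regular UID on this distribution).
review_logins() {
    PASSWD_DATA="$1" awk -v uid_min="${2:-1000}" '
        BEGIN {
            # Build a user -> UID map from the passwd text
            n = split(ENVIRON["PASSWD_DATA"], rows, "\n")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, ":")
                if (f[1] != "") uid[f[1]] = f[3] + 0
            }
        }
        # Skip the header line and accounts that never logged in
        NR == 1 || /Never logged in/ || NF < 3 { next }
        {
            user = $1; port = $2; from = $3
            # Console logins have an empty From column, so $3 is the weekday
            if (from ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) from = "local"
            # An account can be absent when PASSWD_TEXT is an older saved copy
            if (!(user in uid))                verdict = "REVIEW-not-in-passwd"
            else if (uid[user] < uid_min + 0)  verdict = "REVIEW-system-account"
            else                               verdict = "ok"
            print verdict, user, port, from
        }
    '
}

printf '%s\n' "$SAMPLE_LASTLOG" | review_logins "$SAMPLE_PASSWD"
```

In the constructed sample, the www-data login is the line to investigate: a service account that normally never logs in shows an interactive session from a remote address.
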
;-) Hope this helps.
