GnomeCORE

Stay Secure by Checking Users

A few weeks ago, we talked about creating a shell script that would report daily on the logins to your system. Using the last command, you can take a look at who has been in your system since the creation of the wtmp file. last, however, isn't the only quick command that returns user information. Several others can be just as useful in building a picture of how your system is used. Knowing what normal use looks like is the first step in detecting system intrusions. In other words, you can't tell what's abnormal if you don't first know what's normal.

finger is a system command that, run with no arguments, displays all currently logged-in users. Once a list is returned, you can finger each user individually by appending the user name to the finger command:

    finger tony
    Login: tony       Name: Tony Steidler-Dennison
    Directory: /home/tony        Shell: /bin/bash
    On since Thu Jun 20 18:27 (CDT) on pts/0 54 minutes 2 seconds idle (messages off)
    On since Thu Jun 20 19:15 (CDT) on pts/1 (messages off)
    On since Thu Jun 20 18:45 (CDT) on pts/2 11 minutes 33 seconds idle (messages off)
    No mail.
    No Plan.

who is a quick and simple command that provides more focused information than finger: one line per session, showing the user, the terminal, and the login time:

    tony     pts/0    Jun 20 18:27
    tony     pts/1    Jun 20 19:15
    tony     pts/2    Jun 20 18:45

The output of who also includes the remote host (in parentheses, after the login time) when the user is logged in from a remote machine. The data for this command is read from the utmp file, which records current sessions and is a cousin of the wtmp file that last reads.

w is one of the quickest commands in Linux. It returns a list of logged-in users along with what each of those users is currently doing:

     7:35pm  up 3 days, 18 min,  3 users,  load average: 0.49, 0.36, 0.37
    USER     TTY      FROM     LOGIN@   IDLE   JCPU   PCPU   WHAT
    tony     pts/0    -        6:27pm   1:08m  2:20   2:20   gtk-gnutella
    tony     pts/1    -        7:15pm   6:30   0.13s  0.13s  /bin/bash
    tony     pts/2    -        7:35pm   0.00s  0.06s  0.02s  w

To reiterate, the real value of these commands is to reach some understanding of the normal usage of your system. That way, you’ll know when it varies from the norm.
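One way to turn that "know what's normal" idea into a check is to keep a small baseline of expected user/origin pairs and compare the current who output against it. The script below is an added example, not code from the original post; the baseline format (one "user origin" pair per line, where origin is the remote host or display when who shows one, otherwise the tty) and the sample who output are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed baseline of "normal" sessions: one "user origin" pair per line.
# In practice this would live in a file you maintain, e.g. /etc/login-baseline (hypothetical path).
BASELINE='tony :0
tony pts/0
tony 192.0.2.10'

# Constructed `who` output: user, tty, login time, and an optional (origin) field.
SAMPLE_WHO='tony     pts/0        Jun 20 18:27
tony     pts/1        Jun 20 19:15 (192.0.2.10)
backup   pts/2        Jun 20 18:45 (203.0.113.7)
tony     tty7         Jun 20 17:01 (:0)'

# Reduce one line of `who` output to a "user origin" key. The origin is the
# parenthesised host or display when present, otherwise the tty itself.
session_key() {
    echo "$1" | awk '{
        origin = $2
        if (match($0, /\(.*\)/)) origin = substr($0, RSTART + 1, RLENGTH - 2)
        print $1, origin
    }'
}

# Print every session whose key does not appear verbatim in the baseline.
# $1 = who output, $2 = baseline text.
unexpected_sessions() {
    echo "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=$(session_key "$line")
        if ! echo "$2" | grep -qxF "$key"; then
            echo "UNEXPECTED: $key"
        fi
    done
}

# Demo run over the constructed data; flags the backup login from an unknown host.
unexpected_sessions "$SAMPLE_WHO" "$BASELINE"
```

Against a live system you would call unexpected_sessions "$(who)" "$(cat /etc/login-baseline)" from cron, alongside the daily last report from the earlier article.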
