How to view user login and user activity information on Ubuntu
Note: adapted from http://www.tuicool.com/articles/ia67Bj
On Ubuntu, how do you review users' login history and command history, and track and analyze the system logs, so that you can spot login problems and put security policy protections in place?
As someone who plays with Linux, you need to have all of this at your fingertips: hold the root account and direct events from a thousand miles away!
A handful of Ubuntu commands provide good management tools for exactly this and cover these needs well.
- Use the who command to see who is currently logged in

```
root@chaosju-ThinkPad-SL410:/home/chaosju# who
chaosju  :0           2015-05-21 12:50 (:0)
chaosju  pts/1        2015-05-21 12:54 (:0)
```
- Use the last command to view recent logins.
As shown below, the last command lists the login times and source IPs of recent user logins. (Run with no arguments, last reads the file named wtmp in /var/log and prints every user login recorded in that file.)

```
root@chaosju-ThinkPad-SL410:/home/chaosju# last
chaosju  pts/1        :0               Thu May 21 12:54   still logged in
chaosju  :0           :0               Thu May 21 12:50   still logged in
reboot   system boot  3.13.0-32-generi Thu May 21 12:49 - 13:18  (00:28)
chaosju  pts/27       :0               Wed May 20 23:46 - down   (00:16)
chaosju  tty1                          Wed May 20 23:38 - down   (00:25)
zx       pts/27       10.210.96.78     Wed May 20 23:18 - 23:26  (00:08)
chaosju  pts/29       10.210.96.78     Wed May 20 23:17 - 23:17  (00:00)
chaosju  pts/27       10.210.96.78     Wed May 20 23:15 - 23:17  (00:02)
chaosju  pts/28       :0               Wed May 20 23:08 - down   (00:54)
chaosju  pts/27       10.210.96.78     Wed May 20 22:59 - 23:13  (00:14)
```
- Use the lastlog command to view each user's most recent login

```
root@chaosju-ThinkPad-SL410:/home/chaosju# lastlog
用户名           端口     来自             最后登陆时间
root                                       **从未登录过**
daemon                                     **从未登录过**
bin                                        **从未登录过**
sys                                        **从未登录过**
sync                                       **从未登录过**
games                                      **从未登录过**
man                                        **从未登录过**
lp                                         **从未登录过**
mail                                       **从未登录过**
news                                       **从未登录过**
uucp                                       **从未登录过**
```

The lastlog command lists the login state of every account: if an account has never logged in it shows Never logged in; if it has a login history it shows the source IP and the login time.
- Inspect /var/log/auth.log to analyze user logins and their behavior.

```
root@chaosju-ThinkPad-SL410:/home/chaosju# cat /var/log/auth.log |more
May 19 10:17:01 chaosju-ThinkPad-SL410 CRON[13161]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 10:17:01 chaosju-ThinkPad-SL410 CRON[13161]: pam_unix(cron:session): session closed for user root
May 19 10:22:59 chaosju-ThinkPad-SL410 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
May 19 10:22:59 chaosju-ThinkPad-SL410 pkexec[14880]: chaosju: Executing command [USER=root] [TTY=unknown] [CWD=/home/chaosju] [COMMAND=/usr/lib/update-notifier/package-system-locked]
May 19 11:17:01 chaosju-ThinkPad-SL410 CRON[30372]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 11:17:01 chaosju-ThinkPad-SL410 CRON[30372]: pam_unix(cron:session): session closed for user root
May 19 11:38:10 chaosju-ThinkPad-SL410 polkitd(authority=local): Unregistered Authentication Agent for unix-session:c2 (system bus name :1.64, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
May 19 11:38:11 chaosju-ThinkPad-SL410 gnome-keyring-daemon[2263]: g_dbus_connection_real_closed: Remote peer vanished with error: Underlying GIOStream returned 0 bytes on an async read (g-io-error-quark, 0). Exiting.
May 19 11:38:12 chaosju-ThinkPad-SL410 lightdm: pam_unix(lightdm:session): session closed for user chaosju
May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: PAM adding faulty module: pam_kwallet.so
May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
May 19 11:38:14 chaosju-ThinkPad-SL410 systemd-logind[483]: New session c3 of user lightdm.
May 19 11:38:14 chaosju-ThinkPad-SL410 systemd-logind[483]: Linked /tmp/.X11-unix/X0 to /run/user/112/X11-display.
May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: PAM adding faulty module: pam_kwallet.so
May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "chaosju"
May 19 12:17:01 chaosju-ThinkPad-SL410 CRON[4366]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 12:17:01 chaosju-ThinkPad-SL410 CRON[4366]: pam_unix(cron:session): session closed for user root
May 19 13:17:01 chaosju-ThinkPad-SL410 CRON[4394]: pam_unix(cron:session): session opened for user root by (uid=0)
```
As shown above, reviewing auth.log lets you analyze users' login attempts, their privileged command executions (the pkexec line), and their session open and close history.
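Reading auth.log by eye does not scale, so here is an added example (not from the original post) that parses the syslog prefix and buckets the PAM, pkexec and sshd events a login review cares about. The sample input reuses lines from the excerpt above; the two sshd lines are constructed to show how a remote login and a failed remote attempt would appear.

```python
import re
from collections import Counter

# Constructed sample: four lines from the auth.log excerpt above plus two
# hypothetical sshd lines (not on the original page) for a remote login and a
# failed remote password attempt.
SAMPLE_AUTH_LOG = """\
May 19 10:17:01 chaosju-ThinkPad-SL410 CRON[13161]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 10:17:01 chaosju-ThinkPad-SL410 CRON[13161]: pam_unix(cron:session): session closed for user root
May 19 10:22:59 chaosju-ThinkPad-SL410 pkexec[14880]: chaosju: Executing command [USER=root] [TTY=unknown] [CWD=/home/chaosju] [COMMAND=/usr/lib/update-notifier/package-system-locked]
May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "chaosju"
May 20 23:15:02 chaosju-ThinkPad-SL410 sshd[5120]: Accepted password for chaosju from 10.210.96.78 port 50022 ssh2
May 20 23:16:40 chaosju-ThinkPad-SL410 sshd[5133]: Failed password for invalid user admin from 10.210.96.78 port 50031 ssh2
"""

# syslog prefix: timestamp, host, program, optional [pid], then the message
HEADER = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")
SESSION = re.compile(r"pam_unix\(([^:]+):session\): session (opened|closed) for user (\S+)")
PKEXEC = re.compile(r"^(\S+): Executing command \[USER=(\S+)\].*\[COMMAND=([^\]]+)\]")
SSH_OK = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port")
SSH_FAIL = re.compile(r"^Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port")
PAM_REQ = re.compile(r'pam_succeed_if\(([^:]+):auth\): requirement "([^"]+)" not met by user "([^"]+)"')

def summarize(text):
    """Walk auth.log text and bucket the events worth reviewing.

    sessions:  Counter keyed by (pam service, user, opened|closed)
    priv_cmds: (time, caller, target user, command) from pkexec
    remote_ok: (time, user, source ip, method) from sshd
    failures:  (time, user, source ip, method) for failed sshd logins
    pam_not_met: (time, user, service, requirement) - for lightdm this only
                 means a password was required, so it is kept separate
    """
    r = {"sessions": Counter(), "priv_cmds": [], "remote_ok": [], "failures": [], "pam_not_met": []}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip lines that are not syslog-formatted
        ts, _host, prog, _pid, msg = m.groups()
        if s := SESSION.search(msg):
            r["sessions"][(s.group(1), s.group(3), s.group(2))] += 1
        elif prog == "pkexec" and (p := PKEXEC.match(msg)):
            r["priv_cmds"].append((ts, p.group(1), p.group(2), p.group(3)))
        elif prog == "sshd" and (a := SSH_OK.match(msg)):
            r["remote_ok"].append((ts, a.group(2), a.group(3), a.group(1)))
        elif prog == "sshd" and (f := SSH_FAIL.match(msg)):
            r["failures"].append((ts, f.group(2), f.group(3), f.group(1)))
        elif q := PAM_REQ.search(msg):
            r["pam_not_met"].append((ts, q.group(3), q.group(1), q.group(2)))
    return r
```

Pipe the real file in with `summarize(open("/var/log/auth.log").read())`; repeated entries in `failures` from one source IP, or a `remote_ok` user you do not recognize, are the first things to follow up.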
- Inspect /home/{username}/.bash_history to see the user's command history

```
root@chaosju-ThinkPad-SL410:/home/chaosju# cat /home/chaosju/.bash_history |less
sudo apt-add-repository ppa:paolorotolo/android-studio
sudo apt-get update
sudo apt-get install android-studio
ls
cd 下载
ls
cd android-studio/
ls
cd bin/
ls
sudo ./studio.sh
find / -android-studio
find /-android-studio
find . -android-studio
dpkg -L
dpkg -L android-studio
/usr/share/doc/android-studio/
ls
cd /usr/share/doc/android-studio/
ls
dpkg -L android-studio
apt-file list android-studio
cd 下载
ls
cd android-studio/
ls
cd bin
ls
vim idea.properties
ls
gedit idea.properties~
```
Picking chrysanthemums by the eastern hedge, at leisure I gaze upon the southern hills~