Hack 94 Determine Who Is on the System


figs/beginner.gif figs/hack94.gif

As a system administrator, it pays to know what's happening on your systems.

Sure, you spend time reading your logs, but do you take advantage of the other information-gathering utilities available to you? Silently, in the background, your system tracks all kinds of neat information. If you know enough to peek under the system hood, you can get a very good view of what is occurring on the system at any given point in time.

For the experienced hacker, the output from these commands may suggest interesting scripting possibilities.


9.7.1 Who's on First?

Have you ever needed to know who logged into a system and for how long? Use the users command to see who's logged in now:

% users dru biko

Perhaps you prefer to know who is on which terminal. Try who. Here, the H includes column headers and the u shows each user's idle time:

% who -Hu NAME             LINE     TIME         IDLE  FROM             dru              ttyv1    Jan 25 08:59 01:00  biko             ttyv5    Jan 25 09:57   .    dru              ttyp0    Jan 25 09:58 00:02 (hostname)

Feel free to experiment with who's switches to find an output that suits your needs. Here, dru and biko have logged in physically at this system's keyboard using virtual terminals 1 and 5. dru has also logged in over the first psuedoterminal (over the network) from the specified hostname.

To find out what everyone is doing, use w:

% w 10:07AM  up  1:20, 9 users, load averages: 0.02, 0.02, 0.09 USER             TTY      FROM              LOGIN@  IDLE WHAT dru              v1       -                 8:59AM  1:08 pine biko             v5       -                 9:57AM     - w dru              p0       hostname          9:58AM     4 -csh (csh)

If you're just interested in that first line of output, use uptime.


Notice that as a regular user, I was easily able to find out who is logged in, where they are, and what they're currently doing. If you don't want regular users knowing what commands other users are currently running, see [Hack #57] .

9.7.2 When Did That Happen?

You're not limited to finding out what's happening at this particular moment. Use lastlogin to see the most recent time at which each of your users logged in:

% lastlogin dru        ttyv1                   Sun Jan 25 08:59:36 2004  biko       ttyv5                   Sun Jan 25 09:57:18 2004  dlavigne   ttyv6                   Sat Jan 24 09:48:32 2004  dru        ttyp0    hostname       Sun Jan 25 09:58:50 2004  rembackup  ttyp0    hostname       Fri Jan 23 01:00:00 2004

For a slightly different output, last can show who is still logged in:

% last | grep still dru        ttyp0    hostname       Sun Jan 25 09:58   still logged in dru        ttyv1                   Sun Jan 25 08:59   still logged in biko       ttyv5                   Sun Jan 25 09:57   still logged in

Do you need a record of system shutdowns or reboots? The /var/log/wtmp database holds this information. Use last to view the desired statistics:

% last reboot reboot           ~                         Tue Jan 20 15:37 reboot           ~                         Tue Nov 25 07:24 reboot           ~                         Sun Aug  3 09:05 wtmp begins Tue Jul  1 15:27:26 EDT 2003 % last shutdown shutdown         ~                         Wed Dec 24 22:14 wtmp begins Tue Jul  1 15:27:26 EDT 2003

9.7.3 Details, Details

Another option to consider is enabling system accounting, which maintains a database of extremely detailed statistics of every process and subprocess that has been executed on a system.

# touch /var/account/acct # accton /var/account/acct

Note that the accton command will fail if you don't specify the name of the accounting log or if that log doesn't already exist. Also, in a queer case of logic, typing accton with no arguments really turns accounting off.

Once accounting is enabled, use lastcomm to view the contents of /var/account/acct:

% lastcomm lastcomm    -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 man         -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 sh          -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 sh          -F    dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 less        -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 col         -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 groff       -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 grotty      -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 troff       -     dlavigne     ttyv6      0.08 secs Sun Jan 25 11:33 tbl         -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 zcat        -     dlavigne     ttyv6      0.00 secs Sun Jan 25 11:33 cron        -F    root         __         0.00 secs Sun Jan 25 11:33 sh          -     operator     __         0.00 secs Sun Jan 25 11:33 sh          -     operator     __         0.00 secs Sun Jan 25 11:33 dd          -     operator     __         0.00 secs Sun Jan 25 11:33 mv          -     operator     __         0.00 secs Sun Jan 25 11:33 mv          -     operator     __         0.00 secs Sun Jan 25 11:33 mv          -     operator     __         0.00 secs Sun Jan 25 11:33 rm          -     operator     __         0.00 secs Sun Jan 25 11:33 jot         -     operator     __         0.00 secs Sun Jan 25 11:33 accton      -     root         ttyv0      0.00 secs Sun Jan 25 11:32

This comes from a quiet system one minute after enabling accounting. A cron job happened to be running at the time, hence the operator lines. The user dlavigne6 also opened up a manpage during that period. Note all of the processes involved before man actually started.

This command can also show you which processes ended abnormally. Search for the D flag, which indicates that the process dumped core:

% lastcomm | grep -w "D"


Depending upon your security requirements, you may not want users to have access to such detailed information. After all, lastcomm will show every process run by every user. Tightening permissions will fix that:

# chmod 600 /var/account/acct # su dlavigne % lastcomm lastcomm: /var/account/acct: Permission denied

Also, if you're planning on using lastcomm as an extra audit trail, consider changing this file's flags [Hack #56] . You'll also want to have plenty of disk space on the filesystem holding the database.

Finally, to enable system accounting when the system boots, add this line to /etc/rc.conf:

accounting_enable="YES"

9.7.4 See Also

  • man users

  • man who

  • man w

  • man lastlogin

  • man last

  • man lastcomm



BSD Hacks
BSD Hacks
ISBN: 0596006799
EAN: 2147483647
Year: 2006
Pages: 160
Authors: Lavigne

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net