ubuntu下如何查看用户登录及用户操作相关信息

在ubuntu下如何查看相关用户登录历史，用户操作历史，进行系统的日志跟踪和分析，以便发现系统登录问题，进行安全策略防护呢？

 作为一个玩Linux的，你需要了如执掌，坐拥ROOT账号，运筹帷幄千里之外！

 ubuntu下的一些命令提供了很好的管理手段方法，较好地满足这些需求。

 

• 使用who命令查看当前用户登录状况

root@chaosju-ThinkPad-SL410:/home/chaosju# who
chaosju  :0           2015-05-21 12:50 (:0)
chaosju  pts/1        2015-05-21 12:54 (:0)

• 使用last命令查看最近登录情况。

        如下所示，last命令列出最近一段时间的用户登录时间及ip记录。（单独执行last指令，它会读取位于/var/log目录下，名称为wtmp的文件，并把该给文件的内容记录的登入系统的用户名单全部显示出来）

root@chaosju-ThinkPad-SL410:/home/chaosju# last
chaosju  pts/1        :0               Thu May 21 12:54   still logged in   
chaosju  :0           :0               Thu May 21 12:50   still logged in   
reboot   system boot  3.13.0-32-generi Thu May 21 12:49 - 13:18  (00:28)    
chaosju  pts/27       :0               Wed May 20 23:46 - down   (00:16)    
chaosju  tty1                          Wed May 20 23:38 - down   (00:25)    
zx       pts/27       10.210.96.78     Wed May 20 23:18 - 23:26  (00:08)    
chaosju  pts/29       10.210.96.78     Wed May 20 23:17 - 23:17  (00:00)    
chaosju  pts/27       10.210.96.78     Wed May 20 23:15 - 23:17  (00:02)    
chaosju  pts/28       :0               Wed May 20 23:08 - down   (00:54)    
chaosju  pts/27       10.210.96.78     Wed May 20 22:59 - 23:13  (00:14)    

• 使用lastlog命令查看各个用户登录情况

root@chaosju-ThinkPad-SL410:/home/chaosju# lastlog 
用户名           端口     来自             最后登陆时间
root                                       **从未登录过**
daemon                                     **从未登录过**
bin                                        **从未登录过**
sys                                        **从未登录过**
sync                                       **从未登录过**
games                                      **从未登录过**
man                                        **从未登录过**
lp                                         **从未登录过**
mail                                       **从未登录过**
news                                       **从未登录过**
uucp                                       **从未登录过**

lastlog命令列出了各个用户的登录情况，如果没有登录过，则显示Never logged in，如果有登录历史，则显示出ip及登录时间。

• 查看/var/log/auth.log文件，分析用户登录及行为。

root@chaosju-ThinkPad-SL410:/home/chaosju#  cat /var/log/auth.log |more

     1  May 19 10:17:01 chaosju-ThinkPad-SL410 CRON[13161]: pam_unix(cron:session): session opened for user root by (uid=0)
     2  May 19 10:17:01 chaosju-ThinkPad-SL410 CRON[13161]: pam_unix(cron:session): session closed for user root
     3  May 19 10:22:59 chaosju-ThinkPad-SL410 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
     4  May 19 10:22:59 chaosju-ThinkPad-SL410 pkexec[14880]: chaosju: Executing command [USER=root] [TTY=unknown] [CWD=/home/chaosju] [COMMAND=/usr/lib/update-notifier/package-system-locked]
     5  May 19 11:17:01 chaosju-ThinkPad-SL410 CRON[30372]: pam_unix(cron:session): session opened for user root by (uid=0)
     6  May 19 11:17:01 chaosju-ThinkPad-SL410 CRON[30372]: pam_unix(cron:session): session closed for user root
     7  May 19 11:38:10 chaosju-ThinkPad-SL410 polkitd(authority=local): Unregistered Authentication Agent for unix-session:c2 (system bus name :1.64, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
     8  May 19 11:38:11 chaosju-ThinkPad-SL410 gnome-keyring-daemon[2263]: g_dbus_connection_real_closed: Remote peer vanished with error: Underlying GIOStream returned 0 bytes on an async read (g-io-error-quark, 0). Exiting.
     9  May 19 11:38:12 chaosju-ThinkPad-SL410 lightdm: pam_unix(lightdm:session): session closed for user chaosju
    10  May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
    11  May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: PAM adding faulty module: pam_kwallet.so
    12  May 19 11:38:14 chaosju-ThinkPad-SL410 lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
    13  May 19 11:38:14 chaosju-ThinkPad-SL410 systemd-logind[483]: New session c3 of user lightdm.
    14  May 19 11:38:14 chaosju-ThinkPad-SL410 systemd-logind[483]: Linked /tmp/.X11-unix/X0 to /run/user/112/X11-display.
    15  May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: PAM unable to dlopen(pam_kwallet.so): /lib/security/pam_kwallet.so: cannot open shared object file: No such file or directory
    16  May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: PAM adding faulty module: pam_kwallet.so
    17  May 19 11:38:15 chaosju-ThinkPad-SL410 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "chaosju"
    18  May 19 12:17:01 chaosju-ThinkPad-SL410 CRON[4366]: pam_unix(cron:session): session opened for user root by (uid=0)
    19  May 19 12:17:01 chaosju-ThinkPad-SL410 CRON[4366]: pam_unix(cron:session): session closed for user root
    20  May 19 13:17:01 chaosju-ThinkPad-SL410 CRON[4394]: pam_unix(cron:session): session opened for user root by (uid=0)

如上所示，通过查看auth.log，可以分析出用户尝试登录情况，以及退出历史；

• 查看 /home/{username}/.bash_history，可以查看用户的操作记录

root@chaosju-ThinkPad-SL410:/home/chaosju#   cat /home/chaosju/.bash_history |less

sudo apt-add-repository ppa:paolorotolo/android-studio
sudo apt-get update
sudo apt-get install android-studio
ls
cd 下载
ls
cd android-studio/
ls
cd bin/
ls
sudo ./studio.sh 
find / -android-studio
find /-android-studio
find . -android-studio
dpkg -L 
dpkg -L  android-studio 
/usr/share/doc/android-studio/
ls
cd /usr/share/doc/android-studio/
ls
dpkg -L  android-studio 
apt-file list android-studio
cd 下载
ls
cd android-studio/
ls
cd bin 
ls
vim idea.properties
ls
gedit idea.properties~