How to monitor user and group activity in Linux

Comprehensive explanation of how to monitor user and group activity in Linux using the tools and utilities mentioned Below:

ps command:

The "ps" command (short for process status) displays a snapshot of running processes on a Linux system. To view the processes running under a specific user, you can use the "-u" option followed by the username. For example, to see all the processes running under the user "john," you can use the following command:

ps -u john

This will display a list of all the processes running under the user "john" along with their process ID (PID), CPU usage, memory usage, and other relevant information.

top command:

The "top" command displays real-time information about the system's CPU and memory usage, as well as a list of the most resource-intensive processes currently running. To view the processes running under a specific user, you can press "u" followed by the username when running the "top" command.

top

Once inside the top command, pressing "u" followed by the username will show only the processes running under that user.

netstat command:

The "netstat" command displays a list of all active network connections on a Linux system. To view the network connections associated with a specific user or group, you can use the "-p" option followed by the user or group ID. For example, to view all the network connections associated with the user "john," you can use the following command:

netstat -p | grep john

This will display a list of all the network connections associated with the user "john," including the protocol (TCP or UDP), local and remote IP addresses and ports, and the process ID (PID) of the program using the connection.

sudo netstat -tunap

This will display a list of active network connections, including information on the local and remote addresses, protocol, and state of each connection.

last command:

The "last" command displays a list of all the recent logins and logouts on a Linux system. To view the login and logout history of a specific user, you can use username. For example, to view the login and logout history of the user "john," you can use the following command:

last john

This will display a list of all the login and logout events associated with the user "john," including the date and time, terminal used, and the IP address of the remote host.

w command:

The "w" command displays a list of all the currently logged-in users on a Linux system, along with the processes they are running and the time they have been idle. To view the processes running under a specific user, you can use the "-u" option followed by the username. For example, to view the processes running under the user "john" who is currently logged in, you can use the following command:

w -u john

This will display a list of all the processes running under the user "john," along with the terminal used and the time since the user last interacted with the system.

lsof command:

The "lsof" command displays a list of all the files currently open by processes on a Linux system. To view the files open by a specific user, you can use the "-u" option followed by the username. For example, to view all the files open by the user "john," you can use the following command:

lsof -u john

This will display a list of all the files open by processes running under the user "john," including the process ID (PID), the type of file (e.g. regular file, directory, socket), and the name and location of the file.

sudo lsof -i

This will display a list of network connections and the processes that are using them.

strace command:

The "strace" command can be used to trace system calls and signals made by a process. To trace the system calls made by a process running under a specific user, you can use the "-u" option followed by the username. For example, to trace the system calls made by a process running under the user "john," you can use the following command:

strace -u john -p <PID>

This will display a list of all the system calls and signals made by the process with the specified PID, including the function name, arguments, and return values.

sar command:

The "sar" command can be used to collect and display system activity data, including CPU usage, memory usage, disk activity, and network activity. To view the system activity data for a specific user or group, you can use the "-u" option followed by the username or group ID. For example, to view the CPU usage data for the user "john," you can use the following command:

sar -u -u john

This will display a list of the CPU usage data for the user "john," including the percentage of time spent in user mode, system mode, and idle mode.

For example, to view the CPU usage data for the user "john" for the past hour, you can use the following command:

sar -u -s HH:MM:SS -e HH:MM:SS -u -U john

This will display a report showing the CPU usage data for the user "john" for the past hour.

auditd:

The "auditd" daemon can be used to record system events such as user logins, file system changes, and process executions. To monitor user and group activity using auditd, you can configure audit rules to track specific events and store them in a log file.

For example, to log all user logins and logouts, you can add the following rule to the auditd configuration file:

sudo auditctl -a always,exit -F arch=b64 -S setlogin -S logout -F key=userlogins

This will log all user logins and logouts and store them in the audit log file with the key "userlogins".

For example, to enable auditing on a directory and all its subdirectories, you can use the following commands:

sudo apt-get install auditd

sudo auditctl -w /path/to/directory -p wa -k directory_access

This will enable auditing on the specified directory and log any access to it.

Once installed, you can configure "auditd" to monitor specific user and group activity. For example, to monitor all file accesses by the "root" user, run:

sudo auditctl -a always,exit -F arch=b64 -S open -F uid=root -k file-access

This will generate logs of all file accesses by the "root" user.

atop command:

The "atop" command is a powerful monitoring tool that provides detailed information on system resource usage, including CPU, memory, disk, and network activity. It can also display information on individual processes and threads, as well as the users and groups that own them. To view the resource usage data for a specific user or group, you can use the "-U" option followed by the username or group ID. For example, to view the CPU usage data for the user "john," you can use the following command:

atop -U john

This will display a list of the processes running under the user "john," along with their resource usage data.

pidstat command:

The "pidstat" command provides real-time process monitoring and performance analysis. It can display information on individual processes, as well as the users and groups that own them. To view the resource usage data for a specific user or group, you can use the "-u" option followed by the username or group ID. For example, to view the CPU usage data for the user "john," you can use the following command:

pidstat -u -U john

This will display a list of the processes running under the user "john," along with their CPU usage data.

ss command:

The "ss" command can be used to display detailed information on network connections and sockets. To view the network connections associated with a specific user or group, you can use the "-p" option followed by the username or group ID. 

For example, to view the network connections associated with the user "john," you can use the following command:

ss -p -U john

This will display a list of the network connections associated with the user "john," including the local and remote addresses and ports, the protocol used, and the process ID (PID) of the process that opened the connection.

For example, to view the network sockets associated with the user "john," you can use the following command:

ss -o user=john

This will display a list of the network sockets associated with the user "john."

iotop command:

The "iotop" command can be used to monitor disk I/O activity, displaying the processes that are generating the most disk I/O, as well as their users and groups. To view the disk I/O activity for a specific user or group, you can use the "-u" option followed by the username or group ID. For example, to view the disk I/O activity for the user "john," you can use the following command:

iotop -u john

This will display a list of the processes running under the user "john," along with their disk I/O usage data.

sudo iotop

This will display a live view of the processes using the disk. You can press "q" to exit the program.

htop command:

The "htop" command is an interactive process viewer that can be used to monitor running processes, their resource usage, and the users and groups that own them. It provides a more user-friendly interface than the traditional "top" command and allows for easy navigation and sorting of process data. To view the running processes associated with a specific user or group, you can use the "F4" key to filter the process list by user or group. For example, to view the running processes belonging to the user "john," you can press "F4" and enter "john" in the filter field.

nethogs command:

The "nethogs" command can be used to monitor network traffic on a per-process basis. It shows the processes that are using the most network bandwidth, as well as their users and groups. To view the network traffic associated with a specific user or group, you can use the "-u" option followed by the username or group ID. For example, to view the network traffic for the user "john," you can use the following command:

nethogs -u john

This will display a list of the processes running under the user "john," along with their network usage data.

lnav command:

The "lnav" command is a log file viewer that can be used to monitor system logs in real-time. It can be used to view log data from various sources, including system logs, application logs, and network logs. It can also display the logs for specific users and groups. To view the logs associated with a specific user or group, you can use the "-c" option followed by the username or group ID. For example, to view the system logs for the user "john," you can use the following command:

lnav -c "user=john" /var/log/syslog

This will display the system log data for the user "john" in real-time.

whoami command:

The "whoami" command can be used to display the username of the current user. It can be useful when running scripts or commands that require the current user's username as input. For example, to display the username of the current user in a script, you can use the following command:

echo "The current user is $(whoami)"

This will display a message indicating the username of the current user.

psacct tool:

The "psacct" tool is a set of utilities that can be used to monitor and report on the system's process accounting data. It can track the system resource usage for individual processes and users, as well as generate reports on system usage over time. To enable process accounting on the system, you can install the "psacct" package and use the "accton" command to start the accounting process. For example, to enable process accounting, you can use the following command:

sudo apt-get install acct

sudo accton on

This will install the "psacct" package and start the process accounting.

you can enable process accounting by running:

sudo service accounting start

This will start tracking user and group activity on the system.

loginctl command:

The "loginctl" command can be used to manage and monitor user login sessions on the system. It can display information on the currently active user sessions, as well as allow administrators to terminate user sessions if necessary. To view the user sessions associated with a specific user or group, you can use the "-u" option followed by the username or group ID. For example, to view the user sessions for the user "john," you can use the following command:

loginctl list-sessions -u john

This will display a list of the user sessions associated with the user "john."

htop command:

The "htop" command is an interactive process viewer that allows you to monitor system processes in real-time. It provides a more user-friendly interface than the "top" command, allowing you to sort processes by various criteria such as CPU usage, memory usage, and user. To view the processes running under a specific user or group, you can use the "F4" function key to filter the process list by user or group. 

For example, to view the processes running under the user "john," you can use the following steps:

1. Launch "htop" by typing "htop" in the terminal.
2. Press the "F4" function key.
3. Type "john" in the filter field and press "Enter".

This will display a list of the processes running under the user "john."

nettop command:

The "nettop" command is a network traffic viewer that allows you to monitor network activity in real-time. It provides a graphical interface showing the network traffic for each process running on the system, as well as the users and groups associated with each process. To view the network traffic associated with a specific user or group, you can use the "u" key to filter the display by user or group. 

For example, to view the network traffic for the user "john," you can use the following steps:

1. Launch "nettop" by typing "nettop" in the terminal.
2. Press the "u" key.
3. Type "john" in the filter field and press "Enter".

This will display the network traffic associated with the user "john."

logwatch:

The "logwatch" command is a log analysis and reporting tool that can be used to monitor system logs for user and group activity, as well as other system events. It can generate daily, weekly, or monthly reports summarizing system activity and identifying any potential issues or security risks. To install and configure logwatch on a system, you can use the following commands:

sudo apt-get install logwatch

sudo dpkg-reconfigure logwatch

This will install logwatch and launch a configuration wizard to set up the report settings.

iostat:

The "iostat" command is a system monitoring tool that can be used to track I/O (input/output) statistics for disk devices and partitions on the system. It can show the read and write rates, as well as the average response times for each device or partition. This can help identify any I/O bottlenecks and potential performance issues. To use "iostat," simply run the command followed by the interval in seconds that you want the statistics to be displayed:

iostat 5

This will display I/O statistics every 5 seconds.

atop:

The "atop" command is another system monitoring tool that can be used to track system activity, including user and group activity. It can display information on running processes, resource usage, disk I/O, and network activity. It also has a built-in log file that can be used to review system activity over time. To use "atop," simply run the command:

sudo atop

This will display a live view of system activity. You can press "t" to switch between different views, such as process view, disk view, and network view.

tcpdump:

The "tcpdump" command is a network monitoring tool that can be used to capture and analyze network traffic on the system. It can display information on network packets, including their source and destination addresses, protocols, and payload data. To capture network traffic, simply run the command followed by the network interface that you want to monitor:

sudo tcpdump -i eth0

This will capture network traffic on the "eth0" interface.

tcptrack:

The "tcptrack" command is a tool for monitoring TCP connections in real-time. It displays a live view of all active TCP connections on the system, including information on the local and remote addresses and ports, as well as the amount of data being transferred. To use "tcptrack," simply run the command:

sudo tcptrack

This will display a live view of TCP connections. You can press "q" to exit the program.