How to track user activity in Linux - Monitoring & Logging Guide

How to Track User Activity in Linux Monitoring user activity is a critical aspect of Linux system administration, security, and compliance. Whether you're managing a multi-user server environment, investigating security incidents, or ensuring regulatory compliance, understanding how to effectively track user activity can make the difference between a secure system and a compromised one. This comprehensive guide will walk you through various methods, tools, and best practices for monitoring user activity in Linux systems. Table of Contents - [Introduction](#introduction) - [Prerequisites](#prerequisites) - [Understanding Linux Logging Architecture](#understanding-linux-logging-architecture) - [Built-in Commands for User Activity Tracking](#built-in-commands-for-user-activity-tracking) - [Log File Analysis](#log-file-analysis) - [Advanced Monitoring Tools](#advanced-monitoring-tools) - [Real-time User Activity Monitoring](#real-time-user-activity-monitoring) - [Process and Command Monitoring](#process-and-command-monitoring) - [Network Activity Tracking](#network-activity-tracking) - [Automated Monitoring Solutions](#automated-monitoring-solutions) - [Common Issues and Troubleshooting](#common-issues-and-troubleshooting) - [Best Practices](#best-practices) - [Security Considerations](#security-considerations) - [Conclusion](#conclusion) Introduction User activity tracking in Linux involves monitoring various aspects of user behavior, including login sessions, command execution, file access, network connections, and system resource usage. This information is invaluable for: - Security auditing: Detecting unauthorized access or suspicious activities - Compliance requirements: Meeting regulatory standards like SOX, HIPAA, or PCI DSS - Performance optimization: Understanding system usage patterns - Troubleshooting: Identifying the root cause of system issues - Resource planning: Analyzing usage trends for capacity planning Linux provides numerous built-in tools and log files that capture user activity data. Additionally, third-party solutions can enhance monitoring capabilities for enterprise environments. Prerequisites Before diving into user activity tracking, ensure you have: System Requirements - Linux system with root or sudo access - Basic understanding of Linux command line - Familiarity with text editors (vi, nano, or emacs) - Understanding of file permissions and ownership Required Packages Most tools discussed are included in standard Linux distributions, but you may need to install additional packages: ```bash Ubuntu/Debian sudo apt update sudo apt install acct psacct auditd sysstat CentOS/RHEL/Fedora sudo yum install psacct audit sysstat or for newer versions sudo dnf install psacct audit sysstat ``` Permissions and Access Ensure you have appropriate permissions to: - Read system log files (typically in `/var/log/`) - Execute administrative commands - Configure system services if needed Understanding Linux Logging Architecture Linux systems use several logging mechanisms to track user and system activities: System Logging (rsyslog/syslog-ng) The primary logging system that handles most system and application logs: - Configuration: `/etc/rsyslog.conf` or `/etc/syslog-ng/syslog-ng.conf` - Log location: `/var/log/` - Key files: `auth.log`, `syslog`, `messages` Journal (systemd) Modern Linux distributions use systemd's journal for logging: - Command: `journalctl` - Storage: `/var/log/journal/` (persistent) or memory (volatile) - Advantages: Structured logging, indexing, filtering capabilities Audit System The Linux Audit system provides detailed security-relevant logging: - Daemon: `auditd` - Configuration: `/etc/audit/auditd.conf` - Rules: `/etc/audit/rules.d/` - Logs: `/var/log/audit/audit.log` Built-in Commands for User Activity Tracking Linux provides several built-in commands for tracking user activity: who Command Displays currently logged-in users: ```bash Show current users who Show detailed information who -a Show login times and processes who -u ``` Example output: ``` john pts/0 2024-01-15 09:30 (192.168.1.100) alice pts/1 2024-01-15 10:15 (192.168.1.101) ``` w Command Shows detailed information about logged-in users and their activities: ```bash Basic usage w Show specific user w john Suppress header w -h ``` Example output: ``` 10:45:23 up 2:15, 2 users, load average: 0.15, 0.10, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT john pts/0 192.168.1.100 09:30 0.00s 0.12s 0.01s vim report.txt alice pts/1 192.168.1.101 10:15 5:00 0.05s 0.02s -bash ``` last Command Shows login history from `/var/log/wtmp`: ```bash Show recent logins last Show specific user last john Show last 10 entries last -n 10 Show logins from specific date last -s 2024-01-01 Show failed login attempts lastb ``` users Command Simple command showing currently logged-in usernames: ```bash users Output: alice john ``` id Command Shows user and group information: ```bash Current user id Specific user id john Show only user ID id -u john ``` Log File Analysis Authentication Logs /var/log/auth.log (Ubuntu/Debian) Contains authentication-related events: ```bash Monitor authentication events sudo tail -f /var/log/auth.log Search for failed login attempts sudo grep "Failed password" /var/log/auth.log Search for successful logins sudo grep "Accepted password" /var/log/auth.log Find sudo usage sudo grep "sudo:" /var/log/auth.log ``` /var/log/secure (CentOS/RHEL) Similar to auth.log but on Red Hat-based systems: ```bash Monitor security events sudo tail -f /var/log/secure Find SSH login attempts sudo grep "sshd" /var/log/secure ``` System Logs /var/log/syslog or /var/log/messages General system activity logs: ```bash Monitor system events sudo tail -f /var/log/syslog Search for user-related events sudo grep "user" /var/log/syslog Filter by date sudo grep "Jan 15" /var/log/syslog ``` Login Records /var/log/wtmp and /var/log/utmp Binary files containing login records: ```bash Current login sessions utmpdump /var/run/utmp Historical login data utmpdump /var/log/wtmp | tail -20 Failed login attempts utmpdump /var/log/btmp ``` Advanced Monitoring Tools Process Accounting (acct) Process accounting tracks every command executed on the system: Installation and Setup ```bash Install accounting package sudo apt install acct # Ubuntu/Debian sudo yum install psacct # CentOS/RHEL Enable accounting sudo accton on Or specify accounting file sudo accton /var/log/account/pacct ``` Using Process Accounting Commands ```bash Show command summary by user sa -u Show individual commands lastcomm Show commands by specific user lastcomm john Show commands in time range lastcomm --time-range 09:00-17:00 ``` Linux Audit System (auditd) The audit system provides comprehensive security event logging: Configuration ```bash Install audit system sudo apt install auditd audispd-plugins Start audit daemon sudo systemctl start auditd sudo systemctl enable auditd ``` Adding Audit Rules ```bash Edit audit rules sudo nano /etc/audit/rules.d/audit.rules Example rules: Monitor file access -w /etc/passwd -p wa -k passwd_changes Monitor system calls -a always,exit -F arch=b64 -S execve -k command_exec Monitor user login/logout -w /var/log/wtmp -p wa -k session Load rules sudo augenrules --load ``` Analyzing Audit Logs ```bash Search audit logs sudo ausearch -k passwd_changes Search by user sudo ausearch -ui john Search by time sudo ausearch -ts today Generate reports sudo aureport --summary sudo aureport --login sudo aureport --executable ``` System Activity Reporter (sar) Part of the sysstat package, sar provides system performance data: ```bash CPU usage by user sar -u 1 10 Memory usage sar -r 1 5 I/O statistics sar -b 1 5 Network statistics sar -n DEV 1 5 Generate daily report sar -A > daily_report.txt ``` Real-time User Activity Monitoring Using watch Command Monitor commands in real-time: ```bash Monitor logged-in users watch -n 1 'who' Monitor system processes watch -n 2 'ps aux --sort=-%cpu | head -20' Monitor network connections watch -n 5 'netstat -tuln' ``` Monitoring with tail Follow log files in real-time: ```bash Follow multiple logs simultaneously sudo tail -f /var/log/auth.log /var/log/syslog Follow with grep filtering sudo tail -f /var/log/auth.log | grep "Failed password" ``` Using journalctl for Real-time Monitoring ```bash Follow journal in real-time sudo journalctl -f Follow specific service sudo journalctl -f -u ssh Follow with filtering sudo journalctl -f --grep="Failed password" ``` Process and Command Monitoring ps Command for Process Monitoring ```bash Show all processes with user information ps aux Show processes for specific user ps -u john Show process tree ps auxf Custom format showing user activity ps -eo user,pid,ppid,cmd,etime ``` top and htop Commands ```bash Interactive process monitoring top Show processes by user top -u john Enhanced version (if installed) htop Sort by different criteria in htop Press F6 to sort, F4 to filter ``` pstree Command ```bash Show process tree pstree Show with PIDs pstree -p Show for specific user pstree john ``` Monitoring Command History ```bash View user's command history sudo cat /home/john/.bash_history Monitor history file changes sudo tail -f /home/john/.bash_history Search command history sudo grep "sudo" /home/john/.bash_history ``` Network Activity Tracking netstat Command ```bash Show all network connections netstat -tuln Show connections with process info netstat -tulnp Show connections by user (requires lsof) lsof -i -P -n ``` ss Command (Modern Alternative) ```bash Show all sockets ss -tuln Show with process information ss -tulnp Show connections by specific user ss -tulnp | grep "users:(("john" ``` Monitoring SSH Connections ```bash Current SSH connections who | grep pts SSH connection logs sudo grep "sshd" /var/log/auth.log | tail -20 Failed SSH attempts sudo grep "Failed password" /var/log/auth.log | grep sshd ``` Automated Monitoring Solutions Creating Custom Monitoring Scripts User Login Monitor Script ```bash #!/bin/bash save as user_monitor.sh LOG_FILE="/var/log/user_activity.log" DATE=$(date '+%Y-%m-%d %H:%M:%S') Function to log user activity log_activity() { echo "[$DATE] $1" >> $LOG_FILE } Monitor current users CURRENT_USERS=$(who | wc -l) log_activity "Current logged in users: $CURRENT_USERS" Check for new logins RECENT_LOGINS=$(last -n 5 | head -5) log_activity "Recent logins: $RECENT_LOGINS" Check for failed login attempts FAILED_LOGINS=$(sudo grep "Failed password" /var/log/auth.log | tail -5) if [ ! -z "$FAILED_LOGINS" ]; then log_activity "Recent failed logins detected" fi ``` Automated Alert Script ```bash #!/bin/bash save as security_alert.sh ADMIN_EMAIL="admin@company.com" THRESHOLD=5 Check for excessive failed logins FAILED_COUNT=$(sudo grep "Failed password" /var/log/auth.log | grep "$(date '+%b %d')" | wc -l) if [ $FAILED_COUNT -gt $THRESHOLD ]; then echo "Alert: $FAILED_COUNT failed login attempts detected today" | \ mail -s "Security Alert - Failed Logins" $ADMIN_EMAIL fi Check for root login ROOT_LOGINS=$(sudo grep "Accepted password for root" /var/log/auth.log | grep "$(date '+%b %d')") if [ ! -z "$ROOT_LOGINS" ]; then echo "Alert: Root login detected: $ROOT_LOGINS" | \ mail -s "Security Alert - Root Login" $ADMIN_EMAIL fi ``` Cron Job Setup ```bash Edit crontab crontab -e Add monitoring jobs Run user monitor every 15 minutes /15 * /path/to/user_monitor.sh Run security alert check every hour 0 /path/to/security_alert.sh Generate daily activity report 0 6 * /path/to/daily_report.sh ``` Log Rotation Configuration ```bash Create logrotate configuration sudo nano /etc/logrotate.d/user_activity Configuration content: /var/log/user_activity.log { daily rotate 30 compress delaycompress missingok notifempty create 0644 root root } ``` Common Issues and Troubleshooting Log File Permissions Issue: Cannot read log files Solution: ```bash Check permissions ls -la /var/log/auth.log Add user to appropriate group sudo usermod -a -G adm username Or use sudo for one-time access sudo tail /var/log/auth.log ``` Missing Log Entries Issue: Expected log entries are missing Troubleshooting: ```bash Check if logging service is running sudo systemctl status rsyslog sudo systemctl status systemd-journald Check log configuration sudo nano /etc/rsyslog.conf Check disk space df -h /var/log Check log rotation sudo logrotate -d /etc/logrotate.conf ``` Audit System Issues Issue: auditd not capturing events Solutions: ```bash Check audit daemon status sudo systemctl status auditd Verify audit rules sudo auditctl -l Check audit log permissions ls -la /var/log/audit/ Test audit rule sudo auditctl -w /tmp/test -p wa -k test_rule ``` High Log Volume Issue: Logs growing too quickly Solutions: ```bash Implement log rotation sudo nano /etc/logrotate.d/custom Filter unnecessary entries sudo nano /etc/rsyslog.conf Add: *.info;mail.none;authpriv.none;cron.none /var/log/messages Use remote logging Configure rsyslog to send logs to central server ``` Performance Impact Issue: Monitoring affecting system performance Optimizations: ```bash Limit audit rules to essential items sudo nano /etc/audit/rules.d/audit.rules Use log sampling for high-volume events Adjust monitoring frequency in cron jobs Implement log compression sudo nano /etc/logrotate.d/audit Add: compress ``` Best Practices Security Best Practices 1. Protect Log Files ```bash # Set appropriate permissions sudo chmod 640 /var/log/auth.log sudo chown root:adm /var/log/auth.log # Use immutable attribute for critical logs sudo chattr +a /var/log/audit/audit.log ``` 2. Centralized Logging ```bash # Configure rsyslog for remote logging echo ". @@logserver.company.com:514" >> /etc/rsyslog.conf ``` 3. Log Integrity ```bash # Use digital signatures for audit logs sudo nano /etc/audit/auditd.conf # Set: log_format = ENRICHED ``` Monitoring Best Practices 1. Establish Baselines - Document normal user activity patterns - Set appropriate alert thresholds - Regular review and adjustment of monitoring rules 2. Automated Analysis ```bash # Create summary reports #!/bin/bash # weekly_summary.sh echo "Weekly User Activity Summary" echo "=============================" echo "Total logins: $(last | wc -l)" echo "Unique users: $(last | awk '{print $1}' | sort -u | wc -l)" echo "Failed attempts: $(sudo grep 'Failed password' /var/log/auth.log | wc -l)" ``` 3. Regular Maintenance ```bash # Clean old logs find /var/log -name ".log." -mtime +90 -delete # Archive important logs tar -czf /backup/logs/$(date +%Y%m%d)_logs.tar.gz /var/log/audit/ ``` Compliance Considerations 1. Data Retention - Implement appropriate log retention policies - Ensure compliance with regulatory requirements - Document log management procedures 2. Access Control - Limit access to log files - Implement role-based access control - Regular access review and audit 3. Monitoring Coverage - Ensure all critical activities are logged - Regular testing of monitoring systems - Document monitoring procedures Security Considerations Protecting Monitoring Infrastructure 1. Secure Log Storage ```bash # Encrypt log partition sudo cryptsetup luksFormat /dev/sdb1 sudo cryptsetup luksOpen /dev/sdb1 encrypted_logs sudo mkfs.ext4 /dev/mapper/encrypted_logs ``` 2. Network Security - Use encrypted connections for remote logging - Implement firewall rules for log servers - Regular security updates 3. Detection Evasion Prevention ```bash # Monitor for log tampering sudo auditctl -w /var/log/auth.log -p wa -k log_tampering # Implement file integrity monitoring sudo aide --init sudo aide --check ``` Incident Response Integration 1. Alert Prioritization - Critical: Root access, failed login storms - High: Unusual user activity, privilege escalation - Medium: Off-hours access, new user creation 2. Automated Response ```bash # Example: Block IP after failed attempts #!/bin/bash FAILED_IPS=$(sudo grep "Failed password" /var/log/auth.log | \ grep "$(date '+%b %d')" | \ awk '{print $(NF-3)}' | sort | uniq -c | \ awk '$1 > 5 {print $2}') for IP in $FAILED_IPS; do sudo iptables -A INPUT -s $IP -j DROP done ``` Conclusion Tracking user activity in Linux is essential for maintaining system security, ensuring compliance, and optimizing performance. This comprehensive guide has covered various methods and tools available for monitoring user activity, from basic built-in commands to advanced audit systems and automated monitoring solutions. Key Takeaways 1. Multiple Monitoring Layers: Combine different tools and methods for comprehensive coverage 2. Proactive Monitoring: Implement real-time monitoring and automated alerts 3. Regular Review: Continuously analyze logs and adjust monitoring strategies 4. Security Focus: Protect monitoring infrastructure and maintain log integrity 5. Compliance Alignment: Ensure monitoring meets regulatory requirements Next Steps To further enhance your user activity monitoring capabilities: 1. Implement SIEM Solutions: Consider enterprise-grade Security Information and Event Management systems 2. Machine Learning Integration: Explore AI-based anomaly detection tools 3. Cloud Integration: Adapt monitoring strategies for cloud and hybrid environments 4. Advanced Analytics: Implement user behavior analytics (UBA) solutions 5. Continuous Improvement: Regular assessment and improvement of monitoring procedures Additional Resources - Linux Audit Documentation: `/usr/share/doc/auditd/` - System logging configuration: `man rsyslog.conf` - Process accounting: `man acct` - Security frameworks: NIST Cybersecurity Framework, CIS Controls By implementing the techniques and best practices outlined in this guide, you'll be well-equipped to effectively monitor user activity in your Linux environment, ensuring security, compliance, and optimal system performance. Remember that monitoring is an ongoing process that requires regular attention, updates, and refinement to remain effective against evolving security threats and changing business requirements.