A system administrator should be able to review authentication logs and monitor the activity of users and groups. In this article you will learn the basic concepts behind user management, monitoring and authentication logging.
Monitoring System Logins
Once the server is set up and all users are configured, you need a monitoring component that keeps track of system authentication. Most Linux distributions have a file known as auth.log, which logs all authentication attempts. You can find it at /var/log/auth.log.
sudo less /var/log/auth.log
Jun 5 06:45:05 ns2 CRON[7808]: pam_unix(cron:session): session closed for user www-data
Jun 5 06:45:05 ns2 CRON[7809]: pam_unix(cron:session): session closed for user munin
Jun 5 06:45:20 ns2 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Jun 5 06:45:20 ns2 pkexec[7836]: raj: Executing command [USER=root] [TTY=unknown] [CWD=/home/raj] [COMMAND=/usr/lib/update-notifier/package-system-locked]
Jun 5 06:47:01 ns2 CRON[7902]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 5 06:47:02 ns2 CRON[7902]: pam_unix(cron:session): session closed for user root
Jun 5 06:48:11 ns2 compiz: gkr-pam: unlocked login keyring
Jun 5 06:50:01 ns2 CRON[7935]: pam_unix(cron:session): session opened for user www-data by (uid=0 ...
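As an added example (not part of the original article), the shell functions below summarise the pam_unix "session opened" lines shown above by service, target user and opening uid, and list root sessions that were opened by a non-root uid. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise pam_unix session events in an auth.log-style file.

# Constructed sample input, modelled on the auth.log lines shown above.
sample_log() {
cat <<'EOF'
Jun 5 06:45:05 ns2 CRON[7808]: pam_unix(cron:session): session closed for user www-data
Jun 5 06:45:20 ns2 pkexec: pam_unix(polkit-1:session): session opened for user root by (uid=1000)
Jun 5 06:47:01 ns2 CRON[7902]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 5 06:47:02 ns2 CRON[7902]: pam_unix(cron:session): session closed for user root
Jun 5 06:48:11 ns2 compiz: gkr-pam: unlocked login keyring
Jun 5 06:50:01 ns2 CRON[7935]: pam_unix(cron:session): session opened for user www-data by (uid=0)
EOF
}

# Print "service user opener_uid count" for every opened session.
# Reads the files given as arguments, or stdin when none are given.
session_summary() {
    awk '/pam_unix\(.*:session\): session opened for user / {
        # PAM service name, e.g. "cron" from "pam_unix(cron:session)"
        svc = $0; sub(/.*pam_unix\(/, "", svc); sub(/:session\).*/, "", svc)
        # Target account; also copes with the newer "root(uid=0)" spelling
        user = $0; sub(/.*session opened for user /, "", user); sub(/[ (].*/, "", user)
        # uid of the account that opened the session (the text after " by ")
        uid = "?"; opener = $0
        if (sub(/.* by /, "", opener) && match(opener, /uid=[0-9]+/))
            uid = substr(opener, RSTART + 4, RLENGTH - 4)
        n[svc " " user " " uid]++
    }
    END { for (k in n) print k, n[k] }' "$@" | LC_ALL=C sort
}

# Root sessions opened by a non-root uid (privilege changes worth reviewing).
root_by_nonroot() {
    session_summary "$@" | awk '$2 == "root" && $3 != "0" && $3 != "?"'
}

# Demo on the constructed sample; on a real host pass the log path instead,
# e.g. root_by_nonroot /var/log/auth.log (reading it needs root).
sample_log | root_by_nonroot
```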
Making use of the ‘last’ Command
In practice, to monitor the most recent login attempts you can use the ‘last’ tool.
last
raj pts/0 :0 Wed Jun 1 14:33 - 19:04 (04:30)
raj :0 :0 Wed Jun 1 14:30 - down (04:34)
reboot system boot 3.13.0-85-generi Wed Jun 1 14:30 - 19:04 (04:34)
raj pts/9 :0 Wed Jun 1 12:57 - 12:57 (00:00)
raj pts/4 :0 Wed Jun 1 12:56 - 12:59 (00:02)
As you can see, the output is essentially a formatted view of /var/log/wtmp. From it you can tell whether a particular user is still logged in, and you can read the previous login timestamp and session duration of any user.
Making use of the ‘lastlog’ Command
To check the last login time of each user, you can use the ‘lastlog’ command. The file /var/log/lastlog holds the information on last logins. The output is ordered by the entries in the /etc/passwd file.
lastlog
Username Port From Latest
raj pts/1 rrcs-72-43-115-1 Thu jun 1 19:37:02 +0000 2013
daemon **Never logged in**
bin **Never logged in**
sys **Never logged in**
sync **Never logged in**
games **Never logged in**
. . .
From the output you can read the last login time of every user. System users don’t have authentication set up, hence their entries show ‘Never logged in’.
We have covered only the basic tools for tracking user authentication logs; Linux distributions offer many other ways of tracking system authentication.