One convenient way to list details about user logins on a Linux system is to use the lslogins command. You'll get a very useful and nicely formatted display that includes quite a few important details.
On my system and probably most others, user accounts will start with UID 1000. To list just these accounts rather than include all of the service accounts like daemon, mail and syslog, add the -u option as shown in the example below.
$ sudo lslogins -u
UID   USER    PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0     root     151        0        0            root
1000  shs       68        0        0 12:35      Sandra H-S
1001  nemo       0        0        0 2021-Jan05 Nemo Demo,,,
1002  dbell      0        0        1            Dory Bell
1003  shark      2        0        0 7:15       Sharon Hark
1004  tadpole    0        0        0 2020-Dec05 Ted Pole
1005  eel        0        0        0 2021-Jan11 Ellen McDay
1006  bugfarm    0        0        0 2021-Jan01 Bug Farm
1008  dorothy    0        0        1            Dorothy Reuben
1012  jadep      0        0        1 2021-Jan04 Jade Jones
1013  myself     0        0        0 2021-Jan12 My Self
1014  marym      0        0        0 2020-Mar20 Mary McShea
1017  gijoe      0        0        0            GI Joe
65534 nobody     0        0        1            nobody
What the lslogins command does is grab relevant information from system files such as /etc/passwd, /etc/shadow and /var/log/wtmp and lay it out in a format like that shown here. If you run this command without using sudo, you will not be able to retrieve all of the information shown. Non-privileged accounts won't have access to all of the files that are needed.
The display shows the numeric UIDs, usernames and the number of processes running. This output suggests that the first user listed is likely logged in on the system console since she has 68 running processes. What we don't see is that she's also logged in on a pseudo terminal; we would see two entries for this user if we used the who command.
The next two columns (PWD-LOCK and PWD-DENY) show that 4 accounts are locked. Each of these has a password hash field in the /etc/shadow file that begins with a "!". In addition, we see only 5 "recent" logins. (I put "recent" in quotes because March 20, 2020 doesn't seem all that recent to me.) This suggests not only that this user probably doesn't need her account any longer but that the system generally isn't heavily used because the /var/log/wtmp file rolled over in March 2020 or earlier. Since two of those LAST-LOGIN dates only show times (not dates), we know that they're both showing today's logins.
Show details for only one user
If you want to display the details for one particular user only, you can add the username to the command as an argument. You'll see quite a different display format and some additional details:
$ sudo lslogins shs
Username:                           shs
UID:                                1000
Gecos field:                        Sandra H-S
Home directory:                     /home/shs
Shell:                              /bin/bash
No login:                           no
Password is locked:                 no
Password not required:              no
Login by password disabled:         no
Password encryption method:         SHA-512
Primary group:                      shs
GID:                                1000
Supplementary groups:               secteam,sudo
Supplementary group IDs:            11,27
Last login:                         14:44
Last terminal:                      pts/1
Last hostname:                      192.168.0.13
Hushed:                             no
Password expiration warn interval:  7
Password changed:                   2020-Sep30
Maximum change time:                99999
Running processes:                  67
Look for failed logins
To detect failed logins, use the -f option (making the options -uf) as shown in this example:
$ sudo lslogins -uf
UID   USER    FAILED-LOGIN FAILED-TTY
0     root
1000  shs
1001  nemo
1002  dbell   12:49        ssh:notty
1003  shark
1004  tadpole
1005  eel
1006  bugfarm
1008  dorothy
1012  jadep
1013  myself
1017  gijoe
If you want a list of usernames with failed logins, you could do this:
$ sudo lslogins -f | awk '{if ($4) print $2;}'
USER
dbell
View when passwords were last changed or will be expiring
Use the -a option to display password changing and expiration details.
$ sudo lslogins -ua
UID   USER    PWD-WARN PWD-MIN PWD-MAX PWD-CHANGE PWD-EXPIR
0     root           7           99999 2020-Sep21
1000  shs            7           99999 2020-Sep30
1001  nemo           7              90 2020-Dec04
1002  dbell         14              90 2020-Oct27
1003  shark          7      10      90 2020-Mar15
1004  tadpole        7           99999 2019-Oct14 2020-Nov10
1005  eel            7           99999 2020-Jan18
1006  bugfarm        7           99999 2020-Jul08
1008  dorothy        7           99999 2019-Jul08
1012  jadep          7           99999 2019-Jul15
1013  myself         7           99999 2020-Jan18
1017  gijoe          7           99999 2020-Nov11
Use : as a field separator
Use the -c option to have your lslogins details colon-separated. This can be helpful if you intend to process this information further.
$ sudo lslogins -c | awk -F ":" '$1 >= 1000 {print}'
UID:USER:PROC:PWD-LOCK:PWD-DENY:LAST-LOGIN:GECOS
1000:shs:68:0:0:14:44:Sandra\x20H-S
1001:nemo:0:0:0:2020-Dec05:Nemo\x20Demo,,,
1002:dbell:0:0:1::Dory\x20Bell
1003:shark:0:0:0::Shark,,,
1004:tadpole:0:0:0::Tad\x20Pole,,,
1005:eel:0:0:0::Ellen,El,,
1006:bugfarm:0:0:0::Bug\x20Farm
1008:dorothy:0:0:1::Dorothy\x20Lee
1012:jadep:0:0:1::Jade\x20Jones
1013:myself:0:0:0::My\x20Self
1017:gijoe:0:0:0::GI\x20Joe
65534:nobody:0:0:1::nobody
List accounts running more than 10 processes
To get a quick list of how many users are running 10 or more processes, you can have the awk command shown below examine the third field in the lslogins output. Fortunately for me, the string "PROC" is also alphanumerically greater than "10", so I don't have to make any extra effort to retain the normal column headings.
$ sudo lslogins | awk '$3 >= 10 {print}'
UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS
0 root 152 0 0 root
1000 shs 68 0 0 14:44 Sandra H-S
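The -c output shown earlier hides a trap for scripts: a LAST-LOGIN time such as 14:44 adds an extra colon-separated field, and spaces in GECOS arrive as \x20. The shell functions below are an added example (not from the original article) that normalise that output and redo the process-count filter with an explicit header skip and a numeric comparison; the function names and the sample rows, modelled on the listings above, are constructed for illustration.

```shell
#!/bin/sh
# Added example: robust handling of `lslogins -c` output.
# Constructed sample modelled on the listings above (backslashes are literal).
SAMPLE='UID:USER:PROC:PWD-LOCK:PWD-DENY:LAST-LOGIN:GECOS
0:root:152:0:0::root
1000:shs:68:0:0:14:44:Sandra\x20H-S
1001:nemo:0:0:0:2020-Dec05:Nemo\x20Demo,,,
1002:dbell:0:0:1::Dory\x20Bell
65534:nobody:0:0:1::nobody'

# normalize_lslogins: read `lslogins -c` text on stdin and write tab-separated
# UID USER PROC PWD-LOCK PWD-DENY LAST-LOGIN GECOS records (header dropped).
# Fields 1-5 never contain ":" and GECOS is always last, so everything in
# between is LAST-LOGIN, even when a time like 14:44 adds a field.
normalize_lslogins() {
    awk -F: '
    NR == 1 { next }                        # skip the header explicitly
    NF >= 7 {                               # ignore short or malformed lines
        last = $6
        for (i = 7; i < NF; i++) last = last ":" $i
        gecos = $NF
        gsub(/\\x20/, " ", gecos)           # undo the \x20 space escaping
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, last, gecos
    }'
}

# busy_users N: usernames running at least N processes. The comparison is
# forced numeric, so nothing depends on how a header string happens to sort.
busy_users() {
    normalize_lslogins | awk -F'\t' -v n="$1" '$3 + 0 >= n + 0 { print $2 }'
}

# denied_users: accounts with UID >= 1000 whose PWD-DENY flag is set.
denied_users() {
    normalize_lslogins | awk -F'\t' '$1 + 0 >= 1000 && $5 == 1 { print $2 }'
}

# Stand-alone demo on the constructed sample. On a live system:
#   sudo lslogins -c | busy_users 10
printf '%s\n' "$SAMPLE" | normalize_lslogins
```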
Wrap-Up
The lslogins command provides quite a few useful options for looking into user accounts, but requires using sudo or logging in as root to see all of the details. Check out the man page to learn even more about this command.
Copyright © 2021 IDG Communications, Inc.