Linux Security Audit: Mastering the ‘who’ Command for Real-Time User Monitoring
Welcome back to Darren’s Tech Tutorials!
In the world of system administration, security and accountability are non-negotiable. If you run a multi-user Linux system—whether it’s a dedicated server or a shared development environment—you need to know exactly who is logged in, where they came from, and how long they’ve been active.
Fortunately, Linux provides a simple, indispensable tool designed specifically for this purpose: the who command.
This guide will walk you through mastering the who command, showing you how to quickly gather crucial login data, troubleshoot connection issues, and maintain a secure environment without breaking a sweat. Let’s dive in!
The Basics: What is the who Command?
The who command is one of the most fundamental utilities in Linux, giving you a snapshot of all users currently active on the system. When you execute who without any options, it returns four key pieces of information for every active session:
- Username: Who is logged in.
- Terminal Line (TTY/PTS): The specific console or pseudo-terminal they are using.
- Login Time: The date and time the user logged in.
- Host/IP Address: Where the user logged in from (if connecting remotely).
Running the Standard Command
To see the list of currently logged-in users, simply type:
$ who
Pro Tip: If you want a quick count of how many users are active, use the quick mode (-q):
$ who -q
This is excellent for rapid system load checks!
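The four fields above are enough to build a simple audit check. The following is an added example, not part of the original tutorial: it reads `who` output and reports remote sessions whose origin is not on an allowlist. The sample output, the allowlist prefixes and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag remote logins in `who` output whose origin is not allowlisted.
# SAMPLE_WHO is constructed output in the usual `who` column layout, not real data.
SAMPLE_WHO='alice    pts/0        2024-05-01 09:12 (203.0.113.7)
bob      tty1         2024-05-01 08:00
carol    pts/1        2024-05-01 10:30 (10.0.0.15)
dave     pts/2        2024-05-01 10:41 (:0)
erin     pts/3        2024-05-01 11:02 (tmux(4021).%0)'

# Hypothetical allowlist of expected origin prefixes (assumption for this example).
ALLOWED_PREFIXES='10.0.0. 192.168.1.'

# remote_sessions: read `who` output on stdin and print "user tty host" for
# sessions whose last field is a parenthesised remote origin.
remote_sessions() {
    awk '
        $NF ~ /^\(.*\)$/ {
            host = substr($NF, 2, length($NF) - 2)
            # Local X displays (":0") and tmux panes are not remote logins.
            if (host ~ /^:/ || host ~ /^tmux/) next
            print $1, $2, host
        }'
}

# unexpected_sessions: keep only remote sessions matching no allowed prefix.
unexpected_sessions() {
    remote_sessions | while read -r user tty host; do
        ok=no
        for p in $ALLOWED_PREFIXES; do
            case "$host" in "$p"*) ok=yes ;; esac
        done
        if [ "$ok" = no ]; then
            echo "$user $tty $host"
        fi
    done
    return 0
}

# Run against the sample; on a live system use: who | unexpected_sessions
printf '%s\n' "$SAMPLE_WHO" | unexpected_sessions
```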
Essential who Command Options
While the basic output is useful, the real power of who comes from its command-line options, which allow you to tailor the output for specific auditing or troubleshooting tasks.
1. Show All Available Information (-a)
For comprehensive system auditing, the -a (all) option displays the broadest possible output, including inactive sessions, boot time, system run level, and dead processes.
$ who -a
This output is key for security checks, as it often reveals status information that might indicate system changes or lingering issues.
2. Display the System’s Boot Time (-b)
Need to know exactly when the system last restarted? The -b (boot) option is your friend. This is crucial for analyzing logs relative to the last system startup.
$ who -b
The output provides a clear timestamp of the last successful reboot.
3. Adding Descriptive Headers (-H)
When dealing with many entries, it can be easy to lose track of which column is which. The -H (header) option simply adds a helpful descriptive header row to your output, making the data instantly readable. This is highly recommended for scripts or troubleshooting sessions.
$ who -H
4. Monitoring Terminal Activity (-T)
To monitor the terminal message status of users (i.e., whether you can send them a message using the write command), use the -T (mesg) option.
The status codes are:
- +: Message passing is allowed.
- -: Message passing is denied.
- ?: A line error occurred.
$ who -T
Advanced Monitoring: Filtering and Troubleshooting
The who command is surprisingly useful for identifying and troubleshooting specific login issues, especially those involving stale or dead terminal sessions.
Targeting Dead Processes (-d)
If a user terminates their session abruptly (e.g., closing a window without logging out), their entry might remain on the system, sometimes cluttering the results. The -d (dead) option specifically lists these dead or expired processes, helping you identify sessions that need manual cleanup or investigation.
$ who -d
Displaying Active Process Information (-p)
To see the process ID (PID) of the user’s login shell, you can use the -p (process) option. This is essential information if you need to manually manage or terminate a specific user session through other tools.
$ who -p
Focusing on Yourself (-m or am i)
If you just want to verify your own login details (which terminal you are using, where you logged in from), you can use the simple am i syntax:
$ who am i
Alternatively, the -m option provides the same focused output:
$ who -m
This is useful for scripting and quick checks within nested SSH sessions.
Beyond who: Related Commands
While who gives you the immediate snapshot, monitoring user activity often involves two other closely related commands:
- w (What): Shows who is logged on and what they are doing. This is an extremely useful complement to who as it includes load average and the running command for each user.
- last: Displays a historical log of all previous user logins and reboots, pulled from the /var/log/wtmp file.
Mastering the combination of who, w, and last ensures you have full visibility over current and past activity on your system.
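Between the current snapshot from who and the history from last, a useful middle ground is comparing two who snapshots taken at different times. The following is an added example, not part of the original tutorial: it reports sessions that appeared or ended between two captures. Both snapshots are constructed sample data and session_diff is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: compare two `who` snapshots and report new and ended sessions.
# Both snapshots are constructed sample output, not real data.
SNAP_OLD='alice    pts/0        2024-05-01 09:12 (203.0.113.7)
bob      tty1         2024-05-01 08:00'
SNAP_NEW='bob      tty1         2024-05-01 08:00
carol    pts/1        2024-05-01 10:30 (10.0.0.15)
alice    pts/0        2024-05-01 10:45 (198.51.100.9)'

# session_diff OLD NEW: print "NEW <line>" for sessions only in NEW and
# "ENDED <line>" for sessions only in OLD. A session is identified by the whole
# line (user, tty, login time, origin), so a re-login on a reused tty shows up
# as one ended session and one new session.
session_diff() {
    {
        printf '%s\n' "$1" | sed 's/^/prev /'
        printf '%s\n' "$2" | sed 's/^/cur /'
    } | awk '
        # Strip the side tag; rebuilding $0 also squeezes the column padding.
        { side = $1; $1 = ""; sub(/^ /, ""); key = $0 }
        key == "" { next }                      # empty snapshot
        side == "prev" { prev[key] = 1 }
        side == "cur"  { cur[key] = 1 }
        END {
            for (k in cur)  if (!(k in prev)) print "NEW " k
            for (k in prev) if (!(k in cur))  print "ENDED " k
        }' | sort
}

# Run against the samples; on a live system, save `who` output periodically
# and pass the previous and current captures as the two arguments.
session_diff "$SNAP_OLD" "$SNAP_NEW"
```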
Start Auditing Your System Today!
The who command might seem simple on the surface, but its versatility makes it an indispensable tool for every Linux administrator. From basic accountability checks to deep-dive security audits and login troubleshooting, who delivers the information you need in seconds.
Take a few minutes right now and try out the -a, -H, and -d options on your own system. See what details you discover!
Did this tutorial help you clarify the security status of your Linux machine? If so, hit that like button, subscribe to Darren’s Tech Tutorials for more practical guides, and drop a comment below letting us know your favorite who command trick!
Happy auditing!