How to Monitor Linux User Activity with Built‑In Commands and Auditd

This guide explains how to track Linux user activity and system events using native commands such as who, w, last, ps, ss, journalctl, and the auditd framework, providing step‑by‑step examples and advanced auditing techniques for security and compliance.

Liangxu Linux

Introduction

Monitoring user activity is a crucial part of Linux system security, helping administrators detect issues, trace events, and maintain compliance. The following sections describe several built‑in tools and the auditd framework, each with concrete command examples.

Using who and w Commands

1. View currently logged‑in users

who

2. View user activity and system load

w

Using last Command

1. Show login history for all users

last

2. Show login history for a specific user

last username

Using auditd Auditing Tool

1. Install and start auditd

sudo apt install auditd   # Debian/Ubuntu
sudo yum install audit   # CentOS/RHEL
sudo systemctl start auditd

2. Monitor file access

sudo auditctl -w /path/to/directory -p rwxa   # runtime rule; lost on reboot unless also added under /etc/audit/rules.d/

3. View audit logs

sudo cat /var/log/audit/audit.log

Using ps Command

1. List processes for all users

ps aux

2. List processes for a specific user

ps -u username

Using ss and netstat Commands

1. Show all network connections

ss -tuna   # -a includes established connections; -l alone lists only listening sockets

2. Filter connections for a specific user

ss -tunae | grep -w "uid:$(id -u username)"   # -e adds the owning UID to each socket line; ss prints no user names

Using journalctl to View System Logs

1. Show the complete system log

journalctl

2. Show sudo operations for a specific user

journalctl _COMM=sudo | grep username

Advanced Auditing with auditd and ausearch

1. Set an audit rule for sensitive files

sudo auditctl -w /path/to/sensitive/file -p rwa -k sensitive_file_access

2. Query audit logs for a user’s access to the sensitive file

sudo ausearch -k sensitive_file_access -ua username   # -ua matches the user's uid, euid or login uid (auid)
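
The following Python sketch is an added example, not code from the original article. It shows what a query on the rule key sensitive_file_access has to do with the raw log: join the SYSCALL and PATH records that share an event ID, then report the login UID (auid), which stays the same after su or sudo. The log lines, UIDs and the path /srv/secrets/db.conf are constructed, abbreviated sample data.

```python
import re
from collections import defaultdict

UNSET_AUID = 4294967295  # auid of processes with no login session (daemons)

# Constructed, abbreviated sample records in raw audit.log format (not from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:420): syscall=257 success=yes exit=3 pid=2140 auid=1001 uid=0 euid=0 comm="cat" exe="/usr/bin/cat" key="sensitive_file_access"
type=PATH msg=audit(1700000000.101:420): item=0 name="/srv/secrets/db.conf" nametype=NORMAL
type=SYSCALL msg=audit(1700000050.550:431): syscall=257 success=no exit=-13 pid=3310 auid=1002 uid=1002 euid=1002 comm="vim" exe="/usr/bin/vim" key="sensitive_file_access"
type=PATH msg=audit(1700000050.550:431): item=0 name="/srv/secrets/db.conf" nametype=NORMAL
type=SYSCALL msg=audit(1700000060.000:440): syscall=257 success=yes exit=3 pid=900 auid=4294967295 uid=0 euid=0 comm="backupd" exe="/usr/sbin/backupd" key="other_rule"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def accesses_by_key(text, key):
    """Join the SYSCALL and PATH records of each event tagged with the rule key."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:  # records of one event share the same timestamp:serial ID
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(1)].setdefault(fields["type"], fields)
    hits = []
    for event_id, recs in events.items():
        sc = recs.get("SYSCALL", {})
        if sc.get("key") != key:
            continue
        hits.append({
            "event": event_id,
            "auid": int(sc["auid"]),  # login UID, unchanged by su/sudo
            "uid": int(sc["uid"]),    # UID the process actually ran as
            "exe": sc["exe"],
            "success": sc["success"] == "yes",
            "path": recs.get("PATH", {}).get("name"),
        })
    return hits

def escalated(hits):
    """Accesses made under a different UID than the user logged in with."""
    return [h for h in hits if h["auid"] not in (h["uid"], UNSET_AUID)]

if __name__ == "__main__":
    for h in accesses_by_key(SAMPLE_LOG, "sensitive_file_access"):
        flag = " [uid differs from login uid]" if escalated([h]) else ""
        print(f'{h["event"]} auid={h["auid"]} uid={h["uid"]} {h["exe"]} '
              f'{h["path"]} ok={h["success"]}{flag}')
```

In raw logs, file names containing spaces or other special characters are hex-encoded; ausearch -i decodes them.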

Summary

Linux provides a variety of native commands and the powerful auditd framework to monitor user logins, activity, process usage, network connections, and system events. Regularly using tools such as who, w, last, ps, ss, journalctl, auditd, and ausearch helps maintain system security, ensure compliance, and quickly identify potential problems.
