Monitoring a system is an essential part of system administration, and regular monitoring and checking is the only way to make sure that everything is in order. There are several things to monitor on a server, viz. user accounts, CPU and memory load, and network traffic.
We will start with user accounts. In the previous post I have already discussed the security issues related to user accounts, why a good password policy is required and how to implement it, and how to check whether a user is trying to log in with an incorrect password or attempting to gain su privileges. A few basic commands to monitor user accounts are:
$ who → show who is logged on
user1 tty7 2011-10-27 14:38 (:0)
user1 pts/0 2011-10-27 14:39 (:0.0)
$ w → Show who is logged on and what they are doing.
14:40:30 up 2 min, 2 users, load average: 0.73, 0.32, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user1 tty7 :0 14:38 2:17 7.24s 0.12s gnome-session
user1 pts/0 :0.0 14:39 0.00s 0.30s 0.00s w
$ ps -u <username> → To see every process running for the user (matched by real and effective user ID); output format:
PID TTY TIME CMD
1563 ? 00:00:00 gdm-session-wor
1573 ? 00:00:00 gnome-keyring-d
1591 ? 00:00:00 gnome-session
1630 ? 00:00:00 ssh-agent
1633 ? 00:00:00 dbus-launch
1634 ? 00:00:00 dbus-daemon
1637 ? 00:00:00 gconfd-2
$ top -U <username> → Monitor only processes whose UID or user name matches the one given. This matches real, effective, saved, and filesystem UIDs.
$ faillog → display faillog records or set login failure limits
$ faillog -u user1
Login Failures Maximum Latest On
user1 0 0 01/01/70 05:30:00 +0530
System monitoring
You can perform most system monitoring using only two commands, but there are several more that you may want to know. The first two commands discussed below are the most important for any system administrator to know.
$ top -c → Displays all tasks currently running, in real time.
top - 19:00:03 up 9 min, 2 users, load average: 0.13, 0.45, 0.37
Tasks: 155 total, 2 running, 153 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.5%us, 1.8%sy, 0.0%ni, 96.0%id, 0.7%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2052028k total, 777968k used, 1274060k free, 69940k buffers
Swap: 3906552k total, 0k used, 3906552k free, 443180k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1209 root 20 0 75820 27m 15m S 2 1.4 0:23.38 /usr/bin/X :0 -nr -
1803 user1 20 0 50568 12m 9916 S 1 0.6 0:01.94 gnome-terminal
4 root 20 0 0 0 0 S 0 0.0 0:00.36 [ksoftirqd/0]
54 root 20 0 0 0 0 S 0 0.0 0:00.11 [scsi_eh_0]
1752 root 20 0 5188 992 712 S 0 0.0 0:00.25 udisks-daemon: poll
1895 user1 20 0 220m 87m 65m S 0 4.4 0:10.96 /usr/lib/openoffice
2026 user1 20 0 184m 46m 24m S 0 2.3 0:03.46 /usr/lib/firefox-3.
2176 user1 20 0 2548 1216 924 R 0 0.1 0:00.22 top -c
$ sar → Collect, report, or save system activity information.
Linux 2.6.32-34-generic (nick) 10/27/2011 _i686_ (2 CPU)
07:09:14 PM LINUX RESTART
07:11:10 PM LINUX RESTART
** The sar and top commands are very powerful tools that help a system administrator monitor his system. sar is part of the sysstat package, which includes a few more useful tools. You can install sysstat using one of the following commands:
1. sudo apt-get install sysstat
2. yum install sysstat
3. rpm -ivh sysstat-9.0.6-1.i586.rpm
A few more commands can also be interesting: uptime (to check how long the system has been running), vmstat (report virtual memory statistics), iostat (report CPU statistics and input/output statistics for devices, partitions and network filesystems (NFS)) and free (display the amount of free and used memory in the system).
$ lsof -u <username,username> → list open files for the usernames or user IDs specified; you can give multiple usernames at a time, separated by commas.
Now that, with all these commands, you know what is going on in your system, if not everything is working as intended it is time to take some action against the rogue user or process. For a user you want to take care of:
$ usermod -L <username> → Lock a user's password. This puts a ! in front of the encrypted password, effectively disabling the password.
$ usermod -U <username> → Unlock the user's password.
$ userdel -rf <username> → Remove the user from the system. Use the -r option to remove the user's home directory as well. ** Note that not all users have a home directory.
For a process that is consuming a lot of resources, try:
$ kill -9 <pid> → to kill the process forcefully. You can find the process ID from commands like top or ps.
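The user-account commands (who, faillog) and the process commands (ps, top) above are normally read by eye; the following added example (my own script, not part of the original post) turns their output into a short report so the same check can be run from cron. All sample output is constructed, not captured from a real host, and the thresholds are assumptions you would tune.

```shell
#!/bin/sh
# Added example, not from the original post: small filters that read the
# output of who, faillog and ps (as shown above) and report what needs a
# second look, so the check can be scripted instead of read by eye.
# Each function reads its command's output on stdin; the samples below are
# constructed, not captured from a real host.

# Sessions whose origin is not the local X display (:0, :0.0, ...).
remote_sessions() {
    awk '$NF ~ /^\(/ && $NF !~ /^\(:/ { print $1, $NF }'
}

# Accounts whose faillog failure count is at or above the threshold in $1.
# Expects the "Login Failures Maximum Latest On" layout; header is skipped.
users_over_faillog() {
    awk -v t="$1" 'NR > 1 && $2 + 0 >= t + 0 { print $1 }'
}

# Processes at or above the %CPU threshold in $1, from
# "ps -u <user> -o pid,pcpu,pmem,comm" output; header is skipped.
procs_over_cpu() {
    awk -v t="$1" 'NR > 1 && $2 + 0 >= t + 0 { print $1, $4 }'
}

# Constructed sample output (not real hosts, users or addresses).
WHO_SAMPLE='user1    tty7         2011-10-27 14:38 (:0)
user1    pts/0        2011-10-27 14:39 (:0.0)
deploy   pts/2        2011-10-27 14:41 (203.0.113.7)'

FAILLOG_SAMPLE='Login       Failures Maximum Latest                   On
user1           0        0   01/01/70 05:30:00 +0530
deploy          7        0   10/27/11 14:02:11 +0530  pts/2
backup          3        5   10/27/11 13:55:40 +0530  ssh'

PS_SAMPLE='  PID %CPU %MEM COMMAND
 1895  0.2  4.4 soffice.bin
 2026 95.1  2.3 firefox
 2176  0.0  0.1 top'

# Run all three checks over the samples; on a live box replace the
# printf pipelines with "who |", "faillog -a |" and "ps -u USER -o ... |".
report() {
    echo "sessions from remote hosts:"
    printf '%s\n' "$WHO_SAMPLE" | remote_sessions
    echo "accounts with 3 or more failed logins:"
    printf '%s\n' "$FAILLOG_SAMPLE" | users_over_faillog 3
    echo "processes using 50% CPU or more:"
    printf '%s\n' "$PS_SAMPLE" | procs_over_cpu 50
}
```

The filters only report; what to do about a flagged account or process is the decision covered in the next section.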
October 27th, 2011
Sanjib