Monitoring User Activity

Monitoring user activity serves two purposes: incident response (understanding what happened during a security event) and compliance (proving that access controls were followed). Ubuntu provides built-in tools for real-time monitoring, shell history, and process accounting, plus auditd for comprehensive tamper-resistant logging.

Real-time user monitoring

# See who is logged in and what they are running
w

w output

 14:30:00 up 5 days,  2:10,  2 users,  load average: 0.02, 0.05, 0.01
USER     TTY      FROM             LOGIN@   IDLE JCPU   PCPU WHAT
irfan    pts/0    192.168.1.45     14:00    0.00s 0.05s  0.00s w
deploy   pts/1    10.0.0.5         12:00   2:00m 0.10s  0.02s bash

# Show what a specific user is doing
watch -n1 "ps aux | grep ^irfan"

# Show all open files by a user
sudo lsof -u irfan | head -20

# Show network connections by a user. ss prints the owning process name and
# PID, not the user name, so grepping its output for a user name finds nothing;
# select sockets by user with lsof instead (-a ANDs the -u and -i filters)
sudo lsof -a -u irfan -i -n -P

# See terminal activity of another user in real time (read-only view)
# Their terminal device (from `w` output, e.g. pts/1):
sudo ttysnoop /dev/pts/1    # Requires the ttysnoop package, which is not
                            # shipped in current Ubuntu releases; the session
                            # recording section below is the supported route

Process monitoring by user

# List all processes for a specific user
ps aux | grep "^irfan"
ps -u irfan -f    # Full format, all irfan's processes

# Sort by CPU usage for a user
ps aux --sort=-%cpu | grep "^irfan" | head -10

# Monitor resource usage in real time
top -u irfan    # Press 1 to see per-CPU usage

# See process tree for a user (the user name is a positional argument;
# -u only marks where the UID changes along the tree, -p shows PIDs)
pstree -p -u irfan

# Send a signal to all processes of a user
sudo pkill -u irfan        # SIGTERM
sudo pkill -9 -u irfan     # SIGKILL (force)

Shell command history

# View a user's bash history (as root). If HISTTIMEFORMAT was set in the
# user's sessions, each command is preceded by a "#<epoch seconds>" line such
# as "#1717250400"; the raw file never contains formatted dates, only the
# "history" builtin renders them
sudo cat /home/irfan/.bash_history

# Force bash to append each command to the history file as it is entered
# (by default bash writes history only when the session ends cleanly, so a
# killed or crashed session leaves no trace)
# Add to /etc/bash.bashrc or each user's .bashrc:
echo 'PROMPT_COMMAND="history -a"' | sudo tee -a /etc/bash.bashrc

# Save timestamps in history (add to /etc/bash.bashrc so every interactive
# shell gets it; /etc/profile is only read by login shells)
echo 'export HISTTIMEFORMAT="%F %T  "' | sudo tee -a /etc/bash.bashrc

# Increase history size and prevent truncation (add to /etc/profile)
echo 'HISTSIZE=10000' | sudo tee -a /etc/profile
echo 'HISTFILESIZE=20000' | sudo tee -a /etc/profile

# Prevent users from truncating or editing the file (append-only flag).
# Appends via "history -a" still work, but bash's default write at exit
# rewrites the whole file and silently fails on an append-only file, so pair
# this with "shopt -s histappend" in the same bashrc and keep HISTFILESIZE
# large enough that bash never needs to trim the file
sudo chattr +a /home/irfan/.bash_history    # Append-only

📝 NOTE: Shell history is not a reliable audit mechanism — users can clear it, disable it, or redirect commands to avoid it. Use auditd with -S execve rules for tamper-resistant command logging. Shell history is useful for quick investigation but should not be your sole compliance audit tool.
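Reading a timestamped history file with cat only shows the raw "#<epoch>" marker lines. The following script, added here as an example and not part of the original article, renders those markers as dates and flags commands that carry no marker, which is what a hand-edited file or a session with HISTTIMEFORMAT unset looks like. The history content is a constructed sample; the function name render_bash_history is this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): render a .bash_history file
# written with HISTTIMEFORMAT set. bash stores each timestamp as a "#<epoch>"
# line before the command; this converts them to UTC dates and flags commands
# that have no timestamp marker at all.
set -eu

# Constructed sample, not a real capture. The last command has no "#<epoch>"
# line: that is what you see when HISTTIMEFORMAT was unset in that session or
# when someone edited the file by hand.
SAMPLE_HISTORY='#1717250400
cat /etc/shadow
#1717250405
sudo -l
ls -la'

# Reads history text on stdin and prints "<UTC date>  <command>" per command.
render_bash_history() {
  ts=""
  while IFS= read -r line; do
    case $line in
      "#"[0-9]*)
        # bash timestamp marker: strip the leading "#" and convert the epoch
        ts=$(TZ=UTC date -u -d "@${line#?}" '+%F %T')
        ;;
      *)
        printf '%s  %s\n' "${ts:-<no timestamp>}" "$line"
        ts=""   # each marker belongs to exactly one command
        ;;
    esac
  done
}

# Demo on the constructed sample; on a live system run:
#   sudo cat /home/irfan/.bash_history | render_bash_history
printf '%s\n' "$SAMPLE_HISTORY" | render_bash_history
```

A run of untimestamped entries in an otherwise timestamped file is a sign that the file was edited after the fact or that the user started a shell with HISTTIMEFORMAT unset; treat such entries as unverified and confirm them against the auditd execve log.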

Auditing with auditd

# Install and start auditd
sudo apt install -y auditd
sudo systemctl enable --now auditd

# Add a rule to log all commands executed by a specific user.
# Replace 1001 with the user's UID. Filter on auid (the login UID), which is
# preserved across su and sudo, so commands the user runs as root are still
# attributed to them; a plain uid filter would lose those. Add the b32 rule
# too, otherwise a 32-bit binary bypasses the b64 rule
sudo auditctl -a always,exit -F arch=b64 -F auid=1001 -S execve -k user-irfan-cmds
sudo auditctl -a always,exit -F arch=b32 -F auid=1001 -S execve -k user-irfan-cmds

# Or log all users
sudo auditctl -a always,exit -F arch=b64 -S execve -k all-commands
sudo auditctl -a always,exit -F arch=b32 -S execve -k all-commands

# Rules added with auditctl are lost at reboot. To persist them, put the same
# lines (without the leading "sudo auditctl") in /etc/audit/rules.d/commands.rules
# and load them with "augenrules --load"

# Search audit log for commands run by a user
sudo ausearch -ua 1001 --start today

# Search for a specific command
sudo ausearch -k all-commands -x bash | tail -30

# Generate a report of commands run today
sudo aureport --start today --end now -x --summary

aureport --summary output

Executable Summary Report
======================
Total Executable Events: 342
Files    Events Executable
      1      87 /usr/bin/ls
      1      63 /usr/bin/cat
      1      42 /usr/sbin/nginx

Session recording with asciinema

# Install asciinema for terminal session recording
sudo apt install -y asciinema

# The .cast file is written by the recorded user, so the directory must be
# writable by them (mode 1733: users can create files but cannot list or
# remove other users' files)
sudo install -d -m 1733 /var/log/sessions

# Record a session (the user can stop recording with exit)
asciinema rec /var/log/sessions/irfan-$(date +%Y%m%d-%H%M%S).cast

# Play back a recorded session
asciinema play /var/log/sessions/irfan-20240601-140000.cast

# For mandatory recording (all interactive SSH sessions recorded):
# Add to /etc/ssh/sshd_config (%u is expanded by sshd to the user name,
# $(date +%s) by the user's login shell that runs the forced command):
# ForceCommand asciinema rec -q /var/log/sessions/%u-$(date +%s).cast
#
# Caveats: ForceCommand discards whatever command the client asked for, so
# scp, sftp and "ssh host command" stop working for the affected users, and
# the recording runs with the user's own privileges, so they can delete their
# own .cast file. Use it alongside auditd, not instead of it.

File access monitoring

# inotifywait comes from the inotify-tools package
sudo apt install -y inotify-tools

# Watch a specific file for access in real time. inotify follows the inode,
# so a tool that replaces the file by writing a temp file and renaming it
# (vipw, most editors) ends the watch; watch the parent directory for those
sudo inotifywait -m -e access,modify,create,delete /etc/passwd

# Watch a directory recursively (access events on /etc are very noisy;
# narrow the path or the event list for anything beyond a short look)
sudo inotifywait -m -r -e access,modify /etc/

# Log inotify events to a file with timestamps
sudo inotifywait -m -r -e access,modify --timefmt '%F %T' --format '%T %w%f %e' -o /var/log/file-access.log /etc/ &

# inotify reports that a file was touched, not by whom. Use auditd to log
# access to sensitive files with the responsible user and process. Watching
# all of /home for reads records every read under every home directory, so
# limit that watch to writes and attribute changes
sudo auditctl -w /etc/passwd -p rwa -k passwd-access
sudo auditctl -w /home/ -p wa -k home-access

# Search for events on a watched file (-i shows names instead of numeric IDs)
sudo ausearch -k passwd-access --start today -i

Conclusion

Combine tools based on your monitoring needs: w and ps for real-time session visibility, shell history (with timestamps and an append-only file via chattr +a) for quick forensics, and auditd with execve rules for compliance-grade command logging that unprivileged users cannot alter (forward the audit log to a remote collector so that a root compromise cannot erase it either). Set HISTTIMEFORMAT system-wide so history entries include timestamps. For high-security environments, add session recording and auditd watches on sensitive paths, keeping inotifywait for short interactive checks since it does not record who performed the access.

FAQ

Is Monitoring User Activity important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
