# 1. 定期检查登录用户
# w | mail -s “Current logged users” admin@fgedu.net

# 2. 监控root用户登录
# who | grep root

# 3. 检查异常登录
# who | awk ‘{print $1}’ | sort | uniq -c | sort -rn

# 4. 记录用户活动
# w >> /var/log/user_activity.log

# 5. 检查用户权限
# id $(whoami)

# 6. 查看用户登录历史
# last | head -n 20

# 1. 显示当前登录用户
# who
root pts/0 2026-04-02 10:00 (192.168.1.100)
user1 pts/1 2026-04-02 10:05 (192.168.1.101)
user2 pts/2 2026-04-02 10:10 (192.168.1.102)

# 2. 显示所有信息
# who -a
system boot 2026-04-02 09:00
run-level 3 2026-04-02 09:00
root + pts/0 2026-04-02 10:00 . 12345 (192.168.1.100)
user1 + pts/1 2026-04-02 10:05 . 12346 (192.168.1.101)
user2 + pts/2 2026-04-02 10:10 . 12347 (192.168.1.102)

# 3. 显示系统启动时间
# who -b
system boot 2026-04-02 09:00

# 4. 显示当前运行级别
# who -r
run-level 3 2026-04-02 09:00

# 5. 显示标题行
# who -H
NAME LINE TIME COMMENT
root pts/0 2026-04-02 10:00 (192.168.1.100)
user1 pts/1 2026-04-02 10:05 (192.168.1.101)

# 6. 显示登录用户数量
# who -q
root user1 user2
# users=3

# 7. 显示用户消息状态
# who -T
root + pts/0 2026-04-02 10:00 (192.168.1.100)
user1 + pts/1 2026-04-02 10:05 (192.168.1.101)
user2 – pts/2 2026-04-02 10:10 (192.168.1.102)
（+表示允许消息，-表示禁止消息）

# 8. 显示当前终端用户
# who am i
root pts/0 2026-04-02 10:00 (192.168.1.100)

# 9. 显示登录进程
# who -l
LOGIN tty1 2026-04-02 09:00 1234 id=tty1

# 10. 显示死进程
# who -d

# 11. 显示所有登录用户
# who -u
root pts/0 2026-04-02 10:00 . 12345 (192.168.1.100)
user1 pts/1 2026-04-02 10:05 . 12346 (192.168.1.101)
user2 pts/2 2026-04-02 10:10 . 12347 (192.168.1.102)

# 12. 显示系统时钟最后修改时间
# who -t

# 13. 显示简短信息
# who -s
root pts/0 2026-04-02 10:00 (192.168.1.100)
user1 pts/1 2026-04-02 10:05 (192.168.1.101)

# 14. 显示init进程启动的活动进程
# who -p

# 15. 查看特定文件中的登录信息
# who /var/run/utmp
root pts/0 2026-04-02 10:00 (192.168.1.100)

# 1. 显示当前用户名
# whoami
root

# 2. 在脚本中使用
# cat > /tmp/check_user.sh << 'EOF' #!/bin/bash CURRENT_USER=$(whoami) if [ "$CURRENT_USER" != "root" ]; then echo "Error: This script must be run as root" exit 1 fi echo "Running as root" EOF # chmod +x /tmp/check_user.sh # /tmp/check_user.sh Running as root # 3. 检查用户权限 # id $(whoami) uid=0(root) gid=0(root) groups=0(root) # 4. 检查用户组 # groups $(whoami) root : root # 5. 检查用户主目录 # echo $HOME /root # 6. 检查用户Shell # echo $SHELL /bin/bash # 7. 检查用户ID # echo $UID 0 # 8. 检查用户环境变量 # env | grep USER USER=root # 9. 切换用户后检查 # su - user1 $ whoami user1 # 10. 使用sudo后检查 # sudo -u user1 whoami user1 # 11. 显示版本信息 # whoami --version whoami (GNU coreutils) 8.32 Copyright (C) 2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later .
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Richard M. Stallman and David MacKenzie.

# 12. 显示帮助信息
# whoami –help
Usage: whoami [OPTION]…
Print the user name associated with the current effective user ID.
Same as id -un.

–help display this help and exit
–version output version information and exit

GNU coreutils online help:
Full documentation
or available locally via: info ‘(coreutils) whoami invocation’

# 13. 与id命令对比
# id -un
root
（与whoami输出相同）

# 14. 在定时任务中使用
# cat > /etc/cron.d/check_user << 'EOF' * * * * * root echo "Current user: $(whoami)" >> /var/log/user_check.log
EOF

# 15. 在系统服务中使用
# cat > /etc/systemd/system/check_user.service << 'EOF' [Unit] Description=Check current user [Service] Type=oneshot ExecStart=/usr/bin/whoami [Install] WantedBy=multi-user.target EOF

# 1. 显示当前登录用户及活动
# w
10:00:00 up 1:00, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.1.100 10:00 1.00s 0.05s 0.01s w
user1 pts/1 192.168.1.101 10:05 5:00 0.10s 0.05s vim file.txt
user2 pts/2 192.168.1.102 10:10 0.00s 0.15s 0.10s top

# 2. 显示简短信息
# w -s
10:00:00 up 1:00, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM IDLE WHAT
root pts/0 192.168.1.100 1.00s w
user1 pts/1 192.168.1.101 5:00 vim file.txt
user2 pts/2 192.168.1.102 0.00s top

# 3. 不显示标题行
# w -h
root pts/0 192.168.1.100 10:00 1.00s 0.05s 0.01s w
user1 pts/1 192.168.1.101 10:05 5:00 0.10s 0.05s vim file.txt
user2 pts/2 192.168.1.102 10:10 0.00s 0.15s 0.10s top

# 4. 显示特定用户
# w root
10:00:00 up 1:00, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.1.100 10:00 1.00s 0.05s 0.01s w

# 5. 忽略当前进程的用户名
# w -u
10:00:00 up 1:00, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.1.100 10:00 1.00s 0.05s 0.01s w
user1 pts/1 192.168.1.101 10:05 5:00 0.10s 0.05s vim file.txt
user2 pts/2 192.168.1.102 10:10 0.00s 0.15s 0.10s top

# 6. 使用旧式输出
# w -o
10:00:00 up 1:00, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.1.100 10:00 1.00s 0.05s 0.01s w
user1 pts/1 192.168.1.101 10:05 5:00 0.10s 0.05s vim file.txt
user2 pts/2 192.168.1.102 10:10 0.00s 0.15s 0.10s top

# 7. 显示版本信息
# w –version
w from procps-ng 3.3.17

# 8. 显示帮助信息
# w –help
Usage:
w [options]
Options:
-h, –no-header do not print header
-u, –no-current ignore current process username
-s, –short short format
-f, –from show remote hostname field
-o, –old-style old style output
–help display this help and exit
-V, –version output version information and exit

For more details see w(1).

# 9. 解析w命令输出
# w | tail -n +2 | awk ‘{print $1}’ | sort | uniq -c
1 root
1 user1
1 user2

# 10. 统计登录用户数
# w | tail -n +2 | wc -l
3

# 11. 查看用户正在执行的命令
# w | grep root
root pts/0 192.168.1.100 10:00 1.00s 0.05s 0.01s w

# 12. 查看用户空闲时间
# w | awk ‘{print $1, $5}’
USER IDLE
root 1.00s
user1 5:00
user2 0.00s

# 13. 查看用户CPU使用时间
# w | awk ‘{print $1, $6}’
USER JCPU
root 0.05s
user1 0.10s
user2 0.15s

# 14. 查看用户登录来源
# w | awk ‘{print $1, $3}’
USER FROM
root 192.168.1.100
user1 192.168.1.101
user2 192.168.1.102

# 15. 监控用户活动
# watch -n 5 w
（每5秒刷新一次用户活动）

# 1. 检查当前登录用户
# cat > /usr/local/bin/check_users.sh << 'EOF' #!/bin/bash echo "=== Current logged users ===" who echo "" echo "=== User activities ===" w echo "" echo "=== Current user ===" whoami echo "" echo "=== User count ===" who | wc -l EOF # chmod +x /usr/local/bin/check_users.sh # check_users.sh === Current logged users === root pts/0 2026-04-02 10:00 (192.168.1.100) user1 pts/1 2026-04-02 10:05 (192.168.1.101) === User activities === 10:00:00 up 1:00, 2 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 192.168.1.100 10:00 1.00s 0.05s 0.01s w user1 pts/1 192.168.1.101 10:05 5:00 0.10s 0.05s vim file.txt === Current user === root === User count === 2 # 2. 监控root用户登录 # cat > /usr/local/bin/monitor_root.sh << 'EOF' #!/bin/bash LOG_FILE="/var/log/root_login.log" while true; do ROOT_COUNT=$(who | grep "^root" | wc -l) if [ $ROOT_COUNT -gt 0 ]; then echo "[$(date '+%Y-%m-%d %H:%M:%S')] Root user logged in from:" >> $LOG_FILE
who | grep “^root” >> $LOG_FILE
fi
sleep 60
done
EOF

# chmod +x /usr/local/bin/monitor_root.sh

# 3. 检查异常登录
# cat > /usr/local/bin/check_abnormal.sh << 'EOF' #!/bin/bash LOG_FILE="/var/log/abnormal_login.log" # 检查同一用户多次登录 who | awk '{print $1}' | sort | uniq -c | while read count user; do if [ $count -gt 3 ]; then echo "[$(date '+%Y-%m-%d %H:%M:%S')] User $user has $count sessions" >> $LOG_FILE
fi
done

# 检查非工作时间登录
HOUR=$(date +%H)
if [ $HOUR -lt 6 ] || [ $HOUR -gt 22 ]; then
echo “[$(date ‘+%Y-%m-%d %H:%M:%S’)] Login outside working hours:” >> $LOG_FILE
who >> $LOG_FILE
fi
EOF

# chmod +x /usr/local/bin/check_abnormal.sh

# 4. 统计用户登录时间
# cat > /usr/local/bin/user_login_time.sh << 'EOF' #!/bin/bash echo "User login time statistics:" echo "============================" who | while read user tty date time from; do LOGIN_TIME=$(date -d "$date $time" +%s) CURRENT_TIME=$(date +%s) DURATION=$((CURRENT_TIME - LOGIN_TIME)) HOURS=$((DURATION / 3600)) MINUTES=$(((DURATION % 3600) / 60)) echo "$user: ${HOURS}h ${MINUTES}m" done EOF # chmod +x /usr/local/bin/user_login_time.sh # 5. 检查用户权限 # cat > /usr/local/bin/check_permissions.sh << 'EOF' #!/bin/bash CURRENT_USER=$(whoami) echo "Current user: $CURRENT_USER" echo "User ID: $(id -u)" echo "Group ID: $(id -g)" echo "Groups: $(id -Gn)" echo "Home: $HOME" echo "Shell: $SHELL" if [ $(id -u) -eq 0 ]; then echo "Running as root!" fi EOF # chmod +x /usr/local/bin/check_permissions.sh

# 1. 检查脚本是否以root用户运行
# cat > /tmp/require_root.sh << 'EOF' #!/bin/bash if [ $(whoami) != "root" ]; then echo "Error: This script must be run as root" exit 1 fi echo "Running as root, continuing..." EOF # chmod +x /tmp/require_root.sh # 2. 检查用户是否登录 # cat > /tmp/check_login.sh << 'EOF' #!/bin/bash USER=$1 if [ -z "$USER" ]; then echo "Usage: $0 ”
exit 1
fi

if who | grep -q “^$USER”; then
echo “User $USER is currently logged in”
else
echo “User $USER is not logged in”
fi
EOF

# chmod +x /tmp/check_login.sh

# 3. 踢出指定用户
# cat > /tmp/kick_user.sh << 'EOF' #!/bin/bash USER=$1 if [ -z "$USER" ]; then echo "Usage: $0 ”
exit 1
fi

if [ $(whoami) != “root” ]; then
echo “Error: This script must be run as root”
exit 1
fi

TTY=$(who | grep “^$USER” | awk ‘{print $2}’)
if [ -n “$TTY” ]; then
pkill -9 -t $TTY
echo “User $USER has been kicked out”
else
echo “User $USER is not logged in”
fi
EOF

# chmod +x /tmp/kick_user.sh

# 4. 发送消息给所有用户
# cat > /tmp/broadcast.sh << 'EOF' #!/bin/bash MESSAGE=$1 if [ -z "$MESSAGE" ]; then echo "Usage: $0 ”
exit 1
fi

who | awk ‘{print $2}’ | while read tty; do
echo “$MESSAGE” > /dev/$tty
done

echo “Message sent to all users”
EOF

# chmod +x /tmp/broadcast.sh

# 5. 记录用户活动日志
# cat > /tmp/log_users.sh << 'EOF' #!/bin/bash LOG_FILE="/var/log/user_activity.log" while true; do echo "=== $(date '+%Y-%m-%d %H:%M:%S') ===" >> $LOG_FILE
w >> $LOG_FILE
echo “” >> $LOG_FILE
sleep 300
done
EOF

# chmod +x /tmp/log_users.sh

# 1. 排查用户无法登录问题
# 检查用户是否存在
# id username

# 检查用户Shell
# grep username /etc/passwd

# 检查用户是否被锁定
# passwd -S username

# 检查登录日志
# last | grep username

# 2. 排查用户权限问题
# 检查当前用户
# whoami

# 检查用户组
# groups

# 检查用户权限
# id

# 检查sudo权限
# sudo -l

# 3. 排查用户会话问题
# 检查用户会话
# who

# 检查用户进程
# ps aux | grep username

# 检查用户终端
# w username

# 4. 排查系统负载问题
# 检查系统负载
# w | head -n 1

# 检查用户CPU使用
# w | awk ‘{print $1, $6, $7}’

# 检查用户进程
# ps aux –sort=-%cpu | head -n 10

# 5. 排查异常登录问题
# 检查当前登录用户
# who

# 检查登录历史
# last | head -n 20

# 检查失败登录
# lastb | head -n 20

# 检查SSH日志
# grep “Failed password” /var/log/secure

# 6. 排查用户资源占用问题
# 检查用户进程
# ps aux | grep username

# 检查用户内存使用
# ps aux | grep username | awk ‘{sum+=$6} END {print sum/1024 ” MB”}’

# 检查用户CPU使用
# ps aux | grep username | awk ‘{sum+=$3} END {print sum ” %”}’

# 检查用户打开的文件
# lsof | grep username | wc -l