See list of logged on users.

> w

See last logons:

> last

or all logon attempts, including bad attempts:

> lastb

See last logons, with the IP addresses of remote logins translated back into hostnames:

> last -d

List the PIDs of processes that have files open as steve:

> lsof -t -u steve

See files opened by anyone but steve:

> lsof -u ^steve

`fuser` can also show which processes are accessing a file, such as the system log:

> fuser /var/log/syslog

... and `fuser` can kill everything accessing the home directory:

> fuser -km /home

The `-m` flag matches every process using the filesystem that contains `/home`, so if `/home` is not its own mount point this reaches well beyond the home directories.

# Looking for dodgy files

Some files can be executed by people as if they had superuser permissions, and that's okay... sometimes.

Let's start with files that run with their owner's permissions (SUID):

> sudo find / -type f -perm -u=s -ls

And then those that run with their group's permissions (SGID):

> find / -type f -perm -g=s -ls

And finally, worrying files: those whose owner or group does not exist on the system:

> find / -xdev \( -nouser -o -nogroup \) -print

Then have a look at resource usage per user.

# SUID

> sudo chmod u+s process.sh

This will modify process.sh so that, instead of being simply executable, anyone executing it will have the owner's permissions while executing it. Linux ignores the setuid bit on interpreted scripts, so in practice this only takes effect on compiled binaries.
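The SUID and SGID searches under "Looking for dodgy files" list every such file, expected or not. The script below is an added example, not part of the original notes: it compares the current set-id files against a reviewed baseline and prints only the ones missing from it. The names `list_setid`, `new_setid` and `demo` and the tab-separated baseline format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): report set-id files that are
# missing from a reviewed baseline. Paths containing newlines are not handled.

# list_setid DIR: print "KIND<TAB>PATH" for each SUID/SGID regular file under DIR.
list_setid() {
    # -perm -4000 / -2000 match files with the setuid / setgid bit set;
    # -xdev keeps find on DIR's filesystem.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        kind=""
        if [ -u "$path" ]; then kind="SUID"; fi
        if [ -g "$path" ]; then kind="${kind:+$kind+}SGID"; fi
        printf '%s\t%s\n' "$kind" "$path"
    done | LC_ALL=C sort
}

# new_setid DIR BASELINE: print entries found now that BASELINE does not list.
# BASELINE holds earlier list_setid output that an admin has reviewed.
new_setid() {
    _sorted=$(mktemp) || return 1
    LC_ALL=C sort "$2" > "$_sorted"
    list_setid "$1" | LC_ALL=C comm -23 - "$_sorted"
    rm -f "$_sorted"
}

# demo: constructed tree with one approved and one unexpected setuid file.
demo() {
    _d=$(mktemp -d) || return 1
    : > "$_d/approved"; : > "$_d/unexpected"; : > "$_d/plain"
    chmod 4755 "$_d/approved" "$_d/unexpected"
    chmod 0755 "$_d/plain"
    printf 'SUID\t%s\n' "$_d/approved" > "$_d/baseline.txt"
    new_setid "$_d" "$_d/baseline.txt"
    rm -rf "$_d"
}

# Usage: sh audit.sh DIR BASELINE   (with no arguments, run the constructed demo)
if [ "$#" -eq 2 ]; then new_setid "$1" "$2"; else demo; fi
```

Create the baseline once from a known-good system by saving the output of `list_setid /`, then rerun `new_setid / baseline.txt` as root after package installs or on a schedule.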