Kill a User and All Their Current Processes.

    #!/bin/bash
    # This program will kill all processes from a
    # user. The user name is read from the command line.
    #
    # This program also demonstrates reading a bash variable
    # into an awk script.
    #
    # Usage: kill9user <user>
    #
    # "$1" is quoted so an empty or unusual argument is passed to awk intact.
    kill -9 `ps aux|awk -v var="$1" '$1==var { print $2 }'`

or, if you don't want to create the above script, the command below will kill the user "donkey" and all of his processes.

    $ kill -9 `ps aux|awk -v var="donkey" '$1==var { print $2 }'`

Check their cron jobs and "at" jobs, if you have a security issue.

    $ crontab -u <user> -e

Lock the account:

    $ passwd -l <user>

Remove all authorized_keys

    $ rm /home/user/.shosts
    $ rm /home/user/.rhosts
    $ rm -rf /home/user/.ssh
    $ rm /home/user/.forward

or consider

    $ mv /home/user /home/safeuser

Change the shell

    $ chsh -s /bin/true <user>

Do an inventory

    $ find / -user <user> > list_of_user_files

NOTE: Also see (TIP 10).

To see all users, except the current user. Do not use the dash: "ps -aux" is wrong, but the following is correct:

    $ ps aux| awk '!/'"${USER}"'/{printf("%s \n",$0)}'

or (ww = wide, wide output)

    $ ps auwwx| awk '!/'"${USER}"'/{printf("%s \n",$0)}'

The following codes may be useful:

    D   Uninterruptible sleep (usually IO)
    R   Running or runnable (on run queue)
    S   Interruptible sleep (waiting for an event to complete)
    T   Stopped, either by a job control signal or because it is being traced.
    W   paging (not valid since the 2.6.xx kernel)
    X   dead (should never be seen)
    Z   Defunct ("zombie") process, terminated but not reaped by its parent.

For BSD formats and when the stat keyword is used, additional characters may be displayed:

    <   high-priority (not nice to other users)
    N   low-priority (nice to other users)
    L   has pages locked into memory (for real-time and custom IO)
    s   is a session leader
    l   is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
    +   is in the foreground process group
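An added example, not part of the original tip: it uses the STAT codes listed above to sort one user's processes into those `kill -9` will remove and those it will not (Z is already dead and waits for its parent; D may stay until its IO completes). The function names, the `ps -eo pid,user:32,stat,comm` input format and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Real input would come from (procps-ng syntax, assumed):
#   ps -eo pid,user:32,stat,comm | classify_user_procs donkey
# user:32 widens the column so long account names are not truncated.

# Constructed sample of that ps output; not taken from a real host.
sample_ps() {
cat <<'EOF'
  PID USER       STAT COMMAND
  812 root       Ss   sshd
 4021 donkey     Ss   bash
 4077 donkey     R+   python3
 4102 donkey     D    dd
 4188 donkey     Z    sh
 4300 donkeykong S    sleep
EOF
}

# classify_user_procs <user>
# Reads ps lines on stdin and prints "<pid> <class>" for that user only.
# The user column is compared exactly, so "donkeykong" is not mistaken
# for "donkey" the way a regex match on the whole line would be.
classify_user_procs() {
  awk -v u="$1" '
    $1 ~ /^[0-9]+$/ && $2 == u {
      s = substr($3, 1, 1)            # first STAT character is the state
      if (s == "Z")      c = "zombie"    # already dead, parent must reap it
      else if (s == "D") c = "blocked"   # may ignore SIGKILL until IO ends
      else               c = "killable"
      print $1, c
    }'
}

# killable_pids <user>
# Prints the PIDs worth passing to kill -9, space separated on one line.
killable_pids() {
  classify_user_procs "$1" |
    awk '$2 == "killable" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Demo on the constructed sample; nothing is signalled here.
sample_ps | classify_user_procs donkey
```

Processes reported as "zombie" or "blocked" can still be listed after `kill -9`; re-run the classification after locking the account to confirm nothing new has started.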