Problem with watching power commands - key is not logged

Damian Tykałowski d47zm3 at gmail.com
Mon Jan 30 09:31:31 UTC 2017


I found it out.
auditctl -l did not list the rule as loaded, so I checked the auditd logs more deeply
and found it had stopped loading rules at some point due to a duplicated rule.
After sorting that out, it loaded all rules correctly. Sorry for the trouble.

On Sun, Jan 29, 2017 at 10:40 PM, Richard Guy Briggs <rgb at redhat.com> wrote:

> On 2017-01-28 13:16, Damian Tykałowski wrote:
> > Hi
>
> Hi Damian,
>
> > I'm struggling to get proper auditing of the usage of power commands; here's
> > what I've got in the rules:
> >
> > [root@host01 ~]# cat /etc/audit/audit.rules | grep power
> > -w /sbin/shutdown -p rwx -k power
> > -w /sbin/poweroff -p rwx -k power
> > -w /sbin/reboot -p rwx -k power
> > -w /sbin/halt -p rwx -k power
> > -w shutdown -p rwx -k power
> > -w poweroff -p rwx -k power
> > -w reboot -p rwx -k power
> > -w halt -p rwx -k power
> >
> > However, despite a full host reboot and refreshing the rules, I'm not getting events
> > with the proper key "power":
> >
> > [root@host01 ~]# cat /var/log/audit/audit.log | grep power
> > <empty>
> >
> > Events are logged, though, but without a key:
> >
> > type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
> > ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
> >
> > type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
> > ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
> >
> > Any idea what is wrong? Rules with other keys seem to work.
>
> I suspect you have another rule that is catching it first?
>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb at redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
>
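The root cause in this thread is that auditctl -R stops at the first rule the kernel rejects (a duplicate comes back as "Rule exists"), so everything after it silently never loads, and the only reliable check is comparing the rules file against what `auditctl -l` actually reports. Two further points worth knowing when reading the thread: the USER_CMD records shown above are emitted by sudo itself and are never tagged by a -w rule, so a working watch shows up instead as SYSCALL records carrying key="power" (query them with `ausearch -k power`); and auditctl rejects relative paths such as `-w shutdown`, so those lines would fail to load even after the duplicate is removed. The script below is an added example, not code from the thread or from the audit project: it finds duplicate rules and relative-path watches in a rules file and lists the -w rules that are missing from an `auditctl -l` capture. The rules file and the `auditctl -l` output are constructed samples embedded inline; the comparison assumes watches are written in the same field order that `auditctl -l` prints, so it deliberately ignores -a/-S syscall rules, which -l prints in normalized form.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for an audit.rules
# file, plus a comparison against a captured `auditctl -l` listing.
# All sample inputs below are constructed for this demo.

# Constructed rules file with the same kind of mistakes as in the thread:
# one watch is listed twice, and one watch uses a relative path.
RULES_SAMPLE='# power commands
-D
-b 8192
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/shutdown -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w shutdown -p rwx -k power
-w /etc/passwd -p wa -k identity'

# Constructed capture of `auditctl -l` on a host where loading stopped at the
# duplicate: only the watches listed before it reached the kernel.
LOADED_SAMPLE='-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power'

# Drop comments and blank lines and collapse whitespace so rules compare as text.
normalize_rules() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' | grep -v '^$'
}

# Rules that appear more than once. The kernel rejects the second copy with
# "Rule exists", and auditctl -R stops at the first error unless -c is given.
find_duplicate_rules() {
    printf '%s\n' "$1" | normalize_rules | sort | uniq -d
}

# -w rules whose path is not absolute; auditctl rejects these.
find_relative_watches() {
    printf '%s\n' "$1" | normalize_rules | awk '$1 == "-w" && substr($2, 1, 1) != "/"'
}

# -w rules present in the file but absent from the `auditctl -l` capture,
# in file order, each reported once. Assumption: watches are written in the
# same field order that auditctl -l prints, so a plain text comparison works.
find_unloaded_watches() {
    loaded=$(printf '%s\n' "$2" | normalize_rules)
    printf '%s\n' "$1" | normalize_rules | awk -v loaded="$loaded" '
        BEGIN { n = split(loaded, l, "\n"); for (i = 1; i <= n; i++) seen[l[i]] = 1 }
        $1 == "-w" && !($0 in seen) && !reported[$0]++ { print }'
}

# Run all three checks; print findings and return non-zero if anything is wrong.
check_audit_rules() {
    status=0
    for check in find_duplicate_rules find_relative_watches; do
        out=$($check "$1")
        if [ -n "$out" ]; then
            printf '%s:\n%s\n' "$check" "$out"
            status=1
        fi
    done
    out=$(find_unloaded_watches "$1" "$2")
    if [ -n "$out" ]; then
        printf 'watches not loaded in kernel:\n%s\n' "$out"
        status=1
    fi
    return $status
}

# Demo on the constructed samples. On a real host, run instead:
#   check_audit_rules "$(cat /etc/audit/audit.rules)" "$(auditctl -l)"
check_audit_rules "$RULES_SAMPLE" "$LOADED_SAMPLE" || echo "rule set has problems"
```

On the constructed input the script reports the duplicated `/sbin/shutdown` watch, the relative `-w shutdown` rule, and the three watches that never reached the kernel. When loading a large rules file, putting `-c` at the top of audit.rules makes auditctl continue past a rejected rule and print a summary, which would have surfaced this problem immediately instead of leaving the tail of the file unloaded.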