Reboots and audit.rules

Ryan Sawhill rsawhill at redhat.com
Thu Mar 30 14:36:24 UTC 2017


On Thu, Mar 30, 2017 at 8:17 AM, warron.french <warron.french at gmail.com>
wrote:

> Steve, is there any way that you know of both as the author of the Red Hat
> Audit software, and also an employee of Red Hat that would allow someone to
> review the audit logs and determine one of the following 2 possibilities:
>
>
>    1. If the machine was rebooted through software, such as:
>       - poweroff,
>       - shutdown,
>       - init, etc., etc.
>    2. Or a person pressed the power button on the front of the machine.
>
> I ran into this problem in the workplace last year, and this feature would
> be helpful, but I don't know if it is already offered covering the
> power-button depression; versus the command execution.
>
> I understand that with a power-button depression there is no way of
> capturing the/a userid; perhaps a hidden default account of "power-button"
> would suffice?
>

I haven't made a study of this on different operating systems, but I did
recently want to run an action in RHEL7 when the power button was pressed,
and my experience was that systemd-logind.service always generated a "Power
key pressed" message, e.g., the following command would complete as soon as
the power button was pressed:

journalctl -fu systemd-logind | grep -q "Power key pressed"

I was only testing on VMs running in a cloud (outside of my control), but I
didn't see if there were different messages for reset vs power buttons.

On a related note, if you're looking to block shutdowns (including power
button & user-initiated) on systemd systems, check out reboot-guard
<https://github.com/ryran/reboot-guard/>.
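
The check described in the message above, turned into an after-the-fact review of a saved journal, as an added example that is not part of the original post. Only the "Power key pressed" string comes from the post; the function names and the sample journal lines are constructed, and a persistent journal is assumed so that the previous boot is still readable.

```shell
#!/bin/sh
# Classify how a boot ended from systemd-logind journal text read on stdin.
# Input is expected in `journalctl -o short-iso` layout, where the first
# whitespace-separated field is the timestamp.

# Print the timestamp of every logind power-key message.
power_key_events() {
    awk '/systemd-logind/ && /Power key pressed/ { print $1 }'
}

# Report the last power-key press, or say that none was logged.
classify_shutdown() {
    last=$(power_key_events | tail -n 1)
    if [ -n "$last" ]; then
        echo "power-button at $last"
    else
        echo "no-power-key-message"
    fi
}

# Constructed sample: a boot that ended with the power button.
sample_button() { cat <<'EOF'
2017-03-30T14:01:02+0000 host1 systemd-logind[612]: New session 3 of user admin.
2017-03-30T14:20:11+0000 host1 systemd-logind[612]: Power key pressed.
EOF
}

# Constructed sample: a boot with no power-key message at all.
sample_software() { cat <<'EOF'
2017-03-30T15:01:02+0000 host1 systemd-logind[612]: New session 4 of user admin.
2017-03-30T15:05:40+0000 host1 systemd-logind[612]: Removed session 4.
EOF
}

# On a real host (assumes persistent journal storage), feed the previous boot:
#   journalctl -b -1 -u systemd-logind -o short-iso | classify_shutdown
```

A "no-power-key-message" result only says logind logged no key press; it does not by itself prove a software-initiated shutdown, since a power loss would also leave no message.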