Reboots and audit.rules
Steve Grubb
sgrubb at redhat.com
Thu Mar 30 15:33:27 UTC 2017
On Thursday, March 30, 2017 8:17:05 AM EDT warron.french wrote:
> Steve, is there any way that you know of both as the author of the Red Hat
> Audit software, and also an employee of Red Hat that would allow someone to
> review the audit logs and determine one of the following 2 possibilities:
We have specifications around most things these days. This is the document about
system lifecycle events:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-System-Lifecycle-Events
According to it, the event you are looking for is SYSTEM_SHUTDOWN. The reason
for shutdown is not required.
> 1. If the machine was rebooted through software; such as;
>
> - poweroff,
> - shutdown,
> - init, etc.. etc..
You could place watches on these if you really want this information.
> 2. Or a person pressed the power button on the front of the machine.
There is also hibernate and pulling the power cord.
-Steve
> I ran into this problem in the workplace last year, and this feature would
> be helpful, but I don't know if it is already offered covering the
> power-button depression; versus the command execution.
>
> I understand that with a power-button depression there is no way of
> capturing the/a userid; perhaps a hidden default account of "power-button"
> would suffice?
>
>
> Thank you,
> --------------------------
> Warron French
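
An added example (not part of the original message, and not code from the audit project) of reading the log along the lines of the reply: each SYSTEM_BOOT is paired with the SYSTEM_SHUTDOWN that ended that uptime, and a hit on a watch placed on the shutdown commands shortly before it supplies the auid. The key name `power-cmd`, the 300-second window and the sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample records in audit.log layout (not from a real host).
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1490800000.100:5): pid=700 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSCALL msg=audit(1490803600.200:310): arch=c000003e syscall=59 success=yes auid=1000 uid=0 comm="shutdown" key="power-cmd"
type=SYSTEM_SHUTDOWN msg=audit(1490803602.300:315): pid=2100 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSTEM_BOOT msg=audit(1490803700.100:5): pid=701 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSTEM_SHUTDOWN msg=audit(1490850000.300:900): pid=3300 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSTEM_BOOT msg=audit(1490850100.100:5): pid=702 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSTEM_BOOT msg=audit(1490890000.100:5): pid=699 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
"""

REC = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):(.*)$')
WATCH_KEY = "power-cmd"   # hypothetical key set on the watches for poweroff/shutdown/init
WINDOW = 300              # assumed: seconds between a watch hit and SYSTEM_SHUTDOWN

def classify_boots(log_text):
    """Return one dict per SYSTEM_BOOT describing how that uptime ended."""
    sessions, cur, hit = [], None, None
    for line in log_text.splitlines():
        m = REC.match(line)
        if not m:
            continue
        rtype, ts, rest = m.group(1), int(m.group(2)), m.group(3)
        if rtype == "SYSTEM_BOOT":
            # A new boot while the previous uptime never logged SYSTEM_SHUTDOWN:
            # the machine stopped without an orderly shutdown (e.g. power lost).
            if cur and cur["end"] == "running":
                cur["end"] = "no-shutdown-record"
            cur, hit = {"boot": ts, "end": "running", "auid": None}, None
            sessions.append(cur)
        elif cur is None:
            continue  # records from before the first boot in this file
        elif rtype == "SYSCALL" and f'key="{WATCH_KEY}"' in rest:
            a = re.search(r'\bauid=(\d+)', rest)
            hit = (ts, int(a.group(1)) if a else None)
        elif rtype == "SYSTEM_SHUTDOWN":
            if hit and ts - hit[0] <= WINDOW:
                cur["end"], cur["auid"] = "commanded", hit[1]
            else:
                cur["end"] = "orderly-unattributed"
    return sessions

if __name__ == "__main__":
    for s in classify_boots(SAMPLE_LOG):
        print(s)
```

An `orderly-unattributed` result only says that SYSTEM_SHUTDOWN was logged with no watched command near it; it does not by itself identify what initiated the shutdown.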