Reboots and audit.rules

Ryan Sawhill rsawhill at redhat.com
Thu Mar 30 22:34:17 UTC 2017


On Thu, Mar 30, 2017 at 10:51 AM, warron.french <warron.french at gmail.com>
wrote:

> Hey Ryan, thank you for the feedback.
>
> Is there an audit rule that can be used against that service?  Perhaps a
> binary to do a watch (-w) rule against for -p x with -k monitor_power  -
> for example?
>

If that was my requirement, I'd set up a simple systemd service that watches
for the power event via journalctl -- or for more privilege separation, I'd
set up rsyslog to filter those messages to a file ... but either way, the
service would run a grep -q command watching for events and when that
exits, generate an audit event.

The fun part would be getting the unit file dependencies right so that it
does its work before it or anything it needs shuts down.
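
The following sketch of the journalctl variant described in the reply above is an added example, not part of the original post and not code from its author. It shows the grep -q exit acting as the trigger for a user-space audit record; unit file ordering is not covered. Assumptions: the systemd-logind unit and the "Power key pressed" log wording, the script path, and the audit message text.

```shell
#!/bin/sh
# Added illustration, not code from the original post.
# Assumed: the log wording matched below and the text of the audit message.
POWER_PATTERN=${POWER_PATTERN:-'Power key pressed'}  # assumed logind wording
AUDIT_KEY=${AUDIT_KEY:-monitor_power}                # key name from the question

# Write a user-space record (type USER) into the audit log.
# auditctl -m needs CAP_AUDIT_WRITE, so the service runs as root.
emit_audit_event() {
    auditctl -m "power event seen in journal key=$AUDIT_KEY"
}

# Read log lines on stdin. grep -q exits on the first match, and that exit
# is the trigger for the audit record. Returns 1 if the stream ends first.
watch_stream() {
    if grep -qF -- "$POWER_PATTERN"; then
        emit_audit_event
    else
        return 1
    fi
}

# Service entry point, e.g. ExecStart=/usr/local/sbin/power-audit.sh --run
# (hypothetical path). -n 0 skips old entries so only new events match.
if [ "${1:-}" = "--run" ]; then
    journalctl -f -n 0 -u systemd-logind.service | watch_stream
fi
```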