From: Steve Grubb
Subject: Re: Reboots and audit.rules
Date: Thu, 30 Mar 2017 11:33:27 -0400
Message-ID: <1514563.jQEK1XCEs1@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, March 30, 2017 8:17:05 AM EDT warron.french wrote:
> Steve, is there any way that you know of both as the author of the Red Hat
> Audit software, and also an employee of Red Hat that would allow someone to
> review the audit logs and determine one of the following 2 possibilities:

We have specifications around most things these days. This is the document
about system lifecycle events:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-System-Lifecycle-Events

According to it, the event you are looking for is SYSTEM_SHUTDOWN. The reason
for shutdown is not required.

> 1. If the machine was rebooted through software; such as;
>
> - poweroff,
> - shutdown,
> - init, etc.. etc..

You could place watches on these if you really want this information.

> 2. Or a person pressed the power button on the front of the machine.

There is also hibernate and pulling the power cord.

-Steve

> I ran into this problem in the workplace last year, and this feature would
> be helpful, but I don't know if it is already offered covering the
> power-button depression; versus the command execution.
>
> I understand that with a power-button depression there is no way of
> capturing the/a userid; perhaps a hidden default account of "power-button"
> would suffice?
>
>
> Thank you,
> --------------------------
> Warron French
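
The check discussed in this message, as an added example that is not part of the original thread or of the audit project's code: for each SYSTEM_BOOT record it reports whether the previous run ended with a SYSTEM_SHUTDOWN record, and whether a watched shutdown command ran shortly before it. Assumptions: the watch key "power", the 300-second window, the function name classify_boots and the log lines are all constructed for illustration. A boot with no preceding SYSTEM_SHUTDOWN is consistent with a pulled power cord, but also with the shutdown record simply not reaching disk.

```python
import re

# Constructed sample records (not from a real host). The key "power" assumes
# watch rules such as:  -w /sbin/shutdown -p x -k power
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1490800000.100:5): pid=612 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSCALL msg=audit(1490886000.200:310): arch=c000003e syscall=59 success=yes auid=1000 uid=0 comm="shutdown" exe="/usr/sbin/shutdown" key="power"
type=SYSTEM_SHUTDOWN msg=audit(1490886003.300:318): pid=2911 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSTEM_BOOT msg=audit(1490886060.100:4): pid=598 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSTEM_BOOT msg=audit(1490890000.100:6): pid=601 uid=0 auid=4294967295 msg=' comm="systemd-update-utmp" res=success'
"""

RECORD = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify_boots(log_text, key="power", window=300):
    """Return one dict per SYSTEM_BOOT describing how the previous run ended."""
    results = []
    booted = False    # has an earlier boot been seen in this log?
    shutdown = None   # timestamp of SYSTEM_SHUTDOWN since the last boot
    command = None    # (timestamp, auid, exe) of the last watched command
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, ts, rest = m.group(1), int(m.group(2)), m.group(3)
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "SYSCALL" and fields.get("key") == key:
            command = (ts, fields.get("auid"), fields.get("exe"))
        elif rtype == "SYSTEM_SHUTDOWN":
            shutdown = ts
        elif rtype == "SYSTEM_BOOT":
            if not booted:
                verdict, who = "first-boot-in-log", None
            elif shutdown is None:
                verdict, who = "no-shutdown-record", None
            elif command and 0 <= shutdown - command[0] <= window:
                verdict, who = "command", command[1:]   # (auid, exe)
            else:
                verdict, who = "clean-no-command", None
            results.append({"boot": ts, "previous_end": verdict, "by": who})
            booted, shutdown, command = True, None, None
    return results
```
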