Reboots and audit.rules

Reboots and audit.rules

[warron.french]

[-- Attachment #1.1: Type: text/plain, Size: 823 bytes --]

Steve, is there anyway that you know of both as the author of the Red Hat
Audit software, and also an employee of Red Hat that would allow someone to
review the audit logs and determine one of the following 2 possibilities:


   1. If the machine was rebooted through software; such as;


   - poweroff,
   - shutdown,
   - init, etc.. etc..

2. Or a person pressed the power button on the front of the machine.

I ran into this problem in the workplace last year, and this feature would
be helpful, but I don't know if it is already offered covering the
power-button depression; versus the command execution.

I understand that with a power-button depression there is no way of
capturing the/a userid; perhaps a hidden default account of "power-button"
would suffice?


Thank you,
--------------------------
Warron French

[-- Attachment #1.2: Type: text/html, Size: 1229 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Reboots and audit.rules

[Ryan Sawhill]

[-- Attachment #1.1: Type: text/plain, Size: 1609 bytes --]

On Thu, Mar 30, 2017 at 8:17 AM, warron.french <warron.french@gmail.com>
wrote:

> Steve, is there anyway that you know of both as the author of the Red Hat
> Audit software, and also an employee of Red Hat that would allow someone to
> review the audit logs and determine one of the following 2 possibilities:
>
>
>    1. If the machine was rebooted through software; such as;
>
>
>    - poweroff,
>    - shutdown,
>    - init, etc.. etc..
>
> 2. Or a person pressed the power button on the front of the machine.
>
> I ran into this problem in the workplace last year, and this feature would
> be helpful, but I don't know if it is already offered covering the
> power-button depression; versus the command execution.
>
> I understand that with a power-button depression there is no way of
> capturing the/a userid; perhaps a hidden default account of "power-button"
> would suffice?
>

I haven't made a study of this on different operating systems, but I did
recently want to run an action in RHEL7 when the power button was pressed
and my experience was that systemd-logind.service always generated a "Power
key pressed" message, e.g., the following command would complete as soon as
power button was pressed:

journalctl -fu systemd-logind | grep -q "Power key pressed"
>

I was only testing on VMs running in a cloud (outside of my control), but I
didn't see if there were different messages for reset vs power buttons.

On a related note, if you're looking to block shutdowns (including power
button & user-initiated) on systemd systems, check out reboot-guard
<https://github.com/ryran/reboot-guard/>.

[-- Attachment #1.2: Type: text/html, Size: 2265 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Reboots and audit.rules

[Steve Grubb]

On Thursday, March 30, 2017 8:17:05 AM EDT warron.french wrote:
> Steve, is there anyway that you know of both as the author of the Red Hat
> Audit software, and also an employee of Red Hat that would allow someone to
> review the audit logs and determine one of the following 2 possibilities:

We have specification around most things these days. This is the document about 
system lifecycle events:

https://github.com/linux-audit/audit-documentation/wiki/SPEC-System-Lifecycle-Events

According to it, the event you are looking for is SYSTEM_SHUTDOWN. The reason 
for shutdown is not required.

>    1. If the machine was rebooted through software; such as;
> 
>    - poweroff,
>    - shutdown,
>    - init, etc.. etc..

You could place watches on these if you really wanting this information.

> 2. Or a person pressed the power button on the front of the machine.

There is also hibernate and pulling the power cord.

-Steve

> I ran into this problem in the workplace last year, and this feature would
> be helpful, but I don't know if it is already offered covering the
> power-button depression; versus the command execution.
> 
> I understand that with a power-button depression there is no way of
> capturing the/a userid; perhaps a hidden default account of "power-button"
> would suffice?
> 
> 
> Thank you,
> --------------------------
> Warron French

Re: Reboots and audit.rules

[Ryan Sawhill]

[-- Attachment #1.1: Type: text/plain, Size: 751 bytes --]

On Thu, Mar 30, 2017 at 10:51 AM, warron.french <warron.french@gmail.com>
wrote:

> Hey Ryan, thank you for the feedback.
>
> Is there an audit rule that can be used against that service?  Perhaps a
> binary to do a watch (-w) rule against for -p x with -k monitor_power  -
> for example?
>

If that was my requirement, I'd setup a simple systemd service that watches
for the power event via journalctl -- or for more privilege separation, I'd
setup rsyslog to filter those messages to a file ... but either way, the
service would run a grep -q command watching for events and when that
exits, generate an audit event.

The fun part would be getting the unit file dependencies right so that it
does its work before it or anything it needs shuts down.

[-- Attachment #1.2: Type: text/html, Size: 1147 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]