On Thu, Mar 30, 2017 at 8:17 AM, warron.french wrote: > Steve, is there anyway that you know of both as the author of the Red Hat > Audit software, and also an employee of Red Hat that would allow someone to > review the audit logs and determine one of the following 2 possibilities: > > > 1. If the machine was rebooted through software; such as; > > > - poweroff, > - shutdown, > - init, etc.. etc.. > > 2. Or a person pressed the power button on the front of the machine. > > I ran into this problem in the workplace last year, and this feature would > be helpful, but I don't know if it is already offered covering the > power-button depression; versus the command execution. > > I understand that with a power-button depression there is no way of > capturing the/a userid; perhaps a hidden default account of "power-button" > would suffice? > I haven't made a study of this on different operating systems, but I did recently want to run an action in RHEL7 when the power button was pressed and my experience was that systemd-logind.service always generated a "Power key pressed" message, e.g., the following command would complete as soon as power button was pressed: journalctl -fu systemd-logind | grep -q "Power key pressed" > I was only testing on VMs running in a cloud (outside of my control), but I didn't see if there were different messages for reset vs power buttons. On a related note, if you're looking to block shutdowns (including power button & user-initiated) on systemd systems, check out reboot-guard .