From: Ryan Sawhill
Subject: Re: Reboots and audit.rules
Date: Thu, 30 Mar 2017 10:36:24 -0400
To: "warron.french"
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thu, Mar 30, 2017 at 8:17 AM, warron.french wrote:
> Steve, is there any way that you know of, both as the author of the Red Hat
> Audit software and also an employee of Red Hat, that would allow someone to
> review the audit logs and determine one of the following 2 possibilities:
>
> 1. If the machine was rebooted through software; such as:
>    - poweroff,
>    - shutdown,
>    - init, etc., etc.
> 2. Or a person pressed the power button on the front of the machine.
>
> I ran into this problem in the workplace last year, and this feature would
> be helpful, but I don't know if it is already offered covering the
> power-button depression versus the command execution.
> I understand that with a power-button depression there is no way of
> capturing the/a userid; perhaps a hidden default account of "power-button"
> would suffice?

I haven't made a study of this on different operating systems, but I did
recently want to run an action in RHEL7 when the power button was pressed,
and my experience was that systemd-logind.service always generated a
"Power key pressed" message, e.g., the following command would complete as
soon as the power button was pressed:

    journalctl -fu systemd-logind | grep -q "Power key pressed"

I was only testing on VMs running in a cloud (outside of my control), but I
didn't see if there were different messages for reset vs power buttons.

On a related note, if you're looking to block shutdowns (including power
button & user-initiated) on systemd systems, check out reboot-guard.
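The following is an added example for this thread, not code from Ryan's mail or from the audit project. It puts the two halves of the answer together: the logind "Power key pressed." journal message identifies a hardware-initiated shutdown, and for a software-initiated one an audit watch on the shutdown binaries (the example assumes a rule such as `-w /usr/bin/systemctl -p x -k shutdown`, under which `poweroff`, `reboot` and `shutdown` are systemctl symlinks on RHEL7) yields a SYSCALL/EXECVE pair whose `auid` names the login user. The script correlates each SYSTEM_SHUTDOWN audit event with what happened in the preceding window. Every log line below is constructed to resemble `journalctl -o short-iso` and raw `audit.log` output; the hostnames, pids, serials and timestamps are invented for illustration.

```python
"""Classify shutdowns as power-button or software initiated by correlating
systemd-logind journal lines with audit records.

Added example, not from the original mail or the audit project.  Sample
log lines are constructed approximations of real output."""
import os
import re
from datetime import datetime

# Constructed sample: a power-button shutdown, then (after a reboot) a
# `systemctl poweroff` run by the user with login uid 1000.
JOURNAL_SAMPLE = """\
2017-03-30T10:34:58-0400 host1 systemd-logind[703]: Power key pressed.
2017-03-30T10:34:58-0400 host1 systemd-logind[703]: Powering Off...
2017-03-30T10:34:58-0400 host1 systemd[1]: Stopping Session 2 of user admin.
2017-03-30T11:12:40-0400 host1 systemd[1]: Stopping Session 4 of user admin.
""".splitlines()

AUDIT_SAMPLE = """\
type=SYSTEM_SHUTDOWN msg=audit(1490884500.120:311): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
type=SYSCALL msg=audit(1490886757.441:402): arch=c000003e syscall=59 success=yes exit=0 ppid=2101 pid=2188 auid=1000 uid=0 gid=0 euid=0 ses=4 tty=pts0 comm="systemctl" exe="/usr/bin/systemctl" key="shutdown"
type=EXECVE msg=audit(1490886757.441:402): argc=2 a0="systemctl" a1="poweroff"
type=SYSTEM_SHUTDOWN msg=audit(1490886760.003:405): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
""".splitlines()

JOURNAL_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<msg>.*)$")
AUDIT_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Commands whose execve counts as a software-initiated shutdown.
SHUTDOWN_CMDS = {"systemctl", "shutdown", "poweroff", "reboot", "halt", "init", "telinit"}
AUID_UNSET = 4294967295


def parse_journal(lines):
    """Return [(epoch_seconds, unit, message)] from `journalctl -o short-iso` lines."""
    out = []
    for line in lines:
        m = JOURNAL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z").timestamp()
            out.append((ts, m["unit"], m["msg"]))
    return out


def parse_audit(lines):
    """Group raw audit records by event serial: {serial: {"ts": epoch, "records": {type: fields}}}."""
    events = {}
    for line in lines:
        m = AUDIT_RE.match(line)
        if m:
            ev = events.setdefault(int(m["serial"]), {"ts": int(m["ts"]), "records": {}})
            ev["records"][m["type"]] = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
    return events


def classify_shutdown(journal_lines, audit_lines, window=60):
    """For each SYSTEM_SHUTDOWN audit event, look back `window` seconds and decide
    whether it came from the power key (logind message) or from a command
    (EXECVE of a shutdown binary, attributed by the SYSCALL record's auid)."""
    journal = parse_journal(journal_lines)
    events = parse_audit(audit_lines)
    results = []
    for serial in sorted(events):
        if "SYSTEM_SHUTDOWN" not in events[serial]["records"]:
            continue
        t = events[serial]["ts"]
        verdict = {"ts": t, "origin": "unknown", "auid": None, "cmd": None}
        if any(t - window <= jt <= t and unit == "systemd-logind" and msg == "Power key pressed."
               for jt, unit, msg in journal):
            verdict["origin"] = "power-button"  # hardware path: no user id to recover
        else:
            for s2 in sorted(events):
                recs = events[s2]["records"]
                execve, syscall = recs.get("EXECVE"), recs.get("SYSCALL")
                if not execve or not syscall or not (t - window <= events[s2]["ts"] <= t):
                    continue
                keys = sorted((k for k in execve if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
                argv = [execve[k] for k in keys]
                if argv and os.path.basename(argv[0]) in SHUTDOWN_CMDS:
                    verdict["origin"] = "software"
                    auid = int(syscall.get("auid", AUID_UNSET))
                    verdict["auid"] = None if auid == AUID_UNSET else auid
                    verdict["cmd"] = " ".join(argv)
                    break
        results.append(verdict)
    return results


if __name__ == "__main__":
    for v in classify_shutdown(JOURNAL_SAMPLE, AUDIT_SAMPLE):
        print(v)
```

On a live host the same functions can be fed the output of `journalctl -o short-iso -u systemd-logind` and `ausearch -m SYSTEM_SHUTDOWN,SYSCALL,EXECVE --raw`. Two caveats: the EXECVE path only exists if the watch rule is actually loaded, and a shutdown that arrives through some other route (ACPI without logind, a crash, a cut power cord) will produce neither signal and stays "unknown", which is the honest answer rather than a guess.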