From: "warron.french"
Subject: Reboots and audit.rules
Date: Thu, 30 Mar 2017 08:17:05 -0400
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve, is there any way that you know of, both as the author of the Red Hat Audit software and also an employee of Red Hat, that would allow someone to review the audit logs and determine one of the following 2 possibilities:

1. If the machine was rebooted through software, such as:
   - poweroff,
   - shutdown,
   - init, etc.
2. Or a person pressed the power button on the front of the machine.

I ran into this problem in the workplace last year, and this feature would be helpful, but I don't know if it is already offered, covering the power-button depression versus the command execution.

I understand that with a power-button depression there is no way of capturing the/a userid; perhaps a hidden default account of "power-button" would suffice?

Thank you,
--------------------------
Warron French