Steve, is there anyway that you know of both as the author of the Red Hat Audit software, and also an employee of Red Hat that would allow someone to review the audit logs and determine one of the following 2 possibilities:

If the machine was rebooted through software; such as;

poweroff,
shutdown,
init, etc.. etc..

2. Or a person pressed the power button on the front of the machine.

I ran into this problem in the workplace last year, and this feature would be helpful, but I don't know if it is already offered covering the power-button depression; versus the command execution.

I understand that with a power-button depression there is no way of capturing the/a userid; perhaps a hidden default account of "power-button" would suffice?

Thank you,

--------------------------
Warron French