Re: Reboots and audit.rules
On Thu, Mar 30, 2017 at 8:17 AM, warron.french <warron.french(a)gmail.com wrote:
I was only testing on VMs running in a cloud (outside of my control), but I
didn't see if there were different messages for reset vs power buttons.
On a related note, if you're looking to block shutdowns (including power
button & user-initiated) on systemd systems, check out reboot-guard
<https://github.com/ryran/reboot-guard/>;.
Steve, is there anyway that you know of both as the author of the Red
Hat
Audit software, and also an employee of Red Hat that would allow someone to
review the audit logs and determine one of the following 2 possibilities:
1. If the machine was rebooted through software; such as;
- poweroff,
- shutdown,
- init, etc.. etc..
2. Or a person pressed the power button on the front of the machine.
I ran into this problem in the workplace last year, and this feature would
be helpful, but I don't know if it is already offered covering the
power-button depression; versus the command execution.
I understand that with a power-button depression there is no way of
capturing the/a userid; perhaps a hidden default account of "power-button"
would suffice?
I haven't made a study of this on different operating systems, but I did
recently want to run an action in RHEL7 when the power button was pressed
and my experience was that systemd-logind.service always generated a "Power
key pressed" message, e.g., the following command would complete as soon as
power button was pressed:
journalctl -fu systemd-logind | grep -q "Power key pressed"
Attachments:
- attachment.html (text/html — 2.2 KB)