On Thu, Mar 30, 2017 at 8:17 AM, warron.french <warron.french@gmail.com> wrote:
Steve, is there any way that you know of both as the author of the Red Hat Audit software, and also an employee of Red Hat that would allow someone to review the audit logs and determine one of the following 2 possibilities:

  1. If the machine was rebooted through software; such as;
     • poweroff,
     • shutdown,
     • init, etc., etc.
  2. Or a person pressed the power button on the front of the machine.

I ran into this problem in the workplace last year, and this feature would be helpful, but I don't know if it is already offered covering the power-button depression; versus the command execution.

I understand that with a power-button depression there is no way of capturing the/a userid; perhaps a hidden default account of "power-button" would suffice?

I haven't made a study of this on different operating systems, but I did recently want to run an action in RHEL7 when the power button was pressed and my experience was that systemd-logind.service always generated a "Power key pressed" message, e.g., the following command would complete as soon as power button was pressed:

journalctl -fu systemd-logind | grep -q "Power key pressed"

I was only testing on VMs running in a cloud (outside of my control), but I didn't see if there were different messages for reset vs power buttons.

On a related note, if you're looking to block shutdowns (including power button & user-initiated) on systemd systems, check out reboot-guard.
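
The journal check from the reply above, extended to classify how a previous boot ended; this is an added example, not part of the original thread. The function name `classify_shutdown` is hypothetical, the "System is powering down/rebooting/halting" strings are an assumption about systemd-logind's wording on your version, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify how one boot ended from systemd-logind journal text.
# Reads journal lines for ONE boot on stdin and prints one of:
#   power-button  logind logged "Power key pressed" (string quoted in the
#                 reply above) before it logged the power-down
#   software      logind logged a power-down/reboot with no key press before it
#   unknown       neither seen (power loss, hard reset, non-persistent journal)
# Limitation: a key press that logind was configured to ignore earlier in the
# same boot also counts as "power-button"; compare timestamps if that matters.
classify_shutdown() {
    awk '
        # Remember that the power key was seen in this boot.
        /systemd-logind/ && /Power key pressed/ { key = 1 }
        # Assumed logind shutdown messages; adjust for your systemd version.
        /systemd-logind/ && /System is (powering down|rebooting|halting)/ {
            down = 1
            if (key) viakey = 1
        }
        END {
            if (viakey)    print "power-button"
            else if (down) print "software"
            else           print "unknown"
        }'
}

# Constructed sample journal lines (not taken from a real host).
SAMPLE_BUTTON='Mar 30 08:01:12 host1 systemd-logind[612]: New session 3 of user alice.
Mar 30 09:14:02 host1 systemd-logind[612]: Power key pressed.
Mar 30 09:14:02 host1 systemd-logind[612]: System is powering down.'

SAMPLE_SOFTWARE='Mar 30 10:20:41 host1 systemd-logind[640]: New session 4 of user bob.
Mar 30 10:25:07 host1 systemd-logind[640]: System is rebooting.'

SAMPLE_UNKNOWN='Mar 30 11:02:33 host1 systemd-logind[655]: New session 5 of user carol.'

printf '%s\n' "$SAMPLE_BUTTON"   | classify_shutdown
printf '%s\n' "$SAMPLE_SOFTWARE" | classify_shutdown
printf '%s\n' "$SAMPLE_UNKNOWN"  | classify_shutdown
```

On a host with a persistent journal, the previous boot can be fed in with `journalctl -b -1 -u systemd-logind --no-pager | classify_shutdown`.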