Re: Problem with watching power commands - key is not logged

I found it out auditctl -l did not list rule as loaded, I checked logs of auditd deeper and found it stopped loading rules at some point due to duplicated rule, after sorting that out, it loaded all rules correctly, sorry for trouble On Sun, Jan 29, 2017 at 10:40 PM, Richard Guy Briggs <rgb(a)redhat.com&gt; wrote: On 2017-01-28 13:16, Damian Tykałowski wrote: > Hi Hi Damian, > I'm struggling to get proper auditing of usage of power commands, here's > what I've got in rules > > [root@host01 ~]# cat /etc/audit/audit.rules | grep power > -w /sbin/shutdown -p rwx -k power > -w /sbin/poweroff -p rwx -k power > -w /sbin/reboot -p rwx -k power > -w /sbin/halt -p rwx -k power > -w shutdown -p rwx -k power > -w poweroff -p rwx -k power > -w reboot -p rwx -k power > -w halt -p rwx -k power > > However despite full host reboot/refreshing rules I'm not getting events > with proper key "power" > > [root@host01 ~]# cat /var/log/audit/audit.log | grep power > <empty> > > Events are logged though but without key > > type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004 > ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success' > > type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004 > ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success' > > Any idea what is wrong? Rules with other keys seems to work. I suspect you have another rule that is catching it first? - RGB -- Richard Guy Briggs <rgb(a)redhat.com&gt; Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635 -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit