On Thu, Mar 30, 2017 at 10:51 AM, warron.french <warron.french(a)gmail.com> wrote:

> Hey Ryan, thank you for the feedback.
>
> Is there an audit rule that can be used against that service? Perhaps a
> binary to do a watch (-w) rule against for -p x with -k monitor_power -
> for example?

If that was my requirement, I'd set up a simple systemd service that watches
for the power event via journalctl -- or for more privilege separation, I'd
set up rsyslog to filter those messages to a file ... but either way, the
service would run a grep -q command watching for events and when that
exits, generate an audit event.

The fun part would be getting the unit file dependencies right so that it
does its work before it or anything it needs shuts down.
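
The watch-and-emit step described in the reply above, sketched as an added example that is not part of the original message. The match text `Power key pressed`, the audit message wording, and the `EMIT_CMD` test hook are assumptions; unit file ordering is not covered.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumptions: PATTERN (text systemd-logind logs for the power button),
# the audit message text, and the EMIT_CMD hook used for offline testing.
PATTERN=${PATTERN:-'Power key pressed'}

# Constructed sample journal lines (not real log data).
SAMPLE_LOG='Mar 30 10:50:58 host sshd[1201]: Accepted publickey for admin
Mar 30 10:51:02 host systemd-logind[712]: Power key pressed.'

# emit_audit MSG: send a user-space message into the audit system.
# auditctl -m needs CAP_AUDIT_WRITE and produces a USER type record.
emit_audit() {
    ${EMIT_CMD:-auditctl -m} "$1"
}

# watch_stream: read log lines on stdin. grep -q exits 0 at the first
# match, which is the trigger to emit; it exits non-zero if the stream
# ends without a match, and then nothing is emitted.
watch_stream() {
    if grep -q -- "$PATTERN"; then
        emit_audit "monitor_power: power event seen in journal"
    else
        return 1
    fi
}

# Live use (as root): follow new logind messages only.
if [ "${1:-}" = "--live" ]; then
    journalctl -f -n 0 -o cat -u systemd-logind | watch_stream
fi
```

The resulting record can be looked up afterwards with `ausearch -m USER`; the `-k` key from the question applies to audit rules, not to user-space messages, so the key name is carried in the message text here.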