How to find which user has rebooted the system?

 

Environment

• Red Hat Enterprise Linux 4, 5, 6, 7, 8, 9

Issue

• How to find which user has rebooted the system?

Resolution

The availability of details is depended on the syslog's settings:

1. Get the boot time by using uptime command and count back for how long it was on, or go to /var/log and see the boot.log file, or in the same directory see messages file and look for "syslog started" time stamp.
2. type last command and see who were the users logged in at the time when system had been rebooted.
3. See these users shell history files in ~username/.bash_history for su or sudo commands. But the vulnerability is, the user's can easily delete there history, so the best option is to use the auditing scheme.
4. Check /var/log/secure for a possible shutdown (reboot, init, halt, shutdown) commands

NOTE: Please be careful about last command. If a user log in as a normal user and su - to become root, then reboot the server, last command would not list anything so in such case also needs to check /var/log/messages to see if anyone became root from normal user.

Utilize Audit

To monitor the root account's process execution which includes system reboot, use the following audit rule. Add below in /etc/audit/rules.d/audit.rules for RHEL7 and above. For RHEL6, edit /etc/audit/audit.rules instead.

1. For tracking every command executed by root user.

   • For 64-bit architecture:

     Raw

     -a exit,always -F arch=b64 -F uid=0 -S execve
     

   • For 32-bit architecture:

     Raw

     -a exit,always -F arch=b32 -F uid=0 -S execve
     

   NOTE: On RHEL6, use entry,always instead of exit,always .

2. For tracking every operation performed on below three files.

   Raw

   -w /usr/sbin/reboot -p rwxa -k sys-reboot
   -w /usr/sbin/shutdown -p rwxa -k sys-shutdown
   -w /usr/bin/systemctl -p rwxa -k sys-systemctl
   -w /lib/systemd/systemd -p rwxa -k sys-systemd
   

   NOTE: On RHEL6, use the following instead.

   Raw

   -w /sbin/reboot
   -w /sbin/shutdown
   -w /sbin/init
   

3. Run below to apply the rules.

   Raw

   # augenrules --load
   

   NOTE: On RHEL6, run the following commands instead.

   Raw

   # chkconfig auditd on
   # service auditd restart
   

Tips:

• Audit logs use epoch time to log the timestamps, so it needs to be converted into normal time format using ausearch command.

  Raw

  $ ausearch -if /var/log/audit/audit.log -i | less
  

• If the audit.log is from other system, it's best to set the timezone to the original server's with the below command.

  Raw

  $ export TZ=$(grep ^ZONE /etc/sysconfig/clock | awk -F '=' '{print $2}')
  $ ausearch -if /var/log/audit/audit.log -i | less
  

Enable Polkit Logging

Add a rule for the polkitd service for logging authorization action.

1. Enable persistent logging for the systemd journal by following this KCS How to enable persistent logging for the systemd journal.

2. Create a file /etc/polkit-1/rules.d/00-logging.rules with the content below

   Raw

   polkit.addRule(function(action, subject) {
       polkit.log("action=" + action);
       polkit.log("subject=" + subject);
   });
   

Tips

• Read the log of polkitd from the last systemd journal log.

 

Install Ubuntu Server 22.04 (Jammy Jellyfish) Step by Step

“Canonical Ubuntu 22.04 LTS is now generally available, featuring significant leaps forward in cloud confidential computing, real-time kernel for industrial applications, and enterprise Active Directory, PCI-DSS, HIPAA, FIPS and FedRAMP compliance – raising the bar for open source from cloud to edge, IoT and workstations. Canonical partners with industry leaders to deliver enterprise-grade security, long-term maintenance and support on all major architectures, hardware and clouds.”

For Ubuntu 22.04 Desktop Edition check out the guide in the link below.

• Install Ubuntu 22.04 (Jammy Jellyfish) Desktop – Step by Step With Screenshots

We are going to install this seemingly juicy new version in this guide so that you can enjoy the good things it brings into your workspace. Let us begin:

Prepare your bootable device

Go over to Ubuntu Downloads page and grab the new Ubuntu server 22.04 LTS.

wget https://releases.ubuntu.com/22.04/ubuntu-22.04-live-server-amd64.iso

Once your download is complete, you can create bootable USB if the installation is done on a Laptop or physical server hardware. For Linux/Unix users, dd command can be used for this.

First, identify the name of your USB device partition. Then run the following command replacing sdX with the name of your USB, e.g sdb.

sudo dd if=/path/to/image.iso of=/dev/sdX bs=8M status=progress oflag=direct

Wait until the command completes then proceed to boot your system from USB stick. You can also install and use Fedora Media Writer.

• Download for Windows
• Download for macOS

Step 1: Try Ubuntu or install Ubuntu

After your bootable media is ready, place in your bootable device in your computer, reboot and press the requisite keys that will lead you to the bootable menu depending on your laptop or computer configuration. Once you choose the installation media (USB or DVD), choose start installation as shown below.

You can choose to move around Ubuntu 22.04 LTS’s rooms before installing it or you can go ahead and get it running like we will choose to do here. Let it load the files for a few seconds then proceed to choose your locale.

Step 2: Choose your language and keyboard

Choose the language you prefer using up and down keys then hit “Enter“.

Choose your keyboard as well then hit “Enter” after you highlight “Done” below

Step 3: Type of install

Depending on your needs, you can have minimal install or fully fledged one on this step. Move using Up and Down keyboard keys than choose the one you want by pressing the backspace. Move to “Done” below and hit enter when you are done.

Step 4: Network Configuration

You can create an IP statically or you can use DHCP in case you have one already configured here depending on your needs. There is also a provision to create a bond if your physical server has more than one Network Interface Card. It is pretty convenient. Highlight “Done” below and hit “Enter” when everything is okay.

You can also enter a proxy address if you use one.

And the nearest mirror address to your location for fast content like updates.

Step 5: Storage Configuration

In this step, we believe you already have a layout of how you would want your disks to be arranged in your server. If you have custom partitions, use “Up” and “Down” keyboard keys and select “Custom storage layout” by hitting the backspace then configure your partitions accordingly. For this example, we will use the entire disk. Highlight “Done” below and hit “Enter” when everything is well configured.

You will get a report of how you have configured your disks next as illustrated below.

Then confirm your setup when the pop up below erupts.

Step 6: User Profile Setup

In this step, you will be presented with a form-like screen where you will key in a system user profile. Input the details accordingly. Once you have entered your profile details, highlight “Done” below and hit “Enter“

Step 7: SSH Setup

Here, you can choose to ignore the setting up of OpenSSH Server or you can go ahead to get it configured since it is pretty important to aid logging into the server remotely. Select “Install OpenSSH Server” using the space-bar then highlight “Done” below by moving using “Up” and “Down” keyboard keys then hit “Enter“.

Step 8: Select Packages you would like to install

In this step, Canonical was prudent enough to provide a list of tools you can choose to install during the installation process to make your life easier later. Look at the list and choose the ones you would like to have by selecting them using the space-bar. Use the “Up” and “Down” keyboard keys to navigate. When you are satisfied, highlight “Done” below and hit “Enter“

Installation will now begin. Let it do what it does then highlight and hit “Reboot Now” after all installs are done and you have removed your installation media as illustrated below.

Step 9: Login and Start Working

When the reboot is over, you will have your server ready to accept your login credentials, receive your applications that will serve your clients and your special people.

Input username and password then press <Enter>

Cheers to you and may your labour increase!!

Last Words

Now it time to shine and make the services you have in plan shining as well. The new Ubuntu server 22.04 LTS is at your service. Thank you for sticking through the entire guide.