Monday, August 1, 2022

How to find which user has rebooted the system

 

How to find which user has rebooted the system?

 

Environment

  • Red Hat Enterprise Linux 4, 5, 6, 7, 8, 9

Issue

  • How to find which user has rebooted the system?

Resolution

The availability of details is depended on the syslog's settings:

  1. Get the boot time by using uptime command and count back for how long it was on, or go to /var/log and see the boot.log file, or in the same directory see messages file and look for "syslog started" time stamp.
  2. type last command and see who were the users logged in at the time when system had been rebooted.
  3. See these users shell history files in ~username/.bash_history for su or sudo commands. But the vulnerability is, the user's can easily delete there history, so the best option is to use the auditing scheme.
  4. Check /var/log/secure for a possible shutdown (rebootinithaltshutdown) commands

NOTE: Please be careful about last command. If a user log in as a normal user and su - to become root, then reboot the server, last command would not list anything so in such case also needs to check /var/log/messages to see if anyone became root from normal user.

Utilize Audit

To monitor the root account's process execution which includes system reboot, use the following audit rule. Add below in /etc/audit/rules.d/audit.rules for RHEL7 and above. For RHEL6, edit /etc/audit/audit.rules instead.

  1. For tracking every command executed by root user.

    • For 64-bit architecture:

      -a exit,always -F arch=b64 -F uid=0 -S execve
      
    • For 32-bit architecture:

      -a exit,always -F arch=b32 -F uid=0 -S execve
      

    NOTE: On RHEL6, use entry,always instead of exit,always .

  2. For tracking every operation performed on below three files.

    -w /usr/sbin/reboot -p rwxa -k sys-reboot
    -w /usr/sbin/shutdown -p rwxa -k sys-shutdown
    -w /usr/bin/systemctl -p rwxa -k sys-systemctl
    -w /lib/systemd/systemd -p rwxa -k sys-systemd
    

    NOTE: On RHEL6, use the following instead.

    -w /sbin/reboot
    -w /sbin/shutdown
    -w /sbin/init
    
  3. Run below to apply the rules.

    # augenrules --load
    

    NOTE: On RHEL6, run the following commands instead.

    # chkconfig auditd on
    # service auditd restart
    

Tips:

  • Audit logs use epoch time to log the timestamps, so it needs to be converted into normal time format using ausearch command.

    $ ausearch -if /var/log/audit/audit.log -i | less
    
  • If the audit.log is from other system, it's best to set the timezone to the original server's with the below command.

    $ export TZ=$(grep ^ZONE /etc/sysconfig/clock | awk -F '=' '{print $2}')
    $ ausearch -if /var/log/audit/audit.log -i | less
    

Enable Polkit Logging

Add a rule for the polkitd service for logging authorization action.

  1. Enable persistent logging for the systemd journal by following this KCS How to enable persistent logging for the systemd journal.

  2. Create a file /etc/polkit-1/rules.d/00-logging.rules with the content below

    polkit.addRule(function(action, subject) {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
    });
    

Tips

  • Read the log of polkitd from the last systemd journal log.