How to find which user has rebooted the system?
Environment
- Red Hat Enterprise Linux 4, 5, 6, 7, 8, 9
Issue
- How to find which user has rebooted the system?
Resolution
The availability of details is depended on the syslog's settings:
- Get the boot time by using
uptime
command and count back for how long it was on, or go to/var/log
and see theboot.log
file, or in the same directory seemessages
file and look for "syslog started" time stamp. - type
last
command and see who were the users logged in at the time when system had been rebooted. - See these users shell history files in
~username/.bash_history
forsu
orsudo
commands. But the vulnerability is, the user's can easily delete there history, so the best option is to use the auditing scheme. - Check
/var/log/secure
for a possible shutdown (reboot
,init
,halt
,shutdown
) commands
NOTE: Please be careful about last
command. If a user log in as a normal user and su -
to become root, then reboot the server, last
command would not list anything so in such case also needs to check /var/log/messages
to see if anyone became root from normal user.
Utilize Audit
To monitor the root account's process execution which includes system reboot, use the following audit rule. Add below in /etc/audit/rules.d/audit.rules
for RHEL7 and above. For RHEL6, edit /etc/audit/audit.rules
instead.
For tracking every command executed by root user.
For 64-bit architecture:
-a exit,always -F arch=b64 -F uid=0 -S execve
For 32-bit architecture:
-a exit,always -F arch=b32 -F uid=0 -S execve
NOTE: On RHEL6, use
entry,always
instead ofexit,always
.For tracking every operation performed on below three files.
-w /usr/sbin/reboot -p rwxa -k sys-reboot -w /usr/sbin/shutdown -p rwxa -k sys-shutdown -w /usr/bin/systemctl -p rwxa -k sys-systemctl -w /lib/systemd/systemd -p rwxa -k sys-systemd
NOTE: On RHEL6, use the following instead.
-w /sbin/reboot -w /sbin/shutdown -w /sbin/init
Run below to apply the rules.
# augenrules --load
NOTE: On RHEL6, run the following commands instead.
# chkconfig auditd on # service auditd restart
Tips:
Audit logs use epoch time to log the timestamps, so it needs to be converted into normal time format using
ausearch
command.$ ausearch -if /var/log/audit/audit.log -i | less
If the
audit.log
is from other system, it's best to set the timezone to the original server's with the below command.$ export TZ=$(grep ^ZONE /etc/sysconfig/clock | awk -F '=' '{print $2}') $ ausearch -if /var/log/audit/audit.log -i | less
Enable Polkit Logging
Add a rule for the polkitd service for logging authorization action.
Enable persistent logging for the systemd journal by following this KCS How to enable persistent logging for the systemd journal.
Create a file
/etc/polkit-1/rules.d/00-logging.rules
with the content belowpolkit.addRule(function(action, subject) { polkit.log("action=" + action); polkit.log("subject=" + subject); });
Tips
- Read the log of polkitd from the last systemd journal log.
No comments:
Post a Comment