Environment

  • Red Hat Enterprise Linux 4
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • How to find which user has rebooted the system?

Resolution

The availability of details depends on the syslog settings:

  1. Get the boot time by using the uptime command and counting back for how long the system has been up, or go to /var/log and check the boot.log file, or in the same directory check the messages file and look for the "syslog started" time stamp.
  2. Type the last command and see which users were logged in at the time the system was rebooted.
  3. Check those users' shell history files in ~username/.bash_history for su or sudo commands. The weakness is that users can easily delete their own history, so the best option is to use the auditing scheme.
  4. Check /var/log/secure for possible shutdown commands (reboot, init, halt, shutdown).

NOTE: Please be careful with the last command. If a user logs in as a normal user, runs su - to become root and then reboots the server, the last command will not list anything, so in that case /var/log/messages also needs to be checked to see whether anyone became root from a normal user.

If you want to monitor the root account's process execution, which includes system reboots, you can use the following audit rules. Add the lines below to /etc/audit/audit.rules.

For tracking every command executed by the root user:

For 64-bit architecture:

-a entry,always -F arch=b64 -F uid=0 -S execve

For 32-bit architecture:

-a entry,always -F arch=b32 -F uid=0 -S execve

NOTE: entry is deprecated in RHEL 6; use exit instead of entry.

For tracking every operation performed on the three files below:

-w /sbin/reboot
-w /sbin/shutdown
-w /sbin/init

Note: For Red Hat Enterprise Linux 7, use these paths instead:

-w /usr/sbin/reboot -p rwxa -k sys-reboot
-w /usr/sbin/shutdown -p rwxa -k sys-shutdown
-w /usr/bin/systemctl -p rwxa -k sys-systemctl

Run the commands below to apply the rules.

$ chkconfig auditd on
$ service auditd restart

Audit logs record timestamps in epoch time, so they need to be converted into a normal time format using the ausearch command.

$ ausearch -if /var/log/audit/audit.log -i | less

If the audit.log is from another system, it is best to set the timezone to the original server's with the commands below.

$ export TZ=$(grep ^ZONE /etc/sysconfig/clock | awk -F '=' '{print $2}')
$ ausearch -if /var/log/audit/audit.log -i | less
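A small parser for the raw audit records that the rules above produce, added here as an example and not part of the Red Hat article: it selects SYSCALL records tagged with the sys-reboot, sys-shutdown or sys-systemctl keys, converts the epoch timestamp to UTC (this assumes GNU date) and prints the login uid (auid), which is set at login and therefore still identifies the original user after su -, beside the effective uid. The log lines are constructed samples, not a real capture.

```shell
#!/bin/sh
# Constructed sample of raw /var/log/audit/audit.log lines (values made up;
# layout follows the SYSCALL record format). Only the first record carries
# one of the reboot-related keys; the others are there to show filtering.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1388534400.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=2345 pid=2346 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="reboot" exe="/usr/sbin/reboot" key="sys-reboot"
type=EXECVE msg=audit(1388534400.123:4567): argc=1 a0="reboot"
type=SYSCALL msg=audit(1388537000.456:4600): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/usr/bin/ls" key=(null)
EOF
)

# Read raw audit records on stdin; print one line per SYSCALL record whose
# key is sys-reboot, sys-shutdown or sys-systemctl: UTC time, auid, uid,
# executable and key. auid is the login uid, so it survives 'su -'.
reboot_events() {
    awk '
    $1 == "type=SYSCALL" && /key="sys-(reboot|shutdown|systemctl)"/ {
        # $2 looks like msg=audit(1388534400.123:4567): -> keep the seconds
        epoch = $2; sub(/^msg=audit\(/, "", epoch); sub(/\..*$/, "", epoch)
        auid = ""; uid = ""; exe = ""; key = ""
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "auid") auid = kv[2]
            else if (kv[1] == "uid") uid = kv[2]
            else if (kv[1] == "exe") exe = kv[2]
            else if (kv[1] == "key") key = kv[2]
        }
        gsub(/"/, "", exe); gsub(/"/, "", key)
        print epoch, auid, uid, exe, key
    }' | while read -r epoch auid uid exe key; do
        # Epoch -> human-readable UTC, the same conversion ausearch -i does
        printf '%s auid=%s uid=%s exe=%s key=%s\n' \
            "$(date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S')" \
            "$auid" "$uid" "$exe" "$key"
    done
}

printf '%s\n' "$SAMPLE_AUDIT_LOG" | reboot_events
```

On a live system, feed the real file instead: reboot_events < /var/log/audit/audit.log.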