环境
- Red Hat Enterprise Linux 4
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
问题
- How to find which user has rebooted the system?
决议
The availability of details is depended on the syslog's settings:
- Get the boot time by using
uptime
command and count back for how long it was on, or go to /var/log
and see the boot.log
file, or in the same directory see messages
file and look for "syslog started" time stamp. - type
last
command and see who were the users logged in at the time when system had been rebooted. - See these users shell history files in
~username/.bash_history
for su
or sudo
commands. But the vulnerability is, the user's can easily delete there history, so the best option is to use the auditing scheme. - Check
/var/log/secure
for a possible shutdown (reboot
, init
, halt
, shutdown
) commands
NOTE: Please be careful about last
command. If a user log in as a normal user and su -
to become root, then reboot the server, last
command would not list anything so in such case also needs to check /var/log/messages
to see if anyone became root from normal user.
If you want to monitor the root account's process execution which includes system reboot, you can use the following audit rule. Add below in /etc/audit/audit.rules
.
For tracking every command executed by root user.
For 64-bit architecture:
Raw
-a entry,always -F arch=b64 -F uid=0 -S execve
For 32-bit architecture:
Raw
-a entry,always -F arch=b32 -F uid=0 -S execve
NOTE: entry
is deprecated in RHEL6. use exit
instead of entry
.
For tracking every operation performed on below three files.
Raw
-w /sbin/reboot
-w /sbin/shutdown
-w /sbin/init
Note: For Red Hat Enterprise Linux 7
Raw
-w /usr/sbin/reboot -p rwxa -k sys-reboot
-w /usr/sbin/shutdown -p rwxa -k sys-shutdown
-w /usr/bin/systemctl -p rwxa -k sys-systemctl
Run below to apply the rules.
Raw
$ chkconfig auditd on
$ service auditd restart
Audit logs use epoch time to log the timestamps, so it needs to be converted into normal time format using ausearch
command.
Raw
$ ausearch -if /var/log/audit/audit.log -i | less
If the audit.log
is from other system, it's best to set the timezone to the original server's with the below command.
Raw
$ export TZ=$(grep ^ZONE /etc/sysconfig/clock | awk -F '=' '{print $2}')
$ ausearch -if /var/log/audit/audit.log -i | less