
how to audit a reboot?

Server Fault Asked by Arpton on November 9, 2021

Quick and simple question: How do I use auditd to log a system reboot?
I tried using the reboot syscall to no avail. I could imagine that the audit daemon is stopped before the actual syscall is made.

I then set a hook on /sbin/reboot. But this is a symlink to /bin/systemctl. Even with monitoring every syscall, auditd does not log anything when I reboot the system…

How can I actually monitor a reboot with auditd?

edit: I noticed one thing: I configured audit to send directly to syslog, which saves . to a file. In /var/log/audit/audit.log there is a mention of a reboot, but not in the syslog file. Any idea how that could happen?
Thanks.

One Answer

In Linux, you would have to have the auditd daemon running. I believe it usually is by default.

# this will work for both the older sysinit linux as well as newer systemd linux

service auditd [start | stop | status]

having the default audit.conf and audit.rules file I believe will put enough information in /var/log/audit/audit.log where one can easily recognize a reboot. So you don't have to manually add any special audit rule.

The raw linux audit log... is raw... not easily human readable. The date is in epoch format. However if you were to do this

service auditd stop
rm /var/log/audit/audit.log
service auditd start
reboot

log in
immediately edit audit.log to see what happened before it fills up, making it harder to see

the beginning of that audit.log will show exactly what gets logged when a reboot happens and what happens upon boot. You should be able to easily recognize it, it will all be in the top of that new audit.log file. And it will likely be 50+ lines worth, I know it is using rhel 7 for example. Whether you can identify a reboot happening to a single line in audit.log I'm not sure.

I'm not sure if that raw audit log syntax varies with Linux distribution, and it probably does with the various versions of audit there are. Which is why it would be best to specifically look on your system to see what it is.

For dealing with that epoch date in the audit log:

https://unix.stackexchange.com/questions/2987/how-do-i-convert-an-epoch-timestamp-to-a-human-readable-format-on-the-cli

Answered by ron on November 9, 2021
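Both the question (watching /sbin/reboot, which resolves to systemctl) and the answer (recognising the reboot in the raw, epoch-stamped audit.log) come down to picking the right records out of that file. The script below is an added example, not code from either poster: it parses raw auditd records, converts the epoch timestamp to UTC, and keeps the records that mark a shutdown/boot cycle. On systemd hosts the SYSTEM_SHUTDOWN and SYSTEM_BOOT records are written by systemd-update-utmp without any custom rule; DAEMON_END/DAEMON_START come from auditd itself stopping and starting. The SYSCALL match assumes a hypothetical watch rule with key "power" (for example `-w /sbin/reboot -p x -k power`), and the sample log lines are constructed to mirror the real record layout.

```python
"""Pull reboot-related records out of a raw auditd log (added example, not from the thread)."""
import re
import sys
from datetime import datetime, timezone

# Head of every audit record: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <fields>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are either double-quoted (comm="reboot") or bare (uid=0)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Record types emitted around shutdown and boot with no custom rule at all.
LIFECYCLE_TYPES = {"SYSTEM_SHUTDOWN", "SYSTEM_BOOT", "DAEMON_END", "DAEMON_START"}
# Hypothetical key attached by a rule such as: -w /sbin/reboot -p x -k power  (assumption)
POWER_KEY = "power"

# Constructed sample log, modelled on real auditd/systemd-update-utmp record layout.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1636459190.001:450): arch=c000003e syscall=59 success=yes exit=0 ppid=2410 pid=2412 auid=1000 uid=0 gid=0 comm="systemctl" exe="/usr/bin/systemctl" key="power"
type=CWD msg=audit(1636459190.001:450): cwd="/root"
type=SYSTEM_SHUTDOWN msg=audit(1636459200.123:456): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
type=DAEMON_END msg=audit(1636459201.500:457): op=terminate auid=4294967295 pid=1 subj=? res=success
type=DAEMON_START msg=audit(1636459255.000:9500): op=start ver=3.0 format=enriched kernel=5.14.0 auid=4294967295 pid=621 uid=0 ses=4294967295 subj=? res=success
type=SYSTEM_BOOT msg=audit(1636459260.456:5): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1636459300.000:20): pid=900 uid=0 auid=1000 ses=1 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
"""


def epoch_to_utc(sec, ms):
    """Turn the audit(<sec>.<ms>:...) stamp into a readable UTC string."""
    dt = datetime.fromtimestamp(int(sec), tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{ms} UTC"


def parse_record(line):
    """Parse one raw audit line into a dict, or return None if it is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {
        "type": m.group("type"),
        "serial": int(m.group("serial")),
        "when": epoch_to_utc(m.group("sec"), m.group("ms")),
        "fields": fields,
    }


def is_reboot_related(rec):
    """Lifecycle records always count; SYSCALL records only when tagged by the power rule."""
    if rec["type"] in LIFECYCLE_TYPES:
        return True
    return rec["type"] == "SYSCALL" and rec["fields"].get("key") == POWER_KEY


def find_reboot_events(lines):
    """Return the reboot-related records from an iterable of raw audit lines, in file order."""
    return [rec for rec in map(parse_record, lines) if rec and is_reboot_related(rec)]


def summarize(rec):
    """One human-readable line per record: time, type, and the executable if present."""
    exe = rec["fields"].get("exe", "-")
    return f'{rec["when"]}  {rec["type"]:<16} serial={rec["serial"]} exe={exe}'


if __name__ == "__main__":
    # Usage: python find_reboots.py /var/log/audit/audit.log   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for rec in find_reboot_events(lines):
        print(summarize(rec))
```

Run against the real file, the SYSTEM_SHUTDOWN line followed by DAEMON_END is the shutdown, and DAEMON_START followed by SYSTEM_BOOT is the next boot; the serial number resetting to a small value is another tell that the kernel audit subsystem started fresh. The SYSCALL record only appears if you actually have a rule keyed "power" in place.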
