Audit rules to log reboot command executions in CentOS/RHEL

by admin

auditd is the userspace component of the Linux Auditing System. It is responsible for writing audit records to disk. Viewing the logs is done with the ausearch or aureport utilities, and configuring the audit rules is done with the auditctl utility. During startup, auditctl reads the rules from /etc/audit/rules.d/audit.rules (on CentOS/RHEL 7). The audit daemon itself has some configuration options that the admin may wish to customize; they are found in the auditd.conf file.

This post provides sample audit rules that capture the user identity and the command used to reboot or shut down Linux servers; the rules can be modified as required.

The primary configuration file for adding audit rules is /etc/audit/audit.rules, and it needs to be updated with the required rules.

Note: On CentOS/RHEL 7, the configuration file is /etc/audit/rules.d/audit.rules instead of /etc/audit/audit.rules.

Auditd Configuration

The example below is based on CentOS/RHEL 6, but the steps remain the same for CentOS/RHEL 7 (with the rule file path noted above).

1. Take a backup of the existing configuration.

# cp /etc/audit/audit.rules /etc/audit/audit.rules.bkp

2. Edit the file /etc/audit/audit.rules and append the following rules so that they persist across auditd restarts.

# vi /etc/audit/audit.rules
# -k reboot sets the filter key used later with "ausearch -k reboot".
# These rules match 64-bit execve calls only; add matching arch=b32 rules if 32-bit binaries run on the host.
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k reboot

3. Restart the auditd service for the changes to take effect.

# service auditd restart

4. List the loaded rules:

# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/sbin/reboot key=reboot syscall=execve
LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/sbin/init key=reboot syscall=execve
LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/sbin/poweroff key=reboot syscall=execve
LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/sbin/shutdown key=reboot syscall=execve

Verify

To filter the reboot events out of the audit log, specify the filter key:

# ausearch -k reboot

time->Mon Jan 4 11:48:20 2016
type=PATH msg=audit(1451926100.004:17): item=1 name=(null) inode=1368522 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1451926100.004:17): item=0 name="/sbin/init" inode=1792404 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1451926100.004:17): cwd="/root"
type=EXECVE msg=audit(1451926100.004:17): argc=2 a0="init" a1="6"
type=SYSCALL msg=audit(1451926100.004:17): arch=c000003e syscall=59 success=yes exit=0 a0=12706f0 a1=1271190 a2=1268ec0 a3=8 items=2 ppid=2830 pid=2879 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="init" exe="/sbin/init" key="reboot"

Here, in the SYSCALL record:
auid – the login user ID of the session that ran the command (it survives su and sudo, so it identifies the original user)
uid – the user ID the command ran as
gid – the group ID the command ran as
tty – the terminal the command was issued from
exe="/sbin/init" – the command executed (the EXECVE record carries its arguments, here "init 6")
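As an added example (not part of the original post), the following Python script parses raw ausearch output of the kind shown above into one summary row per reboot event, joining the SYSCALL and EXECVE records by their audit serial and flagging events where the login UID (auid) differs from the UID the command ran as. The sample input is constructed: the event from this post with its PATH records omitted, plus a made-up second event.

```python
import re
from collections import defaultdict

# Constructed sample: this post's event (PATH records omitted) plus a made-up second event.
SAMPLE = """\
time->Mon Jan 4 11:48:20 2016
type=CWD msg=audit(1451926100.004:17): cwd="/root"
type=EXECVE msg=audit(1451926100.004:17): argc=2 a0="init" a1="6"
type=SYSCALL msg=audit(1451926100.004:17): arch=c000003e syscall=59 success=yes exit=0 a0=12706f0 a1=1271190 a2=1268ec0 a3=8 items=2 ppid=2830 pid=2879 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="init" exe="/sbin/init" key="reboot"
----
type=CWD msg=audit(1451926961.120:42): cwd="/home/alice"
type=EXECVE msg=audit(1451926961.120:42): argc=3 a0="shutdown" a1="-r" a2="now"
type=SYSCALL msg=audit(1451926961.120:42): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3100 pid=3105 auid=1000 uid=0 gid=0 euid=0 tty=pts2 ses=4 comm="shutdown" exe="/sbin/shutdown" key="reboot"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_ausearch(raw):
    # Group raw records into events keyed by (timestamp, serial).
    events = defaultdict(lambda: {"records": {}, "argv": {}})
    for line in raw.splitlines():
        if not (m := RECORD_RE.match(line)):
            continue  # "time->" headers and "----" separators carry no fields
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[(float(ts), int(serial))]
        if rtype == "EXECVE":  # argv is spread over a0..aN; keep it ordered
            for k, v in fields.items():
                if k[0] == "a" and k[1:].isdigit():
                    ev["argv"][int(k[1:])] = v
        else:
            ev["records"][rtype] = fields
    return events

def summarize_reboots(raw, key="reboot"):
    # One row per successful execve carrying the filter key.
    rows = []
    for (ts, serial), ev in sorted(parse_ausearch(raw).items()):
        sc = ev["records"].get("SYSCALL", {})
        if sc.get("key") != key or sc.get("success") != "yes":
            continue
        auid, uid = sc.get("auid"), sc.get("uid")
        rows.append({
            "epoch": ts, "serial": serial, "tty": sc.get("tty"), "exe": sc.get("exe"),
            "auid": auid,  # login uid: the account that actually logged in
            "uid": uid,    # identity at execve time (0 after su/sudo)
            "cmd": " ".join(ev["argv"][i] for i in sorted(ev["argv"])),
            # auid != uid means su/sudo sat between the login and the command (4294967295 = unset auid)
            "privilege_changed": auid not in (None, "4294967295") and auid != uid,
        })
    return rows
```

On a live system, feed it the output of `ausearch -k reboot --raw` instead of the constructed sample.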

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2023 · The Geek Diary