
Quick and simple question: How do I use auditd to log a system reboot? I tried using the reboot syscall to no avail. I could imagine that the audit daemon is stopped before the actual syscall is made.

I then set a hook on /sbin/reboot. But this is a symlink to /bin/systemctl. Even with monitoring every syscall, auditd does not log anything when I reboot the system...

How can I actually monitor a reboot with auditd?

edit: I noticed one thing: I configured audit to send directly to syslog, which saves it to a file. In /var/log/audit/audit.log there is a mention of a reboot, but not in the syslog file. Any idea how that could happen? Thanks.

Arpton
  • I see numerous audit events logged when the system reboots. Specifically what information are you looking for? – Michael Hampton Jul 21 '20 at 16:54
  • I want to know if the reboot command, either in terminal, or in the desktop gui was used, so if it was rebooted on purpose, or if it rebooted because of a crash. – Arpton Jul 22 '20 at 09:41
  • https://access.redhat.com/articles/2642741 – Michael Hampton Jul 22 '20 at 10:28
  • The suggestions are for ways to see it after the reboot. I want to log the usage of "reboot" before the reboot happens. I noticed something and edited the post. – Arpton Jul 22 '20 at 12:55
  • Several of those methods result in persistent log entries. But that, of course, depends on whether you have logging enabled at all. Make sure rsyslog is running. – Michael Hampton Jul 22 '20 at 18:27
  • Logging is running, otherwise I would not have other audit entries in it... – Arpton Jul 23 '20 at 09:14

1 Answer


In Linux, you would have to have the auditd daemon running. I believe it usually is by default.

# this will work for both the older sysinit linux as well as newer systemd linux

service auditd [start | stop | status]

Having the default audit.conf and audit.rules file I believe will put enough information in /var/log/audit/audit.log where one can easily recognize a reboot. So you don't have to manually add any special audit rule.

The raw Linux audit log... is raw... not easily human readable. The date is in epoch format. However, if you were to do this:

service auditd stop
rm /var/log/audit/audit.log
service auditd start
reboot

log in
immediately edit audit.log to see what happened before it fills up, making it harder to see

The beginning of that audit.log will show exactly what gets logged when a reboot happens and what happens upon boot. You should be able to easily recognize it; it will all be at the top of that new audit.log file. And it will likely be 50+ lines worth, I know it is using RHEL 7 for example. Whether you can identify a reboot happening to a single line in audit.log I'm not sure.

I'm not sure if that raw audit log syntax varies with Linux distribution, and it probably does with the various versions of audit there are. Which is why it would be best to specifically look on your system to see what it is.

For dealing with that epoch date in the audit log:

https://unix.stackexchange.com/questions/2987/how-do-i-convert-an-epoch-timestamp-to-a-human-readable-format-on-the-cli

ron
  • I know in principle how auditd works :) But as I see it, audit shows that the system booted, but not if the boot was on purpose, or if the system crashed before that. The usage of the reboot command, or the reboot syscall, is not logged. But I want that to be logged. – Arpton Jul 22 '20 at 09:42
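As an added illustration of the answer's approach (reading the raw audit.log, converting the epoch timestamps, and picking out the lifecycle records the default rules already produce), the following script is example code written for this page, not the answerer's own. It extracts the `SYSTEM_SHUTDOWN`, `DAEMON_END`, `DAEMON_START` and `SYSTEM_BOOT` records and then applies a heuristic for the asker's actual question: a boot that is preceded by a `SYSTEM_SHUTDOWN` record is treated as an orderly reboot, a boot with no shutdown record before it is flagged as unclean (crash, power loss, or auditd already gone before shutdown ran). That heuristic is an assumption of this example, as is GNU `date -d @epoch`; the sample log is constructed, not a real capture, and the timestamps and pids in it are invented.

```shell
#!/bin/sh
# Example helper (not from the original post). Assumes GNU date (-d "@epoch")
# and an audit.log in the raw format shown in the constructed sample below.

# Constructed sample of raw audit.log records: an orderly reboot, then a boot
# with no shutdown record in front of it. Not a real capture.
sample_audit_log() {
    cat <<'EOF'
type=USER_LOGIN msg=audit(1595352900.000:400): pid=2001 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=SYSTEM_SHUTDOWN msg=audit(1595353000.000:411): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
type=DAEMON_END msg=audit(1595353001.000:412): op=terminate auid=4294967295 pid=812 res=success
type=DAEMON_START msg=audit(1595353115.000:1): op=start ver=2.8.5 format=raw kernel=3.10.0 auid=4294967295 pid=799 res=success
type=SYSTEM_BOOT msg=audit(1595353120.000:15): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1595353300.000:40): pid=2105 uid=0 auid=1000 ses=1 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=DAEMON_START msg=audit(1595399990.000:1): op=start ver=2.8.5 format=raw kernel=3.10.0 auid=4294967295 pid=801 res=success
type=SYSTEM_BOOT msg=audit(1595400000.000:15): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
EOF
}

# Print the daemon/system lifecycle records from an audit.log (file args, or
# stdin when none are given), oldest first, as: <ISO-8601 UTC> <epoch> <type>.
audit_lifecycle_events() {
    grep -E '^type=(SYSTEM_BOOT|SYSTEM_SHUTDOWN|DAEMON_START|DAEMON_END) ' "$@" \
    | while IFS= read -r line; do
        type=${line#type=}; type=${type%% *}              # record type
        stamp=${line#*msg=audit(}; stamp=${stamp%%:*}     # "1595353000.000"
        secs=${stamp%%.*}                                 # drop the milliseconds
        when=$(date -u -d "@$secs" '+%Y-%m-%dT%H:%M:%SZ') # epoch -> readable (GNU date)
        printf '%s %s %s\n' "$when" "$secs" "$type"
      done
}

# Heuristic (an assumption of this example): SYSTEM_SHUTDOWN is written by
# systemd-update-utmp during an orderly shutdown, so a SYSTEM_BOOT that is not
# preceded by one means the previous instance never shut down cleanly.
classify_boots() {
    audit_lifecycle_events "$@" | {
        seen_shutdown=no
        while read -r when secs type; do
            case $type in
                SYSTEM_SHUTDOWN) seen_shutdown=yes ;;
                SYSTEM_BOOT)
                    if [ "$seen_shutdown" = yes ]; then
                        verdict='clean (SYSTEM_SHUTDOWN recorded before this boot)'
                    else
                        verdict='UNCLEAN (no SYSTEM_SHUTDOWN before this boot: crash or power loss?)'
                    fi
                    printf '%s boot %s\n' "$when" "$verdict"
                    seen_shutdown=no ;;
            esac
        done
    }
}

# Demo on the constructed sample; on a real host run:
#   classify_boots /var/log/audit/audit.log
sample_audit_log | classify_boots
```

The script only ever reads the log, so it is safe to run against the live `/var/log/audit/audit.log` (as root) without the stop/rm/start dance; the dance is still useful if you want the reboot records at the very top of a fresh file, as the answer describes. Because it keys on `SYSTEM_SHUTDOWN` alone and not on `DAEMON_END`, a manual `service auditd stop` does not count as evidence of an orderly reboot.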