https://access.redhat.com/solutions/41281
SOLUTION VERIFIED - Updated July 31, 2017 16:45 -
Environment
- Red Hat Enterprise Linux 4
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
Issue
- How to find which user has rebooted the system?
Resolution
The availability of details depends on the syslog settings:
- Get the boot time by using the uptime command and counting back for how long the system was up, or go to /var/log and check the boot.log file, or in the same directory check the messages file and look for the "syslog started" time stamp.
- Type the last command and see which users were logged in at the time the system was rebooted.
- Check these users' shell history files in ~username/.bash_history for su or sudo commands. The weakness is that users can easily delete their own history, so the best option is to use the auditing scheme.
- Check /var/log/secure for possible shutdown commands (reboot, init, halt, shutdown).
NOTE: Please be careful with the last command. If a user logs in as a normal user, runs su - to become root and then reboots the server, the last command will not list anything; in that case also check /var/log/messages to see whether anyone became root from a normal user account.
If you want to monitor the root account's process execution, which includes system reboots, you can use the following audit rules. Add the lines below to /etc/audit/audit.rules.
To track every command executed by the root user:
For 64-bit architecture:
-a entry,always -F arch=b64 -F uid=0 -S execve
For 32-bit architecture:
-a entry,always -F arch=b32 -F uid=0 -S execve
NOTE: entry is deprecated in RHEL 6; use exit instead of entry.
To track every operation performed on the three files below:
-w /sbin/reboot
-w /sbin/shutdown
-w /sbin/init
Note: For Red Hat Enterprise Linux 7, use these paths instead:
-w /usr/sbin/reboot -p rwxa -k sys-reboot
-w /usr/sbin/shutdown -p rwxa -k sys-shutdown
-w /usr/bin/systemctl -p rwxa -k sys-systemctl
Run the commands below to apply the rules:
$ chkconfig auditd on
$ service auditd restart
Audit logs record timestamps as epoch time, so they need to be converted into a normal time format using the ausearch command:
$ ausearch -if /var/log/audit/audit.log -i | less
If the audit.log comes from another system, it is best to set the timezone to the original server's with the command below before running ausearch:
$ export TZ=$(grep ^ZONE /etc/sysconfig/clock | awk -F '=' '{print $2}')
$ ausearch -if /var/log/audit/audit.log -i | less
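As an added example (not part of the Red Hat article), the following Python parser applies the approach above to a few constructed audit.log records: it groups SYSCALL and EXECVE records by event serial, flags executions of the shutdown binaries or of systemctl with a reboot/poweroff/halt verb, converts the epoch timestamp, and reports auid (the login uid, which survives su - and sudo) next to the effective uid, which answers the NOTE above about users who became root. The sample records, the extra binary paths (halt) and the systemctl verb list are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit.log records (not from a real system). auid is the
# login uid set at logon; it is unchanged by "su -" or sudo, unlike uid=0.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1501490700.123:4567): arch=c000003e syscall=59 success=yes auid=1000 uid=0 tty=pts0 ses=3 comm="reboot" exe="/usr/sbin/reboot" key="sys-reboot"
type=EXECVE msg=audit(1501490700.123:4567): argc=1 a0="reboot"
type=SYSCALL msg=audit(1501490650.500:4560): arch=c000003e syscall=59 success=yes auid=1001 uid=0 tty=pts1 ses=4 comm="systemctl" exe="/usr/bin/systemctl" key="sys-systemctl"
type=EXECVE msg=audit(1501490650.500:4560): argc=2 a0="systemctl" a1="status"
type=SYSCALL msg=audit(1501490800.001:4580): arch=c000003e syscall=59 success=yes auid=1001 uid=0 tty=pts1 ses=4 comm="systemctl" exe="/usr/bin/systemctl" key="sys-systemctl"
type=EXECVE msg=audit(1501490800.001:4580): argc=2 a0="systemctl" a1="poweroff"
"""

SHUTDOWN_EXES = {"/sbin/reboot", "/sbin/shutdown", "/sbin/halt", "/sbin/init",
                 "/usr/sbin/reboot", "/usr/sbin/shutdown", "/usr/sbin/halt"}
SYSTEMCTL_SHUTDOWN_VERBS = {"reboot", "poweroff", "halt"}  # assumed verb list

REC_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group audit records by event serial, merging their key=value fields."""
    events = {}
    for line in log_text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"ts": float(ts), "argv": []})
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "EXECVE":  # rebuild argv from a0, a1, ... up to argc
            ev["argv"] = [fields[f"a{i}"] for i in range(int(fields["argc"])) if f"a{i}" in fields]
    return events


def find_shutdown_events(log_text):
    """Return (time, login uid, effective uid, command) for each shutdown-type execution."""
    hits = []
    for ev in sorted(parse_events(log_text).values(), key=lambda e: e["ts"]):
        exe, argv = ev.get("exe", ""), ev["argv"]
        is_shutdown = exe in SHUTDOWN_EXES or (
            exe.endswith("/systemctl") and any(a in SYSTEMCTL_SHUTDOWN_VERBS for a in argv))
        if is_shutdown:
            # Timestamps are epoch seconds; rendered in UTC here (use TZ as above for local time).
            when = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S %Z")
            hits.append((when, int(ev["auid"]), int(ev["uid"]), " ".join(argv)))
    return hits


if __name__ == "__main__":
    for when, auid, uid, cmd in find_shutdown_events(SAMPLE_AUDIT_LOG):
        print(f"{when}  login uid={auid}  effective uid={uid}  {cmd}")
```

The plain "systemctl status" event is ignored, while the reboot and poweroff events are attributed to login uids 1000 and 1001 even though both ran as uid 0.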

This post covers Red Hat Enterprise Linux 4 through 7 and discusses how to find out which user rebooted the system. The resolution notes that the available information depends on the syslog settings, for example obtaining the boot time with a command, checking which users were logged in, and inspecting users' shell history files; it also introduces the auditing approach with the relevant audit rules, and how to convert the log timestamp format.