Introduction
Please keep in mind that system administrative tasks such as investigating and monitoring system reboots are best handled by a systems administrator.
Procedure
Verify that auditd is installed, enabled, and running:
- systemctl enable auditd
- systemctl start auditd
- systemctl status auditd
Add the rules to auditd with the following commands:
- auditctl -a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k reboot
- auditctl -a exit,always -F arch=b64 -S execve -F path=/sbin/init -k reboot
- auditctl -a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot
- auditctl -a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k reboot
Verify that the rules are now in place with the following command:
- auditctl -l
Add the rules to the configuration file so that they persist through a reboot:
CentOS 7:
/etc/audit/rules.d/audit.rules
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k reboot
CentOS 6:
/etc/audit/audit.rules
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k reboot
When a reboot occurs that you would like to investigate, use the following command:
- ausearch -k reboot
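A drift check for the persistent rules file, added here as an example that is not part of the original article: it confirms that all four reboot rules from the procedure are present in a rules file and names any that are missing. It assumes the rule layout shown above and runs against a constructed sample file (one carrying a misspelled path) rather than a live auditd.

```shell
#!/bin/sh
# Added example, not from the original article: verify that an audit rules
# file contains all four reboot rules from the procedure above.

REBOOT_BINARIES="/sbin/reboot /sbin/init /sbin/poweroff /sbin/shutdown"

# check_reboot_rules FILE
# Prints one line per binary whose rule is absent from FILE.
# Returns 0 when all four rules are present, 1 otherwise.
check_reboot_rules() {
    rules_file="$1"
    missing=0
    for bin in $REBOOT_BINARIES; do
        # The rule must watch execve on the exact path and carry the
        # "reboot" key, so that "ausearch -k reboot" finds the events.
        if ! grep -Eq -- "-S execve .*-F path=${bin} .*-k reboot" "$rules_file"; then
            echo "missing rule for ${bin}"
            missing=1
        fi
    done
    return $missing
}

# count_missing_reboot_rules FILE
# Number of reboot rules absent from FILE (0 means the file is complete).
count_missing_reboot_rules() {
    check_reboot_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample rules file: the last rule misspells /sbin/shutdown,
# so that binary's executions would never be tagged with the reboot key.
SAMPLE_RULES="$(mktemp)"
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdow -k reboot
EOF

# Stand-alone run: reports "missing rule for /sbin/shutdown".
if ! check_reboot_rules "$SAMPLE_RULES"; then
    echo "rules file $SAMPLE_RULES is incomplete"
fi
```

Point the function at /etc/audit/rules.d/audit.rules (CentOS 7) or /etc/audit/audit.rules (CentOS 6) to check a real host.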