Linux Audit Server Reboots

0

I'm running AuditD on CentOS 6.5.

Is there a way to audit server reboots - who and when a server is rebooted? So if I log in and run:

sudo reboot 

I should see a log entry in /var/log/audit/audit.log with something like this:

type=CMD msg=audit(1484758210.821:630): user pid=2361 uid=101 auid=101 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 exe="/sbin/reboot"

Ken J

Posted 2017-01-18T17:01:46.067

Reputation: 303

Answers

1

Add a rule for it to audit.rules:

-w /sbin/shutdown -p x -k power

djsmiley2k TMW

Posted 2017-01-18T17:01:46.067

Reputation: 5 937
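
Reading back what a watch rule with key "power" records, as an added example that is not part of the answer above: it pulls the "who" (auid, the login UID that survives sudo) and the "when" out of the SYSCALL records carrying that key. The log lines are constructed samples and `power_events` is a hypothetical helper name; on a live host `ausearch -k power -i` performs the same lookup.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not from a real host), in the SYSCALL format
# auditd writes when a "-p x" watch with key "power" fires.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1484758210.821:630): arch=c000003e syscall=59 success=yes exit=0 ppid=2360 pid=2361 auid=101 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="shutdown" exe="/sbin/shutdown" key="power"
type=SYSCALL msg=audit(1484758300.100:641): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="cron-files"
type=SYSCALL msg=audit(1484761800.005:702): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2988 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="shutdown" exe="/sbin/shutdown" key="power"
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # (uint32)-1: no login session, e.g. a daemon


def power_events(log_text, key="power"):
    """Return one dict per successful SYSCALL record tagged with the rule key."""
    events = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m or m.group(1) != "SYSCALL":
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(5))}
        if fields.get("key") != key or fields.get("success") != "yes":
            continue
        auid = int(fields["auid"])
        when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
        events.append({
            "serial": int(m.group(4)),
            "time_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
            # auid is the login UID; it survives sudo, unlike uid/euid.
            "login_uid": None if auid == UNSET_AUID else auid,
            "uid": int(fields["uid"]),
            "exe": fields["exe"],
        })
    return events


if __name__ == "__main__":
    for ev in power_events(SAMPLE_LOG):
        print(ev)
```

A `login_uid` of `None` means the command ran outside any login session, so the record alone does not name a person.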

0

You can try to look into logs for that too if you can't or don't want to configure the audit rules:

sudo grep sudo /var/log/auth.log

Every sudo command executed will be there, so you can find it by looking for 'reboot' or 'shutdown'.

Tim Connor

Posted 2017-01-18T17:01:46.067

Reputation: 25