On Wednesday 28 February 2007 08:28, Steve Grubb wrote:
> > 1) Using auditd to check for system start/stop. In "man syscalls" it
> > shows shutdown, but auditd doesn't like it when I use this for a system
> > call. Would also have been nice to track any time someone uses init.
>
> shutdown is not system shutdown, it's socket shutdown. If this has to be
> tracked, probably the best thing to do is for us to patch init to record
> changes to runlevels.

In the interim, you should also be able to set watches on the common utilities:

-w /sbin/init -p x -k runlevel
-w /sbin/telinit -p x -k runlevel
-w /sbin/halt -p x -k runlevel
-w /sbin/poweroff -p x -k runlevel
-w /sbin/reboot -p x -k runlevel

There might be a couple more.

-Steve
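
With watches like the ones in this message loaded, each execution of a watched binary is logged as a SYSCALL record carrying key="runlevel". The following is an added example, not part of the original message, that pulls those records out of raw audit log text and reports who ran what; the sample records are constructed and the function name runlevel_events is hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in raw audit.log format (not from the original post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172669280.512:301): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2710 pid=2744 auid=500 uid=0 gid=0 tty=pts0 comm="halt" exe="/sbin/halt" key="runlevel"
type=PATH msg=audit(1172669280.512:301): item=0 name="/sbin/halt" inode=4412 dev=08:01 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1172669311.090:305): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=2790 auid=4294967295 uid=0 gid=0 tty=(none) comm="init" exe="/sbin/init" key="runlevel"
type=SYSCALL msg=audit(1172669350.204:309): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2710 pid=2801 auid=500 uid=0 gid=0 tty=pts0 comm="vi" exe="/bin/vi" key="passwd-watch"
"""

MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # unsigned -1: no login session, e.g. boot scripts


def runlevel_events(log_text, key="runlevel"):
    """Return one dict per SYSCALL record tagged with the given audit key."""
    events = []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue  # only SYSCALL records are summarised here
        stamp = MSG_RE.search(line)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if stamp is None or fields.get("key") != key:
            continue
        auid = fields.get("auid")
        events.append({
            "time": datetime.fromtimestamp(int(stamp.group(1)), tz=timezone.utc).isoformat(),
            "serial": int(stamp.group(2)),
            "comm": fields.get("comm"),
            "exe": fields.get("exe"),
            # auid is the login identity and survives su/sudo; uid is the id at call time.
            "auid": None if auid in (None, UNSET_AUID) else int(auid),
            "uid": int(fields["uid"]) if "uid" in fields else None,
        })
    return events


if __name__ == "__main__":
    for ev in runlevel_events(SAMPLE_LOG):
        print(ev)
```

A matching record shows that the watched binary was executed, not that the runlevel actually changed.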
