How to find which user has rebooted the system?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (all versions)

Issue

  • How to find which user has rebooted the system?

Resolution

How much can be reconstructed depends on how syslog and auditing were configured before the reboot:

  1. Establish when the system came back up: run uptime (or who -b) and count back, check /var/log/boot.log, or search /var/log/messages for the rsyslogd start message written at boot. last -x also prints the shutdown and reboot records kept in wtmp.
  2. Run last and note which users had sessions open at that time. A session that was still open when the system went down is shown by last as ending in "down".
  3. Check those users' shell history files (~username/.bash_history) for su, sudo, reboot or shutdown commands. Keep in mind that a user can trivially edit or delete their own history file, so this is weak evidence; the reliable option is the audit configuration described below.
  4. Check /var/log/secure for su and sudo entries around that time, and for shutdown-type commands (reboot, init, halt, shutdown) run through sudo.

NOTE: Be careful when interpreting last output. If a user logged in as a normal user, ran su - to become root and then rebooted the server, last shows only the original login session and records nothing about the switch to root. In that case also check /var/log/secure (and /var/log/messages) for the su entry showing which user opened a root session.
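The procedure above, carried out as an added example that is not part of the Red Hat article: it takes a `last -x` excerpt and a /var/log/secure excerpt (both constructed sample data here), finds the sessions that were still open at the most recent shutdown, and then pulls those users' su and sudo entries from the secure log, which is exactly the step the NOTE says last cannot do on its own.

```bash
#!/bin/bash
# Added example (not from the Red Hat article): correlate the most recent
# shutdown record from `last -x` with the login sessions that were still
# open when the system went down, then pull each such user's su/sudo
# entries from /var/log/secure. Every input below is constructed sample
# data; on a real host feed in `last -x` output and /var/log/secure.

# Constructed `last -x` excerpt, newest first. `last` prints "down" as the
# end time of a session that was still open when the shutdown happened.
LAST_X='reboot   system boot  3.10.0-1160.el7. Tue Mar  5 09:12 - 11:30  (02:17)
shutdown system down  3.10.0-1160.el7. Tue Mar  5 09:10 - 09:12  (00:02)
alice    pts/1        10.0.0.5         Tue Mar  5 08:55 - down   (00:14)
bob      pts/0        10.0.0.7         Mon Mar  4 17:02 - 17:40  (00:37)
reboot   system boot  3.10.0-1160.el7. Mon Mar  4 08:30 - 09:10 (1+00:40)
carol    tty1                          Sun Mar  3 09:00 - down   (02:10)'

# Constructed /var/log/secure excerpt (sshd, su and sudo all log to the
# authpriv facility, which RHEL routes to /var/log/secure).
SECURE='Mar  4 17:02:33 host sshd[1980]: Accepted password for bob from 10.0.0.7 port 40110 ssh2
Mar  4 17:05:12 host sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl status sshd
Mar  5 08:55:10 host sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  5 08:55:10 host sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  5 09:09:40 host su: pam_unix(su-l:session): session opened for user root by alice(uid=1001)'

# Users whose session ended with the most recent shutdown: walk from the
# first "shutdown" record down to the previous boot record and keep the
# sessions marked "down". Older "down" sessions belong to earlier shutdowns.
users_open_at_shutdown() {
    printf '%s\n' "$1" | awk '
        $1 == "shutdown" && !found { found = 1; next }
        found && ($1 == "reboot" || $1 == "shutdown") { exit }
        found && / - down / { print $1 }'
}

# su/sudo lines in the secure log that name the given user. last only
# records the login session, so this is where a later su - to root shows up.
privilege_events() {   # $1 = secure log text, $2 = user name
    printf '%s\n' "$1" \
        | grep -E '^[A-Z][a-z]{2} +[0-9]+ [0-9:]+ [^ ]+ (su|sudo)(\[[0-9]+\])?:' \
        | grep -w -- "$2"
}

for u in $(users_open_at_shutdown "$LAST_X"); do
    echo "== $u was logged in at shutdown; su/sudo activity in /var/log/secure:"
    privilege_events "$SECURE" "$u" || echo "   (none logged)"
done
```

With the sample data only alice is reported: her session ended with the shutdown, and the secure log shows her opening a root session with su 23 seconds before the shutdown record. bob's sudo entry is from the previous day and carol's "down" session belongs to an earlier shutdown, so neither is a candidate.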

Utilize Audit

To record every process executed by the root account, which covers reboot, shutdown, init and systemctl, add the following audit rules. On RHEL 7 and later put them in /etc/audit/rules.d/audit.rules; on RHEL 6 edit /etc/audit/audit.rules directly.

  1. Track every command executed as root (uid 0). Because the rule matches on uid, it also catches commands run after su or sudo; the auid field of the resulting record still holds the login UID of the user who originally logged in, which is what identifies the person.

    • For 64-bit architecture:

        -a exit,always -F arch=b64 -F uid=0 -S execve
      
    • For 32-bit architecture:

        -a exit,always -F arch=b32 -F uid=0 -S execve
      

    NOTE: On RHEL6, use entry,always instead of exit,always .

  2. Track every access to the shutdown-related binaries and to the file systemd uses for a scheduled shutdown.

     -w /usr/sbin/reboot -p rwxa -k sys-reboot
     -w /usr/sbin/shutdown -p rwxa -k sys-shutdown
     -w /usr/bin/systemctl -p rwxa -k sys-systemctl
     -w /lib/systemd/systemd -p rwxa -k sys-systemd
     -w /run/systemd/shutdown -p rwa -k sys-schedule
    

    NOTE: On RHEL6, use the following instead.

     -w /sbin/reboot
     -w /sbin/shutdown
     -w /sbin/init
    
  3. Load the rules.

     # augenrules --load
    

    NOTE: On RHEL6, run the following commands instead.

     # chkconfig auditd on
     # service auditd restart
    

Tips:

  • Audit records carry epoch timestamps (msg=audit(<epoch>.<ms>:<serial>)), so use ausearch -i to interpret them; -i also resolves uid and auid numbers to user names.

      $ ausearch -if /var/log/audit/audit.log -i | less
    
  • If the audit.log was copied from another system, set TZ to that server's time zone before interpreting it, otherwise the times will be shifted. On RHEL 6 the zone is recorded in /etc/sysconfig/clock (copy that file along with the log); on RHEL 7 and later take it from the original server's timedatectl output instead. The ZONE value is quoted in that file, so strip the quotes:

      $ export TZ=$(grep ^ZONE /etc/sysconfig/clock | awk -F '=' '{print $2}' | tr -d '"')
      $ ausearch -if /var/log/audit/audit.log -i | less
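The execve rule above records every command root runs, so the question becomes how to find the reboot among those records and who was behind it. As an added example (not from the Red Hat article), the script below works on raw audit.log lines, joins each SYSCALL record with its EXECVE record on the audit serial number, keeps only reboot-class commands, and reports the auid, tty and session: after su or sudo the uid is 0, but auid still holds the UID of the user who logged in. The log lines are constructed sample data; the cron entry with auid=4294967295 (unset) shows how an unattended root process looks by comparison. On a live system `ausearch -k sys-systemctl -i` or `ausearch -ua 0 -i` does this with names resolved.

```bash
#!/bin/bash
# Added example (not from the Red Hat article): pick the reboot/shutdown
# executions out of raw audit.log records written by the execve rule,
# join each SYSCALL record with its EXECVE record on the audit serial, and
# report the auid (login UID), tty and session. After su or sudo uid is 0,
# but auid still holds the UID of the user who originally logged in.
# The log lines below are constructed sample data.

AUDIT_LOG='type=SYSCALL msg=audit(1709629790.002:4518): arch=c000003e syscall=59 success=yes exit=0 a0=1c8e2a0 a1=1c8e3c0 a2=1c8c2d0 a3=7ffd2d4c5e50 items=2 ppid=3012 pid=3040 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1709629790.002:4518): argc=2 a0="ls" a1="/root"
type=SYSCALL msg=audit(1709629800.551:4520): arch=c000003e syscall=59 success=yes exit=0 a0=1f3a4b0 a1=1f3a6c0 a2=1f38ad0 a3=7ffe8a2c1d30 items=2 ppid=1 pid=3043 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key=(null)
type=EXECVE msg=audit(1709629800.551:4520): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=SYSCALL msg=audit(1709629803.117:4521): arch=c000003e syscall=59 success=yes exit=0 a0=1c8e2a0 a1=1c8f4e0 a2=1c8c2d0 a3=7ffd2d4c5e50 items=2 ppid=3012 pid=3044 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=7 comm="systemctl" exe="/usr/bin/systemctl" key="sys-systemctl"
type=EXECVE msg=audit(1709629803.117:4521): argc=2 a0="systemctl" a1="reboot"'

# One line per reboot-class command: serial, epoch, auid, tty, ses, exe, argv.
reboot_events() {
    printf '%s\n' "$1" | awk '
        # value of " name=value" in a record, with quotes stripped
        function field(rec, name,    v) {
            if (!match(rec, " " name "=[^ ]*")) return ""
            v = substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            gsub(/"/, "", v)
            return v
        }
        {
            # every record carries msg=audit(EPOCH.MS:SERIAL); SERIAL ties the
            # SYSCALL and EXECVE records of one event together
            match($0, /audit\([0-9]+\.[0-9]+:[0-9]+\)/)
            stamp = substr($0, RSTART + 6, RLENGTH - 7)
            split(stamp, p, ":"); split(p[1], q, ".")
            epoch = q[1]; serial = p[2]
        }
        $1 == "type=SYSCALL" {
            when[serial] = epoch;           auid[serial] = field($0, "auid")
            tty[serial] = field($0, "tty"); ses[serial]  = field($0, "ses")
            exe[serial] = field($0, "exe")
        }
        $1 == "type=EXECVE" {
            # fields from $4 on are a0="..." a1="..."; rebuild the argv
            argv = ""
            for (i = 4; i <= NF; i++) {
                a = $i; sub(/^a[0-9]+=/, "", a); gsub(/"/, "", a)
                argv = argv (argv == "" ? "" : " ") a
            }
            args[serial] = argv
        }
        END {
            for (s in args) {
                c = args[s]
                if (c ~ /^([^ ]*\/)?(reboot|shutdown|halt|poweroff)( |$)/ ||
                    c ~ /^([^ ]*\/)?systemctl .*(reboot|poweroff|halt)/ ||
                    c ~ /^([^ ]*\/)?init [06]( |$)/)
                    printf "serial=%s epoch=%s auid=%s tty=%s ses=%s exe=%s cmd=%s\n",
                           s, when[s], auid[s], tty[s], ses[s], exe[s], c
            }
        }' | sort
}

# Audit timestamps are epoch seconds; render one in UTC (GNU date).
epoch_to_date() {
    date -u -d "@$1" '+%F %T'
}

reboot_events "$AUDIT_LOG" | while read -r line; do
    epoch=${line#*epoch=}; epoch=${epoch%% *}
    echo "$(epoch_to_date "$epoch") UTC  $line"
done
```

Only serial 4521 is reported: `systemctl reboot`, run by uid 0 but with auid=1001 on pts1 in session 7, so the reboot is attributable to the user who logged in as UID 1001 even though the command itself ran as root. The earlier `ls` by the same person and the cron job are ignored. Set TZ as described in the tips above if the log came from another host.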
    

Enable Polkit Logging

Add a polkit rule that logs every authorization request (the action and the subject). Reboot requests from an unprivileged session, for example systemctl reboot run without root or a reboot chosen in the GNOME session, are authorized through polkit and therefore show up in this log.

  1. Enable persistent logging for the systemd journal by following this KCS How to enable persistent logging for the systemd journal.

  2. Create a file /etc/polkit-1/rules.d/00-logging.rules with the content below

     polkit.addRule(function(action, subject) {
         polkit.log("action=" + action);
         polkit.log("subject=" + subject);
     });
    

Tips

  • Read polkitd's messages from the journal of the boot before the reboot with journalctl (filter on the polkit service and the previous boot). This is why persistent journal storage is required: without it the previous boot's journal is lost on reboot.

Enable GDM Debugging

Enable debug option of GDM on systems running GNOME to obtain detailed logs by following this KCS How to run GDM in debug mode? .

Use SystemTap script

If the system frequently reboots unexpectedly but gracefully, a SystemTap script can capture which process invokes the reboot. For further assistance on that topic, open a support case.

For more information on SystemTap and setup instructions, please see What is SystemTap and how to use it?.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.