On Friday, November 06, 2015 03:38:14 PM Steve Grubb wrote:
On Friday, November 06, 2015 02:39:36 PM Robert Jacobson wrote:
> On 2015-11-06 1:28 PM, Steve Grubb wrote:
> > That said, you can audit some things by placing a watch on specific
> > helpers in /usr/libexec. -Steve
>
> Can you expand on that a bit? I have no idea which helpers gnome might
> use for a reboot operation.
For reboot on RHEL7, that would go to systemd directly and it would start
the process of shutting down. Upstart on RHEL6 might do the same thing.
What might be better is to look on the internet for how to remove shutdown
from the menu and then create a new one.
You can add a desktop file in /usr/share/applications/ that runs save
session and then runs /sbin/shutdown, call it shutdown.desktop. Next go
into /etc/xdg/menus/settings.menu and add
<Include>
<Filename>shutdown.desktop</Filename>
</Include>
And then I think you are in business. You can then put a watch on
/sbin/shutdown and you should get an event. No idea if auid will be -1 or
even correct.
This might be a helpful reference in doing the above:
http://www.shaunrowland.com/fsync/2011/04/20/removing-shut-down-from-the-gnome-panel-in-rhel-6/comment-page-1/
> I tried this rule just for fun:
>
> -w /usr/libexec -p rwxa -k libexec
>
> But I didn't see anything related to power when I rebooted the system
> via Gnome.
That's where the helper apps that are not supposed to be executed directly
live. Not all of them matter. You might do something like this:
-a always,exit -F dir=/usr/libexec -F uid=0 -F key=priv-helper
Forgot one field:
-a always,exit -F dir=/usr/libexec -F uid=0 -F perm=x -F key=priv-helper
You could also use euid=0 if that's more fitting.
-Steve
The main issue though is that auid & ses will be -1 so you can't be certain
who did it. That is unless you fixed pam_limits to only allow 1 user
session. But correlating the event will be challenging due to auid=-1 and
ses=-1.
-Steve
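As an added example, not from the thread or from the audit project: the correlation problem Steve describes can be checked mechanically. The script below parses SYSCALL records produced by a rule keyed `priv-helper` and sorts them into events that can be tied to a login session and events where auid or ses is unset (the kernel prints -1 as 4294967295). The log lines are constructed samples, and the helper path `/usr/libexec/example-helper` is a placeholder.

```python
import re

# Constructed sample records (not real captures) for a rule with
# "-F key=priv-helper". In the kernel's output an unset auid/ses (-1)
# appears as 4294967295; the helper exe path below is a placeholder.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1446825600.123:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2310 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="example-helper" exe="/usr/libexec/example-helper" key="priv-helper"
type=SYSCALL msg=audit(1446825700.456:4530): arch=c000003e syscall=59 success=yes exit=0 ppid=4102 pid=4115 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="shutdown" exe="/sbin/shutdown" key="priv-helper"
"""

UNSET = "4294967295"  # how an unset (-1) auid or ses is printed

# name=value pairs; values are either double-quoted or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict, stripping quotes from quoted values."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def attribute_events(log_text, key="priv-helper"):
    """Return (attributable, unattributable) SYSCALL records carrying `key`.

    A record is attributable to a person only when both auid and ses are set;
    a helper started outside a tagged login session shows auid=-1 and ses=-1,
    which is exactly the case the thread says cannot be correlated to a user.
    """
    attributable, unattributable = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        if rec.get("auid", UNSET) == UNSET or rec.get("ses", UNSET) == UNSET:
            unattributable.append(rec)
        else:
            attributable.append(rec)
    return attributable, unattributable


if __name__ == "__main__":
    ok, unknown = attribute_events(SAMPLE_AUDIT_LOG)
    for rec in ok:
        print(f"{rec['exe']}: auid={rec['auid']} ses={rec['ses']}")
    for rec in unknown:
        print(f"{rec['exe']}: auid/ses unset, cannot attribute to a user")
```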