Syscalls

Steve Grubb sgrubb at redhat.com
Wed Feb 28 15:17:31 UTC 2007


On Wednesday 28 February 2007 08:28, Steve Grubb wrote:
> > 1) Using auditd to check for system start/stop. In "man syscalls" it
> > shows shutdown, but auditd doesn't like it when I use this for a system
> > call. Would also have been nice to track any time someone uses init.
>
> shutdown is not system shutdown, it's socket shutdown. If this has to be
> tracked, probably the best thing to do is for us to patch init to record
> changes to runlevels.

In the interim, you should also be able to set watches on the common 
utilities:

-w /sbin/init -p x -k runlevel
-w /sbin/telinit -p x -k runlevel
-w /sbin/halt -p x -k runlevel
-w /sbin/poweroff -p x -k runlevel
-w /sbin/reboot -p x -k runlevel

There might be a couple more. 

-Steve
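An added example, not part of Steve's message: a small Python parser for the SYSCALL records those watch rules would produce, showing how the key ties each record back to the rule and how auid names the login user behind a reboot or telinit even when it ran as root via su. The audit records are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample records of the kind "-w /sbin/... -p x -k runlevel" produces:
# an execve of a watched binary, tagged with the rule's key. The third record
# carries a different key and must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1172675851.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0 a1=7fff1 a2=7fff2 a3=0 items=2 ppid=2201 pid=2202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="reboot" exe="/sbin/reboot" key="runlevel"
type=SYSCALL msg=audit(1172675860.500:457): arch=c000003e syscall=59 success=no exit=-13 a0=7fff0 a1=7fff1 a2=7fff2 a3=0 items=2 ppid=3300 pid=3301 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="telinit" exe="/sbin/telinit" key="runlevel"
type=SYSCALL msg=audit(1172675870.000:458): arch=c000003e syscall=2 success=yes exit=3 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="sshd_config"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')     # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')  # seconds.millis:serial
UNSET = 4294967295  # auid is (unsigned) -1 when no login session owns the process

def parse_record(line):
    """Turn one 'key=value ...' audit record into a dict, quotes stripped."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["time"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        fields["serial"] = int(m.group(3))
    return fields

def runlevel_events(log_text, key="runlevel"):
    """Return the SYSCALL records tagged with the given audit key, normalised."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        auid = int(rec.get("auid", UNSET))
        events.append({
            "serial": rec["serial"],
            "time": rec["time"].isoformat(),
            "exe": rec.get("exe"),
            # auid is set at login and survives su/sudo, so it names the person
            "login_uid": None if auid == UNSET else auid,
            "euid": int(rec.get("euid", -1)),
            "tty": rec.get("tty"),
            "success": rec.get("success") == "yes",  # "no" = denied attempt
        })
    return events

if __name__ == "__main__":
    for ev in runlevel_events(SAMPLE_AUDIT_LOG):
        print(ev)
```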
