Can I trace who asked for reboot


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
Top Forums UNIX for Beginners Questions & Answers Can I trace who asked for reboot
# 1  
Can I trace who asked for reboot

Hi,
I have an unexpected reboot happening on a Debian 9.9 server.
Yesterday 2019-12-01 at 8:30:34 a reboot happened without me or my team being aware:
Code:
/var/log/syslog:Dec      1 08:30:34 xxxx shutdown[6027]: shutting down for system reboot
/var/log/syslog:Dec      1 08:30:34 xxxx init: Switching to runlevel: 6

I see nothing in any other log file.
What should I do to investigate the cause of the reboot?
Regards
Santiago
# 2  
Does the output from last show you who (and where from) people were logged in at that time? Look especially for lines that say down in them.

Does that help you?


It might help in future if you logged all commands run by root to the syslog. Anything run by sudo may well be in /var/log/secure already.




Kind regards,
Robin
These 2 Users Gave Thanks to rbatte1 For This Post:
# 3  
Also check cron logs to be sure nothing added to initiate the reboot.

Were there any updates prior to the reboot, as in updates to physical hardware?
This User Gave Thanks to samthewildone For This Post:
# 4  
As root run history to get root's command history.
Check /var/log/secure for system access (through PAM).
/var/log/su* might be special logs fo su/sudo.
This User Gave Thanks to MadeInGermany For This Post:
# 5  
Even if it does not directly help in this case, I'd like to mention Linux Audit, because it's really interesting:

One can audit all commands entered by anyone with these 2 rules:

Code:
auditctl -a always,exit -F arch=b32 -S execve -F key=audit_all_commands
auditctl -a always,exit -F arch=b64 -S execve -F key=audit_all_commands

To make it persistent, you need to place the commands in the auditd-rule files.(For Red Hat they are located in /etc/audit/rules.d)

...and then use ausearch for investigation of /var/log/audit/audit.log, or just grep it.

Interesting thing about Linux-Audit:

If you do su or sudo Linux-Audit tracks your original user anyway.

And for this investigation it won't help you: Because you need to have the rules in place before the event to be investigated happens.

Here's an example of the two most interesting lines of what you might have in the log(/var/log/audit/audit.log):

Code:
type=SYSCALL msg=audit(1575314015.062:20): arch=c000003e syscall=59 success=yes exit=0 a0=55c7fbbc4e20 a1=55c7fbbc43a0 a2=55c7fbbc86a0 a3=2 items=2 ppid=1 pid=832 auid=1004 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="reboot" exe="reboot" key="audit_all_commands"
type=EXECVE msg=audit(1575314015.062:20): argc=1 a0="reboot"

Auditd is very noisy in logging. That means one possibly has to dig a lot log records.

As you see above the key audit_all_commands is in the line. So you can grep for your configured string. And uid in the first line shows 0 which is root. But the auid-value shows 1004, which is the real user id(which originally logged on to the system before using su or sudo. So it's a good idea to restrict direct root access and only allow sudo for becoming root).

The second line is linked with the first line through the audit-id field(audit(1575314015.062:20)) and shows you the linked command with parameters executed.

What can you do with Linux-Audit?
  • Trace commands with rules to include or exclude specific events
  • Trace File System Activities (Access with type: read, write, permission change, execute) on selected files or directory trees
  • Trace Standard Linux Management activities(user/group management, Firewall-Configuration, Audit-Log-Config-Changes,...)
  • setup logging to remote sites or syslogs
  • use it to log important information into it yourself


I worked the last 3 month with it and did a lot with it. For example i created a little perl script which uses inotify & git & audit to log diffs of config file changes into audit log which could then be tracked down to the causing user accounts.

Here's the perl script, if someone cares: [Perl] #!/usr/bin/perl # # - Track files in /etc # - Create audit log - Pastebin.com

Last edited by stomp; 1 Week Ago at 09:20 PM..
These 2 Users Gave Thanks to stomp For This Post:
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #742
Difficulty: Medium
XL Fortran is the name of an open source Fortran compiler for IBM-supported environments, including Linux for big-endian distributions and AIX.
True or False?

9 More Discussions You Might Find Interesting

1. UNIX for Beginners Questions & Answers

Sudo asked for root password .

i have tried to use a sudo command from a user level . but instead of asking for user password it asked for root password . how should i go about it . james@opensuse:/etc> sudo ifconfig root's password: And i wish to ask how should i allow a list of command to be allowed to used for a... (4 Replies)
Discussion started by: lobsang
4 Replies

2. Shell Programming and Scripting

Username password asked during loging

Hi, Whenever I open my unix box,after providing username and password I get the following message. Are you authorised to use this computer as detailed above? (Y)es/(N)o : y Export: Release 10.2.0.2.0 - Production on Mon May 16 16:00:15 2011 Copyright (c) 1982, 2005, Oracle. All rights... (5 Replies)
Discussion started by: emilybose
5 Replies

3. Shell Programming and Scripting

variable not getting asked....

Hello all, I am trying to pass or trying to get a variable assinged...but seemed like i am doing something wrong here.... so lets say abc.txt(spool the output out) is my file, where i am doing select * Fro mv$version inside my DB and getting some info. -/home/oracle/logs >cat abc.txt SQL>... (1 Reply)
Discussion started by: abdul.irfan2
1 Replies

4. AIX

Career Advice Asked

Dear All i am working on windows plattform and i am interested in Aix so i have done IBM Aix certification, can you please suggest Aix filed is good for my carrier,currently i am working as Desktop admin edit by bakunin: please understand that the question you raised has nothing to do with the... (1 Reply)
Discussion started by: manzur13
1 Replies

5. Programming

put the prog asked in your interview

Submit the program asked to write in the interview eg. write a prog to generate fibonacci series using recursion (2 Replies)
Discussion started by: useless79
2 Replies

6. Shell Programming and Scripting

how to set up ssh, so password not asked

Hi All Plz guide me in setting ssh on local machine so that password will not be asked. I have written a script abc.ksh on machineA to execute a script sampletest.ksh available on machineB Conent of abc.ksh is as follows ssh -q bali@machineB sh ClaimGenFeed/claim/sampletest.ksh... (1 Reply)
Discussion started by: balireddy_77
1 Replies

7. Solaris

different between soft reboot and hard reboot

Hi Guru's Can any want here could explain to me the different between soft reboot and hard reboot . Best Regards Seelan (3 Replies)
Discussion started by: seelan3
3 Replies

8. Shell Programming and Scripting

I thought I asked the question before but I haven't sorry

:D could any one answer my previous question... just looked through logg and found no such question that I had asked.. please any input would help \.. :confused: (2 Replies)
Discussion started by: moxxx68
2 Replies

9. UNIX for Dummies Questions & Answers

Simple Question ever asked

How do I cahnge my plan under my profile? (5 Replies)
Discussion started by: D3adRabbit
5 Replies

Featured Tech Videos