On Friday, November 06, 2015 03:38:14 PM Steve Grubb wrote:
> On Friday, November 06, 2015 02:39:36 PM Robert Jacobson wrote:
> > On 2015-11-06 1:28 PM, Steve Grubb wrote:
> > > That said, you can audit some things by placing a watch on specific
> > > helpers in /usr/libexec. -Steve
> >
> > Can you expand on that a bit? I have no idea which helpers gnome might
> > use for a reboot operation.
>
> For reboot on RHEL7, that would go to systemd directly and it would start
> the process of shutting down. Upstart on RHEL6 might do the same thing.
>
> What might be better is to look on the internet for how to remove shutdown
> from the menu and then create a new one.
>
> You can add a desktop file in /usr/share/applications/ that runs save
> session and then runs /sbin/shutdown, call it shutdown.desktop. Next go
> into /etc/xdg/menus/settings.menu and add
>
> <Include>
>   <Filename>shutdown.desktop</Filename>
> </Include>
>
> And then I think you are in business. You can then put a watch on
> /sbin/shutdown and you should get an event. No idea if auid will be -1 or
> even correct.
>
> This might be a helpful reference in doing the above:
> http://www.shaunrowland.com/fsync/2011/04/20/removing-shut-down-from-the-gnome-panel-in-rhel-6/comment-page-1/
>
> > I tried this rule just for fun:
> >
> > -w /usr/libexec -p rwxa -k libexec
> >
> > But I didn't see anything related to power when I rebooted the system
> > via Gnome.
>
> That's where the helper apps that are not supposed to be executed directly
> live. Not all of them matter. You might do something like this:
>
> -a always,exit -F dir=/usr/libexec -F uid=0 -F key=priv-helper
Forgot one field:

-a always,exit -F dir=/usr/libexec -F uid=0 -F perm=x -F key=priv-helper

You could also use euid=0 if that's more fitting.

-Steve

> The main issue though is that auid & ses will be -1 so you can't be certain
> who did it. That is unless you fixed pam_limits to only allow 1 user
> session. But correlating the event will be challenging due to auid=-1 and
> ses=-1.
>
> -Steve

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
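The procedure Steve sketches in this thread (a shutdown.desktop entry, a menu include for settings.menu, a watch on /sbin/shutdown plus the /usr/libexec rule with perm=x) and his caveat about auid/ses being -1, pulled together as one added example. This is not code from the thread or from SCAP Security Guide. It stages the files under a scratch root so they can be inspected before being copied to / as root, and it checks a constructed audit record for an unset login uid or session id. The wrapper path /usr/local/sbin/gui-shutdown, the rules file name shutdown.rules, the Name/Categories keys in the desktop file and the sample records are all assumptions made here; the session-save command is left as a placeholder because the thread does not name one.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Stages the files described
# there under a scratch root and checks audit records for the auid/ses=-1 case.
# Assumed names (not in the thread): /usr/local/sbin/gui-shutdown, shutdown.rules.

stage_shutdown_menu() {
    root="$1"
    mkdir -p "$root/usr/share/applications" "$root/etc/xdg/menus" \
             "$root/etc/audit/rules.d" "$root/usr/local/sbin"

    # Wrapper that the desktop entry runs: save the session, then /sbin/shutdown.
    cat > "$root/usr/local/sbin/gui-shutdown" <<'EOF'
#!/bin/sh
# Insert your desktop's session-save command here (not specified in the thread).
exec /sbin/shutdown -h now
EOF
    chmod 755 "$root/usr/local/sbin/gui-shutdown"

    # The shutdown.desktop entry to drop into /usr/share/applications/.
    cat > "$root/usr/share/applications/shutdown.desktop" <<'EOF'
[Desktop Entry]
Type=Application
Name=Shut Down
Exec=/usr/local/sbin/gui-shutdown
Terminal=false
Categories=Settings;
EOF

    # Fragment to paste inside the <Menu> element of /etc/xdg/menus/settings.menu.
    cat > "$root/etc/xdg/menus/settings.menu.include" <<'EOF'
<Include>
  <Filename>shutdown.desktop</Filename>
</Include>
EOF

    # Audit rules: watch execution of /sbin/shutdown, and log root executing
    # anything under /usr/libexec (the corrected rule with -F perm=x).
    cat > "$root/etc/audit/rules.d/shutdown.rules" <<'EOF'
-w /sbin/shutdown -p x -k shutdown
-a always,exit -F dir=/usr/libexec -F uid=0 -F perm=x -F key=priv-helper
EOF
}

# Return 0 if a raw SYSCALL record carries a usable login uid and session id,
# 1 if either is unset: -1, its unsigned form 4294967295, or "unset" as
# printed by ausearch -i. Those are the events that cannot be tied to a user.
event_is_attributable() {
    rec="$1"
    auid=$(printf '%s\n' "$rec" | sed -n 's/.*[ ]auid=\([^ ]*\).*/\1/p')
    ses=$(printf '%s\n' "$rec" | sed -n 's/.*[ ]ses=\([^ ]*\).*/\1/p')
    for v in "$auid" "$ses"; do
        case "$v" in
            ''|-1|4294967295|unset) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample records (not real audit logs): one from a user session
# running /sbin/shutdown, one from a root helper with auid and ses unset.
GOOD='type=SYSCALL msg=audit(1446838694.123:9001): arch=c000003e syscall=59 success=yes exit=0 uid=0 gid=0 euid=0 auid=1000 ses=3 comm="shutdown" exe="/sbin/shutdown" key="shutdown"'
BAD='type=SYSCALL msg=audit(1446838700.456:9002): arch=c000003e syscall=59 success=yes exit=0 uid=0 gid=0 euid=0 auid=4294967295 ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="priv-helper"'

# Stand-alone demo: stage into a temp dir and classify the two records.
STAGE=$(mktemp -d)
stage_shutdown_menu "$STAGE"
echo "staged under $STAGE:"
find "$STAGE" -type f
for rec in "$GOOD" "$BAD"; do
    if event_is_attributable "$rec"; then
        echo "attributable: $rec"
    else
        echo "auid/ses unset, cannot tie to a user: $rec"
    fi
done
```

Run it as an ordinary user; nothing is written outside the temp directory. To deploy, copy the staged files to the same paths under /, paste the include fragment into settings.menu by hand, then `augenrules --load` (or `auditctl -R`) and confirm with `auditctl -l` that both rules took. Events with auid/ses unset are exactly the ones Steve warns are hard to correlate, so a downstream alert should treat them separately from the attributable ones rather than silently dropping them.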
