From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Syscalls
Date: Wed, 28 Feb 2007 10:17:31 -0500
Message-ID: <200702281017.31985.sgrubb@redhat.com>
References: <200702280828.47480.sgrubb@redhat.com>
In-Reply-To: <200702280828.47480.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Johnston Mark (UK)"
List-Id: linux-audit@redhat.com

On Wednesday 28 February 2007 08:28, Steve Grubb wrote:
> > 1) Using auditd to check for system start/stop. In "man syscalls" it
> > shows shutdown, but auditd doesn't like it when I use this for a system
> > call. Would also have been nice to track any time someone uses init.
>
> shutdown is not system shutdown, it's socket shutdown. If this has to be
> tracked, probably the best thing to do is for us to patch init to record
> changes to runlevels.

In the interim, you should also be able to set watches on the common utilities:

-w /sbin/init -p x -k runlevel
-w /sbin/telinit -p x -k runlevel
-w /sbin/halt -p x -k runlevel
-w /sbin/poweroff -p x -k runlevel
-w /sbin/reboot -p x -k runlevel

There might be a couple more.

-Steve
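To show what the watches above actually produce once they fire, here is an added example (not part of the original post) that parses audit.log SYSCALL records tagged with the -k key and lists who executed which runlevel utility. The log records, field layout aside, are constructed for this example and are not real captured output.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit.log records (not from the original post).
# A "-w <path> -p x -k runlevel" watch yields a SYSCALL record for the
# execve of that path, tagged key="runlevel"; other records are noise here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172674651.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2202 auid=500 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="reboot" exe="/sbin/reboot" key="runlevel"
type=SYSCALL msg=audit(1172674660.456:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2210 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="init" exe="/sbin/init" key="runlevel"
type=SYSCALL msg=audit(1172674670.789:4575): arch=c000003e syscall=2 success=yes exit=3 ppid=2201 pid=2230 auid=500 uid=500 gid=500 euid=500 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="etc-passwd"
type=CWD msg=audit(1172674651.123:4567): cwd="/root"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')

def parse_record(line):
    """Split one raw audit record into a dict of field -> value (quotes stripped)."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = TS_RE.search(line)
    if m:
        rec["timestamp"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        rec["serial"] = int(m.group(3))  # event serial ties SYSCALL/CWD/PATH records together
    return rec

def runlevel_events(log_text, key="runlevel"):
    """Return the execve records tagged with the watch key, oldest first."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        events.append({
            "serial": rec["serial"],
            "time": rec["timestamp"].isoformat(),
            "exe": rec["exe"],
            "comm": rec.get("comm"),
            # auid is the login uid set by pam_loginuid; 4294967295 (-1 unsigned)
            # means no login session, e.g. init spawned by the kernel at boot.
            "auid": None if rec.get("auid") == "4294967295" else int(rec["auid"]),
            "uid": int(rec["uid"]),
            "success": rec.get("success") == "yes",
        })
    return sorted(events, key=lambda e: e["serial"])

if __name__ == "__main__":
    for e in runlevel_events(SAMPLE_LOG):
        who = "no login session" if e["auid"] is None else f"auid={e['auid']}"
        print(f"{e['time']} {e['exe']} ({who}, uid={e['uid']})")
```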