linux
5tgb5tgb, 2020-05-26 21:04:45

How to view OS on/off and user login/logout events in Linux (Debian)?

Good afternoon. The question is:
on a Debian server without a GUI, you need to look at the logs for the following types of events:
1) turning on the server

my solution is NOT SUITABLE
journalctl --list-boots

2) server shutdown/server restart
my solution
add the following lines to /etc/audit/audit.rules:
-a exit,always -F arch=b64 -S execve -F path=/sbin/reboot -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/init -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/poweroff -k reboot
-a exit,always -F arch=b64 -S execve -F path=/sbin/shutdown -k reboot

Track the events with the command: sudo ausearch -k reboot

3) user login
my solution
sudo aureport -l

4) user exit

5) process creation
my solution
add the following lines to /etc/audit/audit.rules:
-a entry,always -F arch=b64 -S fork -k start_process
-a entry,always -F arch=b64 -S clone -k start_process
-a entry,always -F arch=b64 -S execve -k start_process

Track the events with the command: sudo ausearch -k start_process

6) process completion
my solution
add the following lines to /etc/audit/audit.rules:
-a exit,always -F arch=b64 -S kill -k kill_process
-a exit,always -F arch=b64 -S exit_group -k kill_process

Track the events with the command: sudo ausearch -k kill_process

3 answer(s)
CityCat4, 2020-05-26
@CityCat4

man last
man who
man uptime

Alexey, 2020-05-26
@AlexeyKolodchenko

who -b - last power on
last -x reboot - at what time the computer was turned on
last -x shutdown - shutdown accordingly
uptime -p - system uptime,
well, something like this
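
The `last -x` and `who -b` commands in the answers above read the login accounting records in /var/log/wtmp. As an added example (not part of any answer in this thread), the following Python decodes those records directly into boot, shutdown, login and logout events. It assumes the 384-byte glibc `struct utmp` layout used on x86_64 Linux; `parse_wtmp`, `make_record` and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 Linux, 384 bytes per record.
REC = struct.Struct("<h2xi32s4s32s256shhiii16s20x")
RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8  # ut_type values

def _s(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield (utc_time, event, user, line, host) for each relevant record."""
    sessions = {}  # terminal line -> user currently logged in on it
    for off in range(0, len(data) - REC.size + 1, REC.size):
        (typ, _pid, line, _id, user, host,
         _term, _exit, _sess, sec, _usec, _addr) = REC.unpack_from(data, off)
        line, user, host = _s(line), _s(user), _s(host)
        when = datetime.fromtimestamp(sec, timezone.utc)
        if typ == BOOT_TIME:
            sessions.clear()  # a boot ends sessions that never logged out
            yield when, "boot", user, line, host
        elif typ == RUN_LVL and user == "shutdown":
            yield when, "shutdown", user, line, host
        elif typ == USER_PROCESS:
            sessions[line] = user
            yield when, "login", user, line, host
        elif typ == DEAD_PROCESS and line in sessions:
            # Logout records usually carry no user name; match on the line.
            yield when, "logout", sessions.pop(line), line, host

def make_record(typ, user, line, host, sec, pid=0):
    """Build one constructed wtmp record (hypothetical helper for the sample)."""
    return REC.pack(typ, pid, line.encode(), b"", user.encode(),
                    host.encode(), 0, 0, 0, sec, 0, b"")

# Constructed sample data, not taken from a real system.
SAMPLE = b"".join([
    make_record(BOOT_TIME, "reboot", "~", "sample-kernel", 1590500000),
    make_record(USER_PROCESS, "alice", "pts/0", "192.0.2.10", 1590500600, 1234),
    make_record(DEAD_PROCESS, "", "pts/0", "", 1590504200, 1234),
    make_record(RUN_LVL, "shutdown", "~", "sample-kernel", 1590507800),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for when, event, user, line, host in parse_wtmp(data):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z {event:8} {user or '-':10} {line:8} {host}")
```

Run it with a path such as /var/log/wtmp (or a rotated copy) as the only argument; without an argument it prints the constructed sample.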

Ruslan, 2020-05-27
@msHack

Lnav Log Files Navigator
lnav.org
https://github.com/tstack/lnav
