Can I know who issued the shutdown command on any *nix system in a multi-user system? I want to know the name of the user who issued the particular command.

Zelda
  • EDIT: I guess it isn't the user who runs shutdown but some system process. So in that case, how to know from the system process who initiated the shutdown? Look here: http://pastebin.com/5g6RpmuM – ASCIIbetical Jan 03 '14 at 04:53

1 Answer

NOTE: This answer primarily focuses on showing when a system was booted/shut down. Getting the actual user that performed the shutdown is a bit trickier. The best way I've seen it done is to limit access to a system, and only give certain operators sudo rights to the shutdown command. This will give you a log of who ran what sudo command and at what time they did it. This is far superior to attempting to hack the shutdown command!

1. Parsing log files

Most systems already have this info contained in their logs; you just have to know what to look for.

The log files /var/log/messages, /var/log/syslog (Ubuntu) or /var/log/secure (CentOS) will typically have this.

Examples

$ sudo grep -iE "shutdown|boot" secure*
secure-20131215:Dec 14 02:08:56 greeneggs sudo:     saml : TTY=pts/6 ; PWD=/home/saml ; USER=root ; COMMAND=/sbin/reboot

2. Last time system booted?

For this you can use the who command. Specifically with the -b switch.

$ who -b
         system boot  2013-08-01 17:56

This says the last time the system was booted was 2013-08-01.

3. Past reboots

If you're interested in seeing a more extensive list of previous reboots you can use the last command.

$ last reboot | less
reboot   system boot  2.6.35.14-106.fc Thu Aug  1 17:56 - 02:03 (7+08:06)   
reboot   system boot  2.6.35.14-106.fc Thu Aug  1 09:41 - 17:55  (08:14)    
reboot   system boot  2.6.35.14-106.fc Thu Jul 25 15:24 - 17:55 (7+02:31)   
reboot   system boot  2.6.35.14-106.fc Thu Jul 18 18:05 - 15:23 (6+21:17)   
...

4. Past system shutdowns & runlevel changes?

You can use the last command for this too. You'll need to use the -x switch.

$ last -x | less
saml     pts/7        :pts/6:S.0       Sat Aug  3 21:30 - 21:30  (00:00)    
saml     pts/6        :0.0             Sat Aug  3 21:29 - 21:30  (00:01)    
saml     pts/4        :0.0             Fri Aug  2 21:49 - 22:16 (2+00:26)   
saml     pts/2        :0.0             Fri Aug  2 13:30 - 22:16 (2+08:45)   
saml     pts/1        :0.0             Fri Aug  2 13:05   still logged in   
saml     pts/0        :0.0             Fri Aug  2 12:37   still logged in   
saml     pts/0        :0.0             Fri Aug  2 12:35 - 12:37  (00:02)    
saml     pts/0        :0.0             Thu Aug  1 17:58 - 12:35  (18:36)    
saml     tty1         :0               Thu Aug  1 17:56   still logged in   
runlevel (to lvl 5)   2.6.35.14-106.fc Thu Aug  1 17:56 - 02:04 (7+08:08)   
reboot   system boot  2.6.35.14-106.fc Thu Aug  1 17:56 - 02:04 (7+08:08)   
shutdown system down  2.6.35.14-106.fc Thu Aug  1 17:55 - 17:56  (00:00)    
runlevel (to lvl 6)   2.6.35.14-106.fc Thu Aug  1 17:55 - 17:55  (00:00)    
saml     tty2                          Thu Aug  1 17:54 - down   (00:01)    
root     tty2                          Thu Aug  1 17:53 - 17:54  (00:00)    
...

slm
  • Note that, as far as I can tell, this still doesn't tell you who shut it down, since it will likely be root. +1 however, because the other answer is dangerous, and this is about as good as it gets without dbus. – Chris Down Jan 02 '14 at 09:10
  • @ChrisDown - yes this is actually bits from another answer I gave a couple months back. I was tempted to mark this Q as a dup, but he's asking for who, and that isn't actually feasible, as you've indicated as well. The other Q was asking for when and who. – slm Jan 02 '14 at 09:13
  • @ChrisDown - I added a blurb at the top mentioning the difficulties in getting the user, and the use of sudo was the most appropriate. Feel free to wordsmith it further if you feel it needs additional verbiage. – slm Jan 03 '14 at 09:23
  • @ASCIIbetical - is there something wrong with this solution? – slm Jan 03 '14 at 03:53
  • @slm while I do appreciate all your efforts and research that you did for the solution, it doesn't explicitly answer my who aspect. You say filter out from system file, but which one? I checked auth.log, there is no log for who started the shutdown. Which log file should I look at? – ASCIIbetical Jan 03 '14 at 04:05
  • @ASCIIbetical - fair enough, never accept an answer unless you feel it solves your problem. 8-). Are you using sudo on your system? I believe in my A I explained that using sudo will be the only way you'll find usernames and shutdown events. In the example I showed, the log file /var/log/secure* contains these records of userX running reboot or shutdown commands. – slm Jan 03 '14 at 04:08
  • @ASCIIbetical - also there is no general solution, I for example am using Fedora/CentOS/RHEL which use the file /var/log/secure*, other distros opt for different logs altogether, so you'll have to be more specific in your Q if you really want the "who" information. – slm Jan 03 '14 at 04:12
  • Regarding Ubuntu, alas, hoping to /var/log/syslog didn't help. – ASCIIbetical Jan 03 '14 at 04:26
  • @slm Kindly have a look here: I initiated a shutdown at 10:10:34 and started computer at 10:11:16, alas, no username is present: Log of /var/log/syslog Jan 3 10:10:34 thinktank rsyslogd: [origin software="rsyslogd" swVersion="5.8.6" x-pid="508" x-info="http://www.rsyslog.com"] exiting on signal 15. Jan 3 10:11:16 thinktank kernel: imklog 5.8.6, log source = /proc/kmsg started. Jan 3 10:11:16 thinktank rsyslogd: [origin software="rsyslogd" swVersion="5.8.6" x-pid="711" x-info="http://www.rsyslog.com"] start – ASCIIbetical Jan 03 '14 at 04:45
  • I guess it isn't the user who runs shutdown but some system process. So in that case, how to know from the system process who initiated the shutdown? Look here: http://pastebin.com/5g6RpmuM – ASCIIbetical Jan 03 '14 at 04:53
  • I initiated a shutdown at 10:10:34 and started my system at 10:11:16, no username is there. – ASCIIbetical Jan 03 '14 at 04:53
  • @ASCIIbetical - this was my exact point in the 1st paragraph. You can't know because there is an interface that catches the signal to shutdown/reboot and then triggers it. This process runs as root so you'll never see a username that way. Using sudo and walling off access to shutdown/reboot is just how sysadmins do this. We managed a Fortune 500 company's infrastructure and this is how we did it there. – slm Jan 03 '14 at 04:57
  • Oh, thanks then. I guess that's how it's gonna be done. Thanks for the inputs. Always a pleasure to learn from pros like you. Thanks a ton. – ASCIIbetical Jan 03 '14 at 05:02
  • @ASCIIbetical - the pleasure is mine. I like helping others make sense of all the noise 8-) – slm Jan 03 '14 at 05:05
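
Added example, not part of the original answer or comments: a filter that turns sudo log records like the one in section 1 into a "who ran which shutdown-type command, and was it allowed" report. It goes beyond the answer's single grep by also catching `systemctl`/`init` forms and sudo's refusal records; the function names `sudo_power_events` and `sample_log` are hypothetical, and all sample lines except the first are constructed.

```shell
#!/bin/sh
# Added example: who ran a shutdown-type command through sudo, and was it allowed?
# Assumes traditional syslog timestamps ("Dec 14 02:08:56 host sudo: ...").
# Output columns (tab-separated): time, host, user, run-as, status, command

sudo_power_events() {
    # Reads the files given as arguments, or stdin when there are none.
    awk '
    / sudo(\[[0-9]+\])?: / && (i = index($0, "COMMAND=")) {
        ts = $1 " " $2 " " $3; host = $4
        cmd  = substr($0, i + 8)              # everything after COMMAND=
        head = substr($0, 1, i - 1)           # fields before COMMAND=
        sub(/^.* sudo(\[[0-9]+\])?: +/, "", head)
        user = head; sub(/ : .*/, "", user)   # invoking user
        rest = substr(head, length(user) + 4)
        # A normal record continues with TTY=; a refusal has a reason first.
        status = (rest ~ /^TTY=/) ? "ran" : rest
        sub(/ ;.*/, "", status)
        runas = head; sub(/^.*USER=/, "", runas); sub(/ ;.*/, "", runas)
        split(cmd, a, " "); prog = a[1]; sub(/^.*\//, "", prog)
        if (prog ~ /^(shutdown|reboot|halt|poweroff)$/ ||
            (prog == "systemctl" && a[2] ~ /^(poweroff|reboot|halt)$/) ||
            (prog ~ /^(init|telinit)$/ && a[2] ~ /^[06]$/))
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", ts, host, user, runas, status, cmd
    }' "$@"
}

# Constructed sample input; only the first line is taken from the answer.
sample_log() {
    cat <<'EOF'
Dec 14 02:08:56 greeneggs sudo:     saml : TTY=pts/6 ; PWD=/home/saml ; USER=root ; COMMAND=/sbin/reboot
Dec 14 02:10:01 greeneggs sudo:     saml : TTY=pts/6 ; PWD=/home/saml ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
Dec 15 09:30:12 greeneggs sudo[2211]:   alice : TTY=pts/2 ; PWD=/root ; USER=root ; COMMAND=/sbin/shutdown -h now
Dec 15 09:31:40 greeneggs sudo:      bob : command not allowed ; TTY=pts/3 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/poweroff
Dec 15 09:32:00 greeneggs sshd[900]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
EOF
}

if [ "$#" -gt 0 ]; then
    sudo_power_events "$@"
else
    sample_log | sudo_power_events
fi
```

Pass the log files for your distribution as arguments (for example `/var/log/secure*`, as in the answer); the report is only complete when shutdown and reboot are reachable solely through sudo.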