This brief guide explains how to find who rebooted the Linux system and the time of last reboot. This trick could be useful for those who are managing a multi-user shared server.
Find Who Rebooted The Linux System
To find out who rebooted your Linux server, you need to install psacct utility, which is used to monitor the user's activity. Refer the following link to know more details about psacct.
After installing psacct, run the following to find who rebooted the Linux server:
$ lastcomm reboot
Sample output:
reboot sk pts/0 0.00 secs Mon Apr 3 15:05 reboot S X root __ 0.00 secs Mon Apr 3 15:00 reboot sk pts/0 0.00 secs Mon Apr 3 15:00
As you see above, the user called "sk" has executed 'reboot
' command from 'pts0
' on Monday April 2, at 15:05 local time.
Wait, we're not finished yet.
The above command displays only the three results of the previous reboots. We can display the complete reboot history by running the following command. Please note that, it will not show who has rebooted the system. Instead, it will only show the date and time of the previous reboot.
$ last reboot
Sample output:
reboot system boot 5.11.11-200.fc33 Fri Apr 9 10:59 still running reboot system boot 5.11.11-200.fc33 Thu Apr 8 20:14 - 21:45 (01:31) reboot system boot 5.11.11-200.fc33 Thu Apr 8 14:12 - 20:14 (06:02) reboot system boot 5.11.11-200.fc33 Thu Apr 8 10:30 - 20:14 (09:43) reboot system boot 5.11.11-200.fc33 Wed Apr 7 10:32 - 21:46 (11:13) reboot system boot 5.11.11-200.fc33 Tue Apr 6 21:30 - 22:13 (00:43) reboot system boot 5.11.11-200.fc33 Tue Apr 6 12:38 - 20:33 (07:55) reboot system boot 5.11.11-200.fc33 Tue Apr 6 10:04 - 12:37 (02:33) reboot system boot 5.11.11-200.fc33 Mon Apr 5 17:24 - 21:58 (04:33) reboot system boot 5.11.11-200.fc33 Mon Apr 5 17:00 - 17:23 (00:23)
Also, you can find out which user has rebooted your Linux box by looking at the BASH history file like.
$ grep reboot /home/*/.bash_history
The above command will look at all users .bash_history files and display who has rebooted your system.
/home/sk/.bash_history:reboot /home/sk/.bash_history:sudo reboot /home/sk/.bash_history:reboot /home/sk/.bash_history:sudo reboot /home/sk/.bash_history:sudo reboot /home/sk/.bash_history:reboot
To search for specific user, just mention the username as shown below.
$ grep reboot /home/sk/.bash_history
This command will only look at the .bash_history
file belongs to user called 'sk'. It is always recommended to keep an eye on all user's activities. You never know who is going to break your system. Keep changing the root user's password periodically. Limit user's access to your Linux system and set password policies to users to avoid any security breaches.