I am trying to trace abnormal shutdowns which have been occurring periodically on some of our RHEL 5 systems. To aid this I have added a watch to audit.rules for the /sbin/shutdown command:
-w /sbin/shutdown -p x -k power
This has been successfully auditing the shutdown command being run, and the parameters it has been called with, but it appears that it is a daemon or service as the *id parameters audited are all "0" (zero). The audit log displays the pid and ppid but, as the system has shutdown, these are useless after the event. Is there anyway of getting audit to output a process tree to the audit log when the shutdown command is run so I can trace back to the ultimate culprit?