Audit Prelude Logout Tracking

LC Bruzenak lenny at magitekltd.com
Thu Feb 19 15:24:58 UTC 2009 

On Thu, 2009-02-19 at 09:36 -0500, Steve Grubb wrote:
> On Thursday 19 February 2009 09:26:28 am Dan Gruhn wrote:
> > Although this seemed like the right place to look, I don't see
> > USER_LOGOUT events in my audit logs,
> 
> They are not used. I decided later that it was not needed for analysis. When 
> you login, there is always a session open event (user_start). This is 
> associated with a user_login event. So, when you see the session closed event 
> (user_end), the logout has occurred.

So for IDS events we have only console logins, not logouts, and no ssh
events?

> 
> However...what if gdm dies? What if the kernel oopses? You have no ending 
> marker. So, what I did recently was patch upstart so that it logs system boot 
> & shutdown events. This way you can tell when the system malfunctioned. The 
> logic for the analysis is in the aulast program, which is in 1.7.11. However, 
> you don't have a patched upstart daemon for RHEL5 since it uses the older 
> SysVinit package.

If gdm dies I thought it would throw an anomaly event.
Don't the kernel oopses do the same thing?

I have seen neither of these two events in the last several months
(thankfully). But I've seen many a login...

> 
> One thing to note, preikka/prelude is an IDS system. Not all audit events are 
> IDS events. Only a handful really qualify as Intrusion Detection worthy. So, 
> you really can't use prewikka as an audit log browser.

Agreed. It is (at least in my CONOPS) an early warning system. But the
people who are watching prelude events will not go digging through audit
data unless an alert triggers it. That or a security breach needing
investigation. Possibly fast login/logout pairs matter. Also at some
sites a logout each day is required by policy and a prelude check over
the LAN with a clicky-click interface is easy. An ssh in from a windows
machine by an occasional user, who doesn't remember the command or know
a forward slash from a backslash, to run a command is unlikely to be a
hit. Since the audit-viewer is not network-capable, we need more info in
the prelude listings.

As I've said before, if logouts are not IDS events why are logins?
Personally I'd prefer both. I will probably patch my audisp to include
them. The time taken to do that would be less than answering the "Why
are there no matching logouts?" for each site at which we
field...especially since I don't have a good answer. Although I
personally hold Steve in high regard, "Because Steve says so" probably
won't fly that great. :)

Dan, as Steve says, aulast provides the analysis. 
However, either I read it wrong or it ignores root:

[root at audit ~]# aulast
issm     tty1         ?                Tue Feb 17 05:35   gone - no
logout
issm     tty1         ?                Tue Feb 17 05:55   gone - no
logout
issm     tty1         ?                Tue Feb 17 06:22   gone - no
logout
issm     tty1         ?                Wed Feb 18 10:16 - 17:19  (07:02)
issm     pts/1        192.168.31.40    Thu Feb 19 02:36 - 02:36  (00:00)
[root at audit ~]# who
root     pts/0        2009-02-19 02:36 (192.168.31.40)

Also aureport has good metrics you can maybe put to use.
At some point I'd like to see the audit-viewer be made network-capable
(preferably the info be browser-accessed) and include these tools
visually.

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com

More information about the Linux-audit mailing list