why no LOGOUT event record on some OSes
Richard Guy Briggs
rgb at redhat.com
Thu Oct 21 12:38:25 UTC 2021
On 2021-10-21 01:39, lizhijian at fujitsu.com wrote:
> On 21/10/2021 00:38, Richard Guy Briggs wrote:
> > On 2021-10-20 22:55, Li Zhijian wrote:
> >> Hi guys
> Hi RGB
Hi Zhijian,
> >> I'm new to audit, then I observed that there is no LOGOUT event record
> >> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4
> >> and fedora33 have it.
> >>
> >> I googled it but got no answer, so am I missing something about the
> >> audit rules or special audit configuration?
> >>
> >> Below are part of records of audit in my several OSes.
> >>
> >> debian 8
> > This debian is 3 major releases behind which may explain.
> My fault, I missed that I have upgraded it to debian 9.4 month ago
11 Bullseye was released two months ago and debian releases are much
longer than other distros and tend to hold new stuff back in testing
and development branches.
Ubuntu is up to release 21.
Even fedora is up to f35.
> lizhijian at lkp-bingo:~/lkp/lkp-tests$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description: Debian GNU/Linux 9.4 (stretch)
> Release: 9.4
> Codename: stretch
> lizhijian at lkp-bingo:~/lkp/lkp-tests$ uname -a
> Linux lkp-bingo 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux
> lizhijian at lkp-bingo:~/lkp/lkp-tests$ aureport --version
> aureport version 2.6.7
>
> BTW: I first noticed this behavior in my rootfs from buildroot for an embedded device, which is not consistent with my expectation.
>
> Thanks
> Zhijian
>
> >> lizhijian at lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
> >> [sudo] password for lizhijian:
> >> 6 USER_START
> >> 6 USER_END
> >> 4 USER_ACCT
> >> 4 USER_CMD
> >> 2 USER_AUTH
> >> 2 USER_LOGIN
> >>
> >> ubuntu 18.04
> >> lizj at FNSTPC:~$ sudo aureport -e -i --summary | grep USER
> >> 43241 USER_END
> >> 16946 USER_START
> >> 16718 USER_ACCT
> >> 658 USER_AUTH
> >> 543 USER_CMD
> >> 255 USER_LOGIN
> >> 9 USER_ROLE_CHANGE
> >> 5 USER_ERR
> >> 2 USER_CHAUTHTOK
> >> 1 ADD_USER
> >>
> >> fedora 33
> >> [root at iaas-rpma linux]# aureport -e -i --summary | grep USER
> >> 7356 CRYPTO_KEY_USER
> >> 2103 USER_START
> >> 1649 USER_END
> >> 1268 USER_ACCT
> >> 1108 USER_ROLE_CHANGE
> >> 1029 USER_AUTH
> >> 895 USER_LOGIN
> >> 789 USER_LOGOUT
> >> 60 USER_CMD
> >> 14 USER_ERR
> >> 3 USER_MGMT
> >> 3 USER_CHAUTHTOK
> >> 1 ADD_USER
> >>
> > - RGB
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
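
An added example, not part of the original message or of the audit project: a shell check for the symptom reported in this thread, an `aureport -e -i --summary` listing that contains USER_LOGIN records but no USER_LOGOUT records. The function and sample names are hypothetical, and the sample rows are copied from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): classify `aureport -e -i --summary`
# output read on stdin. Prints "ok ...", "no-logout ..." or "no-login-data";
# the exit status is 0 only for "ok".
# Real use: sudo aureport -e -i --summary | check_logout_coverage
check_logout_coverage() {
    awk '
        # Summary rows are "<count> <record type>"; report headers, rulers
        # and the sudo password prompt do not match and are skipped.
        NF == 2 && $1 ~ /^[0-9]+$/ { count[$2] = $1 }
        END {
            login  = count["USER_LOGIN"] + 0
            logout = count["USER_LOGOUT"] + 0
            if (login == 0)  { print "no-login-data"; exit 2 }
            if (logout == 0) { print "no-logout login=" login; exit 1 }
            print "ok login=" login " logout=" logout
        }'
}

# Sample input: rows copied from the Debian output quoted in the thread.
sample_debian() {
    cat <<'EOF'
[sudo] password for lizhijian:
6 USER_START
6 USER_END
4 USER_ACCT
4 USER_CMD
2 USER_AUTH
2 USER_LOGIN
EOF
}

# Sample input: a subset of the Fedora 33 rows quoted in the thread.
sample_fedora() {
    cat <<'EOF'
2103 USER_START
1649 USER_END
895 USER_LOGIN
789 USER_LOGOUT
EOF
}

# Stand-alone demonstration over both samples.
for s in sample_debian sample_fedora; do
    printf '%s: ' "$s"
    "$s" | check_logout_coverage || true
done
```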