why no LOGOUT event record on some OSes

Richard Guy Briggs rgb at redhat.com
Thu Oct 21 12:38:25 UTC 2021


On 2021-10-21 01:39, lizhijian at fujitsu.com wrote:
> On 21/10/2021 00:38, Richard Guy Briggs wrote:
> > On 2021-10-20 22:55, Li Zhijian wrote:
> >> Hi guys

> Hi RGB

Hi Zhijian,

> >> I'm new to audit, and I observed that there is no LOGOUT event record
> >> in audit.log on my Ubuntu 18.04 and Debian 8 OSes, while CentOS 7.4
> >> and Fedora 33 have it.
> >>
> >> I googled it but got no answer, so am I missing something about the
> >> audit rules or special audit configuration?
> >>
> >> Below are part of records of audit in my several OSes.
> >>
> >> debian 8
> > This debian is 3 major releases behind which may explain.
> My fault, I missed that I have upgraded it to Debian 9.4 month ago

11 Bullseye was released two months ago, and Debian releases are much
longer than other distros and tend to hold new stuff back in testing
and development branches.

Ubuntu is up to release 21.

Even Fedora is up to f35.

> lizhijian at lkp-bingo:~/lkp/lkp-tests$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description:    Debian GNU/Linux 9.4 (stretch)
> Release:        9.4
> Codename:       stretch
> lizhijian at lkp-bingo:~/lkp/lkp-tests$ uname -a
> Linux lkp-bingo 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux
> lizhijian at lkp-bingo:~/lkp/lkp-tests$ aureport --version
> aureport version 2.6.7
> 
> BTW: I first noticed this behavior in my rootfs from buildroot for an embedded device, which is not consistent with my expectation.
> 
> Thanks
> Zhijian
> 
> >> lizhijian at lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
> >> [sudo] password for lizhijian:
> >> 6  USER_START
> >> 6  USER_END
> >> 4  USER_ACCT
> >> 4  USER_CMD
> >> 2  USER_AUTH
> >> 2  USER_LOGIN
> >>
> >> ubuntu 18.04
> >> lizj at FNSTPC:~$ sudo aureport -e -i --summary | grep USER
> >> 43241  USER_END
> >> 16946  USER_START
> >> 16718  USER_ACCT
> >> 658  USER_AUTH
> >> 543  USER_CMD
> >> 255  USER_LOGIN
> >> 9  USER_ROLE_CHANGE
> >> 5  USER_ERR
> >> 2  USER_CHAUTHTOK
> >> 1  ADD_USER
> >>
> >> fedora 33
> >> [root at iaas-rpma linux]# aureport -e -i --summary | grep USER
> >> 7356  CRYPTO_KEY_USER
> >> 2103  USER_START
> >> 1649  USER_END
> >> 1268  USER_ACCT
> >> 1108  USER_ROLE_CHANGE
> >> 1029  USER_AUTH
> >> 895  USER_LOGIN
> >> 789  USER_LOGOUT
> >> 60  USER_CMD
> >> 14  USER_ERR
> >> 3  USER_MGMT
> >> 3  USER_CHAUTHTOK
> >> 1  ADD_USER
> >>
> > - RGB

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635



