why no LOGOUT event record on some OSes
lizhijian at fujitsu.com
lizhijian at fujitsu.com
Thu Oct 21 01:31:42 UTC 2021
Hi Steve
Your reply was very much appreciated
On 21/10/2021 01:05, Steve Grubb wrote:
> Hello,
>
> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
>> I'm new to audit, then i observed that there is no LOGOUT event record
>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
>> fedora33 have it.
>>
>> I google it but get no answer, so am I missing something about the audit
>> rules or special audit configuration ?
> The logout events are hardwired into programs. IOW, they do not come from any
> audit rules. You'd want to see which program the users login with.
I tried login/logout from /usr/bin/login(util-linux) and sshd(openssh), both of them cannot generate LOGOUT event correctly.
> It is
> responsible for sending the logout event. You might check the source code of
> it or simply grep AUDIT_LOGOUT in the source.
Yes, I believed that some program send logout event to auditd/kauditd, but i cannot find any clue so far.
IIUC, for above login programs, i should grep AUDIT_LOGOUT in util-linux and openssh, they both return nothing from them.
[lizhijian at yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
[lizhijian at yl util-linux-2.33]$ cd -
...
[lizhijian at yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
[lizhijian at yl openssh-7.9p1]$
even though i grep the openssh souce form centos, it also has no AUDIT_LOGOUT pattern in it.
Thanks
Zhijian
>
> If it is in the code, then you'd want to see what's happening in the code
> when a user logs out.
>
> -Steve
>
>> Below are part of records of audit in my several OSes.
>>
>> debian 8
>> lizhijian at lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
>> [sudo] password for lizhijian:
>> 6 USER_START
>> 6 USER_END
>> 4 USER_ACCT
>> 4 USER_CMD
>> 2 USER_AUTH
>> 2 USER_LOGIN
>>
>> ubuntu 18.04
>> lizj at FNSTPC:~$ sudo aureport -e -i --summary | grep USER
>> 43241 USER_END
>> 16946 USER_START
>> 16718 USER_ACCT
>> 658 USER_AUTH
>> 543 USER_CMD
>> 255 USER_LOGIN
>> 9 USER_ROLE_CHANGE
>> 5 USER_ERR
>> 2 USER_CHAUTHTOK
>> 1 ADD_USER
>>
>> fedora 33
>> [root at iaas-rpma linux]# aureport -e -i --summary | grep USER
>> 7356 CRYPTO_KEY_USER
>> 2103 USER_START
>> 1649 USER_END
>> 1268 USER_ACCT
>> 1108 USER_ROLE_CHANGE
>> 1029 USER_AUTH
>> 895 USER_LOGIN
>> 789 USER_LOGOUT
>> 60 USER_CMD
>> 14 USER_ERR
>> 3 USER_MGMT
>> 3 USER_CHAUTHTOK
>> 1 ADD_USER
>>
>> Thanks
>>
>> --
>> Linux-audit mailing list
>> Linux-audit at redhat.com
>> https://listman.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
>
More information about the Linux-audit
mailing list