why no LOGOUT event record on some OSes

lizhijian at fujitsu.com lizhijian at fujitsu.com
Thu Oct 21 01:31:42 UTC 2021


Hi Steve
  

Your reply was very much appreciated.

On 21/10/2021 01:05, Steve Grubb wrote:
> Hello,
>
> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
>> I'm new to audit, and I observed that there is no LOGOUT event record
>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
>> fedora33 have it.
>>
>> I googled it but got no answer, so am I missing something about the audit
>> rules or special audit configuration?
> The logout events are hardwired into programs. IOW, they do not come from any
> audit rules. You'd want to see which program the users login with.
I tried login/logout from /usr/bin/login (util-linux) and sshd (openssh); both of them cannot generate the LOGOUT event correctly.



> It is
> responsible for sending the logout event. You might check the source code of
> it or simply grep AUDIT_LOGOUT in the source.
Yes, I believed that some program sends the logout event to auditd/kauditd, but I cannot find any clue so far.

IIUC, for the above login programs, I should grep AUDIT_LOGOUT in util-linux and openssh; they both return nothing.

[lizhijian at yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
[lizhijian at yl util-linux-2.33]$ cd -
...
[lizhijian at yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
[lizhijian at yl openssh-7.9p1]$

Even when I grep the openssh source from centos, it also has no AUDIT_LOGOUT pattern in it.

Thanks
Zhijian


>
> If it is in the code, then you'd want to see what's happening in the code
> when a user logs out.
>
> -Steve
>
>> Below are part of records of audit in my several OSes.
>>
>> debian 8
>> lizhijian at lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
>> [sudo] password for lizhijian:
>> 6  USER_START
>> 6  USER_END
>> 4  USER_ACCT
>> 4  USER_CMD
>> 2  USER_AUTH
>> 2  USER_LOGIN
>>
>> ubuntu 18.04
>> lizj at FNSTPC:~$ sudo aureport -e -i --summary | grep USER
>> 43241  USER_END
>> 16946  USER_START
>> 16718  USER_ACCT
>> 658  USER_AUTH
>> 543  USER_CMD
>> 255  USER_LOGIN
>> 9  USER_ROLE_CHANGE
>> 5  USER_ERR
>> 2  USER_CHAUTHTOK
>> 1  ADD_USER
>>
>> fedora 33
>> [root at iaas-rpma linux]# aureport -e -i --summary | grep USER
>> 7356  CRYPTO_KEY_USER
>> 2103  USER_START
>> 1649  USER_END
>> 1268  USER_ACCT
>> 1108  USER_ROLE_CHANGE
>> 1029  USER_AUTH
>> 895  USER_LOGIN
>> 789  USER_LOGOUT
>> 60  USER_CMD
>> 14  USER_ERR
>> 3  USER_MGMT
>> 3  USER_CHAUTHTOK
>> 1  ADD_USER
>>
>> Thanks
>>
>> --
>> Linux-audit mailing list
>> Linux-audit at redhat.com
>> https://listman.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
>
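
The summaries quoted in this thread show hosts that record USER_LOGIN but never USER_LOGOUT. As an added example (not part of the original messages), this shell function classifies `aureport -e -i --summary` output on that basis; the function names and verdict strings are made up for the example, and the sample inputs are constructed from the counts quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: check whether an audit trail that
# contains USER_LOGIN records also contains USER_LOGOUT records.
# Function names and verdict strings are assumptions of this example.

# Reads "<count>  <TYPE>" summary rows on stdin and prints
# "<verdict> login=<n> logout=<n> session_end=<n>".
logout_coverage() {
  awk '
    # Keep only "<number> <TYPE>" rows; prompts and headers are skipped.
    NF == 2 && $1 ~ /^[0-9]+$/ { count[$2] += $1 }
    END {
      login  = count["USER_LOGIN"]  + 0
      logout = count["USER_LOGOUT"] + 0
      sess   = count["USER_END"]    + 0
      if (login == 0)       verdict = "no-login-events"
      else if (logout == 0) verdict = "missing-logout"
      else                  verdict = "ok"
      printf "%s login=%d logout=%d session_end=%d\n", verdict, login, logout, sess
    }'
}

# Constructed sample: the debian 8 counts quoted in the thread,
# including the sudo prompt line that the parser has to ignore.
sample_debian8() { cat <<'EOF'
[sudo] password for lizhijian:
6  USER_START
6  USER_END
4  USER_ACCT
4  USER_CMD
2  USER_AUTH
2  USER_LOGIN
EOF
}

# Constructed sample: a subset of the fedora 33 counts quoted in the thread.
sample_fedora33() { cat <<'EOF'
2103  USER_START
1649  USER_END
895  USER_LOGIN
789  USER_LOGOUT
EOF
}

for host in debian8 fedora33; do
  printf '%s: ' "$host"
  "sample_$host" | logout_coverage
done
```

On a live host the same function can be fed directly: `sudo aureport -e -i --summary | logout_coverage`.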