why no LOGOUT event record on some OSes

lizhijian at fujitsu.com lizhijian at fujitsu.com
Thu Oct 21 03:56:33 UTC 2021


Hi Steve


On 21/10/2021 09:30, Li Zhijian wrote:
> Hi Steve
>
>
> Your reply was very much appreciated
>
> On 21/10/2021 01:05, Steve Grubb wrote:
>> Hello,
>>
>> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
>>> I'm new to audit, and I observed that there is no LOGOUT event record
>>> in audit.log on my Ubuntu 18.04 and Debian 8 OSes, while CentOS 7.4 and
>>> Fedora 33 have it.
>>>
>>> I googled it but got no answer, so am I missing something about the audit
>>> rules or special audit configuration?
>> The logout events are hardwired into programs. IOW, they do not come from any
>> audit rules. You'd want to see which program the users login with.
> I tried login/logout from /usr/bin/login (util-linux) and sshd (openssh); neither of them generates the LOGOUT event correctly.
>
>
>
>> It is
>> responsible for sending the logout event. You might check the source code of
>> it or simply grep AUDIT_LOGOUT in the source.
> Yes, I believed that some program sends the logout event to auditd/kauditd, but I cannot find any clue so far.

After taking a look into the openssh of fedora-33, indeed, as you said, the openssh of fedora-33 adds an extra patch to support the LOGOUT event, etc.
[root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
./openssh-7.6p1-audit.patch:+            "ssh", 1, AUDIT_USER_LOGOUT);
./openssh-7.6p1-audit.patch:+            li->line, 1, AUDIT_USER_LOGOUT);
./openssh-7.6p1-audit.patch:+                "ssh", 1, AUDIT_USER_LOGOUT);

while other openssh shipped by Debian and Ubuntu didn't do that.

I truly appreciate you again.

Thanks
Zhijian



>
> IIUC, for the above login programs, I should grep AUDIT_LOGOUT in util-linux and openssh; they both return nothing.
>
> [lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
> [lizhijian@yl util-linux-2.33]$ cd -
> ...
> [lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
> [lizhijian@yl openssh-7.9p1]$
>
> Even though I grep the openssh source from CentOS, it also has no AUDIT_LOGOUT pattern in it.
>
> Thanks
> Zhijian
>
>
>>
>> If it is in the code, then you'd want to see what's happening in the code
>> when a user logs out.
>>
>> -Steve
>>
>>> Below are part of records of audit in my several OSes.
>>>
>>> debian 8
>>> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
>>> [sudo] password for lizhijian:
>>> 6  USER_START
>>> 6  USER_END
>>> 4  USER_ACCT
>>> 4  USER_CMD
>>> 2  USER_AUTH
>>> 2  USER_LOGIN
>>>
>>> ubuntu 18.04
>>> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
>>> 43241  USER_END
>>> 16946  USER_START
>>> 16718  USER_ACCT
>>> 658  USER_AUTH
>>> 543  USER_CMD
>>> 255  USER_LOGIN
>>> 9  USER_ROLE_CHANGE
>>> 5  USER_ERR
>>> 2  USER_CHAUTHTOK
>>> 1  ADD_USER
>>>
>>> fedora 33
>>> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER
>>> 7356  CRYPTO_KEY_USER
>>> 2103  USER_START
>>> 1649  USER_END
>>> 1268  USER_ACCT
>>> 1108  USER_ROLE_CHANGE
>>> 1029  USER_AUTH
>>> 895  USER_LOGIN
>>> 789  USER_LOGOUT
>>> 60  USER_CMD
>>> 14  USER_ERR
>>> 3  USER_MGMT
>>> 3  USER_CHAUTHTOK
>>> 1  ADD_USER
>>>
>>> Thanks
>>>
>
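
The thread establishes that USER_LOGOUT is written by the login program itself, so it is missing wherever sshd or login is not patched to send it. As an added example (not from the thread or from any project it mentions), the Python below derives a session end per `ses` id, preferring USER_LOGOUT and otherwise falling back to the USER_END record written by the same executable that logged USER_LOGIN. Assumptions: the log lines are constructed, `op=PAM:session_close` is taken as the session end, and `session_ends` is a hypothetical name.

```python
import re
from collections import defaultdict

# Constructed sample records in the raw audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1634788000.100:201): pid=900 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_END msg=audit(1634788050.200:210): pid=950 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1634788300.300:220): pid=900 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634789000.100:301): pid=1200 uid=0 auid=1001 ses=8 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=success'
type=USER_LOGOUT msg=audit(1634789400.500:320): pid=1200 uid=0 auid=1001 ses=8 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634790000.100:401): pid=1500 uid=0 auid=1002 ses=9 msg='op=login id=1002 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.12 terminal=ssh res=success'
"""

# type, epoch seconds, session id, op= value, exe= path
RECORD = re.compile(r'type=(\w+) msg=audit\((\d+)\.\d+:\d+\):.*?\bses=(\d+)\b.*?'
                    r'op=([\w:]+).*?exe="([^"]+)"')

def session_ends(log_text):
    """Map ses -> (end_epoch or None, source) for every session with a USER_LOGIN."""
    logins, logouts, closes = {}, {}, defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        rtype, ts, ses, op, exe = m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5)
        if rtype == "USER_LOGIN":
            logins[ses] = exe
        elif rtype == "USER_LOGOUT":
            logouts[ses] = ts
        elif rtype == "USER_END" and op == "PAM:session_close":
            closes[ses].append((ts, exe))
    result = {}
    for ses, login_exe in logins.items():
        if ses in logouts:
            result[ses] = (logouts[ses], "USER_LOGOUT")
            continue
        # Fallback: other programs run inside the session (sudo here) also write
        # USER_END, so accept only the close from the program that logged the login.
        own = [ts for ts, exe in closes[ses] if exe == login_exe]
        result[ses] = (max(own), "USER_END") if own else (None, "open-or-unknown")
    return result

if __name__ == "__main__":
    for ses, (end, source) in sorted(session_ends(SAMPLE_LOG).items()):
        print(f"ses={ses} end={end} source={source}")
```

Filtering on `exe` matters on hosts like the Ubuntu one in the thread, where USER_END records far outnumber USER_LOGIN records.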