Re: why no LOGOUT event record on some OSes

Hi Steve On 21/10/2021 09:30, Li Zhijian wrote: > Hi Steve > > > Your reply was very much appreciated > > On 21/10/2021 01:05, Steve Grubb wrote: >> Hello, >> >> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote: >>> I'm new to audit, then i observed that there is no LOGOUT event record >>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and >>> fedora33 have it. >>> >>> I google it but get no answer, so am I missing something about the audit >>> rules or special audit configuration ? >> The logout events are hardwired into programs. IOW, they do not come from any >> audit rules. You'd want to see which program the users login with. > I tried login/logout from /usr/bin/login(util-linux) and sshd(openssh), both of them cannot generate LOGOUT event correctly. > > > >> It is >> responsible for sending the logout event. You might check the source code of >> it or simply grep AUDIT_LOGOUT in the source. > Yes, I believed that some program send logout event to auditd/kauditd, but i cannot find any clue so far. After taking a look into the openssh of fedora-33, indeed, as you said, openssh of fedora-33 add extra patch to support LOGOUT event and etc [root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT); ./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT); ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT); while other openssh shipped by debian and ubuntu didn't do that. I truly appreciate you again. Thanks Zhijian > > IIUC, for above login programs, i should grep AUDIT_LOGOUT in util-linux and openssh, they both return nothing from them. > > [lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r > [lizhijian@yl util-linux-2.33]$ cd - > ... > [lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r > [lizhijian@yl openssh-7.9p1]$ > > even though i grep the openssh souce form centos, it also has no AUDIT_LOGOUT pattern in it. > > Thanks > Zhijian > > >> >> If it is in the code, then you'd want to see what's happening in the code >> when a user logs out. >> >> -Steve >> >>> Below are part of records of audit in my several OSes. >>> >>> debian 8 >>> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER >>> [sudo] password for lizhijian: >>> 6 USER_START >>> 6 USER_END >>> 4 USER_ACCT >>> 4 USER_CMD >>> 2 USER_AUTH >>> 2 USER_LOGIN >>> >>> ubuntu 18.04 >>> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER >>> 43241 USER_END >>> 16946 USER_START >>> 16718 USER_ACCT >>> 658 USER_AUTH >>> 543 USER_CMD >>> 255 USER_LOGIN >>> 9 USER_ROLE_CHANGE >>> 5 USER_ERR >>> 2 USER_CHAUTHTOK >>> 1 ADD_USER >>> >>> fedora 33 >>> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER >>> 7356 CRYPTO_KEY_USER >>> 2103 USER_START >>> 1649 USER_END >>> 1268 USER_ACCT >>> 1108 USER_ROLE_CHANGE >>> 1029 USER_AUTH >>> 895 USER_LOGIN >>> 789 USER_LOGOUT >>> 60 USER_CMD >>> 14 USER_ERR >>> 3 USER_MGMT >>> 3 USER_CHAUTHTOK >>> 1 ADD_USER >>> >>> Thanks >>> >>> -- >>> Linux-audit mailing list >>> Linux-audit(a)redhat.com >>> https://listman.redhat.com/mailman/listinfo/linux-audit >> >> >> >> >> > -- Linux-audit mailing list Linux-audit(a)redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit