Hi Steve
On 21/10/2021 09:30, Li Zhijian wrote:
Hi Steve
Your reply was very much appreciated
On 21/10/2021 01:05, Steve Grubb wrote:
> Hello,
>
> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
>> I'm new to audit, then i observed that there is no LOGOUT event record
>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
>> fedora33 have it.
>>
>> I google it but get no answer, so am I missing something about the audit
>> rules or special audit configuration ?
> The logout events are hardwired into programs. IOW, they do not come from any
> audit rules. You'd want to see which program the users login with.
I tried login/logout from /usr/bin/login(util-linux) and sshd(openssh), both of them
cannot generate LOGOUT event correctly.
> It is
> responsible for sending the logout event. You might check the source code of
> it or simply grep AUDIT_LOGOUT in the source.
Yes, I believed that some program send logout event to auditd/kauditd, but i cannot find
any clue so far.
After taking a look into the openssh of fedora-33, indeed, as you said, openssh of
fedora-33 add extra patch to support LOGOUT event and etc
[root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT);
./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
while other openssh shipped by debian and ubuntu didn't do that.
I truly appreciate you again.
Thanks
Zhijian
IIUC, for above login programs, i should grep AUDIT_LOGOUT in util-linux and openssh,
they both return nothing from them.
[lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
[lizhijian@yl util-linux-2.33]$ cd -
...
[lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
[lizhijian@yl openssh-7.9p1]$
even though i grep the openssh souce form centos, it also has no AUDIT_LOGOUT pattern in
it.
Thanks
Zhijian
>
> If it is in the code, then you'd want to see what's happening in the code
> when a user logs out.
>
> -Steve
>
>> Below are part of records of audit in my several OSes.
>>
>> debian 8
>> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
>> [sudo] password for lizhijian:
>> 6 USER_START
>> 6 USER_END
>> 4 USER_ACCT
>> 4 USER_CMD
>> 2 USER_AUTH
>> 2 USER_LOGIN
>>
>> ubuntu 18.04
>> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
>> 43241 USER_END
>> 16946 USER_START
>> 16718 USER_ACCT
>> 658 USER_AUTH
>> 543 USER_CMD
>> 255 USER_LOGIN
>> 9 USER_ROLE_CHANGE
>> 5 USER_ERR
>> 2 USER_CHAUTHTOK
>> 1 ADD_USER
>>
>> fedora 33
>> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER
>> 7356 CRYPTO_KEY_USER
>> 2103 USER_START
>> 1649 USER_END
>> 1268 USER_ACCT
>> 1108 USER_ROLE_CHANGE
>> 1029 USER_AUTH
>> 895 USER_LOGIN
>> 789 USER_LOGOUT
>> 60 USER_CMD
>> 14 USER_ERR
>> 3 USER_MGMT
>> 3 USER_CHAUTHTOK
>> 1 ADD_USER
>>
>> Thanks
>>
>> --
>> Linux-audit mailing list
>> Linux-audit(a)redhat.com
>>
https://listman.redhat.com/mailman/listinfo/linux-audit
>
>
>
>
>