Re: why no LOGOUT event record on some OSes
Hello,
On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
I'm new to audit, then i observed that there is no LOGOUT event
record
in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
fedora33 have it.
I google it but get no answer, so am I missing something about the audit
rules or special audit configuration ?
The logout events are hardwired into programs. IOW, they do not come from any
audit rules. You'd want to see which program the users login with. It is
responsible for sending the logout event. You might check the source code of
it or simply grep AUDIT_LOGOUT in the source.
If it is in the code, then you'd want to see what's happening in the code
when a user logs out.
-Steve
Below are part of records of audit in my several OSes.
debian 8
lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
[sudo] password for lizhijian:
6 USER_START
6 USER_END
4 USER_ACCT
4 USER_CMD
2 USER_AUTH
2 USER_LOGIN
ubuntu 18.04
lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
43241 USER_END
16946 USER_START
16718 USER_ACCT
658 USER_AUTH
543 USER_CMD
255 USER_LOGIN
9 USER_ROLE_CHANGE
5 USER_ERR
2 USER_CHAUTHTOK
1 ADD_USER
fedora 33
[root@iaas-rpma linux]# aureport -e -i --summary | grep USER
7356 CRYPTO_KEY_USER
2103 USER_START
1649 USER_END
1268 USER_ACCT
1108 USER_ROLE_CHANGE
1029 USER_AUTH
895 USER_LOGIN
789 USER_LOGOUT
60 USER_CMD
14 USER_ERR
3 USER_MGMT
3 USER_CHAUTHTOK
1 ADD_USER
Thanks
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit