Are you always seeing this discrepancy or just on one sample Ubuntu scan? A possible
reason, if you are seeing it on just the current scan: the system may have rebooted after
users logged in but before they logged out (no logout records would be generated). You
might also try looking at the data with ausearch. Perhaps aureport on Ubuntu doesn't
report the logout records, but ausearch should show them to you if they exist (and I would
expect them to exist). Another thing to look at: make sure your audit rules file is
configured correctly to collect logout activity.
Karen Wieprecht
-----Original Message-----
From: linux-audit-bounces(a)redhat.com <linux-audit-bounces(a)redhat.com> On Behalf Of
Li Zhijian
Sent: Wednesday, October 20, 2021 10:55 AM
To: linux-audit(a)redhat.com
Cc: Li Zhijian <lizhijian(a)cn.fujitsu.com>
Subject: [EXT] why no LOGOUT event record on some OSes
Hi guys
I'm new to audit, and I observed that there is no LOGOUT event record in audit.log on
my Ubuntu 18.04 and Debian 8 OSes, while CentOS 7.4 and Fedora 33 have it.
I googled it but got no answer, so am I missing something about the audit rules or a special
audit configuration?
Below are parts of the audit records from my several OSes.
debian 8
lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
[sudo] password for lizhijian:
6 USER_START
6 USER_END
4 USER_ACCT
4 USER_CMD
2 USER_AUTH
2 USER_LOGIN
ubuntu 18.04
lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
43241 USER_END
16946 USER_START
16718 USER_ACCT
658 USER_AUTH
543 USER_CMD
255 USER_LOGIN
9 USER_ROLE_CHANGE
5 USER_ERR
2 USER_CHAUTHTOK
1 ADD_USER
fedora 33
[root@iaas-rpma linux]# aureport -e -i --summary | grep USER
7356 CRYPTO_KEY_USER
2103 USER_START
1649 USER_END
1268 USER_ACCT
1108 USER_ROLE_CHANGE
1029 USER_AUTH
895 USER_LOGIN
789 USER_LOGOUT
60 USER_CMD
14 USER_ERR
3 USER_MGMT
3 USER_CHAUTHTOK
1 ADD_USER
Thanks
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
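
The check suggested in the reply above (look at the raw records rather than the aureport summary), as an added example that is not part of the original thread: it groups raw audit.log records by session id and reports, for each session with a USER_LOGIN, whether a USER_LOGOUT exists, only a USER_END exists, or the session was never closed (for example a reboot before logout). The sample records, the account name and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in raw audit.log format (not data from the thread).
# ses=3 has a USER_LOGOUT, ses=4 ends with USER_END only, ses=5 never ends.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1634712000.101:210): pid=901 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1634712000.105:211): pid=901 uid=0 auid=1000 ses=3 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_END msg=audit(1634712600.300:212): pid=901 uid=0 auid=1000 ses=3 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGOUT msg=audit(1634712600.310:213): pid=901 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634713000.101:220): pid=950 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1634713000.105:221): pid=950 uid=0 auid=1000 ses=4 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_END msg=audit(1634713900.300:222): pid=950 uid=0 auid=1000 ses=4 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634714000.101:230): pid=990 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1634714000.105:231): pid=990 uid=0 auid=1000 ses=5 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
"""

# Record type and session id; search() tolerates an optional "node=" prefix.
RECORD = re.compile(r"type=(\S+) msg=audit\(\d+\.\d+:\d+\):.*?\bses=(\d+)\b")

def summarize(log_text):
    """Return (per-type counts, {session id: set of record types seen})."""
    counts, sessions = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        rtype, ses = m.groups()
        counts[rtype] += 1
        if ses != "4294967295":  # 4294967295 means the session id is unset
            sessions[ses].add(rtype)
    return counts, sessions

def classify(sessions):
    """For each session that has a USER_LOGIN, say how its end was recorded."""
    result = {}
    for ses, types in sessions.items():
        if "USER_LOGIN" not in types:
            continue
        if "USER_LOGOUT" in types:
            result[ses] = "logout"
        elif "USER_END" in types:
            result[ses] = "end-only"   # session close logged, no USER_LOGOUT
        else:
            result[ses] = "open"       # no close at all, e.g. reboot before logout
    return result

if __name__ == "__main__":
    counts, sessions = summarize(SAMPLE_LOG)
    print(dict(counts), classify(sessions))
```

To run it against a real host, pass the contents of the audit log (readable by root only) to summarize() instead of SAMPLE_LOG.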