Re: why no LOGOUT event record on some OSes

Hello, On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote: > I'm new to audit, then i observed that there is no LOGOUT event record > in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and > fedora33 have it. > > I google it but get no answer, so am I missing something about the audit > rules or special audit configuration ? The logout events are hardwired into programs. IOW, they do not come from any audit rules. You'd want to see which program the users login with.

It is responsible for sending the logout event. You might check the source code of it or simply grep AUDIT_LOGOUT in the source.

If it is in the code, then you'd want to see what's happening in the code when a user logs out. -Steve > Below are part of records of audit in my several OSes. > > debian 8 > lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER > [sudo] password for lizhijian: > 6 USER_START > 6 USER_END > 4 USER_ACCT > 4 USER_CMD > 2 USER_AUTH > 2 USER_LOGIN > > ubuntu 18.04 > lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER > 43241 USER_END > 16946 USER_START > 16718 USER_ACCT > 658 USER_AUTH > 543 USER_CMD > 255 USER_LOGIN > 9 USER_ROLE_CHANGE > 5 USER_ERR > 2 USER_CHAUTHTOK > 1 ADD_USER > > fedora 33 > [root@iaas-rpma linux]# aureport -e -i --summary | grep USER > 7356 CRYPTO_KEY_USER > 2103 USER_START > 1649 USER_END > 1268 USER_ACCT > 1108 USER_ROLE_CHANGE > 1029 USER_AUTH > 895 USER_LOGIN > 789 USER_LOGOUT > 60 USER_CMD > 14 USER_ERR > 3 USER_MGMT > 3 USER_CHAUTHTOK > 1 ADD_USER > > Thanks > > -- > Linux-audit mailing list > Linux-audit(a)redhat.com > https://listman.redhat.com/mailman/listinfo/linux-audit