Could you please file a bug in Ubuntu about this, openssh package?
https://bugs.launchpad.net/ubuntu/+source/openssh/+filebug
We can take a look at what it would take to adopt that patch, and
submit it to debian as well
On Thu, Oct 21, 2021 at 9:56 AM lizhijian(a)fujitsu.com
<lizhijian(a)fujitsu.com> wrote:
> Hi Steve
>
>
> On 21/10/2021 09:30, Li Zhijian wrote:
>> Hi Steve
>>
>>
>> Your reply was very much appreciated
>>
>> On 21/10/2021 01:05, Steve Grubb wrote:
>>> Hello,
>>>
>>> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
>>>> I'm new to audit, then I observed that there is no LOGOUT event record
>>>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
>>>> fedora33 have it.
>>>>
>>>> I googled it but got no answer, so am I missing something about the audit
>>>> rules or special audit configuration?
>>> The logout events are hardwired into programs. IOW, they do not come from any
>>> audit rules. You'd want to see which program the users login with.
>> I tried login/logout from /usr/bin/login(util-linux) and sshd(openssh), both of
>> them cannot generate LOGOUT event correctly.
>>
>>
>>
>>> It is
>>> responsible for sending the logout event. You might check the source code of
>>> it or simply grep AUDIT_LOGOUT in the source.
>> Yes, I believed that some program sends logout event to auditd/kauditd, but I
>> cannot find any clue so far.
> After taking a look into the openssh of fedora-33, indeed, as you said, openssh of
> fedora-33 adds an extra patch to support LOGOUT event etc.
> [root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
> ./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT);
> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
>
> while other openssh shipped by debian and ubuntu didn't do that.
>
> I truly appreciate you again.
>
> Thanks
> Zhijian
>
>
>
>> IIUC, for above login programs, I should grep AUDIT_LOGOUT in util-linux and
>> openssh, they both return nothing from them.
>>
>> [lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
>> [lizhijian@yl util-linux-2.33]$ cd -
>> ...
>> [lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
>> [lizhijian@yl openssh-7.9p1]$
>>
>> even though I grep the openssh source from centos, it also has no AUDIT_LOGOUT
>> pattern in it.
>>
>> Thanks
>> Zhijian
>>
>>
>>> If it is in the code, then you'd want to see what's happening in the code
>>> when a user logs out.
>>>
>>> -Steve
>>>
>>>> Below are part of records of audit in my several OSes.
>>>>
>>>> debian 8
>>>> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
>>>> [sudo] password for lizhijian:
>>>> 6 USER_START
>>>> 6 USER_END
>>>> 4 USER_ACCT
>>>> 4 USER_CMD
>>>> 2 USER_AUTH
>>>> 2 USER_LOGIN
>>>>
>>>> ubuntu 18.04
>>>> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
>>>> 43241 USER_END
>>>> 16946 USER_START
>>>> 16718 USER_ACCT
>>>> 658 USER_AUTH
>>>> 543 USER_CMD
>>>> 255 USER_LOGIN
>>>> 9 USER_ROLE_CHANGE
>>>> 5 USER_ERR
>>>> 2 USER_CHAUTHTOK
>>>> 1 ADD_USER
>>>>
>>>> fedora 33
>>>> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER
>>>> 7356 CRYPTO_KEY_USER
>>>> 2103 USER_START
>>>> 1649 USER_END
>>>> 1268 USER_ACCT
>>>> 1108 USER_ROLE_CHANGE
>>>> 1029 USER_AUTH
>>>> 895 USER_LOGIN
>>>> 789 USER_LOGOUT
>>>> 60 USER_CMD
>>>> 14 USER_ERR
>>>> 3 USER_MGMT
>>>> 3 USER_CHAUTHTOK
>>>> 1 ADD_USER
>>>>
>>>> Thanks
>>>>
>>>> --
>>>> Linux-audit mailing list
>>>> Linux-audit(a)redhat.com
>>>> https://listman.redhat.com/mailman/listinfo/linux-audit
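
The comparison made in this thread can be repeated on any host with the following added example, which is not part of the original messages: the hypothetical `logout_coverage` function reads `aureport -e -i --summary` output and reports whether USER_LOGIN records are accompanied by USER_LOGOUT records. The sample input is the Debian 8 and Fedora 33 counts quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the output of
# `aureport -e -i --summary` by whether logins have matching logouts.

# Hypothetical helper: reads "<count> <EVENT_TYPE>" lines on stdin.
logout_coverage() {
    awk '
        # Keep only summary rows; skips headers and the sudo prompt line.
        NF == 2 && $1 ~ /^[0-9]+$/ { n[$2] = $1 }
        END {
            login  = n["USER_LOGIN"]  + 0
            logout = n["USER_LOGOUT"] + 0
            if (login == 0)
                print "no-logins"
            else if (logout == 0)
                print "logout-missing login=" login
            else
                print "logout-present login=" login " logout=" logout
        }'
}

# USER_* counts quoted in the thread for Debian 8.
sample_debian8() {
    cat <<'EOF'
[sudo] password for lizhijian:
6 USER_START
6 USER_END
4 USER_ACCT
4 USER_CMD
2 USER_AUTH
2 USER_LOGIN
EOF
}

# Session-related counts quoted in the thread for Fedora 33.
sample_fedora33() {
    cat <<'EOF'
2103 USER_START
1649 USER_END
895 USER_LOGIN
789 USER_LOGOUT
EOF
}

# Demo on the quoted figures; on a live host run:
#   sudo aureport -e -i --summary | logout_coverage
if [ "${1:-}" = "--demo" ]; then
    sample_debian8 | logout_coverage
    sample_fedora33 | logout_coverage
fi
```

A `logout-missing` result means the login programs on that host are not sending USER_LOGOUT, which per the thread is decided in the program's source and not by audit rules.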