Re: why no LOGOUT event record on some OSes

On 21/10/2021 00:38, Richard Guy Briggs wrote: > On 2021-10-20 22:55, Li Zhijian wrote: >> Hi guys

Hi RGB

>> I'm new to audit, then i observed that there is no LOGOUT event record >> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 >> and fedora33 have it. >> >> I google it but get no answer, so am I missing something about the >> audit rules or special audit configuration ? >> >> Below are part of records of audit in my several OSes. >> >> debian 8 > This debian is 3 major releases behind which may explain. My fault, i missed that i have upgraded it to debian 9.4 month ago

lizhijian@lkp-bingo:~/lkp/lkp-tests$ lsb_release -a No LSB modules are available. Distributor ID: Debian Description:    Debian GNU/Linux 9.4 (stretch) Release:        9.4 Codename:       stretch lizhijian@lkp-bingo:~/lkp/lkp-tests$ uname -a Linux lkp-bingo 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux lizhijian@lkp-bingo:~/lkp/lkp-tests$ aureport --version aureport version 2.6.7 BTW: I first notice this behavior in my rootfs from buildroot for an embedded device , which is not consistent with my expectation. Thanks Zhijian >> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER >> [sudo] password for lizhijian: >> 6  USER_START >> 6  USER_END >> 4  USER_ACCT >> 4  USER_CMD >> 2  USER_AUTH >> 2  USER_LOGIN >> >> ubuntu 18.04 >> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER >> 43241  USER_END >> 16946  USER_START >> 16718  USER_ACCT >> 658  USER_AUTH >> 543  USER_CMD >> 255  USER_LOGIN >> 9  USER_ROLE_CHANGE >> 5  USER_ERR >> 2  USER_CHAUTHTOK >> 1  ADD_USER >> >> fedora 33 >> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER >> 7356  CRYPTO_KEY_USER >> 2103  USER_START >> 1649  USER_END >> 1268  USER_ACCT >> 1108  USER_ROLE_CHANGE >> 1029  USER_AUTH >> 895  USER_LOGIN >> 789  USER_LOGOUT >> 60  USER_CMD >> 14  USER_ERR >> 3  USER_MGMT >> 3  USER_CHAUTHTOK >> 1  ADD_USER >> > - RGB