For a group of cloud instances, I am looking to implement a policy whereby any instance will self-destruct if no users were logged into it via ssh for the last X hours. This requires me to track logout events. It seems like the audit log might provide this information.

However, looking at that log while a user logs out of an ssh session, I noticed two lines:

type=USER_END msg=audit(1399507220.412:179): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_LOGOUT msg=audit(1399507220.412:180): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'

They appear to correspond to two other events recorded during the same user's login:

type=USER_LOGIN msg=audit(1399507218.420:173): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1399507218.420:174): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'

What is the difference between USER_END and USER_LOGOUT? Which one should I track, in order to capture all session-end events, including the ssh connection being terminated without the user actually typing in "logout"?

--
Florin Andrei
http://florin.myip.org/

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
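The following is an added example, not code from the original post or from the audit project: a small Python tracker that replays audit records of the kind quoted above, keys session start and end on the audit session id (the ses= field, which is what both the USER_LOGIN/USER_START pair and the USER_END/USER_LOGOUT pair share in the records shown), and reports how long the host has been without an open session. It sidesteps the USER_END versus USER_LOGOUT question by accepting either record type as "session over", on the assumption that a dropped ssh connection still produces at least one of them; the choice of start/end types, the treatment of ses=4294967295 as "unset", and the sample log (addresses replaced with the documentation address 192.0.2.10) are assumptions made for this example.

```python
"""Track ssh session start/end events in Linux audit log records.

Added example (not from the original post): pairs session-start records
with session-end records by audit session id (the ses= field) and reports
how long the host has been without any open login session.
"""
import re
import time

# Record types treated as "a login session is now open".  USER_LOGIN and
# USER_START arrive together for the same ses= in the quoted records, so
# the tracker deduplicates on ses= rather than counting them twice.
SESSION_START = {"USER_LOGIN", "USER_START"}
# Record types treated as "the session is over".  Both are accepted so the
# idle clock starts on whichever arrives first (assumption: a dropped
# connection still produces at least one of them).
SESSION_END = {"USER_END", "USER_LOGOUT"}
# The kernel's "unset" session id (-1 as an unsigned 32-bit value).
UNSET_SES = "4294967295"

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<secs>\d+)\.(?P<msecs>\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value tokens: single-quoted, double-quoted, or bare.
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Parse one audit record into a flat dict, or None if it is not one.

    Fields inside the quoted msg='...' part (op, exe, terminal, res, ...)
    are hoisted into the same dict as the outer fields (pid, uid, auid, ses).
    """
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "type": m["type"],
        "ts": float(m["secs"] + "." + m["msecs"]),
        "serial": int(m["serial"]),
    }
    for key, raw in KV_RE.findall(m["body"]):
        if raw[0] in "'\"":
            raw = raw[1:-1]
            if key == "msg":
                for ikey, iraw in KV_RE.findall(raw):
                    rec[ikey] = iraw.strip('"')
                continue
        rec[key] = raw
    return rec


def session_state(lines):
    """Replay records; return (open sessions {ses: start ts}, ts of last end)."""
    open_sessions = {}
    last_end = None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ses = rec.get("ses")
        if ses is None or ses == UNSET_SES:
            continue
        if rec["type"] in SESSION_START:
            open_sessions.setdefault(ses, rec["ts"])
        elif rec["type"] in SESSION_END:
            open_sessions.pop(ses, None)
            if last_end is None or rec["ts"] > last_end:
                last_end = rec["ts"]
    return open_sessions, last_end


def idle_seconds(lines, now):
    """Seconds since the last session ended; 0.0 while any session is open;
    None if the log shows no session end at all (the caller should then fall
    back to e.g. instance boot time rather than treat it as idle forever)."""
    open_sessions, last_end = session_state(lines)
    if open_sessions:
        return 0.0
    if last_end is None:
        return None
    return now - last_end


def should_self_destruct(lines, now, max_idle_hours):
    idle = idle_seconds(lines, now)
    return idle is not None and idle >= max_idle_hours * 3600


# Constructed sample records modelled on the ones quoted in the question
# (real addresses replaced with 192.0.2.10, a documentation address).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1399507218.420:173): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1399507218.420:174): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1399507220.412:179): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_LOGOUT msg=audit(1399507220.412:180): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /var/log/audit/audit.log
    lines = open(path).read().splitlines() if path else SAMPLE_LOG.splitlines()
    print("idle seconds:", idle_seconds(lines, time.time()))
```

Run it with no argument to replay the sample, or point it at a copy of audit.log (reading the live file needs root). One practical caveat a self-destruct job should handle: if the log has been rotated since the last session ended, no end record is visible and idle_seconds returns None, so the decision must fall back to something else (boot time, or the rotated file) rather than assume the instance is idle.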