Are you always seeing this discrepancy or just on one sample Ubuntu scan? A possible reason, if you are seeing it on just the current scan: the system may have rebooted after users logged in but before they logged out (no logout records would be generated). You might also try looking at the data with ausearch. Perhaps aureport on Ubuntu doesn't report the logout records, but ausearch should show them to you if they exist (and I would expect them to exist). Another thing to look at: make sure your audit rules file is configured correctly to collect logout activity.

Karen Wieprecht

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Li Zhijian
Sent: Wednesday, October 20, 2021 10:55 AM
To: [email protected]
Cc: Li Zhijian <[email protected]>
Subject: [EXT] why no LOGOUT event record on some OSes

Hi guys

I'm new to audit, and I observed that there is no LOGOUT event record in audit.log on my Ubuntu 18.04 and Debian 8 OSes, while CentOS 7.4 and Fedora 33 have it. I googled it but got no answer, so am I missing something about the audit rules or special audit configuration?

Below are part of the audit records from my several OSes.

debian 8

lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
[sudo] password for lizhijian:
6  USER_START
6  USER_END
4  USER_ACCT
4  USER_CMD
2  USER_AUTH
2  USER_LOGIN

ubuntu 18.04

lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
43241  USER_END
16946  USER_START
16718  USER_ACCT
658  USER_AUTH
543  USER_CMD
255  USER_LOGIN
9  USER_ROLE_CHANGE
5  USER_ERR
2  USER_CHAUTHTOK
1  ADD_USER

fedora 33

[root@iaas-rpma linux]# aureport -e -i --summary | grep USER
7356  CRYPTO_KEY_USER
2103  USER_START
1649  USER_END
1268  USER_ACCT
1108  USER_ROLE_CHANGE
1029  USER_AUTH
895  USER_LOGIN
789  USER_LOGOUT
60  USER_CMD
14  USER_ERR
3  USER_MGMT
3  USER_CHAUTHTOK
1  ADD_USER

Thanks

--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
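
The ausearch check suggested in the reply at the top of this thread, as an added example that is not part of the thread: it pairs successful USER_LOGIN records with USER_LOGOUT records by session id, so a few unmatched sessions can be told apart from a host that records no logouts at all. The function names are hypothetical and the sample records are constructed, assuming the usual raw audit.log field layout.

```shell
#!/bin/sh
# Added example, not from the thread. Reads raw audit records on stdin, e.g.
#   ausearch -m USER_LOGIN,USER_LOGOUT -r | logout_summary
# Session ids restart at boot, so feed it one boot's records at a time.

# Hypothetical helper: pairs successful USER_LOGIN with USER_LOGOUT by ses=.
logout_summary() {
    awk '
    {
        type = ""; ses = ""; ok = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^type=/)            type = substr($i, 6)
            else if ($i ~ /^ses=/)        ses = substr($i, 5)
            else if ($i ~ /^res=success/) ok = 1
        }
        # 4294967295 is the unset session id (seen on failed logins).
        if (ses == "" || ses == "4294967295") next
        if (type == "USER_LOGIN" && ok && !(ses in login)) {
            login[ses] = 1; order[++n] = ses
        } else if (type == "USER_LOGOUT") logout[ses] = 1
    }
    END {
        for (s in logout) nout++
        for (i = 1; i <= n; i++)
            if (!(order[i] in logout)) miss = miss " ses=" order[i]
        printf "logins=%d logouts=%d missing_logout:%s\n", n, nout, miss
    }'
}

# Constructed sample records (not taken from any real host).
sample_log() {
    cat <<'EOF'
type=USER_LOGIN msg=audit(1634698500.101:210): pid=1500 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_LOGOUT msg=audit(1634698900.220:245): pid=1500 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1634699000.330:260): pid=1620 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=/dev/pts/1 res=success'
type=USER_LOGIN msg=audit(1634699100.440:270): pid=1700 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.12 terminal=ssh res=failed'
EOF
}

sample_log | logout_summary   # logins=2 logouts=1 missing_logout: ses=4
```

A result with `logouts=0` across many logins points at the host not recording USER_LOGOUT at all, while a handful of `missing_logout` sessions fits the reboot explanation given in the reply.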
