Hi Steve,

Your reply was very much appreciated.

On 21/10/2021 01:05, Steve Grubb wrote:
> Hello,
>
> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
>> I'm new to audit, then I observed that there is no LOGOUT event record
>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
>> fedora33 have it.
>>
>> I googled it but got no answer, so am I missing something about the audit
>> rules or special audit configuration?
> The logout events are hardwired into programs. IOW, they do not come from any
> audit rules. You'd want to see which program the users login with.

I tried login/logout from /usr/bin/login (util-linux) and sshd (openssh); both of them cannot generate the LOGOUT event correctly.

> It is
> responsible for sending the logout event. You might check the source code of
> it or simply grep AUDIT_LOGOUT in the source.

Yes, I believed that some program sends the logout event to auditd/kauditd, but I cannot find any clue so far.
IIUC, for the above login programs, I should grep AUDIT_LOGOUT in util-linux and openssh; they both return nothing.

[lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
[lizhijian@yl util-linux-2.33]$ cd -
...
[lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
[lizhijian@yl openssh-7.9p1]$

Even when I grep the openssh source from centos, it also has no AUDIT_LOGOUT pattern in it.

Thanks
Zhijian

>
> If it is in the code, then you'd want to see what's happening in the code
> when a user logs out.
>
> -Steve
>
>> Below is part of the audit records from my several OSes.
>>
>> debian 8
>> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
>> [sudo] password for lizhijian:
>> 6 USER_START
>> 6 USER_END
>> 4 USER_ACCT
>> 4 USER_CMD
>> 2 USER_AUTH
>> 2 USER_LOGIN
>>
>> ubuntu 18.04
>> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
>> 43241 USER_END
>> 16946 USER_START
>> 16718 USER_ACCT
>> 658 USER_AUTH
>> 543 USER_CMD
>> 255 USER_LOGIN
>> 9 USER_ROLE_CHANGE
>> 5 USER_ERR
>> 2 USER_CHAUTHTOK
>> 1 ADD_USER
>>
>> fedora 33
>> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER
>> 7356 CRYPTO_KEY_USER
>> 2103 USER_START
>> 1649 USER_END
>> 1268 USER_ACCT
>> 1108 USER_ROLE_CHANGE
>> 1029 USER_AUTH
>> 895 USER_LOGIN
>> 789 USER_LOGOUT
>> 60 USER_CMD
>> 14 USER_ERR
>> 3 USER_MGMT
>> 3 USER_CHAUTHTOK
>> 1 ADD_USER
>>
>> Thanks
>>
>> --
>> Linux-audit mailing list
>> [email protected]
>> https://listman.redhat.com/mailman/listinfo/linux-audit
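
Added example, not part of the original message or of any project's code: a small audit.log checker that reproduces the per-type counts shown by aureport above and lists, per login program, the sessions that logged a USER_LOGIN but never a USER_LOGOUT. The sample records are constructed, the function names are hypothetical, and pairing the two records on the same ses= value is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in audit.log record format (not data from the thread).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1634742000.101:210): pid=1501 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634742100.020:230): pid=1622 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_END msg=audit(1634742200.310:245): pid=1622 uid=0 auid=1001 ses=4 msg='op=PAM:session_close acct="bob" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_END msg=audit(1634742300.400:260): pid=1501 uid=0 auid=1000 ses=3 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGOUT msg=audit(1634742300.410:261): pid=1501 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:\d+\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Return (record_type, fields) for one audit.log line, or None if malformed."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in FIELD.findall(line)}
    return m.group(1), fields


def user_event_summary(log):
    """Count record types containing USER, like `aureport -e --summary | grep USER`."""
    parsed = filter(None, map(parse, log.splitlines()))
    return Counter(t for t, _ in parsed if "USER" in t)


def logins_missing_logout(log):
    """Map login program -> session ids with USER_LOGIN but no USER_LOGOUT.

    Assumes both records carry the same ses= value; sessions still open
    at the end of the log are reported as well.
    """
    opened, closed = {}, set()
    for rtype, f in filter(None, map(parse, log.splitlines())):
        if rtype == "USER_LOGIN" and f.get("res") == "success":
            opened[f.get("ses")] = f.get("exe", "?")
        elif rtype == "USER_LOGOUT":
            closed.add(f.get("ses"))
    missing = defaultdict(list)
    for ses, exe in opened.items():
        if ses not in closed:
            missing[exe].append(ses)
    return dict(missing)
```

On the constructed sample, the sshd session is paired and the /bin/login session is reported, which is the pattern to look for when deciding which login program's source to inspect.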
