Re: why no LOGOUT event record on some OSes

Thu, 21 Oct 2021 05:56:10 -0700 

Hi RGB


thank you.


On 21/10/2021 00:38, Richard Guy Briggs wrote:
> On 2021-10-20 22:55, Li Zhijian wrote:
>> Hi guys
>>
>> I'm new to audit, then i observed that there is no LOGOUT event record
>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4
>> and fedora33 have it.
>>
>> I google it but get no answer, so am I missing something about the
>> audit rules or special audit configuration ?
>>
>> Below are part of records of audit in my several OSes.
>>
>> debian 8
> This debian is 3 major releases behind which may explain.
My fault, i missed that i have upgraded it to debian 9.4 month ago

lizhijian@lkp-bingo:~/lkp/lkp-tests$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.4 (stretch)
Release:        9.4
Codename:       stretch
lizhijian@lkp-bingo:~/lkp/lkp-tests$ uname -a
Linux lkp-bingo 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 
GNU/Linux
lizhijian@lkp-bingo:~/lkp/lkp-tests$ aureport --version
aureport version 2.6.7


BTW: I first notice this behavior in my rootfs from buildroot for an embedded 
device , which is not consistent with my expectation.

Thanks
Zhijian

>
>> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
>> [sudo] password for lizhijian:
>> 6  USER_START
>> 6  USER_END
>> 4  USER_ACCT
>> 4  USER_CMD
>> 2  USER_AUTH
>> 2  USER_LOGIN
>>
>> ubuntu 18.04
>> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
>> 43241  USER_END
>> 16946  USER_START
>> 16718  USER_ACCT
>> 658  USER_AUTH
>> 543  USER_CMD
>> 255  USER_LOGIN
>> 9  USER_ROLE_CHANGE
>> 5  USER_ERR
>> 2  USER_CHAUTHTOK
>> 1  ADD_USER
>>
>> fedora 33
>> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER
>> 7356  CRYPTO_KEY_USER
>> 2103  USER_START
>> 1649  USER_END
>> 1268  USER_ACCT
>> 1108  USER_ROLE_CHANGE
>> 1029  USER_AUTH
>> 895  USER_LOGIN
>> 789  USER_LOGOUT
>> 60  USER_CMD
>> 14  USER_ERR
>> 3  USER_MGMT
>> 3  USER_CHAUTHTOK
>> 1  ADD_USER
>>
>> Thanks
> - RGB
>
> --
> Richard Guy Briggs <r...@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
>
>

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

Reply via email to