Hi RGB
thank you. On 21/10/2021 00:38, Richard Guy Briggs wrote: > On 2021-10-20 22:55, Li Zhijian wrote: >> Hi guys >> >> I'm new to audit, then i observed that there is no LOGOUT event record >> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 >> and fedora33 have it. >> >> I google it but get no answer, so am I missing something about the >> audit rules or special audit configuration ? >> >> Below are part of records of audit in my several OSes. >> >> debian 8 > This debian is 3 major releases behind which may explain. My fault, i missed that i have upgraded it to debian 9.4 month ago lizhijian@lkp-bingo:~/lkp/lkp-tests$ lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 9.4 (stretch) Release: 9.4 Codename: stretch lizhijian@lkp-bingo:~/lkp/lkp-tests$ uname -a Linux lkp-bingo 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux lizhijian@lkp-bingo:~/lkp/lkp-tests$ aureport --version aureport version 2.6.7 BTW: I first notice this behavior in my rootfs from buildroot for an embedded device , which is not consistent with my expectation. Thanks Zhijian > >> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER >> [sudo] password for lizhijian: >> 6 USER_START >> 6 USER_END >> 4 USER_ACCT >> 4 USER_CMD >> 2 USER_AUTH >> 2 USER_LOGIN >> >> ubuntu 18.04 >> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER >> 43241 USER_END >> 16946 USER_START >> 16718 USER_ACCT >> 658 USER_AUTH >> 543 USER_CMD >> 255 USER_LOGIN >> 9 USER_ROLE_CHANGE >> 5 USER_ERR >> 2 USER_CHAUTHTOK >> 1 ADD_USER >> >> fedora 33 >> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER >> 7356 CRYPTO_KEY_USER >> 2103 USER_START >> 1649 USER_END >> 1268 USER_ACCT >> 1108 USER_ROLE_CHANGE >> 1029 USER_AUTH >> 895 USER_LOGIN >> 789 USER_LOGOUT >> 60 USER_CMD >> 14 USER_ERR >> 3 USER_MGMT >> 3 USER_CHAUTHTOK >> 1 ADD_USER >> >> Thanks > - RGB > > -- > Richard Guy Briggs <r...@redhat.com> > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 > > > -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit