Could you please file a bug in Ubuntu about this, openssh package?
https://bugs.launchpad.net/ubuntu/+source/openssh/+filebug

We can take a look at what it would take to adopt that patch, and submit it to Debian as well.

On Thu, Oct 21, 2021 at 9:56 AM [email protected] <[email protected]> wrote:
>
> Hi Steve
>
> On 21/10/2021 09:30, Li Zhijian wrote:
> > Hi Steve
> >
> > Your reply was very much appreciated
> >
> > On 21/10/2021 01:05, Steve Grubb wrote:
> >> Hello,
> >>
> >> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
> >>> I'm new to audit, then I observed that there is no LOGOUT event record
> >>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
> >>> fedora33 have it.
> >>>
> >>> I googled it but got no answer, so am I missing something about the audit
> >>> rules or special audit configuration?
> >> The logout events are hardwired into programs. IOW, they do not come from any
> >> audit rules. You'd want to see which program the users login with.
> > I tried login/logout from /usr/bin/login(util-linux) and sshd(openssh),
> > both of them cannot generate LOGOUT event correctly.
> >
> >> It is
> >> responsible for sending the logout event. You might check the source code of
> >> it or simply grep AUDIT_LOGOUT in the source.
> > Yes, I believed that some program send logout event to auditd/kauditd, but
> > I cannot find any clue so far.
>
> After taking a look into the openssh of fedora-33, indeed, as you said,
> openssh of fedora-33 adds an extra patch to support the LOGOUT event, etc.
> [root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
> ./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT);
> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
>
> while other openssh shipped by debian and ubuntu didn't do that.
>
> I truly appreciate you again.
>
> Thanks
> Zhijian
>
> >
> > IIUC, for above login programs, I should grep AUDIT_LOGOUT in util-linux
> > and openssh, they both return nothing from them.
> >
> > [lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
> > [lizhijian@yl util-linux-2.33]$ cd -
> > ...
> > [lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
> > [lizhijian@yl openssh-7.9p1]$
> >
> > even though I grep the openssh source from centos, it also has no
> > AUDIT_LOGOUT pattern in it.
> >
> > Thanks
> > Zhijian
> >
> >>
> >> If it is in the code, then you'd want to see what's happening in the code
> >> when a user logs out.
> >>
> >> -Steve
> >>
> >>> Below are part of records of audit in my several OSes.
> >>>
> >>> debian 8
> >>> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
> >>> [sudo] password for lizhijian:
> >>> 6 USER_START
> >>> 6 USER_END
> >>> 4 USER_ACCT
> >>> 4 USER_CMD
> >>> 2 USER_AUTH
> >>> 2 USER_LOGIN
> >>>
> >>> ubuntu 18.04
> >>> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
> >>> 43241 USER_END
> >>> 16946 USER_START
> >>> 16718 USER_ACCT
> >>> 658 USER_AUTH
> >>> 543 USER_CMD
> >>> 255 USER_LOGIN
> >>> 9 USER_ROLE_CHANGE
> >>> 5 USER_ERR
> >>> 2 USER_CHAUTHTOK
> >>> 1 ADD_USER
> >>>
> >>> fedora 33
> >>> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER
> >>> 7356 CRYPTO_KEY_USER
> >>> 2103 USER_START
> >>> 1649 USER_END
> >>> 1268 USER_ACCT
> >>> 1108 USER_ROLE_CHANGE
> >>> 1029 USER_AUTH
> >>> 895 USER_LOGIN
> >>> 789 USER_LOGOUT
> >>> 60 USER_CMD
> >>> 14 USER_ERR
> >>> 3 USER_MGMT
> >>> 3 USER_CHAUTHTOK
> >>> 1 ADD_USER
> >>>
> >>> Thanks
> >>>
> >>> --
> >>> Linux-audit mailing list
> >>> [email protected]
> >>> https://listman.redhat.com/mailman/listinfo/linux-audit
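
An added example, not part of the thread and not code from openssh or the audit project: a shell check for the gap discussed above, where logins are audited but no USER_LOGOUT record is ever written. The function names are hypothetical, and the sample rows are copied from the debian 8 and fedora 33 reports quoted in the thread.

```shell
#!/bin/sh
# Added example: not code from the thread or from openssh/audit.

# Read `aureport -e -i --summary` output on stdin and report whether logins
# are audited without any matching logout records.
logout_coverage() {
    awk '
        # Summary rows are "<count> <EVENT_TYPE>"; prompts and headers are skipped.
        NF >= 2 && $1 ~ /^[0-9]+$/ { n[$2] += $1 }
        END {
            login  = n["USER_LOGIN"]  + 0
            logout = n["USER_LOGOUT"] + 0
            if (login == 0 && logout == 0) verdict = "no-login-records"
            else if (logout == 0)          verdict = "logout-not-audited"
            else                           verdict = "logout-audited"
            printf "%s login=%d logout=%d\n", verdict, login, logout
        }'
}

# Print "yes" if any file under directory $1 mentions the record type seen in
# the Fedora patch (AUDIT_USER_LOGOUT), otherwise "no".
source_emits_logout() {
    if grep -rqs 'AUDIT_USER_LOGOUT' "$1"; then echo yes; else echo no; fi
}

# Rows copied from the debian 8 and fedora 33 reports quoted in the thread.
sample_debian8() {
    printf '%s\n' '[sudo] password for lizhijian:' '6 USER_START' '6 USER_END' \
        '4 USER_ACCT' '4 USER_CMD' '2 USER_AUTH' '2 USER_LOGIN'
}
sample_fedora33() {
    printf '%s\n' '2103 USER_START' '1649 USER_END' '895 USER_LOGIN' \
        '789 USER_LOGOUT' '60 USER_CMD'
}

echo "debian 8:  $(sample_debian8 | logout_coverage)"
echo "fedora 33: $(sample_fedora33 | logout_coverage)"
# On a live host: sudo aureport -e -i --summary | logout_coverage
```

A `logout-not-audited` verdict points at the login program rather than at the audit rules, so the next check is `source_emits_logout` on the unpacked source of the sshd or login package the host actually runs.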
