* why no LOGOUT event record on some OSes
From: Li Zhijian @ 2021-10-20 14:55 UTC (permalink / raw)
To: linux-audit; +Cc: Li Zhijian
Hi guys,
I'm new to audit, and I observed that there is no LOGOUT event record in audit.log on my Ubuntu 18.04 and Debian 8 OSes, while CentOS 7.4 and Fedora 33 have it.
I googled it but got no answer, so am I missing something about the audit rules or a special audit configuration?
Below are parts of the audit records from my several OSes.
debian 8
lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
[sudo] password for lizhijian:
6 USER_START
6 USER_END
4 USER_ACCT
4 USER_CMD
2 USER_AUTH
2 USER_LOGIN
ubuntu 18.04
lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
43241 USER_END
16946 USER_START
16718 USER_ACCT
658 USER_AUTH
543 USER_CMD
255 USER_LOGIN
9 USER_ROLE_CHANGE
5 USER_ERR
2 USER_CHAUTHTOK
1 ADD_USER
fedora 33
[root@iaas-rpma linux]# aureport -e -i --summary | grep USER
7356 CRYPTO_KEY_USER
2103 USER_START
1649 USER_END
1268 USER_ACCT
1108 USER_ROLE_CHANGE
1029 USER_AUTH
895 USER_LOGIN
789 USER_LOGOUT
60 USER_CMD
14 USER_ERR
3 USER_MGMT
3 USER_CHAUTHTOK
1 ADD_USER
Thanks
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
* RE: [EXT] why no LOGOUT event record on some OSes
From: Wieprecht, Karen M. @ 2021-10-20 16:06 UTC (permalink / raw)
To: Li Zhijian, linux-audit; +Cc: Li Zhijian
Are you always seeing this discrepancy, or just on one sample Ubuntu scan? One possible reason, if you are seeing it on just the current scan: the system may have rebooted after users logged in but before they logged out (no logout records would be generated). You might also try looking at the data with ausearch. Perhaps aureport on Ubuntu doesn't report the logout records, but ausearch should show them to you if they exist (and I would expect them to exist). Another thing to look at: make sure your audit rules file is configured correctly to collect logout activity.
Karen Wieprecht
* Re: why no LOGOUT event record on some OSes
From: Richard Guy Briggs @ 2021-10-20 16:38 UTC (permalink / raw)
To: Li Zhijian; +Cc: linux-audit, Li Zhijian
On 2021-10-20 22:55, Li Zhijian wrote:
> debian 8
This Debian is 3 major releases behind, which may explain it.
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: why no LOGOUT event record on some OSes
From: Steve Grubb @ 2021-10-20 17:05 UTC (permalink / raw)
To: linux-audit; +Cc: Li Zhijian, Li Zhijian
Hello,
On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
> I'm new to audit, then i observed that there is no LOGOUT event record
> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
> fedora33 have it.
>
> I google it but get no answer, so am I missing something about the audit
> rules or special audit configuration ?
The logout events are hardwired into programs. IOW, they do not come from any
audit rules. You'd want to see which program the users log in with. It is
responsible for sending the logout event. You might check its source code
or simply grep AUDIT_LOGOUT in the source.
If it is in the code, then you'd want to see what's happening in the code
when a user logs out.
-Steve
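An added example (not from this thread or from any project mentioned in it) of the fallback a defender has on a host whose login program never emits USER_LOGOUT: correlate USER_LOGIN, USER_END and USER_LOGOUT records in audit.log by kernel session id (ses=), using the program-supplied USER_LOGOUT when present and the PAM session-close record USER_END otherwise. The audit.log lines below are constructed samples; the field names follow the raw auditd record format.

```python
"""Correlate login-session records in an auditd audit.log.

USER_LOGIN/USER_LOGOUT are written by the login program itself (sshd, login),
not by audit rules, so a build of sshd without the audit patch never emits
USER_LOGOUT.  USER_START/USER_END come from PAM session open/close and exist
wherever PAM is used, so USER_END is the fallback session-close signal."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not taken from the thread).  ses=7 is a host
# whose sshd emits USER_LOGOUT, ses=8 a host whose sshd does not, ses=9 a
# session that is still open (no close record of either kind).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1634742902.455:1234): pid=2345 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1634742902.470:1235): pid=2345 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_END msg=audit(1634743500.010:1240): pid=2345 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGOUT msg=audit(1634743500.020:1241): pid=2345 uid=0 auid=1000 ses=7 msg='op=logout id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634750000.100:1300): pid=3100 uid=0 auid=1001 ses=8 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=ssh res=success'
type=USER_START msg=audit(1634750000.120:1301): pid=3100 uid=0 auid=1001 ses=8 msg='op=PAM:session_open acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=ssh res=success'
type=USER_END msg=audit(1634750900.500:1310): pid=3100 uid=0 auid=1001 ses=8 msg='op=PAM:session_close acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634760000.000:1400): pid=4000 uid=0 auid=1002 ses=9 msg='op=login id=1002 exe="/usr/sbin/sshd" hostname=192.0.2.12 addr=192.0.2.12 terminal=ssh res=success'
type=USER_START msg=audit(1634760000.010:1401): pid=4000 uid=0 auid=1002 ses=9 msg='op=PAM:session_open acct="carol" exe="/usr/sbin/sshd" hostname=192.0.2.12 addr=192.0.2.12 terminal=ssh res=success'
"""

# type=..., the audit(timestamp:serial) header, then the key=value body.
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def _kv(text: str) -> dict:
    return {k: v.strip("'\"") for k, v in KV_RE.findall(text)}

def parse_record(line: str) -> Optional[dict]:
    """Flatten one raw audit.log line, including the quoted msg='...' payload
    that carries op=, exe=, acct= and res=, into a single dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    fields = _kv(m.group(4))
    inner = fields.pop("msg", "")
    rec.update(fields)
    rec.update(_kv(inner))
    return rec

@dataclass
class Session:
    ses: int
    auid: str = ""
    exe: str = ""
    login_at: Optional[float] = None
    logout_at: Optional[float] = None     # USER_LOGOUT, supplied by the program
    pam_close_at: Optional[float] = None  # USER_END, from PAM session close

    def close_source(self) -> str:
        """Prefer the explicit logout record; fall back to the PAM session close."""
        if self.logout_at is not None:
            return "USER_LOGOUT"
        if self.pam_close_at is not None:
            return "USER_END"
        return "open"

def correlate_sessions(log_text: str) -> dict:
    """Group records by kernel session id (ses=); lines without a session
    (ses=unset, e.g. daemon start-up) are skipped."""
    sessions: dict = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("ses", "unset") == "unset":
            continue
        s = sessions.setdefault(int(rec["ses"]), Session(ses=int(rec["ses"])))
        s.auid, s.exe = rec.get("auid", s.auid), rec.get("exe", s.exe)
        if rec["type"] == "USER_LOGIN" and rec.get("res") == "success":
            s.login_at = rec["time"]
        elif rec["type"] == "USER_LOGOUT":
            s.logout_at = rec["time"]
        elif rec["type"] == "USER_END":
            s.pam_close_at = rec["time"]
    return sessions

def logout_coverage(sessions: dict) -> dict:
    """Count logged-in sessions by the record type that closed them; a host
    whose login program never emits USER_LOGOUT shows only USER_END."""
    summary = {"USER_LOGOUT": 0, "USER_END": 0, "open": 0}
    for s in sessions.values():
        if s.login_at is not None:
            summary[s.close_source()] += 1
    return summary
```

Run against a real audit.log, a summary of all USER_END and no USER_LOGOUT is the signature of the situation discussed in this thread rather than of users who never logged out.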
* Re: why no LOGOUT event record on some OSes
From: lizhijian @ 2021-10-21 1:31 UTC (permalink / raw)
To: Steve Grubb, linux-audit; +Cc: Li Zhijian, lizhijian
Hi Steve
Your reply was very much appreciated.
On 21/10/2021 01:05, Steve Grubb wrote:
> The logout events are hardwired into programs. IOW, they do not come from any
> audit rules. You'd want to see which program the users login with.
I tried logging in/out via /usr/bin/login (util-linux) and sshd (openssh); neither of them generates the LOGOUT event correctly.
> It is
> responsible for sending the logout event. You might check the source code of
> it or simply grep AUDIT_LOGOUT in the source.
Yes, I believe that some program sends the logout event to auditd/kauditd, but I cannot find any clue so far.
IIUC, for the above login programs, I should grep AUDIT_LOGOUT in util-linux and openssh; both return nothing:
[lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
[lizhijian@yl util-linux-2.33]$ cd -
...
[lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
[lizhijian@yl openssh-7.9p1]$
Even when I grep the openssh source from CentOS, it has no AUDIT_LOGOUT pattern in it either.
Thanks
Zhijian
* Re: why no LOGOUT event record on some OSes
From: lizhijian @ 2021-10-21 1:39 UTC (permalink / raw)
To: Richard Guy Briggs, Li Zhijian; +Cc: linux-audit, lizhijian
Hi RGB
Thank you.
On 21/10/2021 00:38, Richard Guy Briggs wrote:
> This debian is 3 major releases behind which may explain.
My fault, I missed that I upgraded it to Debian 9.4 a month ago:
lizhijian@lkp-bingo:~/lkp/lkp-tests$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
lizhijian@lkp-bingo:~/lkp/lkp-tests$ uname -a
Linux lkp-bingo 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux
lizhijian@lkp-bingo:~/lkp/lkp-tests$ aureport --version
aureport version 2.6.7
BTW: I first noticed this behavior in my rootfs from buildroot for an embedded device, which is not consistent with my expectation.
Thanks
Zhijian
* Re: why no LOGOUT event record on some OSes
From: lizhijian @ 2021-10-21 3:56 UTC (permalink / raw)
To: Steve Grubb, linux-audit; +Cc: Li Zhijian, lizhijian
Hi Steve
On 21/10/2021 09:30, Li Zhijian wrote:
>> The logout events are hardwired into programs. IOW, they do not come from any
>> audit rules. You'd want to see which program the users login with.
> I tried login/logout from /usr/bin/login(util-linux) and sshd(openssh), both of them cannot generate LOGOUT event correctly.
>> It is
>> responsible for sending the logout event. You might check the source code of
>> it or simply grep AUDIT_LOGOUT in the source.
> Yes, I believed that some program send logout event to auditd/kauditd, but i cannot find any clue so far.
After taking a look into the openssh of Fedora 33: indeed, as you said, Fedora 33's openssh adds an extra patch to support the LOGOUT event, etc.:
[root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT);
./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
while the openssh shipped by Debian and Ubuntu doesn't do that.
I truly appreciate your help again.
Thanks
Zhijian
* Re: why no LOGOUT event record on some OSes
From: Richard Guy Briggs @ 2021-10-21 12:38 UTC (permalink / raw)
To: lizhijian; +Cc: linux-audit, Li Zhijian
On 2021-10-21 01:39, lizhijian@fujitsu.com wrote:
> On 21/10/2021 00:38, Richard Guy Briggs wrote:
> > On 2021-10-20 22:55, Li Zhijian wrote:
> >> Hi guys
> Hi RGB
Hi Zhijian,
> >> debian 8
> > This debian is 3 major releases behind which may explain.
> My fault, i missed that i have upgraded it to debian 9.4 month ago
11 Bullseye was released two months ago, and Debian release cycles are much
longer than other distros' and tend to hold new stuff back in the testing
and development branches.
Ubuntu is up to release 21.
Even Fedora is up to f35.
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: why no LOGOUT event record on some OSes
From: Andreas Hasenack @ 2021-10-21 13:54 UTC (permalink / raw)
To: lizhijian; +Cc: linux-audit
Could you please file a bug in Ubuntu about this, against the openssh package?
https://bugs.launchpad.net/ubuntu/+source/openssh/+filebug
We can take a look at what it would take to adopt that patch, and
submit it to Debian as well.
* Re: why no LOGOUT event record on some OSes
From: lizhijian @ 2021-10-22 7:18 UTC (permalink / raw)
To: Andreas Hasenack; +Cc: linux-audit
On 21/10/2021 21:54, Andreas Hasenack wrote:
> Could you please file a bug in Ubuntu about this, openssh package?
> https://bugs.launchpad.net/ubuntu/+source/openssh/+filebug
> We can take a look at what it would take to adopt that patch, and
> submit it to debian as well
Done
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1948357
Thanks