* why no LOGOUT event record on some OSes
@ 2021-10-20 14:55 Li Zhijian
From: Li Zhijian @ 2021-10-20 14:55 UTC (permalink / raw)
To: linux-audit; +Cc: Li Zhijian
Hi guys
I'm new to audit, and I observed that there is no LOGOUT event record in audit.log
on my Ubuntu 18.04 and Debian 8 OSes, while CentOS 7.4 and Fedora 33 have it.

I googled it but got no answer, so am I missing something about the audit rules or
a special audit configuration?

Below are some of the audit records from my several OSes.
debian 8
lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
[sudo] password for lizhijian:
6 USER_START
6 USER_END
4 USER_ACCT
4 USER_CMD
2 USER_AUTH
2 USER_LOGIN
ubuntu 18.04
lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
43241 USER_END
16946 USER_START
16718 USER_ACCT
658 USER_AUTH
543 USER_CMD
255 USER_LOGIN
9 USER_ROLE_CHANGE
5 USER_ERR
2 USER_CHAUTHTOK
1 ADD_USER
fedora 33
[root@iaas-rpma linux]# aureport -e -i --summary | grep USER
7356 CRYPTO_KEY_USER
2103 USER_START
1649 USER_END
1268 USER_ACCT
1108 USER_ROLE_CHANGE
1029 USER_AUTH
895 USER_LOGIN
789 USER_LOGOUT
60 USER_CMD
14 USER_ERR
3 USER_MGMT
3 USER_CHAUTHTOK
1 ADD_USER
Thanks
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
* RE: [EXT] why no LOGOUT event record on some OSes
@ 2021-10-20 16:06 Wieprecht, Karen M.
From: Wieprecht, Karen M. @ 2021-10-20 16:06 UTC (permalink / raw)
To: Li Zhijian, linux-audit@redhat.com; +Cc: Li Zhijian

Are you always seeing this discrepancy, or just on one sample Ubuntu scan?

Possible reasons if you are seeing it on just the current scan: the system may have
rebooted after users logged in but before they logged out (no logout records would
be generated).

You might also try looking at the data with ausearch. Perhaps aureport on Ubuntu
doesn't report the logout records, but ausearch should show them to you if they
exist (and I would expect them to exist).

Another thing to look at: make sure your audit rules file is configured correctly
to collect logout activity.

Karen Wieprecht

-----Original Message-----
From: linux-audit-bounces@redhat.com <linux-audit-bounces@redhat.com> On Behalf Of Li Zhijian
Sent: Wednesday, October 20, 2021 10:55 AM
To: linux-audit@redhat.com
Cc: Li Zhijian <lizhijian@cn.fujitsu.com>
Subject: [EXT] why no LOGOUT event record on some OSes
* Re: why no LOGOUT event record on some OSes
@ 2021-10-20 16:38 Richard Guy Briggs
From: Richard Guy Briggs @ 2021-10-20 16:38 UTC (permalink / raw)
To: Li Zhijian; +Cc: linux-audit, Li Zhijian

On 2021-10-20 22:55, Li Zhijian wrote:
> Hi guys
>
> I'm new to audit, then i observed that there is no LOGOUT event record
> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4
> and fedora33 have it.
>
> I google it but get no answer, so am I missing something about the
> audit rules or special audit configuration ?
>
> Below are part of records of audit in my several OSes.
>
> debian 8

This Debian is 3 major releases behind, which may explain it.

> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
> [sudo] password for lizhijian:
> 6 USER_START
> 6 USER_END
> 4 USER_ACCT
> 4 USER_CMD
> 2 USER_AUTH
> 2 USER_LOGIN
>
> ubuntu 18.04
> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
> 43241 USER_END
> 16946 USER_START
> 16718 USER_ACCT
> 658 USER_AUTH
> 543 USER_CMD
> 255 USER_LOGIN
> 9 USER_ROLE_CHANGE
> 5 USER_ERR
> 2 USER_CHAUTHTOK
> 1 ADD_USER
>
> fedora 33
> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER
> 7356 CRYPTO_KEY_USER
> 2103 USER_START
> 1649 USER_END
> 1268 USER_ACCT
> 1108 USER_ROLE_CHANGE
> 1029 USER_AUTH
> 895 USER_LOGIN
> 789 USER_LOGOUT
> 60 USER_CMD
> 14 USER_ERR
> 3 USER_MGMT
> 3 USER_CHAUTHTOK
> 1 ADD_USER
>
> Thanks

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: why no LOGOUT event record on some OSes
@ 2021-10-21 1:39 lizhijian
From: lizhijian @ 2021-10-21 1:39 UTC (permalink / raw)
To: Richard Guy Briggs, Li Zhijian
Cc: linux-audit@redhat.com, lizhijian@fujitsu.com

Hi RGB

Thank you.

On 21/10/2021 00:38, Richard Guy Briggs wrote:
> On 2021-10-20 22:55, Li Zhijian wrote:
>> Hi guys
>>
>> I'm new to audit, then i observed that there is no LOGOUT event record
>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4
>> and fedora33 have it.
>>
>> I google it but get no answer, so am I missing something about the
>> audit rules or special audit configuration ?
>>
>> Below are part of records of audit in my several OSes.
>>
>> debian 8
> This debian is 3 major releases behind which may explain.

My fault, I missed that I had upgraded it to Debian 9.4 a month ago.

lizhijian@lkp-bingo:~/lkp/lkp-tests$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.4 (stretch)
Release:        9.4
Codename:       stretch
lizhijian@lkp-bingo:~/lkp/lkp-tests$ uname -a
Linux lkp-bingo 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux
lizhijian@lkp-bingo:~/lkp/lkp-tests$ aureport --version
aureport version 2.6.7

BTW: I first noticed this behavior in my rootfs from buildroot for an embedded device,
which is not consistent with my expectation.

Thanks
Zhijian
* Re: why no LOGOUT event record on some OSes
@ 2021-10-21 12:38 Richard Guy Briggs
From: Richard Guy Briggs @ 2021-10-21 12:38 UTC (permalink / raw)
To: lizhijian@fujitsu.com; +Cc: linux-audit@redhat.com, Li Zhijian

On 2021-10-21 01:39, lizhijian@fujitsu.com wrote:
> On 21/10/2021 00:38, Richard Guy Briggs wrote:
> > On 2021-10-20 22:55, Li Zhijian wrote:
> >> Hi guys
> Hi RGB

Hi Zhijian,

> >> Below are part of records of audit in my several OSes.
> >>
> >> debian 8
> > This debian is 3 major releases behind which may explain.
> My fault, i missed that i have upgraded it to debian 9.4 month ago

11 Bullseye was released two months ago, and Debian release cycles are much longer
than other distros' and tend to hold new stuff back in testing and development
branches. Ubuntu is up to release 21. Even Fedora is up to f35.

> lizhijian@lkp-bingo:~/lkp/lkp-tests$ lsb_release -a
> No LSB modules are available.
> Distributor ID: Debian
> Description:    Debian GNU/Linux 9.4 (stretch)
> Release:        9.4
> Codename:       stretch
> lizhijian@lkp-bingo:~/lkp/lkp-tests$ uname -a
> Linux lkp-bingo 4.9.0-16-amd64 #1 SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux
> lizhijian@lkp-bingo:~/lkp/lkp-tests$ aureport --version
> aureport version 2.6.7
>
> BTW: I first notice this behavior in my rootfs from buildroot for an embedded device , which is not consistent with my expectation.
>
> Thanks
> Zhijian

- RGB
* Re: why no LOGOUT event record on some OSes
@ 2021-10-20 17:05 Steve Grubb
From: Steve Grubb @ 2021-10-20 17:05 UTC (permalink / raw)
To: linux-audit; +Cc: Li Zhijian, Li Zhijian

Hello,

On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
> I'm new to audit, then i observed that there is no LOGOUT event record
> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
> fedora33 have it.
>
> I google it but get no answer, so am I missing something about the audit
> rules or special audit configuration ?

The logout events are hardwired into programs. IOW, they do not come from any
audit rules. You'd want to see which program the users log in with. It is
responsible for sending the logout event. You might check the source code of
it or simply grep AUDIT_LOGOUT in the source. If it is in the code, then you'd
want to see what's happening in the code when a user logs out.

-Steve

> Below are part of records of audit in my several OSes.
* Re: why no LOGOUT event record on some OSes
@ 2021-10-21 1:31 lizhijian
From: lizhijian @ 2021-10-21 1:31 UTC (permalink / raw)
To: Steve Grubb, linux-audit@redhat.com; +Cc: Li Zhijian, lizhijian@fujitsu.com

Hi Steve

Your reply was very much appreciated.

On 21/10/2021 01:05, Steve Grubb wrote:
> Hello,
>
> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
>> I'm new to audit, then i observed that there is no LOGOUT event record
>> in audit.log on my ubuntu 18.04 and debian 8 OSes, while the centos7.4 and
>> fedora33 have it.
>>
>> I google it but get no answer, so am I missing something about the audit
>> rules or special audit configuration ?
> The logout events are hardwired into programs. IOW, they do not come from any
> audit rules. You'd want to see which program the users login with.

I tried login/logout from /usr/bin/login (util-linux) and sshd (openssh); neither
of them generates a LOGOUT event correctly.

> It is
> responsible for sending the logout event. You might check the source code of
> it or simply grep AUDIT_LOGOUT in the source.

Yes, I believed that some program sends the logout event to auditd/kauditd, but I
cannot find any clue so far.

IIUC, for the above login programs, I should grep AUDIT_LOGOUT in util-linux and
openssh; they both return nothing.

[lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
[lizhijian@yl util-linux-2.33]$ cd -
...
[lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
[lizhijian@yl openssh-7.9p1]$

Even when I grep the openssh source from CentOS, it also has no AUDIT_LOGOUT
pattern in it.

Thanks
Zhijian

> If it is in the code, then you'd want to see what's happening in the code
> when a user logs out.
>
> -Steve
>
>> Below are part of records of audit in my several OSes.
* Re: why no LOGOUT event record on some OSes
@ 2021-10-21 3:56 lizhijian
From: lizhijian @ 2021-10-21 3:56 UTC (permalink / raw)
To: Steve Grubb, linux-audit@redhat.com; +Cc: Li Zhijian, lizhijian@fujitsu.com

Hi Steve

On 21/10/2021 09:30, Li Zhijian wrote:
> Hi Steve
>
> Your reply was very much appreciated
>
> On 21/10/2021 01:05, Steve Grubb wrote:
>> The logout events are hardwired into programs. IOW, they do not come from any
>> audit rules. You'd want to see which program the users login with.
> I tried login/logout from /usr/bin/login(util-linux) and sshd(openssh), both of them cannot generate LOGOUT event correctly.
>
>> It is
>> responsible for sending the logout event. You might check the source code of
>> it or simply grep AUDIT_LOGOUT in the source.
> Yes, I believed that some program send logout event to auditd/kauditd, but i cannot find any clue so far.

After taking a look into the openssh of Fedora 33: indeed, as you said, the openssh
of Fedora 33 adds an extra patch to support the LOGOUT event etc.

[root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT);
./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);

while the openssh shipped by Debian and Ubuntu doesn't do that.

I truly appreciate you again.

Thanks
Zhijian

> IIUC, for above login programs, i should grep AUDIT_LOGOUT in util-linux and openssh, they both return nothing from them.
>
> [lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
> [lizhijian@yl util-linux-2.33]$ cd -
> ...
> [lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
> [lizhijian@yl openssh-7.9p1]$
>
> even though i grep the openssh souce form centos, it also has no AUDIT_LOGOUT pattern in it.
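The practical consequence of Steve's point and of the finding above is that USER_LOGOUT is a userspace record emitted only by login programs that carry the audit patch (Fedora's openssh), so a detection or session-accounting pipeline cannot assume it exists on every distribution. The script below is an added example, not code from the thread or from any of the projects mentioned in it. It parses raw audit.log lines, pairs each successful USER_LOGIN with a USER_LOGOUT by (auid, ses), and, where a host never emits USER_LOGOUT, falls back to the USER_END (pam_close_session) record from the same login program. The sample records are constructed to look like auditd's raw format; pairing on (auid, ses) and treating that USER_END as the session close are this example's own assumptions, not something the thread establishes.

```python
"""Pair login/logout audit records per session and report hosts whose login
program never emits USER_LOGOUT (the Debian/Ubuntu case in this thread).

Added example, not code from the thread or from auditd/openssh. The sample
lines are constructed to resemble raw audit.log records; the (auid, ses)
pairing key and the USER_END fallback are this example's assumptions.
"""
import re

# Fixed prefix of every record: type, then audit(<epoch>:<serial>), then fields.
_HEAD = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# key=value where value is '...' (the nested msg), "..." (exe, acct) or bare.
_KV = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")
# Values auditd uses for "no login session": raw and ausearch -i spellings.
UNSET = {None, "4294967295", "unset", "-1"}


def parse_record(line):
    """Parse one raw audit line into a flat dict; fields inside msg='...' are merged in."""
    m = _HEAD.match(line.strip())
    if m is None:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, single, double, bare in _KV.findall(m.group("rest")):
        rec[key] = single or double or bare
    for key, single, double, bare in _KV.findall(rec.get("msg", "")):
        rec.setdefault(key, single or double or bare)  # never clobber outer uid/auid/ses
    return rec


def session_summary(lines):
    """Group records by (auid, ses); note the login program and how the session closed.
    Assumption: a USER_END whose exe matches the login program's exe closes the session
    (a sudo USER_END inside the same ses must not count)."""
    sessions = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.get("auid") in UNSET or rec.get("ses") in UNSET:
            continue  # failed logins and daemons carry no login session id
        s = sessions.setdefault((rec["auid"], rec["ses"]),
                                {"exe": None, "login": None, "logout": None, "end": None})
        t = rec["type"]
        if t == "USER_LOGIN" and rec.get("res") == "success":
            s["login"], s["exe"] = rec["ts"], rec.get("exe")
        elif t == "USER_LOGOUT":
            s["logout"] = rec["ts"]
        elif t == "USER_END" and s["exe"] is not None and rec.get("exe") == s["exe"]:
            s["end"] = rec["ts"]
    return sessions


def unclosed_sessions(lines):
    """Sessions with a successful login but neither USER_LOGOUT nor a matching USER_END."""
    return sorted(k for k, s in session_summary(lines).items()
                  if s["login"] is not None and s["logout"] is None and s["end"] is None)


def logout_events_supported(lines):
    """True if any session has a USER_LOGOUT, False if logins exist but none ever does,
    None if the log holds no successful logins to judge from."""
    summ = list(session_summary(lines).values())
    if not any(s["login"] is not None for s in summ):
        return None
    return any(s["logout"] is not None for s in summ)


# Constructed sample: a host whose sshd sends USER_LOGOUT (Fedora-style).
FEDORA_SAMPLE = """\
type=USER_LOGIN msg=audit(1634738102.101:201): pid=1201 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1634738102.105:202): pid=1201 uid=0 auid=1000 ses=7 msg='op=PAM:session_open grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_END msg=audit(1634738902.310:240): pid=1201 uid=0 auid=1000 ses=7 msg='op=PAM:session_close grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGOUT msg=audit(1634738902.312:241): pid=1201 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
""".splitlines()

# Constructed sample: a host whose sshd never sends USER_LOGOUT (Debian/Ubuntu-style),
# with a failed login, a sudo USER_END inside the session, and one session still open.
DEBIAN_SAMPLE = """\
type=USER_LOGIN msg=audit(1634738102.101:301): pid=1301 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1634738150.420:305): pid=1310 uid=0 auid=1000 ses=8 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1634738150.425:306): pid=1310 uid=0 auid=1000 ses=8 msg='op=PAM:session_open grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_END msg=audit(1634738400.000:330): pid=1400 uid=0 auid=1000 ses=8 msg='op=PAM:session_close grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_END msg=audit(1634739502.310:360): pid=1310 uid=0 auid=1000 ses=8 msg='op=PAM:session_close grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634739600.000:370): pid=1500 uid=0 auid=1000 ses=9 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=/dev/pts/2 res=success'
type=USER_START msg=audit(1634739600.004:371): pid=1500 uid=0 auid=1000 ses=9 msg='op=PAM:session_open grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.11 addr=192.0.2.11 terminal=ssh res=success'
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("fedora-style", FEDORA_SAMPLE), ("debian-style", DEBIAN_SAMPLE)):
        print(f"{name}: USER_LOGOUT emitted: {logout_events_supported(sample)}; "
              f"sessions still open: {unclosed_sessions(sample)}")
```

Run against a real log with `session_summary(open("/var/log/audit/audit.log"))`; a result of `False` from `logout_events_supported` means any alert that keys on USER_LOGOUT will never fire on that host, and the USER_END fallback is what remains. Note that raw records use `auid=4294967295` for "no session" while `ausearch -i` prints `unset`; the UNSET set accepts both, so the script works on either form.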
* Re: why no LOGOUT event record on some OSes
@ 2021-10-21 13:54 Andreas Hasenack
From: Andreas Hasenack @ 2021-10-21 13:54 UTC (permalink / raw)
To: lizhijian@fujitsu.com; +Cc: linux-audit@redhat.com

Could you please file a bug in Ubuntu about this, openssh package?
https://bugs.launchpad.net/ubuntu/+source/openssh/+filebug

We can take a look at what it would take to adopt that patch, and submit it to
Debian as well.

On Thu, Oct 21, 2021 at 9:56 AM lizhijian@fujitsu.com <lizhijian@fujitsu.com> wrote:
>
> Hi Steve
>
> On 21/10/2021 09:30, Li Zhijian wrote:
> > On 21/10/2021 01:05, Steve Grubb wrote:
> >> The logout events are hardwired into programs. IOW, they do not come from any
> >> audit rules. You'd want to see which program the users login with.
> > I tried login/logout from /usr/bin/login(util-linux) and sshd(openssh), both of them cannot generate LOGOUT event correctly.
> >
> >> It is
> >> responsible for sending the logout event. You might check the source code of
> >> it or simply grep AUDIT_LOGOUT in the source.
> > Yes, I believed that some program send logout event to auditd/kauditd, but i cannot find any clue so far.
>
> After taking a look into the openssh of fedora-33, indeed, as you said, openssh of fedora-33 add extra patch to support LOGOUT event and etc
> [root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
> ./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT);
> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
>
> while other openssh shipped by debian and ubuntu didn't do that.
>
> I truly appreciate you again.
>
> Thanks
> Zhijian
* Re: why no LOGOUT event record on some OSes
@ 2021-10-22 7:18 lizhijian
From: lizhijian @ 2021-10-22 7:18 UTC (permalink / raw)
To: Andreas Hasenack; +Cc: linux-audit@redhat.com

On 21/10/2021 21:54, Andreas Hasenack wrote:
> Could you please file a bug in Ubuntu about this, openssh package?
> https://bugs.launchpad.net/ubuntu/+source/openssh/+filebug
> We can take a look at what it would take to adopt that patch, and
> submit it to debian as well

Done
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1948357

Thanks

> On Thu, Oct 21, 2021 at 9:56 AM lizhijian@fujitsu.com
> <lizhijian@fujitsu.com> wrote:
>> After taking a look into the openssh of fedora-33, indeed, as you said, openssh of fedora-33 add extra patch to support LOGOUT event and etc
>> [root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
>> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
>> ./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT);
>> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
>>
>> while other openssh shipped by debian and ubuntu didn't do that.
end of thread, other threads:[~2021-10-22 13:55 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
2021-10-20 14:55 why no LOGOUT event record on some OSes Li Zhijian
2021-10-20 16:06 ` [EXT] " Wieprecht, Karen M.
2021-10-20 16:38 ` Richard Guy Briggs
2021-10-21  1:39   ` lizhijian
2021-10-21 12:38     ` Richard Guy Briggs
2021-10-20 17:05 ` Steve Grubb
2021-10-21  1:31   ` lizhijian
2021-10-21  3:56     ` lizhijian
2021-10-21 13:54       ` Andreas Hasenack
2021-10-22  7:18         ` lizhijian