From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Audit Prelude Logout Tracking Date: Thu, 19 Feb 2009 09:36:10 -0500 Message-ID: <200902190936.11184.sgrubb@redhat.com> References: <499C848C.6020401@groupw.com> <1234999521.11692.118.camel@homeserver> <499D6C14.5060205@groupw.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <499D6C14.5060205@groupw.com> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Thursday 19 February 2009 09:26:28 am Dan Gruhn wrote: > Although this seemed like the right place to look, I don't see > USER_LOGOUT events in my audit logs, They are not used. I decided later that it was not needed for analysis. When you login, there is always a session open event (user_start). This is associated with a user_login event. So, when you see the session closed event (user_end), the logout has occurred. However...what if gdm dies? What if the kernel oopses? You have no ending marker. So, what I did recently was patch upstart so that it logs system boot & shutdown events. This way you can tell when the system malfunctioned. The logic for the analysis is in the aulast program, which is in 1.7.11. However, you don't have a patched upstart daemon for RHEL5 since it uses the older SysVinit package. One thing to note, preikka/prelude is an IDS system. Not all audit events are IDS events. Only a handful really qualify as Intrusion Detection worthy. So, you really can't use prewikka as an audit log browser. -Steve