* USER_END vs USER_LOGOUT
From: Florin Andrei @ 2014-05-08 17:45 UTC (permalink / raw)
To: linux-audit
For a group of cloud instances, I am looking to implement a policy
whereby any instance will self-destroy if no users were logged into it
via ssh for the last X hours. This requires me to track logout events.
It seems like the audit log might provide this information.
However, looking at that log while a user logs out of an ssh session, I
noticed two lines:
type=USER_END msg=audit(1399507220.412:179): pid=1327 uid=0 auid=0 ses=2
msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=?
terminal=/dev/pts/0 res=success'
type=USER_LOGOUT msg=audit(1399507220.412:180): pid=1327 uid=0 auid=0
ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=?
terminal=/dev/pts/0 res=success'
They appear to correspond to two other events recorded during the same
user's login:
type=USER_LOGIN msg=audit(1399507218.420:173): pid=22523 uid=0 auid=0
ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX
addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1399507218.420:174): pid=22523 uid=0 auid=0
ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX
addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'
What is the difference between USER_END and USER_LOGOUT? Which one
should I track, in order to capture all session-end events, including
the ssh connection being terminated without the user actually typing in
"logout"?
--
Florin Andrei
http://florin.myip.org/
* Re: USER_END vs USER_LOGOUT
From: Steve Grubb @ 2014-05-08 18:15 UTC (permalink / raw)
To: Florin Andrei; +Cc: linux-audit
On Thu, 08 May 2014 10:45:37 -0700
Florin Andrei <florin@andrei.myip.org> wrote:
> What is the difference between USER_END and USER_LOGOUT?
LOGOUT means a user that was logged in has logged out. USER_END means a
session for that user has just ended. It could be a login or could be a
cron job.
-Steve
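
Added example, not part of either message: a Python sketch that decides "nobody logged in for X hours" from USER_LOGIN/USER_LOGOUT pairs keyed by `ses`, and tallies USER_END per `exe` to show that it also fires for non-login sessions. The sshd records are the thread's lines rejoined onto single lines; the cron record, its `exe` path and all function names are assumptions.

```python
import re

# Constructed sample: the thread's four sshd records rejoined onto single lines,
# plus one constructed cron USER_END (its fields and exe path are assumptions).
SAMPLE = """\
type=USER_LOGIN msg=audit(1399507218.420:173): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1399507218.420:174): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1399507220.412:179): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_LOGOUT msg=audit(1399507220.412:180): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1399510800.000:200): pid=2000 uid=0 auid=0 ses=3 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
"""

RECORD = re.compile(
    r'^type=(\w+) msg=audit\((\d+)\.\d+:\d+\):.*?\bses=(\d+)\b'
    r'.*?exe="([^"]+)".*?\bres=(\w+)')

def parse(text):
    """Yield (type, epoch_seconds, ses, exe, res) for each record that matches."""
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4), m.group(5)

def login_state(text):
    """Return (open_sessions, last_logout_epoch) from USER_LOGIN/USER_LOGOUT only."""
    open_ses, last_logout = set(), None
    for typ, ts, ses, _exe, res in parse(text):
        if typ == "USER_LOGIN" and res == "success":
            open_ses.add(ses)
        elif typ == "USER_LOGOUT":
            open_ses.discard(ses)
            last_logout = ts if last_logout is None else max(last_logout, ts)
    return open_ses, last_logout

def idle_long_enough(text, now, max_idle_hours):
    """True only if no login session is open and the last logout is old enough."""
    open_ses, last_logout = login_state(text)
    if open_ses or last_logout is None:  # never-used instances are left alone
        return False
    return now - last_logout >= max_idle_hours * 3600

def session_ends_by_exe(text):
    """Count USER_END records per executable, exposing non-login sources."""
    counts = {}
    for typ, _ts, _ses, exe, _res in parse(text):
        if typ == "USER_END":
            counts[exe] = counts.get(exe, 0) + 1
    return counts
```

The later cron USER_END in the sample does not move the last-logout time, which is why the idle decision keys on USER_LOGOUT here.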