From: Florin Andrei
Subject: USER_END vs USER_LOGOUT
Date: Thu, 08 May 2014 10:45:37 -0700
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

For a group of cloud instances, I am looking to implement a policy whereby any instance will self-destroy if no users were logged into it via ssh for the last X hours. This requires me to track logout events.

It seems like the audit log might provide this information. However, looking at that log while a user logs out of an ssh session, I noticed two lines:

type=USER_END msg=audit(1399507220.412:179): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_LOGOUT msg=audit(1399507220.412:180): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'

They appear to correspond to two other events recorded during the same user's login:

type=USER_LOGIN msg=audit(1399507218.420:173): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1399507218.420:174): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'

What is the difference between USER_END and USER_LOGOUT? Which one should I track, in order to capture all session-end events, including the ssh connection being terminated without the user actually typing in "logout"?

-- 
Florin Andrei
http://florin.myip.org/
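An added example of the idle-instance check described in the post, written for this page and not code from Florin or from the audit project: it parses raw audit lines of the kinds quoted above, pairs USER_START with the end records by the ses= field, and decides whether the instance has had no open ssh session for X hours. The assumption it makes is that either USER_END or USER_LOGOUT for a given ses= marks that session as closed, so it accepts both and counts each session end once, and it treats a started session with no end record as still active (the instance must not self-destroy under a live session). The ses=2 lines are the ones quoted in the post; the ses=3, ses=4 and ses=4294967295 lines, the boot timestamp and the helper names are constructed for the example.

```python
# Added example (not from the post or the audit project): decide whether an
# instance has been idle, based on raw audit session records.
import re
from dataclasses import dataclass, field

# Assumption: a session opens with USER_START and closes with USER_END and/or
# USER_LOGOUT; both end types are accepted and de-duplicated by ses=.
SESSION_START = frozenset({"USER_START"})
SESSION_END = frozenset({"USER_END", "USER_LOGOUT"})
UNSET_SES = 4294967295  # ses=-1 as u32: the process has no login session

_REC = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
_SES = re.compile(r"\bses=(?P<ses>\d+)\b")


def parse_record(line):
    """Return (type, timestamp, ses) for one raw audit line, or None when the
    line is not an audit record or carries no ses= field."""
    m = _REC.match(line.strip())
    s = _SES.search(line)
    if not m or not s:
        return None
    return m.group("type"), float(m.group("ts")), int(s.group("ses"))


@dataclass
class Sessions:
    started: dict = field(default_factory=dict)  # ses -> USER_START timestamp
    ended: dict = field(default_factory=dict)    # ses -> first end-record timestamp


def track_sessions(lines):
    """Fold raw audit lines into per-session start and end timestamps."""
    st = Sessions()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, ses = rec
        if ses == UNSET_SES:
            continue  # daemon activity, not a user login session
        if rtype in SESSION_START:
            st.started.setdefault(ses, ts)
        elif rtype in SESSION_END:
            # USER_END and USER_LOGOUT both fire for ses=2 in the post;
            # setdefault records the session end only once.
            st.ended.setdefault(ses, ts)
    return st


def active_sessions(st):
    """Sessions that started but never ended: the instance is still in use."""
    return {ses for ses in st.started if ses not in st.ended}


def last_session_end(st):
    return max(st.ended.values(), default=None)


def should_self_destroy(lines, now, idle_hours, boot_ts):
    """True when no session is open and the last session end (or, if no
    session was ever seen, the boot time) is at least idle_hours ago."""
    st = track_sessions(lines)
    if active_sessions(st):
        return False
    reference = last_session_end(st)
    if reference is None:
        reference = boot_ts  # never logged into since boot
    return now - reference >= idle_hours * 3600


# ses=2 lines are quoted from the post; the rest are constructed for the example.
SAMPLE_LOG = """
type=USER_LOGIN msg=audit(1399507218.420:173): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1399507218.420:174): pid=22523 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=XXX.XXX.XXX.XXX addr=XXX.XXX.XXX.XXX terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1399507220.412:179): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_LOGOUT msg=audit(1399507220.412:180): pid=1327 uid=0 auid=0 ses=2 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1399508000.000:190): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='op=login id=0 exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1399510000.100:201): pid=1400 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=/dev/pts/1 res=success'
type=USER_END msg=audit(1399512000.500:230): pid=1400 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1399520000.000:300): pid=1500 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=/dev/pts/2 res=success'
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()
BOOT_TS = 1399500000.0  # constructed boot time for the sample instance

if __name__ == "__main__":
    st = track_sessions(SAMPLE_LINES)
    print("active sessions:", sorted(active_sessions(st)))
    print("last session end:", last_session_end(st))
    print("destroy at +24h:", should_self_destroy(SAMPLE_LINES, BOOT_TS + 86400, 4, BOOT_TS))
```

On a real instance the same functions can be fed the raw records for the relevant types, for instance the output of `ausearch --raw -m USER_START,USER_END,USER_LOGOUT`, with `now` taken from the clock and `boot_ts` from the instance's boot time; the ses= key is what makes the check robust to both end records being emitted for one logout, and to a start record with no end record at all.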