On 21/10/2021 21:54, Andreas Hasenack wrote:
> Could you please file a bug in Ubuntu about this, openssh package?
> https://bugs.launchpad.net/ubuntu/+source/openssh/+filebug
> We can take a look at what it would take to adopt that patch, and
> submit it to debian as well
Done
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1948357
Thanks
>
> On Thu, Oct 21, 2021 at 9:56 AM lizhij...@fujitsu.com
> <lizhij...@fujitsu.com> wrote:
>> Hi Steve
>>
>>
>> On 21/10/2021 09:30, Li Zhijian wrote:
>>> Hi Steve
>>>
>>>
>>> Your reply was very much appreciated
>>>
>>> On 21/10/2021 01:05, Steve Grubb wrote:
>>>> Hello,
>>>>
>>>> On Wednesday, October 20, 2021 10:55:02 AM EDT Li Zhijian wrote:
>>>>> I'm new to audit, and I observed that there is no LOGOUT event record
>>>>> in audit.log on my Ubuntu 18.04 and Debian 8 OSes, while CentOS 7.4 and
>>>>> Fedora 33 have it.
>>>>>
>>>>> I googled it but got no answer, so am I missing something about the audit
>>>>> rules or a special audit configuration?
>>>> The logout events are hardwired into programs. IOW, they do not come from
>>>> any audit rules. You'd want to see which program the users log in with.
>>> I tried logging in and out with /usr/bin/login (util-linux) and sshd (openssh);
>>> neither of them generates a LOGOUT event correctly.
>>>
>>>
>>>
>>>> It is responsible for sending the logout event. You might check the source
>>>> code of it or simply grep AUDIT_LOGOUT in the source.
>>> Yes, I believed that some program sends the logout event to auditd/kauditd, but
>>> I cannot find any clue so far.
>> After taking a look into the openssh of fedora-33, indeed, as you said,
>> the openssh of fedora-33 adds an extra patch to support the LOGOUT event, etc.
>> [root@iaas-rpma SOURCES]# grep USER_LOGOUT . -r
>> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
>> ./openssh-7.6p1-audit.patch:+ li->line, 1, AUDIT_USER_LOGOUT);
>> ./openssh-7.6p1-audit.patch:+ "ssh", 1, AUDIT_USER_LOGOUT);
>>
>> while other openssh shipped by debian and ubuntu didn't do that.
>>
>> I truly appreciate you again.
>>
>> Thanks
>> Zhijian
>>
>>
>>
>>> IIUC, for the above login programs, I should grep AUDIT_LOGOUT in util-linux
>>> and openssh; both return nothing.
>>>
>>> [lizhijian@yl util-linux-2.33]$ grep AUDIT_LOGOUT . -r
>>> [lizhijian@yl util-linux-2.33]$ cd -
>>> ...
>>> [lizhijian@yl openssh-7.9p1]$ grep AUDIT_LOGOUT . -r
>>> [lizhijian@yl openssh-7.9p1]$
>>>
>>> Even when I grep the openssh source from CentOS, it also has no
>>> AUDIT_LOGOUT pattern in it.
>>>
>>> Thanks
>>> Zhijian
>>>
>>>
>>>> If it is in the code, then you'd want to see what's happening in the code
>>>> when a user logs out.
>>>>
>>>> -Steve
>>>>
>>>>> Below are part of records of audit in my several OSes.
>>>>>
>>>>> debian 8
>>>>> lizhijian@lkp-bingo:~$ sudo aureport -e -i --summary | grep -i USER
>>>>> [sudo] password for lizhijian:
>>>>> 6 USER_START
>>>>> 6 USER_END
>>>>> 4 USER_ACCT
>>>>> 4 USER_CMD
>>>>> 2 USER_AUTH
>>>>> 2 USER_LOGIN
>>>>>
>>>>> ubuntu 18.04
>>>>> lizj@FNSTPC:~$ sudo aureport -e -i --summary | grep USER
>>>>> 43241 USER_END
>>>>> 16946 USER_START
>>>>> 16718 USER_ACCT
>>>>> 658 USER_AUTH
>>>>> 543 USER_CMD
>>>>> 255 USER_LOGIN
>>>>> 9 USER_ROLE_CHANGE
>>>>> 5 USER_ERR
>>>>> 2 USER_CHAUTHTOK
>>>>> 1 ADD_USER
>>>>>
>>>>> fedora 33
>>>>> [root@iaas-rpma linux]# aureport -e -i --summary | grep USER
>>>>> 7356 CRYPTO_KEY_USER
>>>>> 2103 USER_START
>>>>> 1649 USER_END
>>>>> 1268 USER_ACCT
>>>>> 1108 USER_ROLE_CHANGE
>>>>> 1029 USER_AUTH
>>>>> 895 USER_LOGIN
>>>>> 789 USER_LOGOUT
>>>>> 60 USER_CMD
>>>>> 14 USER_ERR
>>>>> 3 USER_MGMT
>>>>> 3 USER_CHAUTHTOK
>>>>> 1 ADD_USER
>>>>>
>>>>> Thanks
>>>>>
>>>>> --
>>>>> Linux-audit mailing list
>>>>> Linux-audit@redhat.com
>>>>> https://listman.redhat.com/mailman/listinfo/linux-audit
>>>>
>>>>
>>>>
>>>>
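
The gap discussed in this thread, as an added example that is not part of the original messages: a Python check that pairs successful USER_LOGIN records with USER_LOGOUT records by session id in raw audit.log text, separating "session still open" from "login program never sends USER_LOGOUT". The log records and the names logout_coverage, UNPATCHED and PATCHED are constructed for illustration.

```python
import re
from collections import Counter

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:\d+\):")
UNSET_SES = "4294967295"  # audit's "no session" value, (u32)-1

# Constructed records (not from the thread). UNPATCHED: sshd without the audit patch.
UNPATCHED = """\
type=USER_LOGIN msg=audit(1634824700.100:90): pid=1400 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" addr=192.0.2.9 terminal=ssh res=failed'
type=USER_START msg=audit(1634824800.101:91): pid=1501 uid=0 auid=1000 ses=12 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1634824800.105:92): pid=1501 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1634828400.300:93): pid=1501 uid=0 auid=1000 ses=12 msg='op=PAM:session_close acct="alice" exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=ssh res=success'
"""
# PATCHED: sshd that sends USER_LOGOUT; session 7 is closed, session 8 is still open.
PATCHED = """\
type=USER_LOGIN msg=audit(1634824800.105:40): pid=2201 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_LOGOUT msg=audit(1634828400.310:41): pid=2201 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1634829000.020:42): pid=2350 uid=0 auid=1001 ses=8 msg='op=login id=1001 exe="/usr/sbin/sshd" addr=192.0.2.11 terminal=/dev/pts/1 res=success'
"""

def parse(text):
    """Yield (record type, session id, result) for each raw audit.log line."""
    for line in text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue  # blank or truncated line
        ses = re.search(r"\bses=(\d+)", line)
        res = re.search(r"\bres=(\w+)", line)
        yield head.group(1), ses.group(1) if ses else UNSET_SES, res.group(1) if res else ""

def logout_coverage(text):
    """Report which successful login sessions have no matching USER_LOGOUT."""
    counts, logins, logouts = Counter(), set(), set()
    for rtype, ses, res in parse(text):
        counts[rtype] += 1
        if ses == UNSET_SES:
            continue  # failed logins carry no session id and cannot be paired
        if rtype == "USER_LOGIN" and res == "success":
            logins.add(ses)
        elif rtype == "USER_LOGOUT":
            logouts.add(ses)
    return {
        "counts": dict(counts),
        "unpaired_sessions": sorted(logins - logouts, key=int),
        # Logins exist but no USER_LOGOUT of any kind: the login program lacks the call.
        "logout_never_emitted": bool(logins) and counts["USER_LOGOUT"] == 0,
    }
```

On a host where logout_never_emitted is true, session end times have to be taken from USER_END records instead, since no audit rule can produce the missing event.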