Security – auditctl – logging when a user logs out


Is it possible to log when a user logs out of a session on Linux using Auditctl?

My current audit.rules relating to users are:

-w /etc/login.defs -p xwa -k login
-w /etc/securetty -p xwa -k login
-w /var/log/faillog -p xwa -k login
-w /var/log/lastlog -p xwa -k login
-w /var/log/tallylog -p xwa -k login
-w /var/log/secure -p xwa -k login

I can't see anything obvious in /var/log that I can watch, so I assume this is going to need some more configuration?

Best Answer

This very much depends on what OS/distribution you are using:

  • Fedora 20 and RHEL7 use systemd, so all login/logout actions can be viewed using journalctl:

    Jul 17 11:14:08 pris.crapsteak.org login[23256]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
    Jul 17 11:14:08 pris.crapsteak.org login[23256]: ROOT LOGIN ON tty2
    Jul 17 11:14:26 pris.crapsteak.org login[23256]: pam_unix(login:session): session closed for user root
    
  • In RHEL6 these actions are logged to /var/log/auth.log.

For configuration specific to auditd, check out the excellent introduction to the audit system by Scott Pack, from the example configuration in that article:

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

The next three files (utmp, wtmp, btmp) store the current login state of each user, login/logout history, and failed login attempts respectively. So monitoring these will let us know any time an account is used, or failed login attempt, or more specifically whenever these files get changed which will include malicious covering of tracks.
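Once those three `-k session` watches are loaded, the records that land in audit.log have to be correlated by serial number to see which file was written and by whom. The script below is an added example (not code from the answer above or from Scott Pack's article): it joins the SYSCALL and PATH records of each `session` event and then lists writers outside a constructed allowlist of login-path binaries, which is the "covering of tracks" case the quoted paragraph mentions. The sample records and the allowlist are constructed assumptions.

```shell
# Constructed sample of audit.log records (field values made up) as auditd
# would write them with the three "-k session" watches loaded; the last
# event carries a different key and must be ignored.
SAMPLE_LOG='type=SYSCALL msg=audit(1405590866.101:4501): arch=c000003e syscall=2 success=yes exit=3 pid=23256 auid=0 uid=0 comm="login" exe="/bin/login" key="session"
type=CWD msg=audit(1405590866.101:4501): cwd="/"
type=PATH msg=audit(1405590866.101:4501): item=0 name="/var/log/wtmp" inode=1234 mode=0100664
type=SYSCALL msg=audit(1405590884.220:4502): arch=c000003e syscall=2 success=yes exit=4 pid=23256 auid=0 uid=0 comm="login" exe="/bin/login" key="session"
type=PATH msg=audit(1405590884.220:4502): item=0 name="/var/run/utmp" inode=5678 mode=0100664
type=SYSCALL msg=audit(1405590900.005:4503): arch=c000003e syscall=2 success=yes exit=3 pid=31337 auid=1000 uid=0 comm="sh" exe="/bin/sh" key="session"
type=PATH msg=audit(1405590900.005:4503): item=0 name="/var/log/btmp" inode=9012 mode=0100664
type=SYSCALL msg=audit(1405590905.500:4504): arch=c000003e syscall=2 success=yes exit=3 pid=4000 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="editor"
type=PATH msg=audit(1405590905.500:4504): item=0 name="/home/alice/notes" inode=42 mode=0100644'

# Join every SYSCALL record tagged key="session" with the PATH record(s) that
# share its audit serial number and print:  serial  file  auid  exe
# (on a live host the same records come from: ausearch -k session --raw)
session_events() {
    awk '
    {
        # the serial is the number after the colon in msg=audit(ts:serial):
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
        serial = substr($0, RSTART, RLENGTH)
        sub(/.*:/, "", serial); sub(/\)/, "", serial)
    }
    $1 == "type=SYSCALL" && /key="session"/ {
        sys[serial] = 1
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^auid=/) auid[serial] = substr($i, 6)
            if ($i ~ /^exe=/)  { e = substr($i, 5); gsub(/"/, "", e); exe[serial] = e }
        }
    }
    $1 == "type=PATH" && (serial in sys) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^name=/) { n = substr($i, 6); gsub(/"/, "", n)
                                 print serial, n, auid[serial], exe[serial] }
    }'
}

# Keep only events whose writer is not a binary expected to touch the session
# files. Constructed allowlist: compare full paths, not basenames, so a copy
# of "login" placed elsewhere does not pass.
unexpected_writers() {
    session_events | awk '$4 != "/bin/login" && $4 != "/usr/sbin/sshd" && $4 != "/sbin/init"'
}

printf '%s\n' "$SAMPLE_LOG" | session_events
echo "--- writers outside the allowlist ---"
printf '%s\n' "$SAMPLE_LOG" | unexpected_writers
```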