This very much depends on what OS/distribution you are using: Fedora 20 and RHEL7 use systemd, so all login/logout actions can be viewed using journalctl:
Jul 17 11:14:08 pris.crapsteak.org login[23256]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 17 11:14:08 pris.crapsteak.org login[23256]: ROOT LOGIN ON tty2
Jul 17 11:14:26 pris.crapsteak.org login[23256]: pam_unix(login:session): session closed for user root
In RHEL6 these actions are logged to /var/log/auth.log.
For configuration specific to auditd, check out the excellent introduction to the audit system by Scott Pack. From the example configuration in that article:
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
The next three files (utmp, wtmp, btmp) store the current login state of each user, login/logout history, and failed login attempts respectively. So monitoring these will let us know any time an account is used, or failed login attempt, or more specifically whenever these files get changed which will include malicious covering of tracks.
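As an added example (not part of the answer above or of the cited article), the following Python script shows one way to turn the pam_unix session lines from journalctl or auth.log into a session timeline: it pairs each "session opened" with its "session closed" by process ID, computes durations, and reports sessions that are still open or closes with no matching open (which is what an attacker tampering with the log trail, or a crashed login, would leave behind). The sample lines are constructed to match the format shown in the answer, and the year is an assumption passed in by the caller because syslog-style timestamps do not carry one.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the journalctl output shown in the answer
SAMPLE_LOG = """\
Jul 17 11:14:08 pris.crapsteak.org login[23256]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 17 11:14:08 pris.crapsteak.org login[23256]: ROOT LOGIN ON tty2
Jul 17 11:14:26 pris.crapsteak.org login[23256]: pam_unix(login:session): session closed for user root
Jul 17 11:20:00 pris.crapsteak.org sshd[23300]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jul 17 11:25:30 pris.crapsteak.org sshd[23300]: pam_unix(sshd:session): session closed for user alice
Jul 17 11:30:00 pris.crapsteak.org sshd[23310]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

# Matches the pam_unix(<service>:session) open/close lines; other lines are ignored
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"pam_unix\((?P<service>[\w.-]+):session\): "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)


def parse_events(text, year=2014):
    """Yield one dict per pam_unix session open/close line.

    `year` is an assumption: syslog/journal short timestamps omit it.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "ROOT LOGIN ON tty2" carries no session event
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        yield ev


def pair_sessions(events):
    """Pair opens with closes by (pid, user, service).

    Returns (completed_sessions, still_open, unmatched_closes); the last two
    are the cases worth a second look during an investigation.
    """
    open_by_key = {}
    sessions, unmatched_closes = [], []
    for ev in events:
        key = (ev["pid"], ev["user"], ev["service"])
        if ev["event"] == "opened":
            open_by_key[key] = ev
            continue
        start = open_by_key.pop(key, None)
        if start is None:
            unmatched_closes.append(ev)  # close without an open: gap in the trail
            continue
        sessions.append({
            "user": ev["user"],
            "service": ev["service"],
            "pid": ev["pid"],
            "opened": start["time"],
            "closed": ev["time"],
            "duration_s": int((ev["time"] - start["time"]).total_seconds()),
        })
    still_open = [
        {"user": ev["user"], "service": ev["service"], "pid": ev["pid"], "opened": ev["time"]}
        for ev in open_by_key.values()
    ]
    return sessions, still_open, unmatched_closes


if __name__ == "__main__":
    done, open_now, orphans = pair_sessions(parse_events(SAMPLE_LOG))
    for s in done:
        print(f"{s['user']:<8} {s['service']:<6} pid={s['pid']} {s['opened']:%H:%M:%S} -> "
              f"{s['closed']:%H:%M:%S} ({s['duration_s']}s)")
    for s in open_now:
        print(f"{s['user']:<8} {s['service']:<6} pid={s['pid']} still open since {s['opened']:%H:%M:%S}")
    for ev in orphans:
        print(f"{ev['user']:<8} {ev['service']:<6} pid={ev['pid']} closed without matching open")
```

On a live system the same script can be fed `journalctl -o short` or `/var/log/auth.log` contents via `parse_events(open(path).read())`; the pairing key includes the PID so that concurrent sessions for the same user are kept apart.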