No USER_LOGIN events in audit.log

Hello,

I’m attempting to configure a closed room system using Rocky 8. We are migrating from using a CentOS 7 machine. I’m working with Rocky 8 in a VM currently and I’ve gotten my STIG compliance scores as high as I can and am now focusing on general OS monitoring and auditing.

We have a script which uses ‘ausearch’ to spit out a bunch of details for auditing: daemon start/end, login/logouts, failed sudos, etc. When running the script everything expected is returned - except the USER_LOGIN events.

Using “ausearch -m USER_LOGIN -i” always produces “no matched events”. I see all the other events in the audit.log (USER_START, USER_AUTH, USER_ACCT), but no USER_LOGIN. Similarly there are no USER_LOGOUT events. Since there are no USER_LOGIN events, “aureport --login -i” produces “no events of interest were found”.

My initial thought was that possibly the hardened system is excluding these events from the audit.log, but even when starting with a fresh install no events are produced.

Has anyone encountered this or something similar?

Can someone confirm their system does produce the USER_LOGIN/USER_LOGOUT events?

Thank you

Can you show what your audit rules look like? Knowing what the rule set is would help in troubleshooting this particular issue.

Tested here on RL9. Seems that only ssh and VT/TTY logins are logged …

Appreciate the responses.

@Ritov is right, using SSH or TTY does produce an event with USER_LOGIN, but login via the GUI does not…hmm.

@nazunalika Here are my rules; basically all of them were generated from a STIG remediation script.

## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
--backlog_wait_time 60000
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-a always,exit -F arch=b32 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
-a always,exit -F arch=b64 -S rename -S renameat -S rmdir -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
--loginuid-immutable
-w /var/log/faillock -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b32 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b64 -S finit_module -S init_module -F auid>=1000 -F auid!=unset -F key=modules
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid
-e 2
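The thread observes that SSH and TTY logins emit USER_LOGIN but GUI logins only leave USER_START/USER_END (the PAM session records). The following is an added example, not code from the thread or from audit's own tooling, that parses raw audit.log records and reconstructs login sessions, falling back to the PAM session_open record whenever a session has no USER_LOGIN. The sample records, the session ids and the gdm-session-worker path are constructed for illustration.

```python
import re

# Constructed sample audit.log records (not from the thread): an SSH login that
# emits USER_LOGIN, and a GUI login that only emits USER_START (no USER_LOGIN).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1700000000.300:103): pid=2001 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1700000000.400:104): pid=2001 uid=0 auid=1000 ses=7 msg='op=PAM:session_open grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_START msg=audit(1700000500.000:200): pid=3100 uid=0 auid=1001 ses=9 msg='op=PAM:session_open grantors=pam_unix acct="bob" exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=/dev/tty2 res=success'
type=USER_END msg=audit(1700000600.000:210): pid=2001 uid=0 auid=1000 ses=7 msg='op=PAM:session_close grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Split one audit record into a flat dict; nested msg='...' fields are merged in."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(m.group(4)):
        val = val.strip("'\"")
        if key == "msg":  # the quoted PAM message carries its own key=value list
            rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(val))
        else:
            rec[key] = val
    return rec


def login_sessions(log_text):
    """Reconstruct login sessions keyed by the audit session id (ses)."""
    sessions = {}
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        ses = rec.get("ses")
        s = sessions.setdefault(ses, {"ses": ses, "auid": rec.get("auid"), "source": None})
        if rec["type"] == "USER_LOGIN" and rec.get("res") == "success":
            s.update(start=rec["time"], exe=rec.get("exe"), terminal=rec.get("terminal"), source="USER_LOGIN")
        elif rec["type"] == "USER_START" and rec.get("op") == "PAM:session_open":
            s.setdefault("acct", rec.get("acct"))
            if s["source"] is None:  # no USER_LOGIN for this session: use the PAM session open
                s.update(start=rec["time"], exe=rec.get("exe"), terminal=rec.get("terminal"), source="USER_START")
        elif rec["type"] == "USER_END":
            s["end"] = rec["time"]
    return sessions
```

On a live system the same function can be fed the output of `ausearch --raw`, so sessions whose `source` is USER_START are exactly the logins a plain `aureport --login` would miss.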
