Russ Allbery
2007-Dec-27 04:08 UTC
[Logcheck-devel] [PATCH] Ignore PAM session messages from sudo.
The new pam_unix module logs session calls via syslog, resulting in new log messages for each sudo job that calls the pam_unix session handler. Signed-off-by: Russ Allbery <rra at debian.org> --- rulefiles/linux/violations.ignore.d/logcheck-sudo | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/rulefiles/linux/violations.ignore.d/logcheck-sudo b/rulefiles/linux/violations.ignore.d/logcheck-sudo index 79dcad1..771def3 100644 --- a/rulefiles/linux/violations.ignore.d/logcheck-sudo +++ b/rulefiles/linux/violations.ignore.d/logcheck-sudo @@ -1,2 +1,4 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user [_[:alnum:].-]+ by [_[:alnum:].-]+\(uid=[[:digit:]]+\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user [_[:alnum:].-]+$ -- 1.5.3.7
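Review bot: the first added rule requires at least one character in the "by" name before "(uid=...)" (`by [_[:alnum:].-]+\(uid=[[:digit:]]+\)$`), so a "session opened" line where the invoking login name is empty (e.g. "by (uid=0)" from a non-interactive job) would still be reported as a violation even though the matching "session closed" line is ignored; if that case is possible, `[_[:alnum:].-]*` for the name would keep the two rules symmetric. Also, the existing rules tolerate `sudo:[[:space:]]+` before the user field while the new ones use a single literal space before `pam_unix`; that is fine for the pam_unix format but worth stating in the commit message so the inconsistency is not later "fixed" into a looser match.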