Frédéric Brière
2008-Jan-25 05:53 UTC
[Logcheck-devel] [PATCH] Removed the old PAM session syntax rules, which are covered by the new syntax
These two rules are actually covered by the next ones, as the only difference is "session" being replaced with "[[:alnum:]]+". Signed-off-by: Frédéric Brière <fbriere at fbriere.net> --- rulefiles/linux/ignore.d.server/logcheck | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/rulefiles/linux/ignore.d.server/logcheck b/rulefiles/linux/ignore.d.server/logcheck index 767e27f..a2272ec 100644 --- a/rulefiles/linux/ignore.d.server/logcheck +++ b/rulefiles/linux/ignore.d.server/logcheck @@ -1,7 +1,5 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:session\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:session\): session closed for user [.[:alnum:]-]+$ # new pam format ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$ -- 1.5.3.8
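Review bot: the deletion is safe as stated: the two removed `:session\)` rules are a strict subset of the `# new pam format` rules kept directly below them, because `[[:alnum:]]+` in the PAM-type position also matches the literal `session`, so no line that was ignored before becomes reported. Worth spelling out in the commit message, though, is that the surviving rules already ignore session open/close lines for every PAM service type, not only `session`, so the effective ignore scope after this patch is the existing broader one rather than a narrowing.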
Frédéric Brière
2008-Jan-25 05:53 UTC
[Logcheck-devel] [PATCH] Made PID optional in PAM session rules
This makes the PID part of PAM session rules optional, as sudo is now calling pam_open_session() and pam_close_session() since 1.6.9, and does not include a PID in its call to pam_start(). Signed-off-by: Frédéric Brière <fbriere at fbriere.net> --- rulefiles/linux/ignore.d.server/logcheck | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rulefiles/linux/ignore.d.server/logcheck b/rulefiles/linux/ignore.d.server/logcheck index a2272ec..390479b 100644 --- a/rulefiles/linux/ignore.d.server/logcheck +++ b/rulefiles/linux/ignore.d.server/logcheck @@ -1,8 +1,8 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$ # new pam format -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session opened for user [.[:alnum:]-]+ by \(uid=0\)$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session closed for user [.[:alnum:]-]+$ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ identd\[[0-9]+\]: started$ -- 1.5.3.8
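Review bot: the new `([[:alnum:]]+(\[[0-9]+\])?)?:` group does accept a bare `sudo:` tag, but the "session opened" rule's tail `by (root|LOGIN)?\(uid=0\)` is left unchanged and only accepts an empty name, `root` or `LOGIN` in front of `(uid=0)`; if the sudo session lines this patch targets name the invoking user there, they will still be reported after this change, so please check the patch against an actual sudo log line before applying. Also note that only the `pam_[[:alnum:]]+\(...\)` rules get the optional PID; the `\(pam_[[:alnum:]]+\)` and `PAM_[^[:space:]]+` rules in the surrounding context keep their tag syntax, which is fine as long as sudo only emits the new format.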
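As an added example that is not code from either patch or from logcheck itself, the script below runs the three generations of the PAM "session opened" ignore rule from the two patches above over a few constructed syslog lines with grep -E, the matcher logcheck applies its rulefiles with: it checks that the rule removed by the first patch is fully covered by the rule that survives it, and shows what the optional-PID change of the second patch does and does not silence. The hostname, PIDs, user name and the `by ...(uid=0)` shape of the sudo lines are assumptions, not taken from the thread.

```shell
# Three generations of the PAM "session opened" ignore rule from the two patches.
# Old bracket-form rule deleted by the first patch (PAM type fixed to "session"):
OLD_OPEN='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:session\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$'
# "new pam format" rule that survives it (any PAM type):
NEW_OPEN='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$'
# Second patch: the "[PID]" part becomes optional so a bare "sudo:" tag passes:
PIDOPT_OPEN='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$'

# Constructed sample syslog lines (hostname, PIDs and the user name are made up).
SAMPLE_LOG='Jan 25 05:53:01 host cron[1234]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 25 05:53:01 host cron[1234]: pam_unix(cron:session): session closed for user root
Jan 25 05:53:02 host sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Jan 25 05:53:02 host sudo: pam_unix(sudo:session): session opened for user root by fbriere(uid=0)'

# Succeed (status 0) when RULE would make logcheck ignore LINE; grep -E is what logcheck uses.
ignores() {
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Print how many of the sample lines RULE ignores (0 rather than a failure when none).
count_ignored() {
  printf '%s\n' "$SAMPLE_LOG" | grep -Ec -- "$1" || true
}

# Succeed when every sample line NARROW ignores is also ignored by WIDE,
# i.e. NARROW can be deleted without any line becoming reported again.
subsumed_by() {
  ! printf '%s\n' "$SAMPLE_LOG" | grep -E -- "$1" | grep -Ev -- "$2" | grep -q .
}

main() {
  subsumed_by "$OLD_OPEN" "$NEW_OPEN" && echo "old :session rule is fully covered by the new one"
  echo "sample lines ignored before the PID patch: $(count_ignored "$NEW_OPEN")"
  echo "sample lines ignored after the PID patch:  $(count_ignored "$PIDOPT_OPEN")"
  # The unchanged tail "by (root|LOGIN)?\(uid=0\)" still rejects any other name before (uid=0).
  ignores "$PIDOPT_OPEN" 'Jan 25 05:53:02 host sudo: pam_unix(sudo:session): session opened for user root by fbriere(uid=0)' \
    || echo "a 'by <user>(uid=0)' line is still reported after the PID patch"
}
main
```

The same three functions can be pointed at a real logcheck rulefile and a real log excerpt to see which lines a proposed rule change would stop reporting before it is committed.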
martin f krafft
2008-Mar-05 09:08 UTC
[Logcheck-devel] thanks for your help, and hints for the future rules, which are covered by the new syntax
Frédéric, you've done a really cool job with all the patches, I hope I finally managed to apply them all. I think you should get an alioth account so that we can just let you commit directly to the Git tree. Thanks again!

-- 
 .''`.   martin f. krafft <madduck at debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

micro$oft could shit in a box, and most people would buy it.
Frédéric Brière
2008-Mar-15 03:22 UTC
[Logcheck-devel] [PATCH] Made PID optional in PAM session rules
Frédéric Brière <fbriere at fbriere.net> wrote:
> This makes the PID part of PAM session rules optional, as sudo is now
> calling pam_open_session() and pam_close_session() since 1.6.9, and does
> not include a PID in its call to pam_start().

Not anymore; 1.6.9p11-2 added pam_permit.so to sudo.pam, thus bypassing any session opening. We can just forget this patch, then. (Unless there are backporters who care about this three-month period.)

-- 
< DanielS> still, throne of blood sounds like a movie about overfiend and virgins or some crap
 -- in #debian-devel
Frédéric Brière
2008-Mar-15 03:38 UTC
[Logcheck-devel] [PATCH] Removed the old PAM session syntax rules, which are covered by the new syntax
Frédéric Brière <fbriere at fbriere.net> wrote:
> These two rules are actually covered by the next ones, as the only
> difference is "session" being replaced with "[[:alnum:]]+".

I don't know if you missed this patch or intentionally left it out, but I'm going to be bold and commit it. Feel free to revert if you object.

-- 
<maswan> Joy: Lets fork cat! :)
<maswan> Joy: imagine a big pitchfork and a dead kitten on top of it.. with blood running down..