Frédéric Brière
2008-Feb-04 04:17 UTC
[Logcheck-devel] [PATCH] Ignore PAM session messages triggered by sudo
Since version 1.6.9 (changeset 577), sudo calls pam_open_session() and
pam_close_session(). These rules were copied from logcheck-su.
---
rulefiles/linux/violations.ignore.d/logcheck-sudo | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-sudo
b/rulefiles/linux/violations.ignore.d/logcheck-sudo
index 79dcad1..1b9413a 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-sudo
+++ b/rulefiles/linux/violations.ignore.d/logcheck-sudo
@@ -1,2 +1,4 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ :
TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ;
COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command
continued\).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\):
session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\):
session closed for user [[:alnum:]-]+$
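Review bot: the user-name classes in the two added rules are narrower than the ones already used on the existing lines of this hunk, so some legitimate sessions will still be reported. The existing rules match the invoking user with `[._[:alnum:].-]+`, but the new rules match `for user [[:alnum:]-]+` and `by ([[:alnum:]-]+)?`, which excludes account names containing `.` or `_` (both valid on Linux). Suggest using the same class in all three places, e.g. `session opened for user [._[:alnum:]-]+ by ([._[:alnum:]-]+)?\(uid=[0-9]+\)$`, and likewise for the "session closed" rule. Minor: `pam_[[:alnum:]]+` only admits a single underscore, so a module name with a second one would also fall through; `pam_[_[:alnum:]]+` would cover that while staying as tight as the rest of the rule.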
--
1.5.3.8