[Logcheck-devel] Bug#464895: logcheck-database: ignore PAM session messages from sudo

Russ Allbery rra at debian.org
Sat Feb 9 17:46:29 UTC 2008


Package: logcheck-database
Version: 1.2.63
Severity: wishlist
Tags: patch

The new pam_unix module logs session calls via syslog, resulting in new
log messages for each sudo job that calls the pam_unix session handler.

(This was previously sent only to the mailing list.  Putting it into the
BTS so that it's not lost since it doesn't appear to have been applied
yet.)

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- debconf information:
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false
-------------- next part --------------
From c2785e1ecb0d3948c47aeb01cdcb2369ca1d3110 Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra at debian.org>
Date: Wed, 26 Dec 2007 20:01:07 -0800
Subject: [PATCH] Ignore PAM session messages from sudo.

The new pam_unix module logs session calls via syslog, resulting in new
log messages for each sudo job that calls the pam_unix session handler.
---
 rulefiles/linux/violations.ignore.d/logcheck-sudo |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/rulefiles/linux/violations.ignore.d/logcheck-sudo b/rulefiles/linux/violations.ignore.d/logcheck-sudo
index 79dcad1..771def3 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-sudo
+++ b/rulefiles/linux/violations.ignore.d/logcheck-sudo
@@ -1,2 +1,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : \(command continued\).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user [_[:alnum:].-]+ by [_[:alnum:].-]+\(uid=[[:digit:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user [_[:alnum:].-]+$
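Review bot: the first added rule (the `session opened` line) requires at least one character between `by ` and `(uid=` because of `[_[:alnum:].-]+`, but pam_unix logs an empty login name when it cannot determine the caller, giving `session opened for user root by (uid=0)`; such lines would not match and would keep showing up in the violations report. Consider `by [_[:alnum:].-]*\(uid=[[:digit:]]+\)$` so the login name is optional. Otherwise both rules are anchored at both ends with bounded character classes and stay specific to `sudo: pam_unix\(sudo:session\)`, which is the right shape for an ignore rule.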
-- 
1.5.3.8
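A quick way to check what a proposed ignore rule actually suppresses is to run it the way logcheck does, as an `egrep -f` rule file over sample lines. The script below is an added example, not part of this bug report or of logcheck-database; the hostname, user and timestamps in the sample lines are constructed, and the "relaxed" rule file (login name made optional with `*` instead of `+`) is an assumption of this example rather than something in the patch.

```shell
#!/bin/sh
# Added example (not from the bug report or logcheck-database): exercise the
# two proposed sudo rules against constructed syslog lines. logcheck drops a
# line when any rule in an ignore.d file matches it (it uses egrep -f), so
# grep -E -f over sample input shows exactly what would still be reported.

RULES=$(mktemp)
RELAXED=$(mktemp)
trap 'rm -f "$RULES" "$RELAXED"' EXIT

# The two rules exactly as proposed in the patch.
cat > "$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user [_[:alnum:].-]+ by [_[:alnum:].-]+\(uid=[[:digit:]]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user [_[:alnum:].-]+$
EOF

# Assumed variant: same rules, but the login name after "by" may be empty
# ([...]* instead of [...]+). This is this example's suggestion, not the patch's.
cat > "$RELAXED" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user [_[:alnum:].-]+ by [_[:alnum:].-]*\(uid=[[:digit:]]+\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user [_[:alnum:].-]+$
EOF

# Constructed sample lines in syslog format (host "myhost" and user "rra" are made up).
OPENED='Feb  9 17:46:29 myhost sudo: pam_unix(sudo:session): session opened for user root by rra(uid=1000)'
CLOSED='Feb  9 17:46:30 myhost sudo: pam_unix(sudo:session): session closed for user root'
# pam_unix writes an empty login name when it cannot determine the caller.
NOLOGIN='Feb  9 17:46:31 myhost sudo: pam_unix(sudo:session): session opened for user root by (uid=0)'
# Same wording from a different PAM service: must NOT be swallowed by a sudo rule.
OTHER='Feb  9 17:46:32 myhost su: pam_unix(su:session): session opened for user root by rra(uid=1000)'

# is_ignored RULEFILE LINE: succeeds when some rule in RULEFILE matches LINE,
# i.e. logcheck would drop the line from the report.
is_ignored() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

# report RULEFILE: read log lines on stdin, print those logcheck would still report.
report() {
    grep -E -v -f "$1"
}

# report_count RULEFILE: same as report, but print only the number of surviving lines.
report_count() {
    grep -c -E -v -f "$1"
}

# Stand-alone demonstration: with the patch's rules, the empty-login-name line
# and the su line survive; with the relaxed rules only the su line does.
echo "reported with proposed rules:"
printf '%s\n' "$OPENED" "$CLOSED" "$NOLOGIN" "$OTHER" | report "$RULES"
echo "reported with relaxed rules:"
printf '%s\n' "$OPENED" "$CLOSED" "$NOLOGIN" "$OTHER" | report "$RELAXED"
```

The `OTHER` line is the check that matters from a defender's point of view: an ignore rule that is too loose (for example dropping the `sudo:` prefix) would silently hide session messages from other PAM services as well, so any rule change is best tested with at least one line that must keep being reported.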
