[Logcheck-devel] [PATCH] Made PID optional in PAM session rules
Frédéric Brière
fbriere at fbriere.net
Fri Jan 25 05:53:13 UTC 2008
This makes the PID part of PAM session rules optional, as sudo is now
calling pam_open_session() and pam_close_session() since 1.6.9, and does
not include a PID in its call to pam_start().
Signed-off-by: Frédéric Brière <fbriere at fbriere.net>
---
rulefiles/linux/ignore.d.server/logcheck | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/logcheck b/rulefiles/linux/ignore.d.server/logcheck
index a2272ec..390479b 100644
--- a/rulefiles/linux/ignore.d.server/logcheck
+++ b/rulefiles/linux/ignore.d.server/logcheck
@@ -1,8 +1,8 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
# new pam format
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session opened for user [.[:alnum:]-]+ by \(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session closed for user [.[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ identd\[[0-9]+\]: started$
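Review bot: in both `+` lines the new `(\[[0-9]+\])?` makes the PID optional for every program tag, not only sudo, so these ignore rules now also suppress PID-less "session opened"/"session closed" lines from any other source. Since the commit message names sudo as the only case, consider keeping the PID mandatory in general and allowing the bare tag for sudo alone, for example `(sudo|[[:alnum:]]+\[[0-9]+\])?` in place of `([[:alnum:]]+(\[[0-9]+\])?)?`. The two old-format rules at the top of the hunk still require `\[[0-9]+\]`; if that is intentional, a short comment above the changed pair saying why the PID is optional there would help the next person who edits this file.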
--
1.5.3.8