[Logcheck-devel] [PATCH] Made PID optional in PAM session rules

Fri Jan 25 05:53:13 UTC 2008

This makes the PID part of PAM session rules optional, as sudo is now
calling pam_open_session() and pam_close_session() since 1.6.9, and does
not include a PID in its call to pam_start().


Signed-off-by: Frédéric Brière <fbriere at fbriere.net>
---
 rulefiles/linux/ignore.d.server/logcheck |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rulefiles/linux/ignore.d.server/logcheck b/rulefiles/linux/ignore.d.server/logcheck
index a2272ec..390479b 100644
--- a/rulefiles/linux/ignore.d.server/logcheck
+++ b/rulefiles/linux/ignore.d.server/logcheck
@@ -1,8 +1,8 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
 # new pam format
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user [.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?: pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user [.[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session opened for user [.[:alnum:]-]+ by \(uid=0\)$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session closed for user [.[:alnum:]-]+$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ identd\[[0-9]+\]: started$
-- 
1.5.3.8



