This makes the PID part of PAM session rules optional, as sudo is now
calling pam_open_session() and pam_close_session() since 1.6.9, and does
not include a PID in its call to pam_start().
Signed-off-by: Frédéric Brière <[EMAIL PROTECTED]>
---
rulefiles/linux/ignore.d.server/logcheck | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rulefiles/linux/ignore.d.server/logcheck
b/rulefiles/linux/ignore.d.server/logcheck
index a2272ec..390479b 100644
--- a/rulefiles/linux/ignore.d.server/logcheck
+++ b/rulefiles/linux/ignore.d.server/logcheck
@@ -1,8 +1,8 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
\(pam_[[:alnum:]]+\) session opened for user [.[:alnum:]-]+ by
(root|LOGIN)?\(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
\(pam_[[:alnum:]]+\) session closed for user [.[:alnum:]-]+$
# new pam format
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user
[.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user
[.[:alnum:]-]+$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?:
pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user
[.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+(\[[0-9]+\])?)?:
pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user
[.[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session
opened for user [.[:alnum:]-]+ by \(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ PAM_[^[:space:]]+: [^[:space:]]+ session
closed for user [.[:alnum:]-]+$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ identd\[[0-9]+\]: started$
--
1.5.3.8
_______________________________________________
Logcheck-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
