Package: logcheck-database
Version: 1.2.63
Severity: wishlist
Tags: patch

The new pam_unix module logs session calls via syslog, resulting in new
log messages for each sudo job that calls the pam_unix session handler.

(This was previously sent only to the mailing list.  Putting it into the
BTS so that it's not lost since it doesn't appear to have been applied
yet.)

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-- debconf information:
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
  logcheck-database/conffile-cleanup: false
From c2785e1ecb0d3948c47aeb01cdcb2369ca1d3110 Mon Sep 17 00:00:00 2001
From: Russ Allbery <[EMAIL PROTECTED]>
Date: Wed, 26 Dec 2007 20:01:07 -0800
Subject: [PATCH] Ignore PAM session messages from sudo.

The new pam_unix module logs session calls via syslog, resulting in new
log messages for each sudo job that calls the pam_unix session handler.
---
 rulefiles/linux/violations.ignore.d/logcheck-sudo |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/rulefiles/linux/violations.ignore.d/logcheck-sudo 
b/rulefiles/linux/violations.ignore.d/logcheck-sudo
index 79dcad1..771def3 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-sudo
+++ b/rulefiles/linux/violations.ignore.d/logcheck-sudo
@@ -1,2 +1,4 @@
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ; 
COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
 ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ : 
\(command continued\).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session 
opened for user [_[:alnum:].-]+ by [_[:alnum:].-]+\(uid=[[:digit:]]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session 
closed for user [_[:alnum:].-]+$
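
Review bot: The added "session opened" rule requires a non-empty login name in `by [_[:alnum:].-]+\(uid=[[:digit:]]+\)`, but pam_unix logs `by (uid=0)` with the name left empty when it cannot determine a login name (for example when sudo is run outside a login session), so those lines would still be reported. Changing the quantifier on the "by" field to `*` would cover both forms. Separately, both added rules match one literal space after `sudo:` while the two existing rules in this file use `sudo:[[:space:]]+`; using the same form would keep the file consistent. Because this file lives in violations.ignore.d, it is good that both patterns stay anchored with `^` and `$` so that nothing beyond these exact session messages is suppressed.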
-- 
1.5.3.8
