Hi, I just locked myself out of a system and found the reason to be that apparently, some ssh versions produce the following message for every su command:

    pam_systemd(su:session): Failed to create session: No such file or directory

This apparently triggers rule id 5716 which matches ^Failed in auth.log. Now it seems I can't do anything against the above pam_systemd message (see also http://ubuntu-bugs.narkive.com/P3rO1nNZ/bug-1318168-re-su-failed-to-create-session-no-such-file-or-directory) but how can I best avoid ossec triggering on this, without removing the rule entirely since I still want it to trigger on other failures?

Thanks,
Armin
