Since version 1.6.9 (changeset 577), sudo calls pam_open_session() and
pam_close_session(). These rules were copied from logcheck-su.
---
rulefiles/linux/violations.ignore.d/logcheck-sudo | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rulefiles/linux/violations.ignore.d/logcheck-sudo
b/rulefiles/linux/violations.ignore.d/logcheck-sudo
index 79dcad1..1b9413a 100644
--- a/rulefiles/linux/violations.ignore.d/logcheck-sudo
+++ b/rulefiles/linux/violations.ignore.d/logcheck-sudo
@@ -1,2 +1,4 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ :
TTY=(unknown|(pts/|tty|vc/)[[:digit:]]+) ; PWD=[^;]+ ; USER=[._[:alnum:]-]+ ;
COMMAND=(/(usr|etc|bin|sbin)/|sudoedit ).*$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:].-]+ :
\(command continued\).*$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\):
session opened for user [[:alnum:]-]+ by ([[:alnum:]-]+)?\(uid=[0-9]+\)$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_[[:alnum:]]+\(sudo:session\):
session closed for user [[:alnum:]-]+$
--
1.5.3.8
_______________________________________________
Logcheck-devel mailing list
Logcheck-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
