Okay, that was a little hasty. I now think I understand a little better. The above filters are present to ensure that every sudo event is handled at the violations layer and not below that.

So, instead of changing these lines, can I suggest we add an extra entry to /etc/logcheck/violations.ignore.d/logcheck-sudo to match these:

  Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
  Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session closed for user root
  Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
  Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session closed for user root

possibly these?

  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user root by [[:alnum:]]+\(uid=0\)
  ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user root

-- 
every sudo log is a violation
https://bugs.launchpad.net/bugs/243693
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
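The following script is an added example, not part of the bug report or of the logcheck package. It applies the two proposed violations.ignore.d rules exactly the way logcheck does (grep -E -v -f against the log) to a constructed set of sudo lines, so a maintainer can confirm before shipping a rule that it removes only the pam_unix session open/close noise and that the actual sudo COMMAND= record, and a session opened for a user other than root, still surface as violations. The temporary file names, the sample lines, and the extra COMMAND= and postgres lines are constructed for this check.

```shell
#!/bin/sh
# Added example: dry-run the proposed logcheck-sudo ignore rules the way
# logcheck applies them (grep -E -v -f RULES LOG). Not code from the bug
# report; the file names and sample log lines below are constructed.

RULES="${TMPDIR:-/tmp}/logcheck-sudo-rules.$$"
SAMPLE="${TMPDIR:-/tmp}/logcheck-sudo-sample.$$"
trap 'rm -f "$RULES" "$SAMPLE"' EXIT

# The two rules exactly as proposed in the bug comment.
cat > "$RULES" <<'EOF'
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session opened for user root by [[:alnum:]]+\(uid=0\)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo: pam_unix\(sudo:session\): session closed for user root
EOF

# Constructed sample: the four lines from the report, plus the sudo COMMAND=
# record that precedes a session and one session opened for a non-root user.
# Neither of the extra two lines should be swallowed by the ignore rules.
cat > "$SAMPLE" <<'EOF'
Jun 27 16:02:18 cuimhne sudo:  gavinmc : TTY=pts/0 ; PWD=/home/gavinmc ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:02:18 cuimhne sudo: pam_unix(sudo:session): session closed for user root
Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session opened for user root by gavinmc(uid=0)
Jun 27 16:03:41 cuimhne sudo: pam_unix(sudo:session): session closed for user root
Jun 27 16:05:02 cuimhne sudo: pam_unix(sudo:session): session opened for user postgres by gavinmc(uid=0)
EOF

# Lines that survive the ignore rules, i.e. what logcheck would still report
# as violations after this entry is added.
surviving_lines() {
    grep -E -v -f "$RULES" "$SAMPLE"
}

# Number of surviving lines (2 for the constructed sample: the COMMAND=
# record and the postgres session).
surviving_count() {
    surviving_lines | wc -l | tr -d ' '
}

echo "lines still reported by logcheck after applying the rules:"
surviving_lines
```

Run it as-is; the two rules are written to a scratch file rather than to /etc/logcheck, so nothing on the system is changed. If a future rule change makes the COMMAND= line disappear from the surviving output, the rule is too broad and would hide the very event the violations layer exists to report.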