
##
## su/login/sudo rules include rules
## (c)2005 by Tadeusz Pietraszek (tadek@pietraszek.org)
##

##
## The idea is to have all kinds of messages here, interesting ones
## go to mail/critical/..., uninteresting ones go to trash
## There's also a catch rule for all other loginsusudo stuff
##


group ^login\(pam_unix\):
critical ^login\(pam_unix\): session opened for user root by root\(uid=0\)
critical ^login\(pam_unix\): session opened for user root by \(uid=0\)
report   ^login\(pam_unix\): session closed for user (.+)
report   ^login\(pam_unix\): session opened for user (.+)
group_end

report   ^passwd\(pam_unix\):

group ^su: \(pam_unix\)
root,report   ^su: \(pam_unix\) session opened for user root
report        ^su: \(pam_unix\) session opened for user (.+)
report        ^su: \(pam_unix\) session closed for user (.+)
group_end

group ^su:
#catch all su
report ^su:
group_end

critical ^(?:/usr/bin)?sudo:


