Review scope
Trace one unsupported PAM session-close line that is already committed in assets/mixed_auth_corpus.log.
Sample input
Mar 12 08:00:41 ubuntu-auth-01 pam_unix(sshd:session): session closed for user user001
This is the first pam_unix(sshd:session) session-close sample in the noisy auth corpus.
Expected output
In assets/mixed_auth_parser_coverage.json, the matching line is parser telemetry, not detector evidence:
category: unsupported_pam_variant
reason: unrecognized auth pattern: pam_unix_session_closed
- the line should not produce a finding or change brute-force detector counts
Acceptance criteria
- Name the exact fixture line under review.
- Confirm whether the warning category and reason match the coverage artifact.
- If anything is unclear, propose the smallest docs or fixture correction.
- Keep parsing and detection questions separate.
Boundaries
Use only checked-in sanitized fixtures. Do not attach real authentication logs, usernames, addresses, credentials, host identifiers, or machine screenshots.
Review scope
Trace one unsupported PAM session-close line that is already committed in
assets/mixed_auth_corpus.log.Sample input
This is the first
pam_unix(sshd:session)session-close sample in the noisy auth corpus.Expected output
In
assets/mixed_auth_parser_coverage.json, the matching line is parser telemetry, not detector evidence:category:unsupported_pam_variantreason:unrecognized auth pattern: pam_unix_session_closedAcceptance criteria
Boundaries
Use only checked-in sanitized fixtures. Do not attach real authentication logs, usernames, addresses, credentials, host identifiers, or machine screenshots.