Skip to content

Trace pam_unix_session_closed through parser coverage #83

Description

@stacknil

Review scope

Trace one unsupported PAM session-close line that is already committed in assets/mixed_auth_corpus.log.

Sample input

Mar 12 08:00:41 ubuntu-auth-01 pam_unix(sshd:session): session closed for user user001

This is the first pam_unix(sshd:session) session-close sample in the noisy auth corpus.

Expected output

In assets/mixed_auth_parser_coverage.json, the matching line is parser telemetry, not detector evidence:

  • category: unsupported_pam_variant
  • reason: unrecognized auth pattern: pam_unix_session_closed
  • the line should not produce a finding or change brute-force detector counts

Acceptance criteria

  • Name the exact fixture line under review.
  • Confirm whether the warning category and reason match the coverage artifact.
  • If anything is unclear, propose the smallest docs or fixture correction.
  • Keep parsing and detection questions separate.

Boundaries

Use only checked-in sanitized fixtures. Do not attach real authentication logs, usernames, addresses, credentials, host identifiers, or machine screenshots.

Metadata

Metadata

Assignees

No one assigned

    Labels

    good first issueGood for newcomershelp wantedExtra attention is neededparserParser and fixture coverage work

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions