# [solved] Tenshi does not consider some rules

## Jimini

Hey folks,

I have a really small problem with tenshi. Its config contains the following rules (amongst others):

```
group ^nfs

trash ^rpc.mountd:*

trash ^rpc.mountd: authenticated (?:un)?mount request from .+:.+ for .+ \(.+\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/share/public/music \(/home/share/public\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/laura/Profile/Pidgin \(/home/laura/Profile/Pidgin\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/laura/Profile/Bilder \(/home/laura/Profile/Bilder\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/laura/Profile/Mails \(/home/laura/Profile/Mails\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/laura/Profile/Xchat \(/home/laura/Profile/Xchat\)

group_end
```

But tenshi still sends me reports containing

>     1: rpc.mountd: authenticated mount request from 10.0.0.5:868 for /home/share/public/videos (/home/share/public)
> 
>     1: rpc.mountd: authenticated mount request from 10.0.0.5:892 for /home/laura/Profile/Mails (/home/laura/Profile/Mails)
> 
>     1: rpc.mountd: authenticated mount request from 10.0.0.5:903 for /home/laura/Profile/Xchat (/home/laura/Profile/Xchat)
> ...

 

What am I doing wrong?

Best regards,

Jimini

----------

## Jimini

Another bunch of rules which seem to be ignored:

```
group ^su\(pam_unix\):

trash ^su: Successful su for root by jimini

trash ^su: pam_unix\(su:session\): session opened for user root by jimini\(uid=1002\)

trash ^su: pam_unix\(su:session\): session closed for user root

trash ^su: \+ /dev/pts/0 jimini:root

group_end
```

And here is the report:

>     2: su: pam_unix(su:session): session closed for user root
> 
>     1: su: + /dev/pts/0 jimini:root
> 
>     1: su: pam_unix(su:session): session opened for user root by jimini(uid=1002)
> ...

 

Best regards,

Jimini

----------

## Jimini

Andrea Barisani from Inverse Path helped me to solve my problem - it was really simple.

1)

```
group ^nfs

trash ^rpc.mountd:*

trash ^rpc.mountd: authenticated (?:un)?mount request from .+:.+ for .+ \(.+\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/share/public/music \(/home/share/public\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/laura/Profile/Pidgin \(/home/laura/Profile/Pidgin\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/laura/Profile/Bilder \(/home/laura/Profile/Bilder\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/laura/Profile/Mails \(/home/laura/Profile/Mails\)

trash ^rpc.mountd: authenticated mount request from 10.0.0.5:.+ for /home/laura/Profile/Xchat \(/home/laura/Profile/Xchat\)

group_end
```

=> instead of "group ^nfs" I have to use "group ^rpc.mountd" for these rules.

2)

```
group ^su\(pam_unix\)

trash ^su: pam_unix\(su:session\): session opened for user root by jimini\(uid=$

trash ^su: pam_unix\(su:session\): session closed for user root

critical ^login\(pam_unix\): session opened for user root by root\(uid=0\)

critical ^login\(pam_unix\): session opened for user root by \(uid=0\)

group_end
```

=> instead of "^su\(pam-unix\):" the group's name has to be "^su\(pam_unix\)"

Best regards,

Jimini

----------
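Added illustration (not part of the original posts, and not tenshi's own code): a Python model of the group gating behind fix 1), where rules inside a `group` are only tried on lines that match the group regex. It assumes first-match-wins ordering and uses Python's `re` in place of Perl regexes; `parse_rules`, `classify`, `dead_gates` and the `"fallthrough"` label are hypothetical names.

```python
import re

# Constructed from the thread: the 'group ^nfs' gate and the corrected one.
BROKEN = r"""
group ^nfs
trash ^rpc.mountd:*
trash ^rpc.mountd: authenticated (?:un)?mount request from .+:.+ for .+ \(.+\)
group_end
"""
FIXED = BROKEN.replace("group ^nfs", "group ^rpc.mountd")

# Sample lines taken from the report quoted in the first post.
SAMPLES = [
    "rpc.mountd: authenticated mount request from 10.0.0.5:868 for /home/share/public/videos (/home/share/public)",
    "rpc.mountd: authenticated mount request from 10.0.0.5:892 for /home/laura/Profile/Mails (/home/laura/Profile/Mails)",
]

def parse_rules(text):
    """Turn 'group', 'group_end' and '<queue> <regex>' lines into (gate, queue, regex) tuples."""
    rules, gate = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "group_end":
            gate = None
            continue
        keyword, _, pattern = line.partition(" ")
        if keyword == "group":
            gate = re.compile(pattern)
        else:
            rules.append((gate, keyword, re.compile(pattern)))
    return rules

def classify(rules, log_line):
    """Queue of the first applicable rule; grouped rules are skipped unless their gate matches."""
    for gate, queue, regex in rules:
        if gate is not None and not gate.search(log_line):
            continue  # gate failed, so this grouped rule is never tested
        if regex.search(log_line):
            return queue
    return "fallthrough"  # assumption: a later catch-all rule would report the line

def dead_gates(rules, samples):
    """Group regexes that no sample line satisfies, i.e. groups whose rules never run."""
    gates = {gate.pattern for gate, _, _ in rules if gate is not None}
    return sorted(g for g in gates if not any(re.search(g, s) for s in samples))
```

Running `dead_gates` over a few real lines from the log after every rule change catches a gate that silently disables its whole group.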

