Context Navigation

source: branches/fc13-dev/server/fedora/config/etc/syslog-ng/d_zroot.pl @ 1625

Last change on this file since 1625 was 1584, checked in by geofft, 14 years ago
d_zroot: Also punt the logic for counting failed root logins This updates r1583, whose intent was to drop all such messages. Since we don't permit password logins for root any more than we do for other accounts, there's no need to zephyr about either.
Property svn:executable set to ``*
File size: 4.2 KB

Line
1	#!/usr/bin/perl
2
3	use strict;
4	use warnings;
5	use Sys::Hostname;
6	use Time::HiRes qw(ualarm);
7	use File::Temp;
8
9	our $ZCLASS = "scripts-auto";
10	our @USERS = qw/root logview/;
11	my $k5login;
12	open $k5login, '/root/.k5login';
13	our @RECIPIENTS = map {chomp; m\|([^/@]*)\| && $1} <$k5login>;
14	close $k5login;
15
16	our %USERS;
17	@USERS{@USERS} = undef;
18
19	sub zwrite($;$$@) {
20	my ($message, $class, $instance, @recipients) = @_;
21	$class \|\|= $ZCLASS;
22	$instance \|\|= 'root.'.hostname;
23	open(ZWRITE, "\|-", qw\|/usr/bin/zwrite -d -n -O log -c\|, $class, '-i', $instance, '-s', hostname, @recipients) or die "Couldn't open zwrite";
24	print ZWRITE $message;
25	close(ZWRITE);
26	}
27
28	my %toclass;
29
30	my %sshkeys;
31
32	sub buildKeyMap($) {
33	my ($file) = @_;
34	open (KEYS, $file) or warn "Couldn't open $file: $!";
35	while (<KEYS>) {
36	chomp;
37	my ($fingerprint, $comment) = parseKey($_);
38	$sshkeys{$fingerprint} = $comment;
39	}
40	close(KEYS);
41	}
42
43	sub parseKey($) {
44	my ($key) = @_;
45	my $tmp = new File::Temp;
46	print $tmp $key;
47	close $tmp;
48	open (KEYGEN, "-\|", qw(/usr/bin/ssh-keygen -l -f), $tmp) or die "Couldn't call ssh-keygen: $!";
49	my ($line) = <KEYGEN>;
50	close(KEYGEN);
51	my (undef, $fingerprint, undef) = split(' ', $line, 3);
52	my (undef, undef, $comment) = split(' ', $key, 3);
53	#print "$fingerprint $comment";
54	return ($fingerprint, $comment);
55	}
56
57	buildKeyMap("/root/.ssh/authorized_keys");
58	buildKeyMap("/root/.ssh/authorized_keys2");
59
60	while (1) {
61	my @message = scalar(<>);
62	eval {
63	local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required
64	ualarm(500*1000);
65	while (<>) { push @message, $_; }
66	};
67	chomp @message;
68	map { s/^(.*?): // } @message;
69	%toclass = ();
70	foreach my $message (@message) {
71	sub sendmsg ($;$) {
72	my ($message, $class) = @_;
73	$class \|\|= $ZCLASS;
74	$toclass{$class} .= $message."\n";
75	}
76	if ($message =~ m\|Accepted (\S+) for (\S+)\|) {
77	sendmsg($message) if exists $USERS{$2}
78	} elsif ($message =~ m\|Authorized to (\S+),\|) {
79	sendmsg($message) if exists $USERS{$1};
80	} elsif ($message =~ m\|Root (\S+) shell\|) {
81	sendmsg($message);
82	} elsif ($message =~ m\|session \S+ for user (\S+)\|) {
83	sendmsg($message) if exists $USERS{$1};
84	} elsif ($message =~ m\|^Found matching (\w+) key: (\S+)\|) {
85	if ($sshkeys{$2}) {
86	sendmsg($message." (".$sshkeys{$2}.")");
87	} else {
88	sendmsg($message." (UNKNOWN KEY)");
89	}
90	} elsif ($message =~ m\|^Out of memory:\|) {
91	sendmsg($message);
92	} elsif ($message =~ m\|^giving \S+ admin rights\|) {
93	sendmsg($message);
94	} elsif ($message =~ m\|^Connection closed\|) {
95	# Do nothing
96	} elsif ($message =~ m\|^Closing connection to \|) {
97	} elsif ($message =~ m\|^Connection from (\S+) port (\S+)\|) {
98	} elsif ($message =~ m\|^Invalid user\|) {
99	} elsif ($message =~ m\|^input_userauth_request: invalid user\|) {
100	} elsif ($message =~ m\|^Received disconnect from\|) {
101	} elsif ($message =~ m\|^Postponed keyboard-interactive\|) {
102	} elsif ($message =~ m\|^Failed keyboard-interactive/pam\|) {
103	} elsif ($message =~ m\|^fatal: Read from socket failed: Connection reset by peer$\|) {
104	} elsif ($message =~ m\|^reverse mapping checking getaddrinfo\|) {
105	} elsif ($message =~ m\|^pam_succeed_if\(sshd\:auth\)\:\|) {
106	} elsif ($message =~ m\|^error: PAM: Authentication failure\|) {
107	} elsif ($message =~ m\|^pam_unix\(sshd:auth\): authentication failure\|) {
108	} elsif ($message =~ m\|^Postponed keyboard-interactive for invalid user \|) {
109	} elsif ($message =~ m\|^Failed keyboard-interactive/pam for invalid user \|) {
110	} elsif ($message =~ m\|^Postponed gssapi-with-mic for \|) {
111	} elsif ($message =~ m\|^Address \S+ maps to \S+, but this does not map back to the address\|) {
112	} elsif ($message =~ m\|^User child is on pid \d+$\|) {
113	} elsif ($message =~ m\|^Transferred: sent \d+, received \d+ bytes$\|) {
114	} elsif ($message =~ m\|^Setting tty modes failed: Invalid argument$\|) {
115	} elsif ($message =~ m\|^ nrpe . COMMAND=/etc/nagios/check_ldap_mmr.real$\|) {
116	} elsif ($message =~ m\|^ *root : TTY=\|) {
117	} else {
118	sendmsg($message, "scripts-spew");
119	}
120	}
121
122	foreach my $class (keys %toclass) {
123	if ($class eq "scripts-auto") {
124	zwrite($toclass{$class}, $class);
125	} else {
126	zwrite($toclass{$class}, $class, undef, @RECIPIENTS);
127	}
128	}
129	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: