1 | #!/usr/bin/perl |
---|
2 | |
---|
3 | use strict; |
---|
4 | use warnings; |
---|
5 | use Sys::Hostname; |
---|
6 | use Time::HiRes qw(ualarm); |
---|
7 | use File::Temp; |
---|
8 | |
---|
9 | our $ZCLASS = "scripts-auto"; |
---|
10 | our @USERS = qw/root logview/; |
---|
11 | my $k5login; |
---|
12 | open $k5login, '/root/.k5login'; |
---|
13 | our @RECIPIENTS = map {chomp; m|([^/@]*)| && $1} <$k5login>; |
---|
14 | close $k5login; |
---|
15 | |
---|
16 | our %USERS; |
---|
17 | @USERS{@USERS} = undef; |
---|
18 | |
---|
19 | sub zwrite($;$$\@) { |
---|
20 | my ($message, $class, $instance, $recipref) = @_; |
---|
21 | my @recipients = (); |
---|
22 | if (defined($recipref)) { |
---|
23 | if (@$recipref) { |
---|
24 | @recipients = @$recipref; |
---|
25 | } else { |
---|
26 | $message = '@b(Empty recipient list specified, message redacted)'; |
---|
27 | $class = $ZCLASS; |
---|
28 | } |
---|
29 | } |
---|
30 | $class ||= $ZCLASS; |
---|
31 | $instance ||= 'root.'.hostname; |
---|
32 | open(ZWRITE, "|-", qw|/usr/bin/zwrite -d -n -O log -c|, $class, '-i', $instance, '-s', hostname, @recipients) or die "Couldn't open zwrite"; |
---|
33 | print ZWRITE $message; |
---|
34 | close(ZWRITE); |
---|
35 | } |
---|
36 | |
---|
37 | unless (@RECIPIENTS) { |
---|
38 | # Also give a warning at startup |
---|
39 | zwrite('@b(No .k5login found, sensitive logs will not be zephyred)', $ZCLASS); |
---|
40 | } |
---|
41 | |
---|
42 | my %toclass; |
---|
43 | |
---|
44 | my %sshkeys; |
---|
45 | |
---|
46 | sub buildKeyMap($) { |
---|
47 | my ($file) = @_; |
---|
48 | open (KEYS, $file) or (warn "Couldn't open $file: $!\n" and return); |
---|
49 | while (<KEYS>) { |
---|
50 | chomp; |
---|
51 | my ($fingerprint, $comment) = parseKey($_); |
---|
52 | $sshkeys{$fingerprint} = $comment; |
---|
53 | } |
---|
54 | close(KEYS); |
---|
55 | } |
---|
56 | |
---|
57 | sub parseKey($) { |
---|
58 | my ($key) = @_; |
---|
59 | my $tmp = new File::Temp; |
---|
60 | print $tmp $key; |
---|
61 | close $tmp; |
---|
62 | open (KEYGEN, "-|", qw(/usr/bin/ssh-keygen -l -f), $tmp) or die "Couldn't call ssh-keygen: $!"; |
---|
63 | my ($line) = <KEYGEN>; |
---|
64 | close(KEYGEN); |
---|
65 | my (undef, $fingerprint, undef) = split(' ', $line, 3); |
---|
66 | my (undef, undef, $comment) = split(' ', $key, 3); |
---|
67 | #print "$fingerprint $comment"; |
---|
68 | return ($fingerprint, $comment); |
---|
69 | } |
---|
70 | |
---|
71 | buildKeyMap("/root/.ssh/authorized_keys"); |
---|
72 | buildKeyMap("/root/.ssh/authorized_keys2"); |
---|
73 | |
---|
74 | my @message; |
---|
75 | |
---|
76 | while (my $line = <>) { |
---|
77 | @message = $line; |
---|
78 | eval { |
---|
79 | local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required |
---|
80 | ualarm(500*1000); |
---|
81 | while (<>) { push @message, $_; } |
---|
82 | }; |
---|
83 | chomp @message; |
---|
84 | map { s/^(.*?): // } @message; |
---|
85 | %toclass = (); |
---|
86 | foreach my $message (@message) { |
---|
87 | sub sendmsg ($;$) { |
---|
88 | my ($message, $class) = @_; |
---|
89 | $class ||= $ZCLASS; |
---|
90 | $toclass{$class} .= $message."\n"; |
---|
91 | } |
---|
92 | if ($message =~ m|Accepted (\S+) for (\S+)|) { |
---|
93 | sendmsg($message) if exists $USERS{$2} |
---|
94 | } elsif ($message =~ m|Authorized to (\S+),|) { |
---|
95 | sendmsg($message) if exists $USERS{$1}; |
---|
96 | } elsif ($message =~ m|Root (\S+) shell|) { |
---|
97 | sendmsg($message); |
---|
98 | } elsif ($message =~ m|pam_unix\(([^:]+):session\): session \S+ for user (\S+)|) { |
---|
99 | sendmsg($message) if $1 ne "cron" and exists $USERS{$2}; |
---|
100 | } elsif ($message =~ m|^Found matching (\w+) key: (\S+)|) { |
---|
101 | if ($sshkeys{$2}) { |
---|
102 | sendmsg($message." (".$sshkeys{$2}.")"); |
---|
103 | } else { |
---|
104 | sendmsg($message." (UNKNOWN KEY)"); |
---|
105 | } |
---|
106 | } elsif ($message =~ m|^Out of memory:|) { |
---|
107 | sendmsg($message); |
---|
108 | } elsif ($message =~ m|^giving \S+ admin rights|) { |
---|
109 | sendmsg($message); |
---|
110 | } elsif ($message =~ m|^Connection closed|) { |
---|
111 | # Do nothing |
---|
112 | } elsif ($message =~ m|^Closing connection to |) { |
---|
113 | } elsif ($message =~ m|^Connection from (\S+) port (\S+)|) { |
---|
114 | } elsif ($message =~ m|^Invalid user|) { |
---|
115 | } elsif ($message =~ m|^input_userauth_request: invalid user|) { |
---|
116 | } elsif ($message =~ m|^Received disconnect from|) { |
---|
117 | } elsif ($message =~ m|^Postponed keyboard-interactive|) { |
---|
118 | } elsif ($message =~ m|^Failed keyboard-interactive/pam|) { |
---|
119 | } elsif ($message =~ m|^fatal: Read from socket failed: Connection reset by peer$|) { |
---|
120 | } elsif ($message =~ m|^reverse mapping checking getaddrinfo|) { |
---|
121 | } elsif ($message =~ m|^pam_succeed_if\(sshd\:auth\)\:|) { |
---|
122 | } elsif ($message =~ m|^error: PAM: Authentication failure|) { |
---|
123 | } elsif ($message =~ m|^pam_unix\(sshd:auth\): authentication failure|) { |
---|
124 | } elsif ($message =~ m|^pam_unix\(sshd:auth\): check pass; user unknown|) { |
---|
125 | } elsif ($message =~ m|^Postponed keyboard-interactive for invalid user |) { |
---|
126 | } elsif ($message =~ m|^Failed keyboard-interactive/pam for invalid user |) { |
---|
127 | } elsif ($message =~ m|^Postponed gssapi-with-mic for |) { |
---|
128 | } elsif ($message =~ m|^Address \S+ maps to \S+, but this does not map back to the address|) { |
---|
129 | } elsif ($message =~ m|^Nasty PTR record .* is set up for .*, ignoring|) { |
---|
130 | } elsif ($message =~ m|^User child is on pid \d+$|) { |
---|
131 | } elsif ($message =~ m|^Transferred: sent \d+, received \d+ bytes$|) { |
---|
132 | } elsif ($message =~ m|^Setting tty modes failed: Invalid argument$|) { |
---|
133 | } elsif ($message =~ m|^ *nrpe .* COMMAND=/etc/nagios/check_ldap_mmr.real$|) { |
---|
134 | } elsif ($message =~ m|^ *root : TTY=|) { |
---|
135 | } elsif ($message =~ m|^Set /proc/self/oom_adj to |) { |
---|
136 | } elsif ($message =~ m|^Set /proc/self/oom_score_adj to |) { |
---|
137 | } elsif ($message =~ m|^fatal: mm_request_receive: read: Connection reset by peer$|) { |
---|
138 | } elsif ($message =~ m|^selinux sandbox not useful \[preauth\]$|) { |
---|
139 | } else { |
---|
140 | sendmsg($message, "scripts-spew"); |
---|
141 | } |
---|
142 | } |
---|
143 | |
---|
144 | foreach my $class (keys %toclass) { |
---|
145 | if ($class eq $ZCLASS) { |
---|
146 | zwrite($toclass{$class}, $class); |
---|
147 | } else { |
---|
148 | zwrite($toclass{$class}, $class, undef, @RECIPIENTS); |
---|
149 | } |
---|
150 | } |
---|
151 | } |
---|