[645] | 1 | #!/usr/bin/perl |
---|
| 2 | |
---|
| 3 | use strict; |
---|
| 4 | use warnings; |
---|
| 5 | use Sys::Hostname; |
---|
[666] | 6 | use Time::HiRes qw(ualarm); |
---|
[770] | 7 | use File::Temp; |
---|
[645] | 8 | |
---|
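# Default zephyr class for notices that are not routed elsewhere.
our $ZCLASS = "scripts-auto";
# Accounts whose logins and sessions are always reported.
our @USERS = qw/root logview/;

# Personal recipients for notices outside the default class: the first
# component of every principal in root's .k5login (the text before the first
# '/' or '@').  Entries that reduce to an empty name are dropped so that no
# empty recipient argument is ever passed to zwrite.
our @RECIPIENTS;
my $k5login;
if (open $k5login, '<', '/root/.k5login') {
    @RECIPIENTS = grep { defined($_) && length($_) }
                  map  { chomp; m|([^/@]*)| && $1 } <$k5login>;
    close $k5login;
}
else {
    # NOTE(review): with an empty recipient list the non-default classes are
    # sent exactly like the default class, i.e. with a class and no personal
    # recipients.  That presumably widens the audience of raw log lines from
    # the admins in .k5login to every subscriber of the class - confirm that
    # this is acceptable, or make the caller skip sending in that case.
    warn "Couldn't open /root/.k5login: $!";
}

# Set-style lookup table: membership is tested with exists(); the values are
# never read.
our %USERS;
@USERS{@USERS} = undef;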
---|
| 18 | |
---|
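# Send $message as a zephyr notice by piping it into /usr/bin/zwrite.
#
#   $message    - notice body, written to zwrite's standard input
#   $class      - zephyr class; falls back to $ZCLASS when false
#   $instance   - zephyr instance; falls back to "root.<hostname>" when false
#   @recipients - optional personal recipients appended to the command line
#
# Dies when the pipe to zwrite cannot be opened.  Returns the result of
# closing the pipe, which is false when zwrite exited with an error.
sub zwrite($;$$@) {
    my ($message, $class, $instance, @recipients) = @_;
    $class    ||= $ZCLASS;
    $instance ||= 'root.'.hostname;

    # List-form pipe open: the arguments are handed to exec without a shell,
    # so nothing in $class, $instance or @recipients is shell-interpreted.
    # The log text itself, which is partly client-controlled, only ever
    # travels on standard input.
    # NOTE(review): -d selects unauthenticated sending in zwrite(1) as far as
    # I can tell - confirm against the installed man page.  If so, subscribers
    # cannot tell these notices from ones forged by another sender.
    my @command = (
        qw|/usr/bin/zwrite -d -n -O log -c|, $class,
        '-i', $instance, '-s', hostname, @recipients,
    );
    open(my $zwrite, "|-", @command) or die "Couldn't open zwrite: $!";
    print {$zwrite} $message;

    # close() on a pipe waits for the child; a failure here means the alert
    # may never have been delivered, which must not pass silently.
    my $delivered = close($zwrite);
    warn "zwrite failed (wait status $?, errno '$!')" unless $delivered;
    return $delivered;
}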
---|
| 27 | |
---|
# %toclass: text waiting to be sent, keyed by zephyr class.
# %sshkeys: SSH key fingerprint => comment field of that key.
my (%toclass, %sshkeys);
---|
| 31 | |
---|
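# Read an authorized_keys-style file and record each key in %sshkeys as
# fingerprint => comment.
#
#   $file - path of the key file
#
# An unreadable file produces a warning and leaves %sshkeys untouched.
# Returns the result of closing the file, or nothing when it was not opened.
sub buildKeyMap($) {
    my ($file) = @_;

    # Three-argument open with a lexical handle: the path is never parsed for
    # a mode or pipe character, whatever the caller passes in.
    my $keys;
    unless (open($keys, '<', $file)) {
        warn "Couldn't open $file: $!";
        return;
    }

    while (my $entry = <$keys>) {
        chomp $entry;
        # Blank lines and comments are not keys; do not run ssh-keygen on them.
        next if $entry =~ /^\s*(?:#|$)/;
        my ($fingerprint, $comment) = parseKey($entry);
        # A line ssh-keygen could not fingerprint must not create a bogus
        # entry that later log lines could be matched against.
        next unless defined $fingerprint;
        $sshkeys{$fingerprint} = $comment;
    }
    return close($keys);
}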
---|
| 42 | |
---|
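# Compute the fingerprint of one public-key line with ssh-keygen.
#
#   $key - a single key line (no trailing newline required)
#
# Returns ($fingerprint, $comment).  $fingerprint is the second field of
# ssh-keygen's first output line, or undef when ssh-keygen printed nothing.
# $comment is the third whitespace-separated field of $key.
# Dies when ssh-keygen cannot be started.
sub parseKey($) {
    my ($key) = @_;

    # ssh-keygen -l -f takes its input from a file, so the line is staged in
    # a temporary file.  File::Temp picks a unique name and removes the file
    # when $tmp is destroyed.
    my $tmp = File::Temp->new;
    print {$tmp} $key;
    close $tmp or warn "Couldn't write temporary key file: $!";

    # List-form pipe open: no shell is involved in running ssh-keygen.
    open(my $keygen, "-|", qw(/usr/bin/ssh-keygen -l -f), $tmp->filename)
        or die "Couldn't call ssh-keygen: $!";
    my ($line) = <$keygen>;
    close($keygen);

    # NOTE(review): the fingerprint is later compared with the one sshd logs;
    # both must use the same hash format for known keys to be recognised -
    # confirm for the installed OpenSSH version.
    my $fingerprint;
    (undef, $fingerprint) = split(' ', $line, 3) if defined $line;

    # NOTE(review): assumes the entry is a plain "type key comment" line; an
    # entry that starts with an options field would put something else in the
    # third position - confirm against the real key files.
    my (undef, undef, $comment) = split(' ', $key, 3);
    #print "$fingerprint $comment";
    return ($fingerprint, $comment);
}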
---|
| 56 | |
---|
# Index root's authorized keys once, before the log loop starts.
# NOTE(review): the map is never rebuilt, so a key added to either file while
# this script is running is reported as "(UNKNOWN KEY)" until a restart.
for my $keyfile (qw(/root/.ssh/authorized_keys /root/.ssh/authorized_keys2)) {
    buildKeyMap($keyfile);
}
---|
| 59 | |
---|
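# Queue $message for zephyr class $class (default $ZCLASS): the text is
# appended, newline-terminated, to that class's entry in %toclass.
sub sendmsg ($;$) {
    my ($message, $class) = @_;
    $class ||= $ZCLASS;
    $toclass{$class} .= $message."\n";
}

# Main loop: read log lines from the input, batch lines that arrive within
# half a second of each other, classify every line and send one notice per
# zephyr class.
while (1) {
    # Block until the next line arrives.  At end of input leave the loop
    # instead of spinning and sending empty notices.
    my $first = <>;
    last unless defined $first;
    my @message = ($first);

    # Collect whatever else arrives within 500 ms.
    eval {
        local $SIG{ALRM} = sub { die "alarm\n" }; # NB: \n required
        ualarm(500*1000);
        while (<>) { push @message, $_; }
        # Input ended before the timer fired: disarm it while the handler is
        # still installed, otherwise the late SIGALRM meets the default
        # disposition and terminates the script.
        ualarm(0);
    };
    die $@ if $@ && $@ ne "alarm\n";

    chomp @message;
    # Drop everything up to and including the first ": " of each line.
    s/^(.*?): // for @message;

    %toclass = ();
    foreach my $message (@message) {
        # NOTE(review): the first four patterns are not anchored, and parts
        # of sshd messages (such as user names) are supplied by the client,
        # so text embedded in an unrelated line can raise one of these
        # alerts.  Consider anchoring them where the log format allows it.
        if ($message =~ m|Accepted (\S+) for (\S+)|) {
            sendmsg($message) if exists $USERS{$2};
        } elsif ($message =~ m|Authorized to (\S+),|) {
            sendmsg($message) if exists $USERS{$1};
        } elsif ($message =~ m|Root (\S+) shell|) {
            sendmsg($message);
        } elsif ($message =~ m|session \S+ for user (\S+)|) {
            sendmsg($message) if exists $USERS{$1};
        } elsif ($message =~ m|^Found matching (\w+) key: (\S+)|) {
            # Annotate the line with the key's comment so the reader sees
            # whose key was used; unrecognised fingerprints stand out.
            if ($sshkeys{$2}) {
                sendmsg($message." (".$sshkeys{$2}.")");
            } else {
                sendmsg($message." (UNKNOWN KEY)");
            }
        } elsif ($message =~ m|^Out of memory:|) {
            sendmsg($message);
        } elsif ($message =~ m|^giving \S+ admin rights|) {
            sendmsg($message);

        # Everything below is recognised and deliberately dropped.
        # NOTE(review): this includes the authentication-failure and
        # invalid-user lines, so repeated failed logins produce no notice
        # from this script - presumably they are watched elsewhere; confirm.
        } elsif ($message =~ m|^Connection closed|) {
            # Do nothing
        } elsif ($message =~ m|^Closing connection to |) {
        } elsif ($message =~ m|^Connection from (\S+) port (\S+)|) {
        } elsif ($message =~ m|^Invalid user|) {
        } elsif ($message =~ m|^input_userauth_request: invalid user|) {
        } elsif ($message =~ m|^Received disconnect from|) {
        } elsif ($message =~ m|^Postponed keyboard-interactive|) {
        } elsif ($message =~ m|^Failed keyboard-interactive/pam|) {
        } elsif ($message =~ m|^fatal: Read from socket failed: Connection reset by peer$|) {
        } elsif ($message =~ m|^reverse mapping checking getaddrinfo|) {
        } elsif ($message =~ m|^pam_succeed_if\(sshd\:auth\)\:|) {
        } elsif ($message =~ m|^error: PAM: Authentication failure|) {
        } elsif ($message =~ m|^pam_unix\(sshd:auth\): authentication failure|) {
        } elsif ($message =~ m|^Postponed keyboard-interactive for invalid user |) {
        } elsif ($message =~ m|^Failed keyboard-interactive/pam for invalid user |) {
        } elsif ($message =~ m|^Postponed gssapi-with-mic for |) {
        } elsif ($message =~ m|^Address \S+ maps to \S+, but this does not map back to the address|) {
        } elsif ($message =~ m|^User child is on pid \d+$|) {
        } elsif ($message =~ m|^Transferred: sent \d+, received \d+ bytes$|) {
        } elsif ($message =~ m|^Setting tty modes failed: Invalid argument$|) {
        } elsif ($message =~ m|^ *nrpe .* COMMAND=/etc/nagios/check_ldap_mmr.real$|) {
        } elsif ($message =~ m|^ *root : TTY=|) {
        } elsif ($message =~ m|^Set /proc/self/oom_adj to 0|) {
        } else {
            # Unrecognised lines are kept, but routed to a separate class.
            sendmsg($message, "scripts-spew");
        }
    }

    # One notice per class.  The default class is sent without personal
    # recipients; every other class goes to the people in @RECIPIENTS.
    foreach my $class (keys %toclass) {
        if ($class eq "scripts-auto") {
            zwrite($toclass{$class}, $class);
        } else {
            zwrite($toclass{$class}, $class, undef, @RECIPIENTS);
        }
    }
}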
---|