From 7c2cb7e228acdc4bc339a75043b90be18e3166ab Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Fri, 3 Mar 2017 10:32:12 -0800
Subject: [PATCH] change how we define sunetids ignored by filter-syslog for
 ssh auth failures

---
 NEWS                                          | 10 ++++++++
 manifests/ssh.pp                              | 13 ++++++----
 .../ssh/etc/filter-syslog/ssh.erb             | 24 ++++++++++++++-----
 3 files changed, 37 insertions(+), 10 deletions(-)
 rename files/ssh/etc/filter-syslog/ssh => templates/ssh/etc/filter-syslog/ssh.erb (81%)

diff --git a/NEWS b/NEWS
index 826acbb..9c6719e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,13 @@
+release/005.007 (unreleased)
+
+    [ssh] Change the method by which we specify a list of sunetids to
+    filter via filter-syslog. If you install this version of base you will
+    need to add to hiera the list of sunetids whose authentication failure
+    warnings you want to continue ignoring. Otherwise, your root mail get
+    noisier. Because this only affects filter-syslog it has no affect on
+    the actual ssh service running on the server, so it is a very
+    low-impact change. [adamhl]
+
 release/005.006 (2017-02-16)
 
     [kerberos] Add support for the new kerberos environment 'qa'. [adamhl]
diff --git a/manifests/ssh.pp b/manifests/ssh.pp
index a3ebd84..55ab8c8 100644
--- a/manifests/ssh.pp
+++ b/manifests/ssh.pp
@@ -14,10 +14,15 @@
 # sudo, see the base::sudo class.
 # Default: false
 
+# $filter_sunetids: ignore "authentication failure" messages for this list
+# of sunetids.
+# Default: the empty array (so don't filter any such messages)
+
 class base::ssh(
-  $pam_afs   = true,
-  $pam_duo   = false,
-  $pam_slurm = false
+  $pam_afs         = true,
+  $pam_duo         = false,
+  $pam_slurm       = false,
+  $filter_sunetids = [],
 ){
 
   # Install the openssh server package.
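Review bot: `$filter_sunetids` is consumed as an array by the template (`.length`, `.join`) but nothing in this hunk constrains the value that hiera supplies; a scalar string or a nil lookup would fail at catalog compile with a Ruby NoMethodError rather than a message naming the parameter. If the module targets Puppet 4 or later, a data type on the parameter gives the check for free, `Array[String] $filter_sunetids = [],`; on Puppet 3 with stdlib, `validate_array($filter_sunetids)` at the top of the class body does the same. The header comment could also say what the entries are matched against (bare sunetids, not patterns) since the template interpolates them into regexes. The class body continues outside the hunk.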
@@ -102,6 +107,6 @@ class base::ssh(
 
   # Ignore routine ssh messages.
   file { '/etc/filter-syslog/ssh':
-    source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh',
+    content => template('base/ssh/etc/filter-syslog/ssh.erb'),
   }
 }
diff --git a/files/ssh/etc/filter-syslog/ssh b/templates/ssh/etc/filter-syslog/ssh.erb
similarity index 81%
rename from files/ssh/etc/filter-syslog/ssh
rename to templates/ssh/etc/filter-syslog/ssh.erb
index a9aff7a..ff03126 100644
--- a/files/ssh/etc/filter-syslog/ssh
+++ b/templates/ssh/etc/filter-syslog/ssh.erb
@@ -64,12 +64,24 @@ sshd: /^Disconnecting: Too many authentication failures for \S+$/
 
 # Ignore failed logins by ACS and other AS and ITS staff.  We all mistype
 # passwords occasionally.
-sshd: /^sshd\(pam_unix\): authentication failure; .* user=(adamhl|atayts|bxk|chekh|chom|jmcdermo|jcowart|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl)$/
-sshd: /^pam_(unix|krb5)\(sshd:auth\): authentication failure;.* (logname|user)=(adamhl|atayts|bxk|chekh|chom|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl)( |\Z)/
-sshd: /^Disconnecting: Too many authentication failures for (adamhl|atayts|bxk|chehk|chom|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl) \[preauth\]$/
-sshd: /^Failed (password|gssapi-with-mic|keyboard-interactive/pam) for (adamhl|atayts|bxk|chehk|chom|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl) from [a-f:\d.]+ port \d+ ssh2$/
-sshd: /^PAM \d+ more authentication failures?; .* user=(adamhl|atayts|bxk|chehk|chom|jcowart|jmcdermo|jonrober|ktai|laltman|martinp|nbfa|saracook|sfeng|swl)$/
-sshd: /^error: PAM: Authentication failure for (adamhl|atayts|bxk|chekh|chom||jcowart|jonrober|jmcdermo|ktai|laltman|nbfa|saracook|sfeng|swl) from [a-z:\d.-]+$/
+<%-
+  # Create an "OR" of all the sunetids we can ignore.
+  if (@filter_sunetids.length > 0) then
+    ignore_or_string = @filter_sunetids.join("|")
+-%>
+sshd: /^sshd\(pam_unix\): authentication failure; .* user=(<%= ignore_or_string %>)$/
+sshd: /^pam_(unix|krb5)\(sshd:auth\): authentication failure;.* (logname|user)=(<%= ignore_or_string %>)( |\Z)/
+sshd: /^Disconnecting: Too many authentication failures for (<%= ignore_or_string %>) \[preauth\]$/
+sshd: /^Failed (password|gssapi-with-mic|keyboard-interactive/pam) for (<%= ignore_or_string %>) from [a-f:\d.]+ port \d+ ssh2$/
+sshd: /^PAM \d+ more authentication failures?; .* user=(<%= ignore_or_string %>)$/
+sshd: /^error: PAM: Authentication failure for (<%= ignore_or_string %>) from [a-z:\d.-]+$/
+<%-
+  else
+-%>
+# Puppet Note: No sunetids provided, so skipping.
+<%-
+  end
+-%>
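Review bot: The entries are interpolated into the six `sshd:` regexes unescaped at `ignore_or_string = @filter_sunetids.join("|")`, so a value containing a regex metacharacter (`|`, `)`, `.`, `$`) changes the meaning of every rule rather than matching literally, and the result is a filter that is either broken or wider than intended. Since the alternation is built once, escape each entry and drop blanks there: `ids = @filter_sunetids.map(&:to_s).reject(&:empty?)` followed by `ignore_or_string = ids.map { |id| Regexp.escape(id) }.join("|")`, and test `ids.empty?` in the `if`. It is also worth a one-line comment above the block saying that `@filter_sunetids` is expected to hold plain sunetids, not patterns, so the escaping is not mistaken for a bug later.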
 
 # Ignore GSS-API failures as root.  This is normally because people try to
 # use their normal credentials for root access.
-- 
GitLab