From c7d8e643801bcee68c712883682ca0fc971c117d Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@stanford.edu>
Date: Sun, 14 Jul 2013 14:49:29 -0700
Subject: [PATCH] Remove Kerberos filter-syslog rules for eklogind and kshd

---
 NEWS                                      |  2 +
 files/kerberos/etc/filter-syslog/kerberos | 70 ++++-------------------
 2 files changed, 14 insertions(+), 58 deletions(-)

diff --git a/NEWS b/NEWS
index 3fd0327..a6e3ef8 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ release/002.000 (unreleased)
     Move campus anycast DNS servers to the bottom of the DNS server list
     for now.  These are not yet considered production DNS servers.
 
+    Remove Kerberos filter-syslog rules for eklogind and kshd.
+
 release/001.002 (2013-07-10)
 
     newsyslog::config now supports a new analyze_logs parameter, which
diff --git a/files/kerberos/etc/filter-syslog/kerberos b/files/kerberos/etc/filter-syslog/kerberos
index e475256..0cf340a 100644
--- a/files/kerberos/etc/filter-syslog/kerberos
+++ b/files/kerberos/etc/filter-syslog/kerberos
@@ -1,59 +1,13 @@
-# /etc/filter-syslog/kerberos -- Kerberos daemon syslog filter rules.
-
-klogind: /^Authentication.*failed.*Software caused connection abort/
-klogind: /^Error reading message/
-klogind: /^Kerberos( 5)? authentication failed/
-klogind: /^ROOT login by \S+/root@stanford\.edu/
-klogind: /^connect from (171\.6[4567]\.|\S+\.(?i)stanford\.edu\Z)/
-klogind: /^connect from 172\.2[4567]\./
-klogind: /^connect from ::ffff:171\.6[4567]\./
-
-kshd:    /^Executing .* for principal \S+/root@stanford.edu /
-kshd:    /^Executing .* for principal host/\S+@stanford.edu /
-kshd:    /^Executing .* for principal service/\S+@stanford.edu /
-kshd:    /^Executing .* for principal webauth/\S+@stanford.edu /
-kshd:    /^Principal .* for local user root failed krb5_kuserok/
-kshd:    /^Shell process completed\.$/
-kshd:    /^connect from (171\.6[4567]\.|\S+\.(?i)stanford\.edu\Z)/
-kshd:    /^connect from 172\.2[4567]\./
-kshd:    /^connect from ::ffff:171\.6[4567]\./
-kshd:    /^kshd: .* failed: Software caused connection abort/
-kshd:    /^kshd: Permission denied\./
-kshd:    /^pam_unix\(ekshell:session\): session (opened|closed) /
-kshd:    /^read: Connection reset by peer$/
-
-login:   /^\S+ connecting securely from /
-login:   /^ROOT LOGIN pts/\d+/
-login:   /^pam_unix\(remote:session\): session (opened|closed) /
-
-ksu:     /^\S+ to root on /dev/pts/\d+$/
-ksu:     /^'ksu root' authenticated \S+/root@stanford\.edu /
-ksu:     /^Account root: authorization for \S+ successful$/
-ksu:     /^Account root: authorization for \S+ for execution of \S+ successful$/
-ksu:     /^pam_unix\(ksu:session\): session (opened|closed) for user root/
-
-xinetd:  /^START: eklogin pid=\d+ from=[a-f:\d.]+$/
-xinetd:  /^START: kshell pid=\d+ from=[a-f:\d.]+$/
-xinetd:  /^EXIT: eklogin( status=\d+)? pid=\d+ duration=\d+\((sec|min)\)$/
-xinetd:  /^EXIT: kshell status=\d+ pid=\d+ duration=\d+\((sec|min)\)$/
-
-# Messages generated by the PAM support on Red Hat.
-ekshell(pam_unix): /^session (opened|closed) for user/
-remote(pam_unix):  /^session (opened|closed) for user/
-
-# Ignore noise generated by port scans.
-klogind: /^Can't get peer name of remote host/
-klogind: /^get peer name failed 0/
-kshd:    /^connect second port: Connection (refused|timed out)$/
-
-# Ignore noise from refused connections due to hosts.allow configuration.
-klogind: /^refused connect from /
-kshd:    /^refused connect from /
-xinetd:  /^libwrap refused connection to (eklogin|kshell) /
-
-# Sometimes long tripwire updates truncate the kshd log line.
-kshd:    /^Executing -x cd /root/tmp && /afs/ir/site/leland/tripwire.*/
-
-# Ignore failed ksu from members of the UNIX team.  We all periodically
-# mistype our password.
+# Kerberos syslog filter rules.  -*- conf -*-
+#
+# All this currently contains is the filter rules for ksu.
+
+ksu: /^\S+ to root on /dev/pts/\d+$/
+ksu: /^'ksu root' authenticated \S+/(root|admin)@stanford\.edu /
+ksu: /^Account root: authorization for \S+ successful$/
+ksu: /^Account root: authorization for \S+ for execution of \S+ successful$/
+ksu: /^pam_unix\(ksu:session\): session (opened|closed) for user root/
+
+# Ignore failed ksu from systems administrators.  We all periodically mistype
+# our password.
 ksu: /^'ksu root' authentication failed for (darrenp1|digant|hallk|meeilee|pradtke|rra|sfeng|whm|vdc|yuelu) on /dev/pts/\d+$/
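Review bot: The rewritten rule `ksu: /^'ksu root' authenticated \S+/(root|admin)@stanford\.edu /` widens the suppression from `/root` instances to `/admin` instances as well, so successful ksu-to-root authentications by `/admin` principals will no longer surface in the filtered report; the commit subject and the NEWS entry only mention dropping the eklogind and kshd rules, so this looks like an undocumented policy change. If it is intended, recording it next to the rule with a comment such as `# Both /root and /admin instances may ksu to root; these successes are expected.` and a sentence in NEWS would keep the report's coverage traceable. Separately, the new header comment `# Ignore failed ksu from systems administrators.` now describes the unchanged final rule, which still matches every failed attempt for the hard-coded user list regardless of volume, so repeated failures against those accounts are never reported; it may be worth confirming that the list is still current, since the rule's escaping of `/dev/pts/` is consistent with the other rules and otherwise looks fine.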
-- 
GitLab