Remove Kerberos filter-syslog rules for eklogind and kshd

c7d8e643 · Russ Allbery · 9ce1f8d8 · c7d8e643 · c7d8e643
Commit c7d8e643 authored 11 years ago by Russ Allbery
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ release/002.000 (unreleased)
    Move campus anycast DNS servers to the bottom of the DNS server list
    for now.  These are not yet considered production DNS servers.
+    Remove Kerberos filter-syslog rules for eklogind and kshd.
 release/001.002 (2013-07-10)
    newsyslog::config now supports a new analyze_logs parameter, which

--- a/files/kerberos/etc/filter-syslog/kerberos
+++ b/files/kerberos/etc/filter-syslog/kerberos
-# /etc/filter-syslog/kerberos -- Kerberos daemon syslog filter rules.
+# Kerberos syslog filter rules.  -*- conf -*-
+#
-klogind: /^Authentication.*failed.*Software caused connection abort/
+# All this currently contains is the filter rules for ksu.
-klogind: /^Error reading message/
-klogind: /^Kerberos( 5)? authentication failed/
+ksu: /^\S+ to root on /dev/pts/\d+$/
-klogind: /^ROOT login by \S+/root@stanford\.edu/
+ksu: /^'ksu root' authenticated \S+/(root|admin)@stanford\.edu /
-klogind: /^connect from (171\.6[4567]\.|\S+\.(?i)stanford\.edu\Z)/
+ksu: /^Account root: authorization for \S+ successful$/
-klogind: /^connect from 172\.2[4567]\./
+ksu: /^Account root: authorization for \S+ for execution of \S+ successful$/
-klogind: /^connect from ::ffff:171\.6[4567]\./
+ksu: /^pam_unix\(ksu:session\): session (opened|closed) for user root/
-kshd:    /^Executing .* for principal \S+/root@stanford.edu /
+# Ignore failed ksu from systems administrators.  We all periodically mistype
-kshd:    /^Executing .* for principal host/\S+@stanford.edu /
+# our password.
-kshd:    /^Executing .* for principal service/\S+@stanford.edu /
-kshd:    /^Executing .* for principal webauth/\S+@stanford.edu /
-kshd:    /^Principal .* for local user root failed krb5_kuserok/
-kshd:    /^Shell process completed\.$/
-kshd:    /^connect from (171\.6[4567]\.|\S+\.(?i)stanford\.edu\Z)/
-kshd:    /^connect from 172\.2[4567]\./
-kshd:    /^connect from ::ffff:171\.6[4567]\./
-kshd:    /^kshd: .* failed: Software caused connection abort/
-kshd:    /^kshd: Permission denied\./
-kshd:    /^pam_unix\(ekshell:session\): session (opened|closed) /
-kshd:    /^read: Connection reset by peer$/
-login:   /^\S+ connecting securely from /
-login:   /^ROOT LOGIN pts/\d+/
-login:   /^pam_unix\(remote:session\): session (opened|closed) /
-ksu:     /^\S+ to root on /dev/pts/\d+$/
-ksu:     /^'ksu root' authenticated \S+/root@stanford\.edu /
-ksu:     /^Account root: authorization for \S+ successful$/
-ksu:     /^Account root: authorization for \S+ for execution of \S+ successful$/
-ksu:     /^pam_unix\(ksu:session\): session (opened|closed) for user root/
-xinetd:  /^START: eklogin pid=\d+ from=[a-f:\d.]+$/
-xinetd:  /^START: kshell pid=\d+ from=[a-f:\d.]+$/
-xinetd:  /^EXIT: eklogin( status=\d+)? pid=\d+ duration=\d+\((sec|min)\)$/
-xinetd:  /^EXIT: kshell status=\d+ pid=\d+ duration=\d+\((sec|min)\)$/
-# Messages generated by the PAM support on Red Hat.
-ekshell(pam_unix): /^session (opened|closed) for user/
-remote(pam_unix):  /^session (opened|closed) for user/
-# Ignore noise generated by port scans.
-klogind: /^Can't get peer name of remote host/
-klogind: /^get peer name failed 0/
-kshd:    /^connect second port: Connection (refused|timed out)$/
-# Ignore noise from refused connections due to hosts.allow configuration.
-klogind: /^refused connect from /
-kshd:    /^refused connect from /
-xinetd:  /^libwrap refused connection to (eklogin|kshell) /
-# Sometimes long tripwire updates truncate the kshd log line.
-kshd:    /^Executing -x cd /root/tmp && /afs/ir/site/leland/tripwire.*/
-# Ignore failed ksu from members of the UNIX team.  We all periodically
-# mistype our password.
 ksu: /^'ksu root' authentication failed for (darrenp1|digant|hallk|meeilee|pradtke|rra|sfeng|whm|vdc|yuelu) on /dev/pts/\d+$/