
Commit 250b64e

committed
Handle sshd auto/spew from Buster
1 parent aacbe7d commit 250b64e


1 file changed

+9
-4
lines changed

1 file changed

+9
-4
lines changed

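--- a/ansible/files/scripts-syslog.conf
+++ b/ansible/files/scripts-syslog.conf
@@ -31,6 +31,10 @@ ruleset(name="zroot" queue.type="Direct") {
 then {
 call zpublic
 }
+
+if ($programname == 'audit') then stop
+if ($programname == 'systemd-logind') then stop
+
 # TODO: Look up ssh keys and annotate with whose key it is
 # Publicly log all root sessions, except cron or sudo
 if (re_match($msg, '^ pam_unix\\([^:]+:session\\): session \\S+ for user root')) then {
@@ -62,7 +66,8 @@ ruleset(name="zroot" queue.type="Direct") {
 if ($msg startswith ' Close session: ') then stop
 if (re_match($msg, '^ Connection from \\S+ port \\S+')) then stop
 if ($msg startswith ' Invalid user') then stop
-if ($msg startswith ' Disconnecting invalid user') then stop
+if ($msg startswith ' Did not receive identification string') then stop
+if ($msg startswith ' Disconnecting') then stop
 if ($msg startswith ' input_userauth_request: invalid user') then stop
 if ($msg startswith ' userauth_hostbased mismatch: ') then stop
 if ($msg startswith ' Received disconnect from ') then stop
@@ -71,9 +76,7 @@ ruleset(name="zroot" queue.type="Direct") {
 if ($msg startswith ' Postponed gssapi-with-mic for ') then stop
 if ($msg startswith ' Failed keyboard-interactive/pam') then stop
 if ($msg startswith ' fatal: Read from socket failed: Connection reset by peer') then stop
-if ($msg startswith ' error: kex_exchange_identification: read: Connection reset by peer') then stop
-if ($msg startswith ' error: kex_exchange_identification: read: Connection closed by remote host') then stop
-if ($msg startswith ' error: kex_exchange_identification: Connection closed by remote host') then stop
+if ($msg startswith ' error: kex_exchange_identification: ') then stop
 if ($msg startswith ' Connection reset by ') then stop
 if ($msg startswith ' reverse mapping checking getaddrinfo') then stop
 if ($msg startswith ' pam_succeed_if(sshd:auth):') then stop
@@ -109,6 +112,8 @@ ruleset(name="zroot" queue.type="Direct") {
 if \
 $syslogseverity <= '4' \
 or \
+$syslogfacility-text == 'auth' \
+or \
 $syslogfacility-text == 'authpriv' \
 or \
 ($syslogfacility-text == 'kern' and ($msg contains 'Out of memory:' or $msg contains 'Killed process')) \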
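Review bot: Widening the second hunk's rule to `if ($msg startswith ' Disconnecting') then stop` drops more than the old `' Disconnecting invalid user'` line did; if I remember the OpenSSH message format correctly, it also swallows `Disconnecting authenticating user root ... : Too many authentication failures`, which is the one trace of a password-guessing run against root that this root-session ruleset would otherwise carry. If the Buster noise being targeted is still the invalid-user form, keeping `' Disconnecting invalid user'` and adding a second narrow prefix for whatever new wording appeared would preserve that signal; failing that, a comment above the line such as `# Intentionally broad: also drops "Too many authentication failures" disconnects` would record that the loss is deliberate. The third hunk's collapse to `' error: kex_exchange_identification: '` only covers pre-authentication connection churn and looks fine. The `zroot` ruleset these rules sit in starts and ends outside the hunks, so whether a later ruleset still captures the dropped messages cannot be checked here.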
