stanford-server (177) unstable; urgency=medium

  * Remove tripwire from the package (has not been used at Stanford for many years).
  * Remove usr/sbin/remctl-acl-update from package. This has been replaced by the
    script from remctl-acl-update-flex package.
  * Change /etc/cron.hourly/remctl-acl to a template that does not install
    any remctl ACL files. We do this because the the new
    remctl-acl-update-flex script requires explicit ACL files and, unlike
    the old usr/sbin/remctl-acl-update script, does not install any remctl
    ACL files by default. Thus system maintainers will have to change the
    hourly cron job themselves to suite their circumstances.
  * Readded comments to /usr/sbin/key-system that were removed in a previous
    release

 -- Lonlone Lee <lonlone@stanford.edu>  Fri, 19 Sep 2025 10:04:45 -0700

stanford-server (176) unstable; urgency=medium

  * Updated key-system script to use chrony instead of ntp.
    This was done because Trixie has deprecated ntp.

 -- Lonlone Lee <lonlone@stanford.edu>  Wed, 03 Sep 2025 20:29:31 -0700

stanford-server (175) unstable; urgency=medium

  * Added performance data to check_ossec_report and fixed a typo in the
    remctl configuration1

 -- Lonlone Lee <lonlone@stanford.edu>  Mon, 11 Nov 2024 13:49:26 -0800

stanford-server (174) unstable; urgency=medium

  * Added the monitor ossec-report command to the monitor-base remctl
    configuration.

 -- Lonlone Lee <lonlone@stanford.edu>  Mon, 11 Nov 2024 13:25:36 -0800

stanford-server (173) unstable; urgency=medium

  * Updated the /usr/sbin/monitor-base script to enable the check_ossec_report
    plugin.

 -- Lonlone Lee <lonlone@stanford.edu>  Thu, 24 Oct 2024 12:19:51 -0700

stanford-server (172) unstable; urgency=medium

  * Added /usr/lib/nagios/plugins/check_ossec_report: Nagios plugin to
    check on the file size of the OSSEC Report

 -- Lonlone Lee <lonlone@stanford.edu>  Thu, 24 Oct 2024 10:11:43 -0700

stanford-server (171) unstable; urgency=medium

  * Fixed typos in /usr/sbin/key-system

 -- Lonlone Lee <lonlone@stanford.edu>  Tue, 15 Aug 2023 15:58:09 -0700

stanford-server (170) unstable; urgency=medium

  * Updated /usr/sbin/key-system script to support the deprecation
    of init.d scripts to use the service command instead.  Also account
    for the lack of ntp user by replacing it with ntpsec.

 -- Lonlone Lee <lonlone@stanford.edu>  Tue, 15 Aug 2023 13:57:19 -0700

stanford-server (169) unstable; urgency=medium

  * [usr/sbin/check_cert_chain_expiration] Add some extra messages in
    verbose mode and include the subject of the certificate that is
    expiring in the WARN and CRITICAL messages.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Fri, 06 Jan 2023 17:41:48 -0800

stanford-server (168) unstable; urgency=medium

  * Added sslcert_file check to monitor-base script and remctl.  This will
    allow Nagios checks for SSL Certificate Expiration of files on servers.

 -- Lonlone Lee <lonlone@stanford.edu>  Fri, 01 Jul 2022 13:47:25 -0700

stanford-server (167) unstable; urgency=medium

  * Switch to /usr/sbin/remctl-acl-update-flex for remctl acl update
    script. (Late merge; work actually done in May 2021.)

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Mon, 09 May 2022 15:52:05 -0700

stanford-server (166) unstable; urgency=medium

  * Added a puppet client check to monitoring remctl and monitor-base script

 -- Lonlone Lee <lonlone@stanford.edu>  Wed, 27 Apr 2022 17:07:15 -0700

stanford-server (165) unstable; urgency=medium

  * Non-maintainer upload.
  * Combined debian and redhat build source directory

 -- Bruce Barnes <bnbarnes@stanford.edu>  Tue, 30 Nov 2021 11:50:13 -0800

stanford-server (164) unstable; urgency=medium

  * Add package dependency for remctl-acl-update-flex.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Wed, 12 May 2021 16:05:38 -0700

stanford-server (163) unstable; urgency=medium

  * Commented out 'use autodie' from the /usr/sbin/key-system script.
  * IEDO-900 was created in order to properly test this command before it's
    re-introduced.

 -- Lonlone Lee <lonlone@stanford.edu>  Wed, 10 Mar 2021 15:21:22 -0800

stanford-server (162) unstable; urgency=medium

  * Added file existance check for /var/lock/key-system to keep key-system
    script from erroring out.
  * The addition of autodie was causing a problem in /usr/sbin/key-system on line 90.

 -- Lonlone Lee <lonlone@stanford.edu>  Wed, 10 Mar 2021 13:31:51 -0800

stanford-server (161) unstable; urgency=medium

  * Updated check_procs_perf and check_service executability

 -- Lonlone Lee <lonlone@stanford.edu>  Tue, 09 Mar 2021 13:07:20 -0800

stanford-server (160) unstable; urgency=medium

  * Updated check_procs_perf for command line argument check

 -- Lonlone Lee <lonlone@stanford.edu>  Tue, 09 Mar 2021 11:36:43 -0800

stanford-server (159) unstable; urgency=medium

  * Added check_service and check_procs_perf Nagios plugins to remctl and
    monitor base for: IEDO-725, IEDO-792

 -- Lonlone Lee <lonlone@stanford.edu>  Tue, 09 Mar 2021 09:56:17 -0800

stanford-server (158) unstable; urgency=medium

  * Remove nagios-alert-wrapper (should not have ever been in this
    package).

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Mon, 08 Feb 2021 13:07:18 -0800

stanford-server (157) unstable; urgency=medium

  * Added new script nagios-alert-wrapper.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Mon, 08 Feb 2021 08:03:36 -0800

stanford-server (156+nmu1) unstable; urgency=medium

  * Added update as a new parameter to monitor-base and added it to remctl
    conf.d

 -- Lonlone Lee <lonlone@stanford.edu>  Thu, 08 Oct 2020 16:47:39 -0700

stanford-server (156) unstable; urgency=medium

  * restart-dns-cache: A wrapper script that restarts the dnsmasq and bind
    services.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Thu, 10 Sep 2020 15:43:55 -0700

stanford-server (155) unstable; urgency=medium

  * Add the remctl ACL group "iedo" to /usr/sbin/remctl-acl-update.

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Wed, 02 Sep 2020 11:39:11 -0700

stanford-server (154) unstable; urgency=medium

  * monitor-base: add the tcp monitor so that we can see if servers have
    access to services on other servers.

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Tue, 25 Feb 2020 15:05:36 -0800

stanford-server (153) unstable; urgency=medium

  * Ossec-syscheck: Default email to root

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Tue, 03 Dec 2019 09:53:42 -0800

stanford-server (152) unstable; urgency=medium

  *  More Updates to ossec script

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Thu, 21 Nov 2019 12:23:36 -0800

stanford-server (151) unstable; urgency=medium

  * ossec-syscheck: add ossec service status check

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Fri, 15 Nov 2019 17:26:05 -0800

stanford-server (150) unstable; urgency=medium

  * New script: ossec-syscheck script to perform some ossec related tasks

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Thu, 14 Nov 2019 13:03:12 -0800

stanford-server (149) unstable; urgency=medium

  * New script: merge-ossec-fragments to support the su_ossec Puppet module.

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Mon, 04 Nov 2019 13:21:12 -0800

stanford-server (148) unstable; urgency=medium

  * Add rsyslog-restart script to restart for programs like newsyslog that can only
    handle running a script with no arguments.

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Wed, 11 Sep 2019 09:42:32 -0700

stanford-server (147) unstable; urgency=medium

  * add reboot remctl conf to reboot the servers using remctl

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Tue, 10 Sep 2019 12:26:25 -0700

stanford-server (146) unstable; urgency=medium

  * debchange again to sign the package. Debsign checks the last commented user
    from the changelog file to sign the package.

 -- Srinivas Rao Puttagunta <psr123@stanford.edu>  Tue, 27 Aug 2019 10:55:34 -0700

stanford-server (145) unstable; urgency=medium

  * [/usr/sbin/monitor-base] Exclude the tracefs file system from the disk_check
    command (permissions issue).

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Tue, 27 Aug 2019 10:32:29 -0700

stanford-server (144) unstable; urgency=medium

  * Move puppet-backend3 and puppet-backend5 to the new package
    stanford-puppet-backend. [adamhl]
  * Add an ntp monitor to monitor-base that can be called by the Nagios
    server via remctl. [ljlgeek]

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Sat, 24 Aug 2019 12:45:36 -0700

stanford-server (143) unstable; urgency=medium

  * [puppet-backend5] Puppet agent 5.5.16 outputs server_list in a
    different format than previously, so deal with that.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Wed, 07 Aug 2019 14:03:22 -0700

stanford-server (142) unstable; urgency=medium

  * [remctl-acl-update] Suppress copying the "security" group from AFS for the
    Kerberos KDCs.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Wed, 30 Jan 2019 11:25:36 -0800

stanford-server (141) unstable; urgency=medium

  * [remctl-acl-update] Add debian-repo-managers to the list of remctl ACL
    files to automatically copy into /etc/remctl/acl whenever
    remctl-acl-update runs. This is an innocuous action as the
    debian-repo-managers ACL file will only have an effect if someone puts
    it into a remctl conf file.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Fri, 05 Oct 2018 13:34:01 -0700

stanford-server (140) unstable; urgency=medium

  * Split puppet-backend into two programs, one for the old Puppet 3
    infrastructure, and one for the new Puppet 5 infrastructure. Use
    Debian alternatives to help manage which one is used.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Thu, 11 Jan 2018 13:31:37 -0800

stanford-server (139) unstable; urgency=medium

  * [key-system] Revert mistaken commenting out of important code.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Mon, 03 Jul 2017 15:51:25 -0700

stanford-server (138) unstable; urgency=medium

  * [key-system] For Debian stretch (and later) add the "-u ntp" option to
    the ntpd command so we don't get file permission errors.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Mon, 03 Jul 2017 11:11:49 -0700

stanford-server (137) unstable; urgency=medium

  * [/usr/sbin/remctl-acl-update] Add new remctl ACL file acs-linux to the
    script. This change means that two new files /etc/remctl/acl/acs-linux
    and /etc/remctl/acl/acs-linux-root will be added to all systems
    running remctl-acl-update. Note that adding these files has no effect
    until they some remctl configuration uses them.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Thu, 23 Feb 2017 07:47:15 -0800

stanford-server (136) unstable; urgency=medium

  * Add new script: nagios-log-file-alerter. Used to help alert on scary
    things in log files. To support this, add a new remctl/conf.d file.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Sat, 01 Oct 2016 09:33:06 -0700

stanford-server (135) unstable; urgency=medium

  * Fix install of run-through-filter-syslog.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Fri, 01 Jul 2016 13:37:41 -0700

stanford-server (134) unstable; urgency=medium

  * Added new script: run-through-filter-syslog

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Fri, 01 Jul 2016 13:21:30 -0700

stanford-server (133) unstable; urgency=medium

  * Add new ACLs "as-cia", "as-linuxops", and "coreinfra" to the
  remctl-acl-update script.

 -- Karl Kornel <akkornel@stanford.edu>  Wed, 08 Jun 2016 08:54:30 -0700

stanford-server (132) unstable; urgency=medium

  * puppet-backend: add resources sub-command

 -- Jonathan David Lent <jlent@stanford.edu>  Thu, 04 Feb 2016 13:54:44 -0800

stanford-server (131) unstable; urgency=low

  * retire-system: remove Puppet 2.x remctl calls (jlent)

 -- Jonathan David Lent <jlent@stanford.edu>  Sat, 16 Jan 2016 20:02:03 -0800

stanford-server (130) unstable; urgency=medium

  * retire-system: reach out to the V3 puppet infrastructure, add output
    relevant to which puppet infra. to give any errors context, and
    explicitly check for swhois binary before trying to execute (jlent)

  * retire-system: Delete host's pam-duo object; handle case when Heimdal
    version of klist is run (adamhl)

 -- Jonathan David Lent <jlent@stanford.edu>  Tue, 17 Nov 2015 07:27:00 -0700

stanford-server (129) unstable; urgency=medium

  * Change DNS server name in sysname-check script.
  * stanford-server-packages: Pull in emacs-nox rather than emacs23-nox
    (requires that the distribution have an emacs-nox virtual package).

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Tue, 22 Sep 2015 11:00:14 -0700

stanford-server (128) unstable; urgency=low

  * Add racadm-update script that supports processing Dell racadm
    commands by scripting ssh.

 -- Bill MacAllister <whm@stanford.edu>  Sun, 03 May 2015 23:41:03 -0700

stanford-server (127) unstable; urgency=low

  * [puppet-backend] Add version -V option to show version of the
    puppet-backend script.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Mon, 30 Mar 2015 08:07:27 -0700

stanford-server (126) unstable; urgency=low

  * [puppet-backend] Fixed broken --force in Puppet 2.x (affects, e.g.,
    RHEL 5).

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Tue, 24 Feb 2015 10:20:48 -0800

stanford-server (125) unstable; urgency=low

  * [puppet-backend] Better command-line option parsing.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Wed, 04 Feb 2015 14:36:20 -0800

stanford-server (124) unstable; urgency=low

  [ Darren Patterson ]
  * fix for force run lock param

  [ Adam Henry Lewenberg ]
  * puppet-backend: refactor to support RHEL5 and RHEL6.
  * puppet-backend: add --puppet option to facter executable so we get
    Puppet-specific facts (e.g., su_admin0, su_group, etc.)

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Thu, 11 Dec 2014 13:30:52 -0800


stanford-server (123) unstable; urgency=low

  * puppet-backend: better handling of undefined lines in oneshot.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Wed, 19 Nov 2014 08:17:13 -0800

stanford-server (122) unstable; urgency=low

  * puppet-backend: ignore errors when getting Puppet version.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Wed, 19 Nov 2014 07:53:12 -0800

stanford-server (121) unstable; urgency=low

  * puppet-backend: remove unnecessary 'use JSON;' package include.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Wed, 19 Nov 2014 07:45:01 -0800

stanford-server (120) unstable; urgency=low

  [ Jon C. Robertson ]
  * remctl-acl-update: Added its-idg-windows and networking to the
    special ACL list.

  [ Adam Henry Lewenberg ]
  * puppet-backend: made Puppet 3 ready; perl-critiqued and perl-tidied
  * puppet-backend: better warning message when puppent agent PID does not
    exist; also removed Russ as Maintainer.
  * puppet-backend: also show which server is acting as this client's
    Puppet master when running status command
  * copy-puppet-repo: As the last step, change the owner and group of all
    remote files to root:root.

  [ Darren Patterson ]
  * hostname case fix in wallet-rekey-periodic

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Tue, 11 Nov 2014 14:31:09 -0800

stanford-server (116) unstable; urgency=low

  * dashboard-facter: Fixed name of command in remctl help.
  * Added libnet-remctl-perl version to requirements to make sure we get a
    version with Net::Remctl::Backend.

 -- Jon C. Robertson <jonrober@stanford.edu>  Wed, 20 Aug 2014 22:35:31 -0700

stanford-server (115) unstable; urgency=medium

  * Actually install dashboard-facter, dashboard-facter-wrapper, and the
    remctl configuration.

 -- Jon C. Robertson <jonrober@stanford.edu>  Wed, 20 Aug 2014 22:22:55 -0700

stanford-server (114) unstable; urgency=medium

  * dashboard-facter: Maintain external facts to be used by the
    dashboard to check various system compliances.
  * dashboard-facter-wrapper: Run dashboard facter against a number of
    systems to prime the pump for a new list.

 -- Jon C. Robertson <jonrober@stanford.edu>  Wed, 20 Aug 2014 21:55:24 -0700

stanford-server (113) unstable; urgency=low

  * /usr/bin/generate-conf: now does global replacement of the same variable
    defined in a template instead of just the first one.

 -- Xueshan Feng <sfeng@stanford.edu>  Mon, 07 Jul 2014 16:36:35 -0700

stanford-server (112) unstable; urgency=low

  [ Adam Henry Lewenberg ]
  * sysname-check: remove some Perl package dependencies so that
    sysname-check will run on RHEL.
  * sysname-check: add a check to verify that the local IP address is in
    the networking interfaces file.
  * copy-puppet-repo: new script to support puppet-dry-run

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Thu, 03 Apr 2014 08:31:31 -0700

stanford-server (111) unstable; urgency=low

  [ Adam Henry Lewenberg ]
  * wallet-object-is-newer: New script to determine if a wallet object is
    newer than a specified file.  Will help Puppet wallet define download
    wallet object when newer than target file.
  * sysname-check: Skip the WebAuth keytab test if /etc/webauth does not
    exist.
  * Install run-and-filter.

  [ Xueshan Feng ]
  * Added new puppet-dry-run script to do a dry run of Puppet against a
    local copy of the Puppet repository.

  [ Russ Allbery ]
  * Update standards version to 3.9.5 (no changes required).

 -- Russ Allbery <rra@debian.org>  Sun, 30 Mar 2014 20:02:10 -0700

stanford-server (110) unstable; urgency=low

  * sysname-check: Removed dependency on Perl module
    Net::Address::IP::Local (this module not packaged for squeeze).

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Mon, 06 Jan 2014 10:51:09 -0800

stanford-server (109) unstable; urgency=low

  * Forgot to add sysname-check to installation files.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Wed, 18 Dec 2013 15:15:59 -0800

stanford-server (108) unstable; urgency=low

  * sysname-check: Add a new executable /usr/bin/sysname-check that
    verifies that the hostname is consistent in various locations:
    /etc/hostname, /etc/passwd, Puppet certificate, etc. Very useful
    feedback from Victor Chavez.

 -- Adam Henry Lewenberg <adamhl@stanford.edu>  Thu, 05 Dec 2013 07:22:38 -0800

stanford-server (107) unstable; urgency=low

  [ Adam Henry Lewenberg ]
  * run-and-filter: New script that runs a command and pipes output
    through grep -v -f filter_file. Useful for cron scripts when we want to
    stop some of the e-mails that now go to the alerts mailman lists.

  [ Russ Allbery ]
  * remctl-acl-update: Empty the systems, systems-root, and operations
    ACLs, skipping the systems ACLs if they contain includes of other
    files.  This is the first step towards a transition away from these
    generic files in favor of group-specific ACL files.
  * wallet-rekey-periodic: Explicitly set the PATH.  Add /usr/kerberos/bin
    for Red Hat systems.

 -- Russ Allbery <rra@debian.org>  Wed, 20 Nov 2013 14:14:32 -0800

stanford-server (106) unstable; urgency=low

  * horsewatcher-feed: Add support for authentication name in Zimbra log
    entries to avoid incorrectly identifying the viewing of another
    person's calendar as an authentication as that person.
  * rebuild-iptables: Remove support for including other files and, with
    that, support for the AFS directory of iptables fragments.
  * rebuild-iptables: Rewrite for current coding standards.  Add the -p
    option to print out the rules that would be installed without
    installing them.  Add more careful error checking.

 -- Russ Allbery <rra@debian.org>  Sat, 07 Sep 2013 12:27:38 -0700

stanford-server (105) unstable; urgency=low

  * Remove requirement to run retire-system on a bastion host.

 -- Bill MacAllister <whm@stanford.edu>  Mon, 05 Aug 2013 10:17:50 -0700

stanford-server (104) unstable; urgency=low

  * horsewatcher-feed: Capture all of the results of the regexes that
    parse Kerberos and WebLogin logs so that the check for root and admin
    instances doesn't lose the date and time.

 -- Russ Allbery <rra@debian.org>  Mon, 29 Jul 2013 11:39:12 -0700

stanford-server (103) unstable; urgency=low

  [ Jon C. Robertson ]
  * horsewatcher-feed: Include /root and /admin instance authentications
    in the feeds from the Kerberos KDC and WebLogin.

  [ Russ Allbery ]
  * Include man-db in the stanford-server-packages list.  It's apparently
    not always part of the base system on Ubuntu.
  * Drop at from stanford-server-packages.  We don't actually use this.

 -- Russ Allbery <rra@debian.org>  Sat, 27 Jul 2013 19:01:51 -0700

stanford-server (102) unstable; urgency=low

  * key-system: Use an explicit call to glob instead of the angle bracket
    syntax, since the latter confuses Test::MinimumVersion.
  * rotate-history: Delete.  We no longer use this script.
  * wallet-rekey-periodic: New script that rekeys system keytabs where
    possible if they either have DES keys or if the current day matches a
    random thirty-day period based on a hash of the hostname.
  * Install a cron job to run wallet-rekey-periodic.  Eventually, the
    management of the cron job will move to Puppet, but this is easier
    until the new stanford-server is deployed everywhere.
  * Add stanford-server-packages metapackage, which depends on the
    standard set of generic packages that we expect to have installed on
    every system, except for those that group naturally with some Puppet
    module.  Move some of the Depends and Recommends in stanford-server
    that aren't for specific functionality to stanford-server-packages
    instead.  The initial package list is based on the FAI package list,
    the debinit test Puppet manifest, and the packages installed by the
    defaults and base::os Puppet modules.
  * Improve and reword some documentation, add stopwords to all the shell
    scripts with POD documentation, and fix various typos and spelling
    errors.
  * Convert test suite to be based on libtest-stanford-idg-perl and add a
    test for the minimum Perl version.
  * Update debhelper compatibility level to V9.

 -- Russ Allbery <rra@debian.org>  Mon, 15 Jul 2013 13:48:12 -0700

stanford-server (101) unstable; urgency=low

  [ Michael Goll ]
  * check_hardware_health: Return unknown error status if supporting
    software not installed.

  [ Victor Chavez ]
  * patch-system: Added script to /usr/sbin.

  [ Darren Patterson ]
  * patch-system: Remove firmware update, which has been broken for some
    time.

  [ Russ Allbery ]
  * Drop the stanford-klogin package.  We no longer run eklogind or krshd
    on any host and have switched to Kerberized ssh everywhere.
  * Add missing stopwords to POD documentation now that Test::Spelling
    ignores the local dictionary.

 -- Russ Allbery <rra@debian.org>  Tue, 25 Jun 2013 18:02:51 -0700

stanford-server (100) unstable; urgency=low

  [ Jason Bishop ]
  * check_hardware_health: Add (untested on Debian) support for HP
    hardware health checks.
  * check_hardware_health: Check for physical disk predicted failures on
    Dell hardware.

  [ Michael Goll ]
  * Update check_ipmi_sel configuration file to add some common
    alert/clear pairs.

  [ Darren Patterson ]
  * retire-server: Support new bastion hosts and new out-of-date server
    location.

  [ Russ Allbery ]
  * check_ssl_local: Print out the expiration date in ISO date format.
  * Add required modules for the test suite to Build-Depends.
  * Update standards version to 3.9.4 (no changes required).

 -- Russ Allbery <rra@debian.org>  Mon, 11 Mar 2013 20:45:41 -0700

stanford-server (99) unstable; urgency=low

  * added check_filesystem_state plugin.

 -- Xueshan Feng <sfeng@stanford.edu>  Thu, 07 Feb 2013 22:34:39 -0800

stanford-server (98) unstable; urgency=low

  [ Russ Allbery ]
  * Update all Perl scripts to use strict, use warnings, and require Perl
    5.006 or later.
  * Add a more sophisticated test suite that checks POD syntax and
    spelling and verifies that all Perl scripts use strict and warnings as
    well as pass syntax checks.
  * Add stopwords to all POD documentation for the spelling test.

  [ Michael Goll ]
  * Update check_ipmi_sel nagios plugin to eliminate cleared events.

  [ Xueshan Feng ]
  * Add 'file-age' check in /usr/sbin/monitor-base.

 -- Xueshan Feng <sfeng@stanford.edu>  Thu, 07 Feb 2013 13:27:54 -0800

stanford-server (97) unstable; urgency=low

  * horsewatcher-feed: Updated logs for frog and high-precision
    timestamps for problem with setting hostname rather than HH:MM:SS.

 -- Jon C. Robertson <jonrober@stanford.edu>  Fri, 30 Nov 2012 13:59:47 -0800

stanford-server (96) unstable; urgency=low

  * horsewatcher-feed: More work on frog high-precision timestamps.
  * horsewatcher-feed: Updated name of SSL VPN log.

 -- Jon C. Robertson <jonrober@stanford.edu>  Thu, 15 Nov 2012 12:35:01 -0800

stanford-server (95) unstable; urgency=low

  [ Darren Patterson ]
  * Fix for PID discovery with puppet-backend on RHEL
  * Fix remctl-acl-builder to check if root ACL exists

  [ Jon C. Robertson ]
  * horsewatcher-feed: Update for high-precision timestamps in frog
    logs.

 -- Jon C. Robertson <jonrober@stanford.edu>  Wed, 14 Nov 2012 12:33:17 -0800

stanford-server (94) unstable; urgency=low

  * puppet-backend: Fix the pgrep regex for determining if the Puppet
    agent is running.  Improve the status output with lock text.  Various
    coding style cleanups.
  * Add dependency on libstanford-certtools-perl to make the show-pem
    script available everywhere.  We use SSL certificates widely enough
    that we may as well put it on every system.
  * Add curl dependency for the get-dell-warranty script.
  * Remove mention of krb5.conf from the package long description.  That's
    now handled via Puppet.

 -- Russ Allbery <rra@debian.org>  Wed, 31 Oct 2012 21:00:57 -0700

stanford-server (93) unstable; urgency=low

  [ Jon C. Robertson ]
  * rtripwire: Update list of ACLs to use individual group root PTS
    groups rather than itss:tss-cs-root.
  * horsewatcher-feed: Updated the SSL VPN handling to fix timestamp
    issues.

  [ Michael Goll ]
  * puppet-backend: Update status to work correctly under Redhat and
    provide more detailed locking.

 -- Jon C. Robertson <jonrober@stanford.edu>  Mon, 29 Oct 2012 15:28:30 -0700

stanford-server (92) unstable; urgency=low

  * horsewatcher-feed: Apply patch from David Hoffman to add support for
    parsing the SSL VPN logs.
  * Move retire-system to /usr/bin and move multipath-local-root-wwn to
    /usr/sbin, reflecting whether they must be run as root.  Install their
    man pages.
  * Add missing disk-rw and hardware-health commands to the monitor remctl
    configuration.
  * Add a small test suite to check the syntax of all Perl scripts during
    the package build.
  * Add libdate-calc-perl and libfile-tail-perl to Depends for
    horsewatcher-feed.
  * Remove Hua from Uploaders.

 -- Russ Allbery <rra@debian.org>  Wed, 10 Oct 2012 16:02:36 -0700

stanford-server (91) unstable; urgency=low

  * Added get-dell-warranty, multipath-local-root-wwn, and
    retire-system, moved from AFS.
  * remctl-acl-update: Added new its-sa-* acls to be automatically
    downloaded.

 -- Jon C. Robertson <jonrober@stanford.edu>  Thu, 06 Sep 2012 08:49:18 -0700

stanford-server (90) unstable; urgency=low

  * key-system: Remove /etc/profile.d/key-system.sh on success.  This file
    will be created by FAI so that key-system will be run automatically on
    the first login.

 -- Russ Allbery <rra@debian.org>  Tue, 17 Jul 2012 15:15:08 -0700

stanford-server (89) unstable; urgency=low

  * rtripwire: Call the remctl interface on devnull to set the last
    tripwire clean time after successfully updating tripwire.
  * rtripwire: The -s option now uses ssh and scp instead of rsh and rcp.

 -- Russ Allbery <rra@debian.org>  Tue, 17 Jul 2012 12:44:54 -0700

stanford-server (88) unstable; urgency=low

  [ Jason Bishop ]
  * Add hardware health checks plugin.  For now this means internal
    storage checks mostly.  To be expanded to (when appropriate) hardware
    event logs, batteries, power supplies, etc.

  [ Russ Allbery ]
  * Added POD documentation for check_hardware_health and document the
    additional option to monitor-base.

 -- Russ Allbery <rra@debian.org>  Mon, 16 Jul 2012 14:17:56 -0700

stanford-server (87) unstable; urgency=low

  * key-system: Synchronize the clock by stopping ntpd, running ntpd -q -g
    -x, and then starting it again.  Despite the fact that we start ntpd
    with the -g option, it doesn't seem to set the clock properly before
    key-system runs.
  * key-system: Remove the lock and re-enable echo on Ctrl-C.

 -- Russ Allbery <rra@debian.org>  Mon, 23 Apr 2012 20:40:54 -0700

stanford-server (86) unstable; urgency=low

  [ Russ Allbery ]
  * key-system: New script taken from the authconfig init script installed
    by genesis.  Sets the root password of the system and downloads the
    system keytab.  This version is modified to create a lock file, to use
    passwd if not run under init, to do nothing if the keytab already
    exists and it was run under init, to kill another running version if
    not run under init, and to be more robust in its error handling.
  * horsewatcher-feed: Yet another fix to the regex to parse Zimbra
    authentication logs.  Now it was failing to match lines that had no
    additional information after the IP address.
  * Restart any /service/horsewatcher-* services on upgrade or reconfigure
    since horsewatcher-feed may have changed.

  [ Huaqing Zheng ]
  * horsewatcher-feed: Add support for parsing Cyrus logs.

 -- Russ Allbery <rra@debian.org>  Thu, 19 Apr 2012 18:09:25 -0700

stanford-server (85) unstable; urgency=low

  * horsewatcher-feed: Fix parsing of WebLogin logs with request options
    set.  Fix parsing of Zimbra IMAP and POP logs with supplemental data
    after the authenticated identity.

 -- Russ Allbery <rra@debian.org>  Wed, 04 Apr 2012 14:20:16 -0700

stanford-server (84) unstable; urgency=low

  * Remove the supervise job to run remctld from the package, and stop
    supervise and remove the supervise directory on upgrade.  We now run
    remctld on the IANA-registered port via xinetd as configured in
    Puppet.
  * Remove uscpi-tcp dependency and move remctl-server to Recommends.

 -- Russ Allbery <rra@debian.org>  Tue, 27 Mar 2012 19:27:25 -0700

stanford-server (83) unstable; urgency=low

  * horsewatcher-feed: Work around a Sys::Syslog bug that adds a spurious
    nul to the end of TCP syslog messages by stripping the nul from all
    messages sent to sockets.  This should be okay for UDP, but will
    probably break logging to UNIX domain sockets (which we don't
    currently do).

 -- Russ Allbery <rra@debian.org>  Sun, 11 Mar 2012 22:24:29 -0700

stanford-server (82) unstable; urgency=low

  * horsewatcher-feed: Handle setting the destination host properly for
    the inet syslog method.

 -- Russ Allbery <rra@debian.org>  Tue, 06 Mar 2012 15:19:40 -0800

stanford-server (81) unstable; urgency=low

  * horsewatcher-feed: Fix last-minute typo in variable name.

 -- Russ Allbery <rra@debian.org>  Tue, 06 Mar 2012 15:06:35 -0800

stanford-server (80) unstable; urgency=low

  * horsewatcher-feed: Use a better way of specifying the host to which to
    send horsewatcher login data.
  * Remove krb5.conf from the stanford-server package and remove its
    Provides, Replaces, and Conflicts with krb5-config.  We manage
    krb5.conf via Puppet and having it as a configuration file as well
    just confuses matters.  krb5-config will do the right thing if we
    already have a krb5.conf file installed.
  * Stop disabling the remctl entries in inetd.conf in postinst.  The
    package uses port 4373 now, which isn't used by stanford-server's
    supervise job (which provoked the original conflict), and eventually
    we're going to stop managing this here and only manage it in Puppet.
  * On upgrade from older versions, preseed dash to use bash as /bin/sh.
  * Simplify the debconf dependency.  We use debconf-set-selections, which
    is only in the actual debconf package, and version 0.5 is ancient.

 -- Russ Allbery <rra@debian.org>  Tue, 06 Mar 2012 14:18:46 -0800

stanford-server (79) unstable; urgency=low

  [ Darren Patterson ]
  * Also run remctl-acl-update on reboot via cron to install the ACLs
    immediately after a new install.

  [ Russ Allbery ]
  * horsewatcher-feed: New program that monitors a log with File::Tail and
    sends login information to the central horsewatcher server.  Based on
    the version from the horsewatcher module in Puppet with additional
    options to specify the syslog method and the horsewatcher server and
    with more documentation added.
  * Remove ancient Breaks, Conflicts, and Replaces in stanford-klogin.
  * Update debian/copyright format to 1.0.
  * Update standards version to 3.9.3 (no changes required).

 -- Russ Allbery <rra@debian.org>  Thu, 01 Mar 2012 22:23:17 -0800

stanford-server (78) unstable; urgency=low

  * remctl-acl-update: Suppress an error message from grep when run
    without any existing ACLs.
  * Depend on stanford-keyring.  This won't help with initial
    bootstrapping, but it will help ensure that the package stays
    installed and make any problems more obvious.

 -- Russ Allbery <rra@debian.org>  Sun, 22 Jan 2012 17:34:18 -0800

stanford-server (77) unstable; urgency=low

  * Remove forwardable from the default krb5.conf, since this breaks
    wallet keying of the system at build time.  This will be restored once
    a version of wallet with support for setting the default ticket
    options is available.
  * check_swap_rate: Remove the -t option to set a timeout, which wasn't
    very useful.  Instead, add a -p option to set the period over which
    sar averages swap rates (5 seconds by default) and set the timeout to
    a couple of seconds longer than that.

 -- Russ Allbery <rra@debian.org>  Mon, 16 Jan 2012 20:37:16 -0800

stanford-server (76) unstable; urgency=low

  * monitor-base: Add swaprate command to run check_swap_rate.

 -- Russ Allbery <rra@debian.org>  Thu, 12 Jan 2012 14:34:59 -0800

stanford-server (75) unstable; urgency=low

  [ Darren Patterson ]
  * update check_ipmi_sel to detect VMs and not req libappconfig-perl.
  * update ipmi_sel conf to ignore more "normal" hardware log noise.

  [ Russ Allbery ]
  * check_swap_rate: New Nagios plugin to check the rate of swapping,
    based on work by Adam Lewenberg.
  * Merge Build-Depends and Build-Depends-Indep.  This isn't a meaningful
    distinction for arch: all packages.
  * Swap Hua and I between Maintainer and Uploaders.  I'm the primary
    package maintainer at this point.

 -- Russ Allbery <rra@debian.org>  Thu, 12 Jan 2012 13:39:05 -0800

stanford-server (74) unstable; urgency=low

  [ Darren Patterson ]
  * monitor-base: Added missing ipmi from short help.
  * Added patch-system script

  [ Russ Allbery ]
  * puppet-backend: Restart the Puppet agent after oneshot if the
    environment changed.
  * patch-system: Improve formatting of the manual page.

 -- Russ Allbery <rra@debian.org>  Mon, 05 Dec 2011 19:20:41 -0800

stanford-server (73) unstable; urgency=low

  * check-ssl-local: Move to /usr/lib/nagios/plugins/check_ssl_local and
    update monitor-base accordingly.
  * check_ipmi_sel: New Nagios plugin from Darren Patterson that runs
    ipmitool sel list and looks for errors, filtering out lines mentioned
    in a local configuration file.  Revise the original plugin to more
    closely follow our coding standards and the Nagios plugin exit status
    and output standards.
  * monitor-base: Fix arguments to check_ssl_local.  Sort the check
    commands.  Fix various syntax problems with the documentation.  Remove
    the old systory integration.  Add ipmi as a new monitoring command.
  * puppet-backend: If run in oneshot mode with an --environment option,
    determine the environment from that option when displaying the initial
    informative message about the environment for the run.  Avoids
    confusion when one runs oneshot with a specific environment and
    puppet-backend says that it's using the current default environment
    instead of the one specified.
  * remctl-acl-update: Decline to update the operations and systems ACLs
    if the systems ACL contains lines of the form file:/path, since that
    means it has been pointed at one of the group-specific ACLs.
  * rtripwire: remctl is now the default, and the -r option is ignored.
    Use -s to use the old rsh method.  Option parsing is now done via
    getopt and should work properly with multiple options.  Remove the old
    /afs/ir/site/sweet/tripwire paths, which are no longer used.
  * Add manpage generation infrastructure for the Nagios plugins and
    install man pages for them in section 8.
  * Add Recommends for libappconfig-perl and ipmitool for check_ipmi_sel.
  * Add Recommends of remctl-client for rtripwire.

 -- Russ Allbery <rra@debian.org>  Fri, 04 Nov 2011 15:11:28 -0700

stanford-server (72) unstable; urgency=low

  * missed adding localcert check to remctl conf

 -- Darren Patterson <darrenp1@stanford.edu>  Mon, 29 Aug 2011 11:48:34 -0700

stanford-server (71) unstable; urgency=low

  * added check-ssl-local nagios plugin

 -- Darren Patterson <darrenp1@stanford.edu>  Fri, 26 Aug 2011 15:39:54 -0700

stanford-server (70) unstable; urgency=low

  * remctl-acl-update: Add its-idg and its-sysadmin to the default ACL set
    to copy over.  Generate -root versions of those ACLs as well.  Don't
    skip all ACL updates if /admin principals are in the root .k5login;
    instead, just decline to update systems and operations ACLs.

 -- Russ Allbery <rra@debian.org>  Mon, 23 May 2011 19:29:52 -0700

stanford-server (69) unstable; urgency=low

  [ Russ Allbery ]
  * puppet-backend: Force PATH to be set in puppet-backend, since it may
    be called from xinetd without a PATH setting.
  * make-local-cert: Fix option parsing to work properly and add -c and -k
    options to specify the certificate and key directories.
  * Remove libpam-afs-session from the dependencies.  Installation of this
    should be handled by Puppet.
  * Update /etc/krb5.conf to the latest version from Puppet.
  * Update standards version to 3.9.2 (no changes required).

  [ Digant C Kasundra ]
  * puppet-backend: Avoid matching the pgrep spawned by the puppet-backend
    script when looking for whether the Puppet agent is running.
  * puppet-backend: Include the environment in puppet oneshot and status
    output.

 -- Russ Allbery <rra@debian.org>  Wed, 11 May 2011 13:25:30 -0700

stanford-server (68) unstable; urgency=low

  * puppet-backend: Strip admin instances as well as root instances when
    determining the remote user.  Use getpwuid instead of running whoami
    to determine the local username.
  * puppet-backend: Add documentation of the --force flag to oneshot in
    both the man page and in the help summary.
  * puppet-backend: Ignore the return status of Puppet in oneshot.  Puppet
    exits with a non-zero status if it has to make changes, so we should
    not report that as an error.  The Puppet agent will complain about its
    own errors if it really failed.

 -- Russ Allbery <rra@debian.org>  Tue, 01 Mar 2011 16:40:15 -0800

stanford-server (67) unstable; urgency=low

  * puppet-backend: fix bug where remote user names were not scrubbed

 -- Digant C Kasundra <digant@stanford.edu>  Tue, 22 Feb 2011 10:27:28 -0800

stanford-server (66) unstable; urgency=low

  * puppet-backend: added multilock support

 -- Digant C Kasundra <digant@stanford.edu>  Fri, 18 Feb 2011 17:10:12 -0800

stanford-server (65) unstable; urgency=low

  * puppet-backend: removed locktestlock method and added support for
    --force for oneshot

 -- Digant C Kasundra <digant@stanford.edu>  Fri, 18 Feb 2011 11:16:51 -0800

stanford-server (64) unstable; urgency=low

  * puppet-backend: Update the commands run by puppet-backend for the
    Puppet 2.6 agent.  Fix puppet-backend status to work correctly and
    improve the output of the locked reason when Puppet is locked because
    a run is in progress.
  * puppet-backend: Rewrite locktestrun to remove some race conditions and
    properly separate the standard output and standard error streams and
    to use a cleaner way of temporarily disabling the Puppet init script.
    Don't require a lock reason if Puppet is already locked.
  * puppet-backend: Stop parsing options to oneshot and instead just pass
    everything along to the Puppet agent.
  * puppet-backend: Add a restart command.
  * puppet-backend: For help, print out a more standard summary of the
    remctl commands and stop using Pod::Usage.
  * tripwire-backend: Set default values for ITS systems in the script and
    only read the configuration file if it exists.
  * tripwire-backend: Fix the remctl help output to follow our standard.
  * tripwire-backend: Force a sane PATH setting.
  * Remove the default /etc/tripwire/config file from this package.  This
    should be installed by Puppet.
  * Fix the dependency on libconfig-simple-perl so that it actually takes
    effect.
  * Remove stanford-server Conflicts with kftgt.  Only stanford-klogin
    actually conflicts.
  * Add Recommends on puppet (>> 2.6.3).
  * Switch to Debian source package format 3.0 (native).
  * Update standards version to 3.9.1.
    - Use Breaks rather than Conflicts for moving files.
  * Update debhelper compatibility level to V8 (no changes required).
  * Update format of debian/copyright file.

 -- Russ Allbery <rra@debian.org>  Fri, 03 Dec 2010 16:51:10 -0800

stanford-server (63) unstable; urgency=low

  * tripwire: tripwire-backend now runs the daily tripwire report itself;
    the cron file invokes tripwire-backend.  There's also a new config
    file in /etc/tripwire that decides where the report is mailed (so we
    can manage it in puppet).
  * monitor-base: added the 'disk-rw' check, which confirms that we're
    able to write to a given file system.

 -- Tim Skirvin <tskirvin@stanford.edu>  Mon, 01 Nov 2010 10:09:07 -0700

stanford-server (62) unstable; urgency=low

  * Added /usr/bin/generate-conf. The script generates configuration file on
    the fly using a data input file containing key=value pairs and a template
    file.

 -- Xueshan Feng <sfeng@stanford.edu>  Wed, 18 Aug 2010 18:16:14 -0700

stanford-server (61) unstable; urgency=low

  * Depend on stanford-ca-certificates, which will install and trust all
    local Stanford CA root certificates.
  * Force source format 1.0 for right now, since most people are building
    this package on lenny.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue, 11 May 2010 08:56:43 -0700

stanford-server (60) unstable; urgency=low

  * Updated puppet-backend to support locktestrun for clients with root
    access to easily determine what files puppet will overwrite.

 -- Darren Patterson <darrenp1@stanford.edu>  Mon, 10 May 2010 14:49:39 -0700

stanford-server (59) unstable; urgency=low

  * Move klogin and krsh into stanford-klogin.
  * Rework the build system to follow the model for building multiple
    binary packages.  This includes explicit *.install files, no use of
    rsync during the build, and generation of the man pages in
    usr/share/man in the source tree.
  * Add ${perl:Depends} to dependencies.

 -- Russ Allbery <rra@debian.org>  Tue, 12 Jan 2010 20:29:52 -0800

stanford-server (58) unstable; urgency=low

  * Build an empty stanford-klogin package that can be installed on all
    systems.  This is the first step in splitting klogin and krsh out of
    stanford-server and is done so that general package upgrades will pick
    up the new location of those binaries without requiring special work,
    since stanford-klogin will only be recommended by stanford-server.

 -- Russ Allbery <rra@debian.org>  Mon, 11 Jan 2010 16:35:16 -0800

stanford-server (57) unstable; urgency=low

  * Allow heimdal-clients to satisfy the krb5-user dependency, since that
    package is necessary on Heimdal KDCs and still provides ksu.
  * Recommend krb5-clients, required for klogin (which doesn't support the
    Heimdal versions yet).

 -- Russ Allbery <rra@debian.org>  Wed, 02 Dec 2009 15:42:49 -0800

stanford-server (56) unstable; urgency=low

  * Modified rebuild-iptables to get rid of SUL and use INPUT instead

 -- Digant C Kasundra <digant@stanford.edu>  Wed, 28 Oct 2009 16:43:17 -0700

stanford-server (55) unstable; urgency=low

  * Remove root account tcsh configuration files.  We now use bash
    everywhere for the root shell.
  * Remove configuration files that are now managed via Puppet:
    - /root/.bashrc
    - /etc/filter-syslog.conf and /etc/filter-syslog/*
    - /etc/newsyslog.*/*
  * Stop creating /root/.history-save.  Puppet installs the newsyslog
    configuration that uses it, so Puppet will create the directory.
  * Remove filter-syslog and newsyslog from the dependencies.
    Installation and configuration of those packages is done via Puppet.
  * No longer allow libpam-openafs-session as an alternative to
    libpam-afs-session.
  * Depend on krb5-user since the package changes the permissions of ksu.
  * Alphabetize dependencies.
  * Run postinst actions in all cases except abort-upgrade rather than
    only configure and reconfigure to more correctly handle the failure
    cases.  Make postinst robust against unrecognized arguments.
  * Remove old postinst code to delete a misspelled configuration file.
  * Simplify the postrm script.
  * Update to debhelper compatibility level V7.
    - Use rule minimization and overrides.
    - Add ${misc:Depends} to dependencies.
    - Use dh_lintian to install lintian overrides.
    - Use dh_link to handle symlink creation.
  * Rewrite debian/copyright in the new proposed format.
  * Remove Subversion Id strings from all files.
  * Update standards version to 3.8.3 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue, 15 Sep 2009 15:24:08 -0700

stanford-server (54) unstable; urgency=low

  [ Russ Allbery ]
  * make-local-cert: Incorporate further changes from Darren Patterson for
    certificate handling on RHEL.  Our RHEL systems now use the same paths
    as Debian, but still have some OS differences.
  * puppet-backend: Add a facter command to the remctl interface that runs
    facter and returns the results.

  [ Digant C Kasundra ]
  * puppet-backend: Added support for messages when locking puppet.  Locking
    and unlocking now directly manipulates the lock file and status will
    display the contents of said file.

 -- Digant C Kasundra <digant@stanford.edu>  Fri, 21 Aug 2009 15:21:25 -0700

stanford-server (53) unstable; urgency=low

  [ Huaqing Zheng ]
  * Depend on libpam-openafs-session so deborphan does not claim that
    libpam-openafs-session is orphaned.
  * Fix a typo in the monitor-base remctl configuration.

  [ Digant C Kasundra ]
  * Add locked/unlocked notification to status check of puppet-backed.

  [ Xueshan Feng ]
  * Added MySQL monitoring in monitor-base.

  [ Russ Allbery ]
  * make-local-cert: Include Darren Patterson's work adding Red Hat
    support to this script.
  * make-local-cert: Add a -m option to suppress creation of the generic
    links so that this script can be used to generate multiple
    certificates for the same host.
  * Update to the current version of /etc/krb5.conf, preserving the
    removal of the forwardable configuration for wallet.
  * Prefer libpam-afs-session to libpam-openafs-session.
  * Recommend nagios-plugins-standard for check_mysql.
  * Update standards version to 3.8.1 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue, 31 Mar 2009 20:48:11 -0700

stanford-server (52) unstable; urgency=low

  * krb5.conf should disable forwardable tickets here, since otherwise the
    current version of wallet can't cope.  Puppet will enable forwardable
    tickets later.

 -- Russ Allbery <rra@debian.org>  Tue, 13 Jan 2009 11:57:18 -0800

stanford-server (51) unstable; urgency=low

  * Fix a mistaken change to the aklog path introduced in the previous
    version.

 -- Russ Allbery <rra@debian.org>  Thu, 08 Jan 2009 12:00:18 -0800

stanford-server (50) unstable; urgency=low

  * Update to the krb5.conf that will be going into production on
    Saturday.  Removes some old Kerberos v4 settings, disables 524
    conversion for the Red Hat PAM module, adds the local NT and GUEST
    realms, and updates the domain-realm mappings.

 -- Russ Allbery <rra@debian.org>  Thu, 08 Jan 2009 11:41:27 -0800

stanford-server (49) unstable; urgency=low

  * klogin: Actually do DNS qualification of the hostname.  The code was
    there but it was never called, which meant klogin and krsh to names
    with DNS load-balancing didn't work.

 -- Russ Allbery <rra@debian.org>  Mon, 05 Jan 2009 14:07:20 -0800

stanford-server (48) unstable; urgency=low

  * rtripwire: Allow hostnames ending in *.sunet and *.oit.duke.edu in the
    database location code.
  * rtripwire: Don't automatically enable quiet mode with remctl mode; in
    fact, quiet mode isn't supported with remctl (at least yet).

 -- Russ Allbery <rra@debian.org>  Wed, 12 Nov 2008 17:06:52 -0800

stanford-server (47) unstable; urgency=low

  * tripwire-backend: Fix path to /etc/cron.daily/tripwire for the
    tripwire mail command.

 -- Russ Allbery <rra@debian.org>  Mon, 10 Nov 2008 18:11:23 -0800

stanford-server (46) unstable; urgency=low

  * tripwire-backend: New remctl backend that supports tripwire check,
    init, update, and mail operations, replacing the previous remctl
    configuration that only supported mail.
  * rtripwire: Add script from pubsw and update to remove -a support,
    require Kerberos v5, and add support for the new remctl interface when
    called with -r.
  * Generate man pages for all usr/bin and usr/sbin scripts rather than
    listing the scripts separately in debian/rules.

 -- Russ Allbery <rra@debian.org>  Mon, 10 Nov 2008 18:06:18 -0800

stanford-server (45) unstable; urgency=low

  * Added "monitor log" in monitor-base.

 -- Susan Feng <sfeng@stanford.edu>  Wed, 22 Oct 2008 13:13:57 -0700

stanford-server (44) unstable; urgency=low

  [ Huaqing Zheng ]
  * Add lsb-release to the dependencies since our base Debian os puppet
    model relies on lsb variables generated by facter.

  [ Tim Skirvin ]
  * Added /etc/remctl/conf.d/tripwire, so we can invoke the tripwire script
    remotely.

  [ Susan Feng ]
  * Modified /usr/sbin/monitor-base to use check_log for a pattern.

 -- Susan Feng <sfeng@stanford.edu>  Wed, 22 Oct 2008 12:57:03 -0700

stanford-server (43) unstable; urgency=low

  [ Digant C Kasundra ]
  * Fix the --summarize logic in puppet-backend to make it truly an
    option.

  [ Russ Allbery ]
  * Update standards version to 3.8.0 (no changes required).
  * Remove krb.conf and krb.realms and no longer provide, conflict with,
    or replace krb4-config.

 -- Russ Allbery <rra@debian.org>  Tue, 17 Jun 2008 15:56:21 -0700

stanford-server (42) unstable; urgency=low

  * Added new functions to puppet-backend to support use of traces,
    summarize, and list of classes in catalog

 -- Digant C Kasundra <digant@stanford.edu>  Tue, 27 May 2008 17:55:03 -0700

stanford-server (41) unstable; urgency=low

  * Don't use monitor ALL in the remctl configuration for monitor-base
    since some services add their own commands to the monitor type.
  * Fix the NAME section of the puppet-backend documentation.

 -- Russ Allbery <rra@debian.org>  Tue, 13 May 2008 19:48:51 -0700

stanford-server (40) unstable; urgency=low

  * monitor-base: Include NIC check from the Red Hat package and a help
    command.
  * Change the remctl monitor configuration to use a wildcard for the
    command and add systems-root to the ACL so that UNIX staff can run the
    commands manually if desired.
  * Update the mode of /var/log/btmp set by /etc/newsyslog.monthly/wtmp to
    match the current Puppet file.

 -- Russ Allbery <rra@debian.org>  Thu, 01 May 2008 09:34:44 -0700

stanford-server (39) unstable; urgency=low

  * service-restart: New simple wrapper script to restart a service and
    throw away the output, for use by newsyslog.
  * klogin: New stripped-down version of klogin and krsh that does
    hostname canonicalization but doesn't try to do Kerberos v4 ticket
    forwarding.
  * Conflict with and Replace kftgt because of the klogin wrapper.
  * Fix the spelling of /etc/newsyslog.monthly/wtmp and remove the old
    misnamed file.
  * Remove rotation of the lastlog file.  It's a database; the history is
    in wtmp.

 -- Russ Allbery <rra@debian.org>  Mon, 07 Apr 2008 16:38:12 -0700

stanford-server (38) unstable; urgency=low

  * Disable the port 4373 remctld in inetd.conf as well.

 -- Russ Allbery <rra@debian.org>  Fri, 08 Feb 2008 20:33:58 -0800

stanford-server (37) unstable; urgency=low

  * puppet-backend: Use --test instead of --verbose --onetime to implement
    onetime.  This works correctly for both 0.23 and 0.24 and always
    implies --ignorecache.  Remove the --ignorecache option.

 -- Russ Allbery <rra@debian.org>  Tue, 29 Jan 2008 17:03:09 -0800

stanford-server (36) unstable; urgency=low

  * puppet-backend: Line-buffer the grep used to filter out Ruby
    warnings.  Without line buffering, we don't see puppetd output until
    the command finishes.

 -- Russ Allbery <rra@debian.org>  Mon, 28 Jan 2008 19:13:03 -0800

stanford-server (35) unstable; urgency=low

  * make-local-cert: Create certificates under /etc/ssl instead of
    /etc/apache2/ssl, give the certificate a *.pem extension to match
    current Debian practice, and hard-code the subject that we want to use
    so that we don't need a separate configuration file.  Also create the
    OpenSSL certificate hash symlink in /etc/ssl/certs.
  * puppet-backend: Add --ignorecache option to oneshot.
  * Update krb5.conf from the current Puppet version, which adds wallet
    configuration, more realm mappings, and noaddresses.
  * Update the root bashrc from the current Puppet version, which fixes
    the noclobber setting for non-interactive shells.
  * Recommend openssl, required by make-local-cert.

 -- Russ Allbery <rra@debian.org>  Fri, 25 Jan 2008 16:08:41 -0800

stanford-server (34) unstable; urgency=low

  * Add make-local-cert script and configuration for easy generation of
    self-signed certificates.
  * Update .bashrc to the latest Puppet version, fixing behavior for
    non-interactive shells, adding (unnecessary) afspath and noafspath
    aliases, and not limiting core dumps.
  * Support the reconfigure argument to postinst.
  * Depend on update-inetd | inet-superserver instead of netbase to get
    update-inetd.  This is correct for etch and later, but will not work
    with sarge.
  * Use stamp files in the package build process.
  * Add build-arch and build-indep targets.
  * Add more specifics to the package description and remove READM.Debian,
    which was just a copy of the same information.
  * Minor debian/rules reformatting.
  * Wrap Depends.
  * Update standards version to 3.7.3 (no changes required).
  * Update debhelper compatibility level to V5 (no changes required).

 -- Russ Allbery <rra@debian.org>  Fri, 11 Jan 2008 16:40:47 -0800

stanford-server (33) unstable; urgency=low

  * Fixed the version command to puppet-backend.

 -- Jon C. Robertson <jonrober@stanford.edu>  Tue, 23 Oct 2007 08:36:41 -0700

stanford-server (32) unstable; urgency=low

  * Reject unknown TCP connections with tcp-reset rather than with ICMP
    port unreachable to match standard TCP behavior and not confuse the
    firewall.

 -- Russ Allbery <rra@debian.org>  Thu, 11 Oct 2007 16:18:32 -0700

stanford-server (31) unstable; urgency=low

  * Added new command to puppet backend to show version of puppet client

 -- Digant Kasundra <digant@stanford.edu>  Thu,  4 Oct 2007 11:20:27 -0700

stanford-server (30) unstable; urgency=low

  * Modify krb5.conf to set renewable_lifetime to 7 days, change the
    format of the ticket_lifetime variable, and add passwd_change
    policy section.

 -- Huaqing Zheng <morpheus@stanford.edu>  Sat, 28 Jul 2007 02:14:23 -0700

stanford-server (29) unstable; urgency=low

  * Set the environment variable in so bash history have timestamps.

 -- Huaqing Zheng <morpheus@stanford.edu>  Thu, 07 Jun 2007 17:26:18 -0700

stanford-server (28) unstable; urgency=low

  * Use hostname -f to get full name of the host in tripwire cron job.

 -- Susan Feng <sfeng@stanford.edu>  Fri, 25 May 2007 17:14:56 -0700

stanford-server (27) unstable; urgency=low

  * Change the syslog rotation policy to rotate and filter /var/log/messages
    instead.
  * Install bash initialization file for the root user.
  * Enable Id keyword substitution on a number of configuration files.

 -- Huaqing Zheng <morpheus@stanford.edu>  Fri, 18 May 2007 15:46:08 -0700

stanford-server (26) unstable; urgency=low

  * remctl-acl-update: Add security and helpdesk-all to the default set of
    ACLs to copy.
  * remctl-acl-update: Add a patch from Xueshan Feng to allow
    specification of particular ACLs on the command-line to copy over
    instead of the default ones.
  * krb5.conf: Add SLAC.STANFORD.EDU realm information.
  * krb5.conf: Tell Heimdal libkafs to not try to use krb524d.

 -- Russ Allbery <rra@debian.org>  Sat, 28 Apr 2007 19:56:34 -0700

stanford-server (25) unstable; urgency=low

  [ Huaqing Zheng ]
  * Add Id keyword substition for certain configuration files.
  * Filter out remctld port scan warnings in syslog.
  * Minor bug fixes.

  [ Russ Allbery ]
  * Have remctl-acl-update exit silently if /root/.k5login or the AFS
    source directory for ACLs don't exist.
  * Fix the introductory comment in remctl-acl-update.  It no longer looks
    in pubsw.
  * Fix a typo in the SUCHDAMAGE.ORG Kerberos configuration.

 -- Russ Allbery <rra@debian.org>  Fri,  2 Mar 2007 21:46:07 -0800

stanford-server (24) unstable; urgency=low

  [ Russ Allbery ]
  * Point remctl-acl-update at the full AFS path rather than relying on
    the /usr/pubsw link.
  * Put the Windows domains in krb5.conf in a more sensible order.

  [ Huaqing Zheng ]
  * Update the afs filter rules so that they are masking out the kernel
    warning messages correctly.

 -- Huaqing Zheng <morpheus@stanford.edu>  Mon, 12 Feb 2007 16:11:29 -0800

stanford-server (23) unstable; urgency=low

  * Add Digant's puppet-backend script and its remctl configuration.
  * Add an aptitude remctl command to run aptitude.
  * Add remctl-acl-update, which copies the operations and systems remctl
    ACLs from AFS into /etc/remctl/acl hourly and generates systems-root
    containing only the root instances from the systems ACL.
  * Update rebuild-iptables to the latest version, which will load the
    iptables rules after updating them.
  * When bringing up a network interface, try to load a general iptables
    ruleset as well as the interface-specific one.  We're currently only
    using the general ruleset.
  * Add ticket_lifetime to [libdefaults] in krb5.conf for general Kerberos
    applications and compatibility with Mac and Windows.
  * Add CS.STANFORD.EDU, OPENLDAP.ORG, and SUCHDAMAGE.ORG realms to
    krb5.conf.
  * Add pam-krb5 and pam-afs-session configuration to krb5.conf.
  * Reordered the krb5.conf file a bit more to match what's in Puppet.
  * Use the package version for the version in generated man pages.
  * Remove unnecessary cron installation line for newsyslog.  newsyslog
    has provided its own cron jobs for quite a while.

 -- Russ Allbery <rra@debian.org>  Sat,  3 Feb 2007 22:24:52 -0800

stanford-server (22) unstable; urgency=low

  * Add a master_kdc setting to /etc/krb5.conf.

 -- Russ Allbery <rra@debian.org>  Tue, 12 Dec 2006 15:05:14 -0800

stanford-server (21) unstable; urgency=low

  * Fix a bug in the okill -s flag handling.

 -- Russ Allbery <rra@debian.org>  Mon,  6 Nov 2006 21:21:12 -0800

stanford-server (20) unstable; urgency=low

  * Add the rebuild-iptables script which will be run by Puppet.
  * Depend on netbase since we run update-inetd in postinst.
  * Update standards version to 3.7.2 (no changes required).

 -- Russ Allbery <rra@debian.org>  Tue,  3 Oct 2006 16:33:38 -0700

stanford-server (19) unstable; urgency=low

  * Add the okill script to kill processes that exceed certain limits.

 -- Huaqing Zheng <morpheus@stanford.edu>  Thu, 21 Sep 2006 18:39:33 -0700

stanford-server (18) unstable; urgency=low

  * Remove dependency on krb4-aklog for migration to Kerberos 5.
  * Disable the remctl entry in inetd.conf since this package runs
    remctld with tcpserver and supervise.
  * Set the permissions of su and ksu so that only users in the root
    group can execute the two programs.
  * Split all the dnscache bits out to the stanford-dnscache package.

 -- Huaqing Zheng <morpheus@stanford.edu>  Tue, 25 Jul 2006 14:04:43 -0700

stanford-server (17) unstable; urgency=low

  * Remove stanford-krb5 from the dependencies.

 -- Huaqing Zheng <morpheus@stanford.edu>  Thu,  8 Jun 2006 18:17:28 -0700

stanford-server (16) unstable; urgency=low

  * Fix a remctl message filter by adding whitespace at the end.
  * Sync the krb5.conf file with the version in pubsw.
  * Have the monitor-base script touch /etc/systory/production if the
    /etc/systory directory exists.

 -- Huaqing Zheng <morpheus@stanford.edu>  Thu,  8 Jun 2006 16:22:58 -0700

stanford-server (15) unstable; urgency=low

  * Exclude more remctl messages from syslog.
  * New Pod::Parser module generates man pages with different headers.

 -- Huaqing Zheng <morpheus@stanford.edu>  Wed,  8 Mar 2006 03:33:42 -0800

stanford-server (14) unstable; urgency=low

  * Modify the iptables hook so that it will exit with status 0 when
    bringing up an interface with no iptables configuration.
  * Update uploader address.

 -- Russ Allbery <rra@debian.org>  Fri, 27 Jan 2006 16:57:19 -0800

stanford-server (13) unstable; urgency=low

  * Ignore syslog noise from pam_afs session management.
  * Add dependency on adduser since it's called from postinst.
  * Update standards version to 3.6.2 (no changes required).

 -- Russ Allbery <rra@stanford.edu>  Mon,  8 Aug 2005 15:34:48 -0700

stanford-server (12) unstable; urgency=low

  * Load krb5-config configuration information into debconf for the use of
    krb5-kdc, since we now replace krb5-config.
  * Avoid `' quoting in the postinst and postrm error message.  It looks
    weird in many modern fonts.
  * Remove a trailing blank line from the long description.
  * Add myself to uploaders.

 -- Russ Allbery <rra@stanford.edu>  Fri,  1 Jul 2005 19:24:41 -0700

stanford-server (11) unstable; urgency=low

  * Provide for krb4-config and krb5-config and make sure this package
    conflicts with krb4-config and krb5-config.
  * Exclude ntpd "synchronized to" message.

 -- Huaqing Zheng <morpheus@stanford.edu>  Tue, 14 Jun 2005 17:43:18 -0700

stanford-server (10) unstable; urgency=low

  * Make sure krb5.conf uses /usr/bin/aklog now that we have krb4-aklog
    and stanford-krb5 packages.

 -- Huaqing Zheng <morpheus@stanford.edu>  Wed,  1 Jun 2005 15:01:46 -0700

stanford-server (9) unstable; urgency=low

  * Install the Kerberos 4 and 5 configuration files for easier updates.

 -- Huaqing Zheng <morpheus@stanford.edu>  Thu, 26 May 2005 16:23:30 -0700

stanford-server (8) unstable; urgency=low

  * Fix the path to the rotate-history script in the weekly newsyslog run.

 -- Huaqing Zheng <morpheus@stanford.edu>  Sun, 22 May 2005 01:04:59 -0700

stanford-server (7) unstable; urgency=low

  * Default filter-syslog.conf to use root and root as the sender and
    alert addresses.

 -- Huaqing Zheng <morpheus@stanford.edu>  Thu, 19 May 2005 16:17:26 -0700

stanford-server (6) unstable; urgency=low

  * Add the default afs rules to filter-syslog configuration directory
    and ignore the tcp treason lines in syslog as well.

 -- Huaqing Zheng <morpheus@stanford.edu>  Tue, 17 May 2005 21:12:20 -0700

stanford-server (5) unstable; urgency=low

  * Add the default kerberos rules to filter-syslog configuration directory.

 -- Huaqing Zheng <morpheus@stanford.edu>  Tue, 17 May 2005 20:45:45 -0700

stanford-server (4) unstable; urgency=low

  * Ignore PAM_AFS warnings about root.

 -- Huaqing Zheng <morpheus@stanford.edu>  Mon, 16 May 2005 20:45:48 -0700

stanford-server (3) unstable; urgency=low

  * The default syslog rotation policy should not handle mail log.

 -- Huaqing Zheng <morpheus@stanford.edu>  Mon, 16 May 2005 20:07:04 -0700

stanford-server (2) unstable; urgency=low

  * Many bug fixes including fixes the the monitor-base wrapper script,
    removal of default remctl.conf file, ensuring creation of log
    archive directory, fixing the monitoring acl, etc.

 -- Huaqing Zheng <morpheus@stanford.edu>  Fri, 13 May 2005 12:09:59 -0700

stanford-server (1) unstable; urgency=low

  * Initial Release.

 -- Huaqing Zheng <morpheus@stanford.edu>  Tue, 29 Mar 2005 19:31:44 -0800
