MRG: merge ChangeLog and jail.conf

ChangeLog

@@ -71,6 +71,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
    * action.d/apf.conf - add action for Advanced Policy Firewall (apf)
   Amir Caspi and kjohnsonecl
    * filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server
+  Steven Hiscocks and Daniel Black
+   * filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter
 
 - Enhancements:
   François Boulogne and Frédéric

config/filter.d/selinux-common.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file for generic SELinux audit messages
+#
+# Author: Daniel Black
+#
+# This file is not intended to be used directly, and should be included into a
+# filter file which would define following variables. See selinux-ssh.conf as
+# and example.
+#
+# _type
+# _uid
+# _auid 
+# _subj
+# _msg
+#
+# Also one of these variables must include <HOST>.
+#
+[Definition]
+
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+
+ignoreregex =

config/filter.d/selinux-ssh.conf

@@ -0,0 +1,24 @@
+# Fail2Ban configuration file for SELinux ssh authentication errors
+#
+# Author: Daniel Black
+#
+#
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+# 
+[INCLUDES]
+
+after = selinux-common.conf
+
+[Definition]
+
+_type = USER_(ERR|AUTH)
+_uid  = 0
+_auid = \d+
+_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
+
+_exe  =/usr/sbin/sshd
+_terminal = ssh
+
+_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
+

config/jail.conf

@@ -485,3 +485,9 @@ enabled = false
 filter = dovecot
 action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
 logpath = /var/log/secure
+
+[selinux-ssh]
+enabled = false
+filter = selinux-ssh
+action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
+logpath = /var/log/audit/audit.log

testcases/files/logs/selinux-ssh

@@ -0,0 +1,29 @@
+# failJSON: { "time": "2013-07-09T02:45:16", "match": false , "host": "173.242.116.187" } 
+type=USER_LOGIN msg=audit(1373330716.415:4063): user pid=11998 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-07-09T02:45:17", "match": false , "host": "173.242.116.187" } 
+type=USER_LOGIN msg=audit(1373330717.441:4068): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" } 
+type=USER_ERR msg=audit(1373330717.575:4070): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=173.242.116.187 addr=173.242.116.187 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-07-09T02:45:17", "match": false , "host": "173.242.116.187" } 
+type=USER_LOGIN msg=audit(1373330717.576:4073): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-06-30T01:02:08", "match": false , "host": "113.240.248.18" } 
+type=USER_LOGIN msg=audit(1372546928.726:52008): user pid=21569 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="sshd" exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-06-30T03:58:20", "match": true , "host": "113.240.248.18" } 
+type=USER_ERR msg=audit(1372557500.401:61747): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=113.240.248.18 addr=113.240.248.18 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-06-30T03:58:20", "match": false , "host": "113.240.248.18" } 
+type=USER_LOGIN msg=audit(1372557500.402:61750): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-07-06T18:48:00", "match": true , "host": "194.228.20.113" } 
+type=USER_AUTH msg=audit(1373129280.772:9): user pid=1277 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=194.228.20.113 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-10-30T07:57:43", "match": true , "host": "192.168.3.100" } 
+type=USER_AUTH msg=audit(1383116263.930:603): pid=12887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" } 
+type=USER_LOGIN msg=audit(1383116048.450:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'

testcases/samplestestcase.py

@@ -23,6 +23,7 @@ __copyright__ = "Copyright (c) 2013 Steven Hiscocks"
 __license__ = "GPL"
 
 import unittest, sys, os, fileinput, re, datetime, inspect
+from ConfigParser import InterpolationMissingOptionError
 
 if sys.version_info >= (2, 6):
 	import json
@@ -131,7 +132,7 @@ def testSampleRegexsFactory(name):
 
 	return testFilter
 
-for filter_ in os.listdir(os.path.join(CONFIG_DIR, "filter.d")):
+for filter_ in filter(lambda x: not x.endswith('common.conf'), os.listdir(os.path.join(CONFIG_DIR, "filter.d"))):
 	filterName = filter_.rpartition(".")[0]
 	setattr(
 		FilterSamplesRegex,