diff --git a/ChangeLog b/ChangeLog
index bd668a71..f77d9491 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -71,6 +71,8 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests * action.d/apf.conf - add action for Advanced Policy Firewall (apf) Amir Caspi and kjohnsonecl * filter.d/uwimap-auth - filter for uwimap-auth IMAP/POP server + Steven Hiscocks and Daniel Black + * filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter - Enhancements: François Boulogne and Frédéric
diff --git a/config/filter.d/selinux-common.conf b/config/filter.d/selinux-common.conf
new file mode 100644
index 00000000..333b43f2
--- /dev/null
+++ b/config/filter.d/selinux-common.conf
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file for generic SELinux audit messages
+#
+# Author: Daniel Black
+#
+# This file is not intended to be used directly, and should be included into a
+# filter file which would define following variables. See selinux-ssh.conf as
+# and example.
+#
+# _type
+# _uid
+# _auid
+# _subj
+# _msg
+#
+# Also one of these variables must include .
+#
+[Definition]
+
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+
+ignoreregex =
diff --git a/config/filter.d/selinux-ssh.conf b/config/filter.d/selinux-ssh.conf
new file mode 100644
index 00000000..6e563a13
--- /dev/null
+++ b/config/filter.d/selinux-ssh.conf
@@ -0,0 +1,24 @@
+# Fail2Ban configuration file for SELinux ssh authentication errors
+#
+# Author: Daniel Black
+#
+#
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+#
+[INCLUDES]
+
+after = selinux-common.conf
+
+[Definition]
+
+_type = USER_(ERR|AUTH)
+_uid = 0
+_auid = \d+
+_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
+
+_exe =/usr/sbin/sshd
+_terminal = ssh
+
+_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr= terminal=%(_terminal)s res=failed
+
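Review bot: The header of selinux-common.conf ends in a truncated sentence, `# Also one of these variables must include .`, which drops the one requirement an including filter must satisfy; on this page the object is missing and the `addr=` field at the end of `_msg` in selinux-ssh.conf is likewise empty, so the host tag (fail2ban's `<HOST>`, presumably) looks lost in rendering — worth confirming the committed files actually carry it, since without it the filter captures nothing to ban. `# See selinux-ssh.conf as / # and example.` should read `an example`. The `failregex` matches `msg=audit\(:\d+\)` with nothing before the colon, which only works if the date handling removes the epoch timestamp (`1373330716.415` in the samples) from the record before matching; a comment such as `# the audit epoch timestamp is consumed by the date matcher, leaving audit(:serial)` would make that dependency explicit for anyone reusing this file.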
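Review bot: `hostname=(\?|(\d+\.){3}\d+)` in `_msg` of selinux-ssh.conf accepts only `?` or an IPv4 literal, so an sshd audit record carrying a resolved hostname (DNS lookups enabled) or an IPv6 address would not match and that failure would go uncounted — a fail-open gap rather than a false ban; `hostname=\S+` would cover those cases, as the banned address is taken from the `addr=` field anyway. The `acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct)` group handles both the quoted form and the bare hex-encoded form seen in the sample log, which deserves a one-line comment, e.g. `# acct is either "quoted" or hex-encoded by audit (see testcases/files/logs/selinux-ssh)`. `# duplicate messsage` should read `message`.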
diff --git a/config/jail.conf b/config/jail.conf
index 1154cb52..670922cc 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -485,3 +485,9 @@ enabled = false
 filter = dovecot
 action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
 logpath = /var/log/secure
+
+[selinux-ssh]
+enabled = false
+filter = selinux-ssh
+action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
+logpath = /var/log/audit/audit.log
diff --git a/testcases/files/logs/selinux-ssh b/testcases/files/logs/selinux-ssh
new file mode 100644
index 00000000..ed43c411
--- /dev/null
+++ b/testcases/files/logs/selinux-ssh
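Review bot: The new `[selinux-ssh]` stanza gives no hint that it depends on auditd writing to `/var/log/audit/audit.log`, unlike the neighbouring jails that read syslog files, nor that its filter counts only `USER_ERR`/`USER_AUTH` records; a comment above it such as `# sshd authentication failures read from the SELinux/auditd log instead of /var/log/secure` would tell an operator when this jail is the right choice. Since the audit records describe the same sshd failures a syslog-based ssh jail sees, enabling both would presumably ban the same host through two separate chains, which is worth a sentence in that comment as well.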
@@ -0,0 +1,29 @@
+# failJSON: { "time": "2013-07-09T02:45:16", "match": false , "host": "173.242.116.187" }
+type=USER_LOGIN msg=audit(1373330716.415:4063): user pid=11998 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-07-09T02:45:17", "match": false , "host": "173.242.116.187" }
+type=USER_LOGIN msg=audit(1373330717.441:4068): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" }
+type=USER_ERR msg=audit(1373330717.575:4070): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=173.242.116.187 addr=173.242.116.187 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-07-09T02:45:17", "match": false , "host": "173.242.116.187" }
+type=USER_LOGIN msg=audit(1373330717.576:4073): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-06-30T01:02:08", "match": false , "host": "113.240.248.18" }
+type=USER_LOGIN msg=audit(1372546928.726:52008): user pid=21569 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="sshd" exe="/usr/sbin/sshd" hostname=? 
addr=113.240.248.18 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-06-30T03:58:20", "match": true , "host": "113.240.248.18" }
+type=USER_ERR msg=audit(1372557500.401:61747): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=113.240.248.18 addr=113.240.248.18 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-06-30T03:58:20", "match": false , "host": "113.240.248.18" }
+type=USER_LOGIN msg=audit(1372557500.402:61750): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-07-06T18:48:00", "match": true , "host": "194.228.20.113" }
+type=USER_AUTH msg=audit(1373129280.772:9): user pid=1277 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=194.228.20.113 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-10-30T07:57:43", "match": true , "host": "192.168.3.100" }
+type=USER_AUTH msg=audit(1383116263.930:603): pid=12887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" }
+type=USER_LOGIN msg=audit(1383116048.450:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
diff --git a/testcases/samplestestcase.py b/testcases/samplestestcase.py
index 0b4285ba..d88be5e9 100644
--- a/testcases/samplestestcase.py
+++ b/testcases/samplestestcase.py
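Review bot: Every sample in the fixture ends in `res=failed`, so nothing pins the `res=failed` tail of `_msg`; a `USER_AUTH` record with `res=success` and `"match": false` would guard against a future loosening of the regex counting successful logins as failures. There is also no sample whose `hostname=` is a name rather than `?` or an IPv4 literal, and none with a `uid` other than `0`, so the `hostname=(\?|(\d+\.){3}\d+)` and `_uid = 0` restrictions in selinux-ssh.conf are exercised only on the accepting side and a record they reject would be silently uncounted without any test noticing. The `USER_LOGIN` negatives are valuable as they are, since they pin the "ignore the duplicate" behaviour described in the filter header.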
@@ -23,6 +23,7 @@ __copyright__ = "Copyright (c) 2013 Steven Hiscocks"
 __license__ = "GPL"
 import unittest, sys, os, fileinput, re, datetime, inspect
+from ConfigParser import InterpolationMissingOptionError
 if sys.version_info >= (2, 6):
 import json
@@ -131,7 +132,7 @@ def testSampleRegexsFactory(name):
 return testFilter
-for filter_ in os.listdir(os.path.join(CONFIG_DIR, "filter.d")):
+for filter_ in filter(lambda x: not x.endswith('common.conf'), os.listdir(os.path.join(CONFIG_DIR, "filter.d"))):
 filterName = filter_.rpartition(".")[0]
 setattr(
 FilterSamplesRegex,
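Review bot: `InterpolationMissingOptionError` is imported here but not referenced in either hunk visible on this page; if its only purpose was to tolerate loading the `*-common.conf` include fragments, the later `filter(lambda x: not x.endswith('common.conf'), ...)` now skips those files before they are parsed, which would leave the import unused — if it is referenced further down the file, disregard this. The suffix test in that loop also deserves a comment, since `common.conf` is a naming convention rather than anything the loader enforces, e.g. `# *-common.conf files are include-only fragments with unresolved %(...)s options and no sample log; skip them`. A comprehension, `[f for f in os.listdir(os.path.join(CONFIG_DIR, "filter.d")) if not f.endswith('common.conf')]`, reads more idiomatically than `filter(lambda ...)` and behaves the same under the Python 2 this file targets.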