github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #3 from grooverdan/selinux_ssh_filter 

ENH: separate selinux and selinux-ssh
pull/374/head
Daniel Black 2013-10-22 04:49:32 -07:00
parent a1eaa5f755 4649cf9608
commit d9e7bc67cd
4 changed files with 36 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
config/filter.d/selinux-ssh.conf Normal file
View File

@ -0,0 +1,21 @@
# Fail2Ban configuration file for SELinux ssh authentication errors
#
# Author: Daniel Black
#
#
[INCLUDES]
after = selinux.conf
[Definition]
_type = USER_(LOGIN|ERR|AUTH)
_uid = 0
_auid = \d+
_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
_exe =/usr/sbin/sshd
_terminal = ssh
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed

19
config/filter.d/selinux.conf
View File

@ -1,19 +1,18 @@
# Fail2Ban configuration file for generic Selinux Errors authentication errors
# Fail2Ban configuration file for generic SELinux audit messages
#
# Author: Daniel Black
#
#
[Definition]
_type = USER_(LOGIN|ERR|AUTH)
_uid = 0
_auid = \d+
_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
_exe =/usr/sbin/sshd
_terminal = ssh
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
# Things you must set before including this file. See selinux-ssh as an example.
# One of these must include a <HOST>.
#
# _type
# _uid
# _auid
# _subj
# _msg
failregex = ^type=%(_type)s msg=audit\(:\d+\): user pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$

0
testcases/files/logs/selinux → testcases/files/logs/selinux-ssh
View File

7
testcases/samplestestcase.py
View File

@ -23,6 +23,7 @@ __copyright__ = "Copyright (c) 2013 Steven Hiscocks"
__license__ = "GPL"
import unittest, sys, os, fileinput, re, datetime, inspect
from ConfigParser import InterpolationMissingOptionError
if sys.version_info >= (2, 6):
import json
@ -60,7 +61,11 @@ def testSampleRegexsFactory(name):
# Check filter exists
filterConf = FilterReader(name, "jail", basedir=CONFIG_DIR)
filterConf.read()
filterConf.getOptions({})
try:
filterConf.getOptions({})
except InterpolationMissingOptionError:
# some filters like selinux aren't complete
return
for opt in filterConf.convert():
if opt[2] == "addfailregex":