BF: fix selinux

TST: ignore *common.conf files in test cases as these are included BF: Remove USER_LOGIN from selinux-ssh as its a duplicate message ENH: add sample jail.conf
2013-10-30 20:05:49 +11:00 · 2013-10-30 20:05:49 +11:00 · e3150044fd
parent 8408e3fb0b
commit e3150044fd
7 changed files with 46 additions and 32 deletions
--- a/2
+++ b/2
@ -65,7 +65,7 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests
  Mark McKinstry
   * action.d/apf.conf - add action for Advanced Policy Firewall (apf)
  Steven Hiscocks and Daniel Black
-   * filter.d/selinux{,-ssh} -- add SELinux date and filter
+   * filter.d/selinux-{common,ssh} -- add SELinux date and ssh filter

 - Enhancements:
  François Boulogne and Frédéric
--- a/config/filter.d/selinux-common.conf
+++ b/config/filter.d/selinux-common.conf
@ -0,0 +1,21 @@
+# Fail2Ban configuration file for generic SELinux audit messages
+#
+# Author: Daniel Black
+#
+# This file is not intended to be used directly, and should be included into a
+# filter file which would define following variables. See selinux-ssh.conf as
+# and example.
+#
+# _type
+# _uid
+# _auid 
+# _subj
+# _msg
+#
+# Also one of these variables must include <HOST>.
+#
+[Definition]
+
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+
+ignoreregex =
--- a/config/filter.d/selinux-ssh.conf
+++ b/config/filter.d/selinux-ssh.conf
@ -3,13 +3,16 @@
 # Author: Daniel Black
 #
 #
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+# 
 [INCLUDES]

-after = selinux.conf
+after = selinux-common.conf

 [Definition]

-_type = USER_(LOGIN|ERR|AUTH)
+_type = USER_(ERR|AUTH)
 _uid  = 0
 _auid = \d+
 _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
--- a/config/filter.d/selinux.conf
+++ b/config/filter.d/selinux.conf
@ -1,18 +0,0 @@
-# Fail2Ban configuration file for generic SELinux audit messages
-#
-# Author: Daniel Black
-#
-#
-[Definition]
-
-# Things you must set before including this file. See selinux-ssh as an example.
-# One of these must include a <HOST>.
-#
-# _type
-# _uid
-# _auid 
-# _subj
-# _msg
-
-failregex = ^type=%(_type)s msg=audit\(:\d+\): user pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
-
--- a/config/jail.conf
+++ b/config/jail.conf
@ -433,3 +433,9 @@ enabled = false
 filter = sshd
 action = osx-afctl[bantime=600]
 logpath = /var/log/secure.log
+
+[selinux-ssh]
+enabled = false
+filter = selinux-ssh
+action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
+logpath = /var/log/audit/audit.log
--- a/testcases/files/logs/selinux-ssh
+++ b/testcases/files/logs/selinux-ssh
@ -1,23 +1,29 @@
-# failJSON: { "time": "2013-07-09T02:45:16", "match": true , "host": "173.242.116.187" } 
+# failJSON: { "time": "2013-07-09T02:45:16", "match": false , "host": "173.242.116.187" } 
 type=USER_LOGIN msg=audit(1373330716.415:4063): user pid=11998 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'

-# failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" } 
+# failJSON: { "time": "2013-07-09T02:45:17", "match": false , "host": "173.242.116.187" } 
 type=USER_LOGIN msg=audit(1373330717.441:4068): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'

 # failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" } 
 type=USER_ERR msg=audit(1373330717.575:4070): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=173.242.116.187 addr=173.242.116.187 terminal=ssh res=failed'

-# failJSON: { "time": "2013-07-09T02:45:17", "match": true , "host": "173.242.116.187" } 
+# failJSON: { "time": "2013-07-09T02:45:17", "match": false , "host": "173.242.116.187" } 
 type=USER_LOGIN msg=audit(1373330717.576:4073): user pid=12000 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=173.242.116.187 terminal=ssh res=failed'

-# failJSON: { "time": "2013-06-30T01:02:08", "match": true , "host": "113.240.248.18" } 
+# failJSON: { "time": "2013-06-30T01:02:08", "match": false , "host": "113.240.248.18" } 
 type=USER_LOGIN msg=audit(1372546928.726:52008): user pid=21569 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="sshd" exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'

 # failJSON: { "time": "2013-06-30T03:58:20", "match": true , "host": "113.240.248.18" } 
 type=USER_ERR msg=audit(1372557500.401:61747): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=113.240.248.18 addr=113.240.248.18 terminal=ssh res=failed'

-# failJSON: { "time": "2013-06-30T03:58:20", "match": true , "host": "113.240.248.18" } 
+# failJSON: { "time": "2013-06-30T03:58:20", "match": false , "host": "113.240.248.18" } 
 type=USER_LOGIN msg=audit(1372557500.402:61750): user pid=23684 uid=0 auid=0 ses=76 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=113.240.248.18 terminal=ssh res=failed'

 # failJSON: { "time": "2013-07-06T18:48:00", "match": true , "host": "194.228.20.113" } 
 type=USER_AUTH msg=audit(1373129280.772:9): user pid=1277 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="root" exe="/usr/sbin/sshd" hostname=? addr=194.228.20.113 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-10-30T07:57:43", "match": true , "host": "192.168.3.100" } 
+type=USER_AUTH msg=audit(1383116263.930:603): pid=12887 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
+
+# failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" } 
+type=USER_LOGIN msg=audit(1383116048.450:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
--- a/testcases/samplestestcase.py
+++ b/testcases/samplestestcase.py
@ -61,11 +61,7 @@ def testSampleRegexsFactory(name):
 		# Check filter exists
 		filterConf = FilterReader(name, "jail", basedir=CONFIG_DIR)
 		filterConf.read()
-		try:
-			filterConf.getOptions({})
-		except InterpolationMissingOptionError:
-			# some filters like selinux aren't complete
-			return
+		filterConf.getOptions({})

 		for opt in filterConf.convert():
 			if opt[2] == "addfailregex":
@ -136,7 +132,7 @@ def testSampleRegexsFactory(name):

 	return testFilter

-for filter_ in os.listdir(os.path.join(CONFIG_DIR, "filter.d")):
+for filter_ in filter(lambda x: not x.endswith('common.conf'), os.listdir(os.path.join(CONFIG_DIR, "filter.d"))):
 	filterName = filter_.rpartition(".")[0]
 	setattr(
 		FilterSamplesRegex,