Commit Graph

1261 Commits (e584ab66ac06c4679261e518ea0e6a94cb45f979)

Author SHA1 Message Date
Steven Hiscocks 94956bee84 TST: test all valid loglevels in server testcases 2013-04-14 15:59:05 +01:00
Steven Hiscocks 4c4b60f4b4 TST: Add tag replace and escape test for actions 2013-04-14 15:58:35 +01:00
Steven Hiscocks 3d6791fe3e ENH: Minor change to action for consistency of execStart/Stop 2013-04-14 15:57:37 +01:00
Steven Hiscocks d259e903a3 TST: Coverage for coveralls.io should only be run on success 2013-04-14 15:56:14 +01:00
Steven Hiscocks 28e9acf86a TST: no cover additions to server, primarily daemon creation 2013-04-14 15:55:18 +01:00
Steven Hiscocks 88187fc161 TST: Tweak python3 open statement to resolve python2.5 SyntaxError 2013-04-14 11:00:08 +01:00
Steven Hiscocks d28788c87b TST: Revert changes for filter testcase open statement
Also merging python3 support
2013-04-14 10:24:44 +01:00
Steven Hiscocks 36097ffc3e DOC: Revert setup.py messages to use print statement 2013-04-14 10:18:22 +01:00
Yaroslav Halchenko ffe48741e3 DOC: thanks @kwirk for spotting the typos in exception message 2013-04-13 22:20:57 -04:00
Steven Hiscocks 70bcb0e32f Add *.bak files generated by 2to3 to gitignore 2013-04-13 17:05:19 +01:00
Steven Hiscocks 9241ded376 TST: Fix up fail2ban python3 scripts 2013-04-13 17:01:18 +01:00
Steven Hiscocks d061b2b549 TST: Fix issues in tests which assumed dictionary's order 2013-04-13 16:55:22 +01:00
Steven Hiscocks fa0f8f9e6d Merge branch '0.9' into py3
Conflicts:
	.travis.yml
	MANIFEST
	bin/fail2ban-regex
	fail2ban/server/filter.py
	fail2ban/tests/servertestcase.py
	setup.py
2013-04-13 16:54:22 +01:00
Yaroslav Halchenko 301460f451 Merge remote-tracking branch 'pr/167/head': FD_CLOEXEC bug fixes (filters) + support (actions). Avoid sockets descriptors leak.
* pr/167/head:
  FD_CLOEXEC support
2013-04-11 15:05:56 -04:00
Yaroslav Halchenko 5aef036f54 Merge remote-tracking branch 'github_kwirk_fail2ban/module' into 0.9
* github_kwirk_fail2ban/module:
  TST: revert change of log format for testcases in commit a3d82e2
  ENH: fail2ban logging uses __name__ for logger names
2013-04-11 14:19:39 -04:00
Steven Hiscocks 0ea9904440 TST: revert change of log format for testcases in commit a3d82e2 2013-04-11 18:19:44 +01:00
Steven Hiscocks a3d82e2ab9 ENH: fail2ban logging uses __name__ for logger names 2013-04-10 21:33:55 +01:00
Yaroslav Halchenko 59192a5585 Merge remote-tracking branch 'github_kwirk_fail2ban/pidfile'
* github_kwirk_fail2ban/pidfile:
  Typo in default pidfile in fail2ban.conf
2013-04-09 23:48:46 -04:00
Yaroslav Halchenko fe1c3fbdd9 BF: fixing incorrect merge conflict -- run coverage only for 2.7 2013-04-09 20:24:54 -04:00
Yaroslav Halchenko 7a385fd442 BF: Move mysqld.log into a new location under fail2ban module 2013-04-09 19:46:24 -04:00
Yaroslav Halchenko e630b77fca Make fail2ban a full blown module. Close gh-26
AKA: Merge remote-tracking branch 'github_kwirk_fail2ban/module' into 0.9

* github_kwirk_fail2ban/module:
  BF: Added test filter.d files to setup.py package data
  TST: Fix up tests from multiline elements broken in previous merge
  TST: clientreader test now use /etc/fail2ban/ if no local config/
  ENH+TST: Move fail2ban-* scripts to bin/
  TST+ENH: Move testcases to part of fail2ban module
  TST: Update Travis CI coverage config for python module structure
  ENH+BF+TST+DOC: Make fail2ban a python module

Conflicts:
	.travis.yml -- the line for PYTHONPATH
	.travis_coveragerc -- now we do cover gamin tests
2013-04-09 19:39:58 -04:00
Yaroslav Halchenko ebfb9422d8 Merge branch 'master' into 0.9
* master:
  ENH: for consistency (and future expansion ;)) -- rename to mysqld-auth
  Adjusting previous PR (MySQL logs) according to my comments
  TST: Add gamin testing for and only coveralls coverage for python2.7
  change the license to GPLv2 + adapt text
  TST: Add gamin support for Travis CI
  fix the script name to check_fail2ban everywhere
  Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...). Also add a README which includes the content of f2ban.txt (which is now removed)
  Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
  Added support for MySQL logfiles
2013-04-09 18:49:18 -04:00
Yaroslav Halchenko 99a5d78e37 ENH: for consistency (and future expansion ;)) -- rename to mysqld-auth 2013-04-09 18:03:34 -04:00
Yaroslav Halchenko ffaa9697ee Adjusting previous PR (MySQL logs) according to my comments 2013-04-09 18:00:40 -04:00
Yaroslav Halchenko 3e6be243bf Merge branch 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban
* 'Support_for_mysql_log_example' of https://github.com/arto-p/fail2ban:
  Added testcase for MySQL date format to testcases/datedetectortestcase.py and example of MySQL log file.
  Added support for MySQL logfiles

Conflicts:
	testcases/datedetectortestcase.py -- conflicted with other added test cases
2013-04-09 17:55:14 -04:00
Yaroslav Halchenko 4fb06170f1 Merge 'Update the check_fail2ban script' PR from https://github.com/labynocle/fail2ban
* 'master' of https://github.com/labynocle/fail2ban:
  change the license to GPLv2 + adapt text
  fix the script name to check_fail2ban everywhere
  Replace the check_fail2ban script by a new one which respects the Nagios specs (like status, output, perfdata, help...). Also add a README which includes the content of f2ban.txt (which is now removed)
2013-04-09 17:41:36 -04:00
Steven Hiscocks a33bf5baca ENH: setup.py now automatically runs 2to3 for python3.x 2013-04-09 19:40:54 +01:00
Yaroslav Halchenko f5ad99b527 Merge pull request #166 from kwirk/travis-gamin
Travis gamin support on Travis CI
2013-04-06 08:20:21 -07:00
Steven Hiscocks 47c54ba293 TST: Add gamin testing for and only coveralls coverage for python2.7 2013-04-06 11:08:07 +01:00
Steven Hiscocks 3a16ceed0a BF: Added test filter.d files to setup.py package data 2013-04-06 10:20:53 +01:00
Steven Hiscocks c4bdc48edb TST: Fix up tests from multiline elements broken in previous merge 2013-04-06 10:15:43 +01:00
Steven Hiscocks 8e0f5f8ea6 Merge branch '0.9' into module
Conflicts:
	fail2ban/tests/clientreadertestcase.py
	fail2ban/tests/filtertestcase.py
2013-04-06 09:57:44 +01:00
Nicolas Collignon 39667ff6f7 FD_CLOEXEC support
* 001-fail2ban-server-socket-close-on-exec-no-leak.diff

Add code that marks server and client sockets with FD_CLOEXEC flags.
Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).

Unix sockets managed by fail2ban-server don't need to be passed to any
child process. Fail2ban already uses the FD_CLOEXEC flags in the filter
code.

This patch also avoids giving iptables access to fail2ban UNIX socket in
a SELinux environment (A sane SELinux policy should trigger an audit
event because "iptables" will be given read/write access to the fail2ban
control socket).

Some random references related to this bug:
 http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032
 http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.html
 http://forums.fedoraforum.org/showthread.php?t=234230

 * 002-fail2ban-filters-close-on-exec-typo-fix.diff

There is a typo in the fail2ban server/filter.py source code. The
FD_CLOEXEC is correctly set but additional *random* flags are also set.
It has no side-effect as long as the fd doesn't match a valid flag :)
"fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd
parameter should be flags, not a file descriptor.

 * 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff

Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC
flags. Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).

---

File descriptors in action process before patches:
dr-x------ 2 root root  0 .
dr-xr-xr-x 8 root root  0 ..
lr-x------ 1 root root 64 0 -> /dev/null        <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log    <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null        <== OK
lrwx------ 1 root root 64 3 -> socket:[116361]  <== NOK (fail2ban.sock leak)
lr-x------ 1 root root 64 4 -> /proc/20090/fd   <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
lrwx------ 1 root root 64 6 -> socket:[115608]  <== NOK (gamin sock leak)

File descriptors in action process after patches:
dr-x------ 2 root root  0 .
dr-xr-xr-x 8 root root  0 ..
lr-x------ 1 root root 64 0 -> /dev/null        <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log    <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null        <== OK
lr-x------ 1 root root 64 3 -> /proc/18284/fd   <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
2013-04-02 19:11:59 +02:00
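
The leak and the fix described in the FD_CLOEXEC commit above, as an added example (not code from the fail2ban patches). A socketpair stands in for fail2ban.sock, the spawned Python child stands in for an action such as iptables, and the names `typo_setfd_arg`, `stray_bits`, `set_cloexec`, `child_view` and `demo` are hypothetical.

```python
import fcntl
import os
import socket
import subprocess
import sys

# Constructed child program: reports whether argv[1] is an open socket fd.
CHILD = (
    "import os, stat, sys\n"
    "try:\n"
    "    mode = os.fstat(int(sys.argv[1])).st_mode\n"
    "    print('leaked' if stat.S_ISSOCK(mode) else 'closed')\n"
    "except OSError:\n"
    "    print('closed')\n"
)

def typo_setfd_arg(fd):
    """Value the typo quoted in the commit message passes to F_SETFD."""
    return fd | fcntl.FD_CLOEXEC

def stray_bits(fd):
    """Bits other than FD_CLOEXEC that the typo asks the kernel to set."""
    return typo_setfd_arg(fd) & ~fcntl.FD_CLOEXEC

def set_cloexec(fd):
    """Corrected form: read the descriptor flags, then add FD_CLOEXEC."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)

def child_view(fd):
    """Exec a child without closing fds and ask what it sees at fd."""
    out = subprocess.check_output(
        [sys.executable, "-S", "-c", CHILD, str(fd)], close_fds=False)
    return out.decode().strip()

def demo():
    server, client = socket.socketpair()  # stand-in for fail2ban.sock
    fd = server.fileno()
    try:
        os.set_inheritable(fd, True)   # emulate the unpatched state
        before = child_view(fd)
        set_cloexec(fd)                # state the patches aim for
        after = child_view(fd)
    finally:
        server.close()
        client.close()
    return before, after

if __name__ == "__main__":
    print(demo(), typo_setfd_arg(6), stray_bits(6))
```

Python 3.4 and later create sockets non-inheritable by default, which is why the example has to clear the flag explicitly to reproduce the leak.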
Erwan Ben Souiden 44736035bd change the license to GPLv2 + adapt text 2013-04-02 09:49:44 +02:00
Steven Hiscocks 0ce046ec47 TST: clientreader test now use /etc/fail2ban/ if no local config/ 2013-04-01 19:06:58 +01:00
Steven Hiscocks a153653a27 ENH+TST: Move fail2ban-* scripts to bin/ 2013-04-01 19:06:13 +01:00
Steven Hiscocks e3bd2042eb TST+ENH: Move testcases to part of fail2ban module
This allows fail2ban-testcases to be run on an installed fail2ban
instance.
TODO: Fix tests requiring config files
2013-04-01 11:22:40 +01:00
Steven Hiscocks e53bfafd6a TST: Update Travis CI coverage config for python module structure 2013-03-31 19:36:52 +01:00
Steven Hiscocks dba88e842f ENH+BF+TST+DOC: Make fail2ban a python module 2013-03-31 18:18:21 +01:00
Steven Hiscocks 77aa523f22 Merge branch 'master' into py3
Conflicts:
	.travis.yml
	server/datetemplate.py
	server/server.py
	testcases/filtertestcase.py
2013-03-30 22:51:36 +00:00
Yaroslav Halchenko e43fcc80db BF: setBaseDir is not static method now -- so set it for the filterReader in question 2013-03-30 18:30:23 -04:00
Yaroslav Halchenko 03f6c42352 Merge commit '0.8.8-160-g74e76e0' into 0.9
* commit '0.8.8-160-g74e76e0': (65 commits)
  TST+BF: Use separate coveragerc for Travis CI
  RF+TST: bring inBanList back from private to protected and enabled its rudimentary unittests
  TST: coverage ignore Travis CI python virtual environments
  ENH: increase waiting to 4 sec for gamin/pyinotify
  TST+BF: Fix incorrect commands for coveralls support
  TST: Add support for coveralls for python 2.6 and python 2.7
  ENH: deleted trailing spaces in fail2ban- cmdline tools
  DOC: minor change -- refer to the fail2ban manpage
  TST: be more aggressive in cleanup of temp files + use mktemp instead of mkstemp
  ENH(BF?): overload open() (for buffering) within filtertestcase to guarantee atomic writing
  BF: delay check for the existence of config directory until read()
  DOC: minor fix ups of manpages. fixes #159
  non-static (get|set)BaseDir for Configurator. fixes #160
  ENH: Slight tune ups for fresh SOGo filter + comment into the sample log file
  ENH: postfix filter -- react also on (450 4.7.1) with empty from/to. fixes #126
  TST: basic testing of reading the shipped jail.conf (forcing all jails to be enabled)
  ENH: allow to force enable all jails (for testing), do not crash for jails without actions (just warn)
  ENH: minor -- add default value into the warning if option had none provided
  ENH: _copy_lines_between_files -- read all needed, and only then write/flush at once
  ENH: move pyinotify callback debug message into callback + delay string interpolations
  ...

Conflicts:
	fail2ban-testcases
	testcases/clientreadertestcase.py -- fix for setBaseDir will follow
2013-03-30 18:29:39 -04:00
Steven Hiscocks 5acd035f72 TST: Remove Travis CI unsupported versions of python from Travis config 2013-03-30 21:51:22 +00:00
Steven Hiscocks d30f6a2d66 add fail2ban-2to3 to MANIFEST file 2013-03-30 21:40:42 +00:00
Steven Hiscocks b0a08b9790 TST: Add gamin support for Travis CI 2013-03-30 18:17:01 +00:00
Yaroslav Halchenko 74e76e068c Merge pull request #164 from kwirk/coveralls
TST+BF: Use separate coveragerc for Travis CI
2013-03-29 13:32:29 -07:00
Steven Hiscocks 0002fb4ca3 TST+BF: Use separate coveragerc for Travis CI
Should now ignore server/filtergamin.py as gamin is not tested. Also
ignores Travis CI python virtual environments
2013-03-29 20:14:13 +00:00
Yaroslav Halchenko 33a31e096a RF+TST: bring inBanList back from private to protected and enabled its rudimentary unittests 2013-03-29 15:33:08 -04:00
Yaroslav Halchenko 08dd6fed26 Merge pull request #163 from kwirk/coveralls
Coveralls.io
2013-03-29 12:15:34 -07:00
Steven Hiscocks e0e116cb36 TST: coverage ignore Travis CI python virtual environments 2013-03-29 19:09:55 +00:00