diff options
Diffstat (limited to 'meta-security/recipes-security')
27 files changed, 2634 insertions, 1809 deletions
diff --git a/meta-security/recipes-security/bastille/files/set_required_questions.py b/meta-security/recipes-security/bastille/files/set_required_questions.py index 4a28358c3..f306109d7 100755 --- a/meta-security/recipes-security/bastille/files/set_required_questions.py +++ b/meta-security/recipes-security/bastille/files/set_required_questions.py @@ -1,4 +1,4 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 #Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org> @@ -83,7 +83,7 @@ def xform_file(qfile, distro, qlabel): @param name qlabel The question label for which the distro is to be added. """ questions_in = open(qfile) - questions_out = tempfile.NamedTemporaryFile(delete=False) + questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False) for l in add_requires(qlabel, distro, questions_in): questions_out.write(l) questions_out.close() diff --git a/meta-security/recipes-security/buck-security/buck-security_0.7.bb b/meta-security/recipes-security/buck-security/buck-security_0.7.bb deleted file mode 100644 index 3733c88ba..000000000 --- a/meta-security/recipes-security/buck-security/buck-security_0.7.bb +++ /dev/null @@ -1,63 +0,0 @@ -SUMMARY = "Linux security scanner" -DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux \ -system. This enables you to quickly overview the security status of your Linux system." -SECTION = "security" -LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" -RDEPENDS_${PN} = "coreutils \ - gnupg \ - net-tools \ - perl \ - perl-module-data-dumper \ - perl-module-file-basename \ - perl-module-file-spec \ - perl-module-getopt-long \ - perl-module-lib \ - perl-module-posix \ - perl-module-term-ansicolor \ - perl-module-time-localtime \ - pinentry \ - " - -RDEPENDS_${PN}_class-native = "coreutils \ - net-tools \ - perl \ - perl-module-data-dumper \ - perl-module-file-basename \ - perl-module-file-spec \ - perl-module-getopt-long \ - perl-module-lib \ - perl-module-posix \ - perl-module-term-ansicolor \ - perl-module-time-localtime \ - " - -SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz" - -SRC_URI[md5sum] = "611a3e9bb7ed8a8270aa15216c321c53" -SRC_URI[sha256sum] = "c533c6631ec3554dd8d39d2d1c3ed44badbbf50810ebb75469c74639fa294b01" - -S = "${WORKDIR}/${BPN}_${PV}" - -do_configure() { - : -} - -do_compile() { - : -} - -do_install() { - install -d ${D}${bindir}/buck - cp -r ${S}/* ${D}${bindir}/buck - cp -r ${S}/buck-security ${D}${bindir} - sed -i 's!use lib "checks"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks")!' ${D}${bindir}/buck-security - sed -i 's!use lib "checks/lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks/lib")!' ${D}${bindir}/buck-security - sed -i 's!use lib "lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/lib")!' ${D}${bindir}/buck-security - sed -i 's!my $buck_root = "."!my $buck_root = File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck")!' ${D}${bindir}/buck-security - -} - -FILES_${PN} = "${bindir}/*" - -BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-security/checksec/checksec_2.1.0.bb b/meta-security/recipes-security/checksec/checksec_2.1.0.bb deleted file mode 100644 index b67c98bb6..000000000 --- a/meta-security/recipes-security/checksec/checksec_2.1.0.bb +++ /dev/null @@ -1,19 +0,0 @@ -SUMMARY = "Linux system security checks" -DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used." -SECTION = "security" -LICENSE = "BSD" -HOMEPAGE="https://github.com/slimm609/checksec.sh" - -LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a" - -SRCREV = "04582bad41589ad479ca8b1f0170ed317475b5a5" -SRC_URI = "git://github.com/slimm609/checksec.sh" - -S = "${WORKDIR}/git" - -do_install() { - install -d ${D}${bindir} - install -m 0755 ${S}/checksec ${D}${bindir} -} - -RDEPENDS_${PN} = "bash openssl-bin binutils" diff --git a/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb b/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb deleted file mode 100644 index 030bf2515..000000000 --- a/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb +++ /dev/null @@ -1,21 +0,0 @@ -SUMMARY = "basic system security checks" -DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes." -SECTION = "security" -LICENSE = "GPL-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" - -SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \ - file://setuid-log-folder.patch \ - file://check-setuid-use-more-portable-find-args.patch" - -SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f" -SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32" - -do_compile() { -} - -do_install() { - oe_runmake PREFIX=${D} -} - -RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob util-linux findutils coreutils" diff --git a/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch deleted file mode 100644 index f1fe8edce..000000000 --- a/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch +++ /dev/null @@ -1,23 +0,0 @@ -From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001 -From: Christopher Larson <chris_larson@mentor.com> -Date: Wed, 5 Sep 2018 23:21:43 +0500 -Subject: [PATCH] check-setuid: use more portable find args - -Signed-off-by: Christopher Larson <chris_larson@mentor.com> ---- - plugins/check-setuid | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -Index: checksecurity-2.0.15/plugins/check-setuid -=================================================================== ---- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500 -+++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500 -@@ -99,7 +99,7 @@ - ionice -t -c3 \ - find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \ - -xdev $PATHCHK \ -- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \ -+ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \ - $DEVCHK \) \) \ - -ignore_readdir_race \ - -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | diff --git a/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch b/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch deleted file mode 100644 index 540ea9c31..000000000 --- a/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001 -From: Andrei Dinu <andrei.adrianx.dinu@intel.com> -Date: Thu, 20 Jun 2013 15:14:55 +0300 -Subject: [PATCH] changed log folder for check-setuid - -check-setuid was creating logs in /var/log directory, -which cannot be created persistently. To avoid errors -the log folder was changed to /etc/checksecurity/. - -Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com> ---- - etc/check-setuid.conf | 2 +- - plugins/check-setuid | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf -index 621336f..e1532c0 100644 ---- a/etc/check-setuid.conf -+++ b/etc/check-setuid.conf -@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false" - # - # Location of setuid file databases. - # --LOGDIR=/var/log/setuid -+LOGDIR=/etc/checksecurity/ -diff --git a/plugins/check-setuid b/plugins/check-setuid -index 8d6f90b..bdb21c1 100755 ---- a/plugins/check-setuid -+++ b/plugins/check-setuid -@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then - exit 1 - fi - --TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp --TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp -+TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp -+TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp - - # - # Check for NFS/AFS mounts that are not nosuid/nodev -@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then - fi - - # Guard against undefined vars --[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid -+[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/ - if [ ! -e "$LOGDIR" ] ; then - echo "ERROR: Log directory $LOGDIR does not exist" - exit 1 --- -1.7.9.5 - diff --git a/meta-security/recipes-security/clamav/clamav_0.101.5.bb b/meta-security/recipes-security/clamav/clamav_0.101.5.bb deleted file mode 100644 index a4c32e1a6..000000000 --- a/meta-security/recipes-security/clamav/clamav_0.101.5.bb +++ /dev/null @@ -1,169 +0,0 @@ -SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface" -DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats." -HOMEPAGE = "http://www.clamav.net/index.html" -SECTION = "security" -LICENSE = "LGPL-2.1" - -DEPENDS = "libtool db libxml2 openssl zlib curl llvm clamav-native libmspack" -DEPENDS_class-native = "db-native openssl-native zlib-native llvm-native curl-native" - -LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092" - -SRCREV = "482fcd413b07e9fd3ef9850e6d01a45f4e187108" - -SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \ - file://clamd.conf \ - file://freshclam.conf \ - file://volatiles.03_clamav \ - file://tmpfiles.clamav \ - file://${BPN}.service \ - file://freshclam-native.conf \ - " - -S = "${WORKDIR}/git" - -LEAD_SONAME = "libclamav.so" -SO_VER = "9.0.2" - -inherit autotools pkgconfig useradd systemd - -CLAMAV_UID ?= "clamav" -CLAMAV_GID ?= "clamav" -INSTALL_CLAMAV_CVD ?= "1" - -CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr" -CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr" - -PACKAGECONFIG_class-target ?= "ncurses bz2" -PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" -PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" - -PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre" -PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json-c," -PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6" -PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --disable-bzip2, bzip2" -PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, " -PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, " - -EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \ - --disable-mempool \ - --program-prefix="" \ - --disable-zlib-vcheck \ - --with-xml=${CLAMAV_USR_DIR} \ - --with-zlib=${CLAMAV_USR_DIR} \ - --with-openssl=${CLAMAV_USR_DIR} \ - --with-libcurl=${CLAMAV_USR_DIR} \ - --with-system-libmspack=${CLAMAV_USR_DIR} \ - --with-iconv=no \ - --enable-check=no \ - " - -EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}" -EXTRA_OECONF_class-target += "--with-user=${CLAMAV_UID} --with-group=${CLAMAV_GID} ${EXTRA_OECONF_CLAMAV}" - -do_configure () { - ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_configure_class-native () { - ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} -} - -do_compile_append_class-target() { - if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then - bbnote "CLAMAV creating cvd" - install -d ${S}/clamav_db - ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf - fi -} - -do_install_append_class-target () { - install -d ${D}/${sysconfdir} - install -d ${D}/${localstatedir}/lib/clamav - install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles - - install -m 644 ${WORKDIR}/clamd.conf ${D}/${sysconfdir} - install -m 644 ${WORKDIR}/freshclam.conf ${D}/${sysconfdir} - install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav - sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc - rm ${D}/${libdir}/libclamav.so - install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/. - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then - install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf - fi -} - -pkg_postinst_ontarget_${PN} () { - if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf - elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update - fi - mkdir -p ${localstatedir}/lib/clamav - chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav -} - - -PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \ - ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev" - -FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \ - ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \ - ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \ - ${docdir}/clamav/* " - -FILES_${PN}-clamdscan = " ${bindir}/clamdscan \ - ${docdir}/clamdscan/* \ - ${mandir}/man1/clamdscan* \ - " - -FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \ - ${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \ - ${mandir}/man5/clamd* ${mandir}/man8/clamd* \ - ${sysconfdir}/clamd.conf* \ - ${systemd_unitdir}/system/clamav-daemon/* \ - ${docdir}/clamav-daemon/* ${sysconfdir}/clamav-daemon \ - ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon " - -FILES_${PN}-freshclam = "${bindir}/freshclam \ - ${sysconfdir}/freshclam.conf* \ - ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \ - ${sysconfdir}/tmpfiles.d/*.conf \ - ${localstatedir}/lib/clamav \ - ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \ - ${mandir}/man5/freshclam.conf.* \ - ${systemd_unitdir}/system/clamav-freshclam.service" - -FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ - ${libdir}/pkgconfig/*.pc \ - ${mandir}/man1/clamav-config.* \ - ${includedir}/*.h ${docdir}/libclamav* " - -FILES_${PN}-staticdev = "${libdir}/*.a" - -FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so*\ - ${docdir}/libclamav/* " - -FILES_${PN}-doc = "${mandir}/man/* \ - ${datadir}/man/* \ - ${docdir}/* " - -FILES_${PN}-cvd = "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat" - -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}" -USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir \ - ${localstatedir}/spool/${BPN} \ - --no-create-home --shell /bin/false ${BPN}" - -RPROVIDES_${PN} += "${PN}-systemd" -RREPLACES_${PN} += "${PN}-systemd" -RCONFLICTS_${PN} += "${PN}-systemd" -SYSTEMD_SERVICE_${PN} = "${BPN}.service" - -RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" -RDEPENDS_${PN}_class-native = "" - -BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-security/clamav/files/clamav-freshclam.service b/meta-security/recipes-security/clamav/files/clamav-freshclam.service deleted file mode 100644 index 0c909fb32..000000000 --- a/meta-security/recipes-security/clamav/files/clamav-freshclam.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=ClamAV virus database updater -Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/ -# If user wants it run from cron, don't start the daemon. -ConditionPathExists=!/etc/cron.d/clamav-freshclam - -[Service] -ExecStart=/usr/bin/freshclam -d --foreground=true -StandardOutput=syslog - -[Install] -WantedBy=multi-user.target diff --git a/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample b/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample deleted file mode 100644 index ed0d519ff..000000000 --- a/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample +++ /dev/null @@ -1,293 +0,0 @@ -## -## Example config file for clamav-milter -## - -# Comment or remove the line below. -Example - - -## -## Main options -## - -# Define the interface through which we communicate with sendmail -# This option is mandatory! Possible formats are: -# [[unix|local]:]/path/to/file - to specify a unix domain socket -# inet:port@[hostname|ip-address] - to specify an ipv4 socket -# inet6:port@[hostname|ip-address] - to specify an ipv6 socket -# -# Default: no default -#MilterSocket /tmp/clamav-milter.socket -#MilterSocket inet:7357 - -# Define the group ownership for the (unix) milter socket. -# Default: disabled (the primary group of the user running clamd) -#MilterSocketGroup virusgroup - -# Sets the permissions on the (unix) milter socket to the specified mode. -# Default: disabled (obey umask) -#MilterSocketMode 660 - -# Remove stale socket after unclean shutdown. -# -# Default: yes -#FixStaleSocket yes - -# Run as another user (clamav-milter must be started by root for this option to work) -# -# Default: unset (don't drop privileges) -#User clamav - -# Initialize supplementary group access (clamav-milter must be started by root). -# -# Default: no -#AllowSupplementaryGroups no - -# Waiting for data from clamd will timeout after this time (seconds). -# Value of 0 disables the timeout. -# -# Default: 120 -#ReadTimeout 300 - -# Don't fork into background. -# -# Default: no -#Foreground yes - -# Chroot to the specified directory. -# Chrooting is performed just after reading the config file and before dropping privileges. -# -# Default: unset (don't chroot) -#Chroot /newroot - -# This option allows you to save a process identifier of the listening -# daemon (main thread). -# -# Default: disabled -#PidFile /var/run/clamav/clamav-milter.pid - -# Optional path to the global temporary directory. -# Default: system specific (usually /tmp or /var/tmp). -# -#TemporaryDirectory /var/tmp - -## -## Clamd options -## - -# Define the clamd socket to connect to for scanning. -# This option is mandatory! Syntax: -# ClamdSocket unix:path -# ClamdSocket tcp:host:port -# The first syntax specifies a local unix socket (needs an absolute path) e.g.: -# ClamdSocket unix:/var/run/clamd/clamd.socket -# The second syntax specifies a tcp local or remote tcp socket: the -# host can be a hostname or an ip address; the ":port" field is only required -# for IPv6 addresses, otherwise it defaults to 3310, e.g.: -# ClamdSocket tcp:192.168.0.1 -# -# This option can be repeated several times with different sockets or even -# with the same socket: clamd servers will be selected in a round-robin fashion. -# -# Default: no default -ClamdSocket /var/run/clamav/clamd - - -## -## Exclusions -## - -# Messages originating from these hosts/networks will not be scanned -# This option takes a host(name)/mask pair in CIRD notation and can be -# repeated several times. If "/mask" is omitted, a host is assumed. -# To specify a locally orignated, non-smtp, email use the keyword "local" -# -# Default: unset (scan everything regardless of the origin) -#LocalNet local -#LocalNet 192.168.0.0/24 -#LocalNet 1111:2222:3333::/48 - -# This option specifies a file which contains a list of basic POSIX regular -# expressions. Addresses (sent to or from - see below) matching these regexes -# will not be scanned. Optionally each line can start with the string "From:" -# or "To:" (note: no whitespace after the colon) indicating if it is, -# respectively, the sender or recipient that is to be whitelisted. -# If the field is missing, "To:" is assumed. -# Lines starting with #, : or ! are ignored. -# -# Default unset (no exclusion applied) -#Whitelist /etc/whitelisted_addresses - -# Messages from authenticated SMTP users matching this extended POSIX -# regular expression (egrep-like) will not be scanned. -# As an alternative, a file containing a plain (not regex) list of names (one -# per line) can be specified using the prefix "file:". -# e.g. SkipAuthenticated file:/etc/good_guys -# -# Note: this is the AUTH login name! -# -# Default: unset (no whitelisting based on SMTP auth) -#SkipAuthenticated ^(tom|dick|henry)$ - -# Messages larger than this value won't be scanned. -# Make sure this value is lower or equal than StreamMaxLength in clamd.conf -# -# Default: 25M -#MaxFileSize 10M - - -## -## Actions -## - -# The following group of options controls the delievery process under -# different circumstances. -# The following actions are available: -# - Accept -# The message is accepted for delievery -# - Reject -# Immediately refuse delievery (a 5xx error is returned to the peer) -# - Defer -# Return a temporary failure message (4xx) to the peer -# - Blackhole (not available for OnFail) -# Like Accept but the message is sent to oblivion -# - Quarantine (not available for OnFail) -# Like Accept but message is quarantined instead of being delivered -# -# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ -# For Postfix this causes the message to be placed on hold -# -# Action to be performed on clean messages (mostly useful for testing) -# Default: Accept -#OnClean Accept - -# Action to be performed on infected messages -# Default: Quarantine -#OnInfected Quarantine - -# Action to be performed on error conditions (this includes failure to -# allocate data structures, no scanners available, network timeouts, -# unknown scanner replies and the like) -# Default: Defer -#OnFail Defer - -# This option allows to set a specific rejection reason for infected messages -# and it's therefore only useful together with "OnInfected Reject" -# The string "%v", if present, will be replaced with the virus name. -# Default: MTA specific -#RejectMsg - -# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an -# "X-Virus-Status" headers will be attached to each processed message, possibly -# replacing existing headers. -# If it is set to Add, the X-Virus headers are added possibly on top of the -# existing ones. -# Note that while "Replace" can potentially break DKIM signatures, "Add" may -# confuse procmail and similar filters. -# Default: no -#AddHeader Replace - -# When AddHeader is in use, this option allows to arbitrary set the reported -# hostname. This may be desirable in order to avoid leaking internal names. -# If unset the real machine name is used. -# Default: disabled -#ReportHostname my.mail.server.name - -# Execute a command (possibly searching PATH) when an infected message is found. -# The following parameters are passed to the invoked program in this order: -# virus name, queue id, sender, destination, subject, message id, message date. -# Note #1: this requires MTA macroes to be available (see LogInfected below) -# Note #2: the process is invoked in the context of clamav-milter -# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to -# avoid unnecessary delays in email delievery -# Default: disabled -#VirusAction /usr/local/bin/my_infected_message_handler - -## -## Logging options -## - -# Uncomment this option to enable logging. -# LogFile must be writable for the user running daemon. -# A full path is required. -# -# Default: disabled -#LogFile /var/log/clamav/clamav-milter.log - -# By default the log file is locked for writing - the lock protects against -# running clamav-milter multiple times. -# This option disables log file locking. -# -# Default: no -#LogFileUnlock yes - -# Maximum size of the log file. -# Value of 0 disables the limit. -# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) -# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size -# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log -# rotation (the LogRotate option) will always be enabled. -# -# Default: 1M -#LogFileMaxSize 2M - -# Log time with each message. -# -# Default: no -#LogTime yes - -# Use system logger (can work together with LogFile). -# -# Default: no -#LogSyslog yes - -# Specify the type of syslog messages - please refer to 'man syslog' -# for facility names. -# -# Default: LOG_LOCAL6 -#LogFacility LOG_MAIL - -# Enable verbose logging. -# -# Default: no -#LogVerbose yes - -# Enable log rotation. Always enabled when LogFileMaxSize is enabled. -# Default: no -#LogRotate yes - -# This option allows to tune what is logged when a message is infected. -# Possible values are Off (the default - nothing is logged), -# Basic (minimal info logged), Full (verbose info logged) -# Note: -# For this to work properly in sendmail, make sure the msg_id, mail_addr, -# rcpt_addr and i macroes are available in eom. In other words add a line like: -# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i -# to your .cf file. Alternatively use the macro: -# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i') -# Postfix should be working fine with the default settings. -# -# Default: disabled -#LogInfected Basic - -# This option allows to tune what is logged when no threat is found in a scanned message. -# See LogInfected for possible values and caveats. -# Useful in debugging but drastically increases the log size. -# Default: disabled -#LogClean Basic - -# This option affects the behaviour of LogInfected, LogClean and VirusAction -# when a message with multiple recipients is scanned: -# If SupportMultipleRecipients is off (the default) -# then one single log entry is generated for the message and, in case the -# message is determined to be malicious, the command indicated by VirusAction -# is executed just once. In both cases only the last recipient is reported. -# If SupportMultipleRecipients is on: -# then one line is logged for each recipient and the command indicated -# by VirusAction is also executed once for each recipient. -# -# Note: although it's probably a good idea to enable this option, the default value -# is currently set to off for legacy reasons. -# Default: no -#SupportMultipleRecipients yes - diff --git a/meta-security/recipes-security/clamav/files/clamav.service b/meta-security/recipes-security/clamav/files/clamav.service deleted file mode 100644 index f13191fcc..000000000 --- a/meta-security/recipes-security/clamav/files/clamav.service +++ /dev/null @@ -1,17 +0,0 @@ -[Unit] -Description=Clam AntiVirus userspace daemon -Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/ -Requires=clamav-daemon.socket -# Check for database existence -ConditionPathExistsGlob=/usr/share/clamav/main.{c[vl]d,inc} -ConditionPathExistsGlob=/usr/share/clamav/daily.{c[vl]d,inc} - -[Service] -ExecStart=/usr/sbin/clamd --foreground=true -# Reload the database -ExecReload=/bin/kill -USR2 $MAINPID -StandardOutput=syslog - -[Install] -WantedBy=multi-user.target -Also=clamav-daemon.socket diff --git a/meta-security/recipes-security/clamav/files/clamd.conf b/meta-security/recipes-security/clamav/files/clamd.conf deleted file mode 100644 index 045778506..000000000 --- a/meta-security/recipes-security/clamav/files/clamd.conf +++ /dev/null @@ -1,595 +0,0 @@ -# Uncomment this option to enable logging. -# LogFile must be writable for the user running daemon. -# A full path is required. -# Default: disabled -LogFile /tmp/clamd.log - -# By default the log file is locked for writing - the lock protects against -# running clamd multiple times (if want to run another clamd, please -# copy the configuration file, change the LogFile variable, and run -# the daemon with --config-file option). -# This option disables log file locking. -# Default: no -LogFileUnlock yes - -# Maximum size of the log file. -# Value of 0 disables the limit. -# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) -# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size -# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log -# rotation (the LogRotate option) will always be enabled. -# Default: 1M -LogFileMaxSize 2M - -# Log time with each message. -# Default: no -LogTime yes - -# Also log clean files. Useful in debugging but drastically increases the -# log size. -# Default: no -#LogClean yes - -# Use system logger (can work together with LogFile). -# Default: no -#LogSyslog yes - -# Specify the type of syslog messages - please refer to 'man syslog' -# for facility names. -# Default: LOG_LOCAL6 -#LogFacility LOG_MAIL - -# Enable verbose logging. -# Default: no -#LogVerbose yes - -# Enable log rotation. Always enabled when LogFileMaxSize is enabled. -# Default: no -#LogRotate yes - -# Log additional information about the infected file, such as its -# size and hash, together with the virus name. -ExtendedDetectionInfo yes - -# This option allows you to save a process identifier of the listening -# daemon (main thread). -# Default: disabled -PidFile /var/run/clamd.pid - -# Optional path to the global temporary directory. -# Default: system specific (usually /tmp or /var/tmp). -TemporaryDirectory /var/tmp - -# Path to the database directory. -# Default: hardcoded (depends on installation options) -DatabaseDirectory /var/lib/clamav - -# Only load the official signatures published by the ClamAV project. -# Default: no -#OfficialDatabaseOnly no - -# The daemon can work in local mode, network mode or both. -# Due to security reasons we recommend the local mode. - -# Path to a local socket file the daemon will listen on. -# Default: disabled (must be specified by a user) -LocalSocket /tmp/clamd.socket - -# Sets the group ownership on the unix socket. -# Default: disabled (the primary group of the user running clamd) -#LocalSocketGroup virusgroup - -# Sets the permissions on the unix socket to the specified mode. -# Default: disabled (socket is world accessible) -#LocalSocketMode 660 - -# Remove stale socket after unclean shutdown. -# Default: yes -#FixStaleSocket yes - -# TCP port address. -# Default: no -#TCPSocket 3310 - -# TCP address. -# By default we bind to INADDR_ANY, probably not wise. -# Enable the following to provide some degree of protection -# from the outside world. This option can be specified multiple -# times if you want to listen on multiple IPs. IPv6 is now supported. -# Default: no -#TCPAddr 127.0.0.1 - -# Maximum length the queue of pending connections may grow to. -# Default: 200 -#MaxConnectionQueueLength 30 - -# Clamd uses FTP-like protocol to receive data from remote clients. -# If you are using clamav-milter to balance load between remote clamd daemons -# on firewall servers you may need to tune the options below. - -# Close the connection when the data size limit is exceeded. -# The value should match your MTA's limit for a maximum attachment size. -# Default: 25M -#StreamMaxLength 10M - -# Limit port range. -# Default: 1024 -#StreamMinPort 30000 -# Default: 2048 -#StreamMaxPort 32000 - -# Maximum number of threads running at the same time. -# Default: 10 -#MaxThreads 20 - -# Waiting for data from a client socket will timeout after this time (seconds). -# Default: 120 -#ReadTimeout 300 - -# This option specifies the time (in seconds) after which clamd should -# timeout if a client doesn't provide any initial command after connecting. -# Default: 5 -#CommandReadTimeout 5 - -# This option specifies how long to wait (in miliseconds) if the send buffer is full. -# Keep this value low to prevent clamd hanging -# -# Default: 500 -#SendBufTimeout 200 - -# Maximum number of queued items (including those being processed by MaxThreads threads) -# It is recommended to have this value at least twice MaxThreads if possible. -# WARNING: you shouldn't increase this too much to avoid running out of file descriptors, -# the following condition should hold: -# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024) -# -# Default: 100 -#MaxQueue 200 - -# Waiting for a new job will timeout after this time (seconds). -# Default: 30 -#IdleTimeout 60 - -# Don't scan files and directories matching regex -# This directive can be used multiple times -# Default: scan all -#ExcludePath ^/proc/ -#ExcludePath ^/sys/ - -# Maximum depth directories are scanned at. -# Default: 15 -#MaxDirectoryRecursion 20 - -# Follow directory symlinks. -# Default: no -#FollowDirectorySymlinks yes - -# Follow regular file symlinks. -# Default: no -#FollowFileSymlinks yes - -# Scan files and directories on other filesystems. -# Default: yes -#CrossFilesystems yes - -# Perform a database check. -# Default: 600 (10 min) -#SelfCheck 600 - -# Execute a command when virus is found. In the command string %v will -# be replaced with the virus name. -# Default: no -#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v" - -# Run as another user (clamd must be started by root for this option to work) -# Default: don't drop privileges -User clamav - -# Initialize supplementary group access (clamd must be started by root). -# Default: no -#AllowSupplementaryGroups no - -# Stop daemon when libclamav reports out of memory condition. -#ExitOnOOM yes - -# Don't fork into background. -# Default: no -#Foreground yes - -# Enable debug messages in libclamav. -# Default: no -#Debug yes - -# Do not remove temporary files (for debug purposes). -# Default: no -#LeaveTemporaryFiles yes - -# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject -# any ALLMATCHSCAN command as invalid. -# Default: yes -#AllowAllMatchScan no - -# Detect Possibly Unwanted Applications. -# Default: no -#DetectPUA yes - -# Exclude a specific PUA category. This directive can be used multiple times. -# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for -# the complete list of PUA categories. -# Default: Load all categories (if DetectPUA is activated) -#ExcludePUA NetTool -#ExcludePUA PWTool - -# Only include a specific PUA category. This directive can be used multiple -# times. -# Default: Load all categories (if DetectPUA is activated) -#IncludePUA Spy -#IncludePUA Scanner -#IncludePUA RAT - -# In some cases (eg. complex malware, exploits in graphic files, and others), -# ClamAV uses special algorithms to provide accurate detection. This option -# controls the algorithmic detection. -# Default: yes -#AlgorithmicDetection yes - -# This option causes memory or nested map scans to dump the content to disk. -# If you turn on this option, more data is written to disk and is available -# when the LeaveTemporaryFiles option is enabled. -#ForceToDisk yes - -# This option allows you to disable the caching feature of the engine. By -# default, the engine will store an MD5 in a cache of any files that are -# not flagged as virus or that hit limits checks. Disabling the cache will -# have a negative performance impact on large scans. -# Default: no -#DisableCache yes - -## -## Executable files -## - -# PE stands for Portable Executable - it's an executable file format used -# in all 32 and 64-bit versions of Windows operating systems. This option allows -# ClamAV to perform a deeper analysis of executable files and it's also -# required for decompression of popular executable packers such as UPX, FSG, -# and Petite. If you turn off this option, the original files will still be -# scanned, but without additional processing. -# Default: yes -#ScanPE yes - -# Certain PE files contain an authenticode signature. By default, we check -# the signature chain in the PE file against a database of trusted and -# revoked certificates if the file being scanned is marked as a virus. -# If any certificate in the chain validates against any trusted root, but -# does not match any revoked certificate, the file is marked as whitelisted. -# If the file does match a revoked certificate, the file is marked as virus. -# The following setting completely turns off authenticode verification. -# Default: no -#DisableCertCheck yes - -# Executable and Linking Format is a standard format for UN*X executables. -# This option allows you to control the scanning of ELF files. -# If you turn off this option, the original files will still be scanned, but -# without additional processing. -# Default: yes -#ScanELF yes - -# With this option clamav will try to detect broken executables (both PE and -# ELF) and mark them as Broken.Executable. -# Default: no -#DetectBrokenExecutables yes - - -## -## Documents -## - -# This option enables scanning of OLE2 files, such as Microsoft Office -# documents and .msi files. -# If you turn off this option, the original files will still be scanned, but -# without additional processing. -# Default: yes -#ScanOLE2 yes - -# With this option enabled OLE2 files with VBA macros, which were not -# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros". -# Default: no -#OLE2BlockMacros no - -# This option enables scanning within PDF files. -# If you turn off this option, the original files will still be scanned, but -# without decoding and additional processing. -# Default: yes -#ScanPDF yes - -# This option enables scanning within SWF files. -# If you turn off this option, the original files will still be scanned, but -# without decoding and additional processing. -# Default: yes -#ScanSWF yes - - -## -## Mail files -## - -# Enable internal e-mail scanner. -# If you turn off this option, the original files will still be scanned, but -# without parsing individual messages/attachments. -# Default: yes -#ScanMail yes - -# Scan RFC1341 messages split over many emails. -# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory. -# WARNING: This option may open your system to a DoS attack. -# Never use it on loaded servers. -# Default: no -#ScanPartialMessages yes - -# With this option enabled ClamAV will try to detect phishing attempts by using -# signatures. -# Default: yes -#PhishingSignatures yes - -# Scan URLs found in mails for phishing attempts using heuristics. -# Default: yes -#PhishingScanURLs yes - -# Always block SSL mismatches in URLs, even if the URL isn't in the database. -# This can lead to false positives. -# -# Default: no -#PhishingAlwaysBlockSSLMismatch no - -# Always block cloaked URLs, even if URL isn't in database. -# This can lead to false positives. -# -# Default: no -#PhishingAlwaysBlockCloak no - -# Detect partition intersections in raw disk images using heuristics. -# Default: no -#PartitionIntersection no - -# Allow heuristic match to take precedence. -# When enabled, if a heuristic scan (such as phishingScan) detects -# a possible virus/phish it will stop scan immediately. Recommended, saves CPU -# scan-time. -# When disabled, virus/phish detected by heuristic scans will be reported only at -# the end of a scan. If an archive contains both a heuristically detected -# virus/phish, and a real malware, the real malware will be reported -# -# Keep this disabled if you intend to handle "*.Heuristics.*" viruses -# differently from "real" malware. -# If a non-heuristically-detected virus (signature-based) is found first, -# the scan is interrupted immediately, regardless of this config option. -# -# Default: no -#HeuristicScanPrecedence yes - - -## -## Data Loss Prevention (DLP) -## - -# Enable the DLP module -# Default: No -#StructuredDataDetection yes - -# This option sets the lowest number of Credit Card numbers found in a file -# to generate a detect. -# Default: 3 -#StructuredMinCreditCardCount 5 - -# This option sets the lowest number of Social Security Numbers found -# in a file to generate a detect. -# Default: 3 -#StructuredMinSSNCount 5 - -# With this option enabled the DLP module will search for valid -# SSNs formatted as xxx-yy-zzzz -# Default: yes -#StructuredSSNFormatNormal yes - -# With this option enabled the DLP module will search for valid -# SSNs formatted as xxxyyzzzz -# Default: no -#StructuredSSNFormatStripped yes - - -## -## HTML -## - -# Perform HTML normalisation and decryption of MS Script Encoder code. -# Default: yes -# If you turn off this option, the original files will still be scanned, but -# without additional processing. -#ScanHTML yes - - -## -## Archives -## - -# ClamAV can scan within archives and compressed files. -# If you turn off this option, the original files will still be scanned, but -# without unpacking and additional processing. -# Default: yes -#ScanArchive yes - -# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR). -# Default: no -#ArchiveBlockEncrypted no - - -## -## Limits -## - -# The options below protect your system against Denial of Service attacks -# using archive bombs. - -# This option sets the maximum amount of data to be scanned for each input file. -# Archives and other containers are recursively extracted and scanned up to this -# value. -# Value of 0 disables the limit -# Note: disabling this limit or setting it too high may result in severe damage -# to the system. -# Default: 100M -#MaxScanSize 150M - -# Files larger than this limit won't be scanned. Affects the input file itself -# as well as files contained inside it (when the input file is an archive, a -# document or some other kind of container). -# Value of 0 disables the limit. -# Note: disabling this limit or setting it too high may result in severe damage -# to the system. -# Default: 25M -#MaxFileSize 30M - -# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR -# file, all files within it will also be scanned. This options specifies how -# deeply the process should be continued. -# Note: setting this limit too high may result in severe damage to the system. -# Default: 16 -#MaxRecursion 10 - -# Number of files to be scanned within an archive, a document, or any other -# container file. -# Value of 0 disables the limit. -# Note: disabling this limit or setting it too high may result in severe damage -# to the system. -# Default: 10000 -#MaxFiles 15000 - -# Maximum size of a file to check for embedded PE. Files larger than this value -# will skip the additional analysis step. -# Note: disabling this limit or setting it too high may result in severe damage -# to the system. -# Default: 10M -#MaxEmbeddedPE 10M - -# Maximum size of a HTML file to normalize. HTML files larger than this value -# will not be normalized or scanned. -# Note: disabling this limit or setting it too high may result in severe damage -# to the system. -# Default: 10M -#MaxHTMLNormalize 10M - -# Maximum size of a normalized HTML file to scan. HTML files larger than this -# value after normalization will not be scanned. -# Note: disabling this limit or setting it too high may result in severe damage -# to the system. -# Default: 2M -#MaxHTMLNoTags 2M - -# Maximum size of a script file to normalize. Script content larger than this -# value will not be normalized or scanned. -# Note: disabling this limit or setting it too high may result in severe damage -# to the system. -# Default: 5M -#MaxScriptNormalize 5M - -# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger -# than this value will skip the step to potentially reanalyze as PE. -# Note: disabling this limit or setting it too high may result in severe damage -# to the system. -# Default: 1M -#MaxZipTypeRcg 1M - -# This option sets the maximum number of partitions of a raw disk image to be scanned. -# Raw disk images with more partitions than this value will have up to the value number -# partitions scanned. Negative values are not allowed. -# Note: setting this limit too high may result in severe damage or impact performance. -# Default: 50 -#MaxPartitions 128 - -# This option sets the maximum number of icons within a PE to be scanned. -# PE files with more icons than this value will have up to the value number icons scanned. -# Negative values are not allowed. -# WARNING: setting this limit too high may result in severe damage or impact performance. -# Default: 100 -#MaxIconsPE 200 - -## -## On-access Scan Settings -## - -# Enable on-access scanning. Currently, this is supported via fanotify. -# Clamuko/Dazuko support has been deprecated. -# Default: no -#ScanOnAccess yes - -# Don't scan files larger than OnAccessMaxFileSize -# Value of 0 disables the limit. -# Default: 5M -#OnAccessMaxFileSize 10M - -# Set the include paths (all files inside them will be scanned). You can have -# multiple OnAccessIncludePath directives but each directory must be added -# in a separate line. (On-access scan only) -# Default: disabled -#OnAccessIncludePath /home -#OnAccessIncludePath /students - -# Set the exclude paths. All subdirectories are also excluded. -# (On-access scan only) -# Default: disabled -#OnAccessExcludePath /home/bofh - -# With this option you can whitelist specific UIDs. Processes with these UIDs -# will be able to access all files. -# This option can be used multiple times (one per line). -# Default: disabled -#OnAccessExcludeUID 0 - - -## -## Bytecode -## - -# With this option enabled ClamAV will load bytecode from the database. -# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses. -# Default: yes -#Bytecode yes - -# Set bytecode security level. -# Possible values: -# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS -# This value is only available if clamav was built with --enable-debug! -# TrustSigned - trust bytecode loaded from signed .c[lv]d files, -# insert runtime safety checks for bytecode loaded from other sources -# Paranoid - don't trust any bytecode, insert runtime checks for all -# Recommended: TrustSigned, because bytecode in .cvd files already has these checks -# Note that by default only signed bytecode is loaded, currently you can only -# load unsigned bytecode in --enable-debug mode. -# -# Default: TrustSigned -#BytecodeSecurity TrustSigned - -# Set bytecode timeout in miliseconds. -# -# Default: 5000 -# BytecodeTimeout 1000 - -## -## Statistics gathering and submitting -## - -# Enable statistical reporting. -# Default: no -#StatsEnabled yes - -# Disable submission of individual PE sections for files flagged as malware. -# Default: no -#StatsPEDisabled yes - -# HostID in the form of an UUID to use when submitting statistical information. -# Default: auto -#StatsHostID auto - -# Time in seconds to wait for the stats server to come back with a response -# Default: 10 -#StatsTimeout 10 diff --git a/meta-security/recipes-security/clamav/files/freshclam-native.conf b/meta-security/recipes-security/clamav/files/freshclam-native.conf deleted file mode 100644 index aaa8cf464..000000000 --- a/meta-security/recipes-security/clamav/files/freshclam-native.conf +++ /dev/null @@ -1,224 +0,0 @@ -# Path to the database directory. -# WARNING: It must match clamd.conf's directive! -# Default: hardcoded (depends on installation options) -#DatabaseDirectory /var/lib/clamav - -# Path to the log file (make sure it has proper permissions) -# Default: disabled -#UpdateLogFile /var/log/clamav/freshclam.log - -# Maximum size of the log file. -# Value of 0 disables the limit. -# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) -# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). -# in bytes just don't use modifiers. If LogFileMaxSize is enabled, -# log rotation (the LogRotate option) will always be enabled. -# Default: 1M -LogFileMaxSize 2M - -# Log time with each message. -# Default: no -LogTime yes - -# Enable verbose logging. -# Default: no -#LogVerbose yes - -# Use system logger (can work together with UpdateLogFile). -# Default: no -#LogSyslog yes - -# Specify the type of syslog messages - please refer to 'man syslog' -# for facility names. -# Default: LOG_LOCAL6 -#LogFacility LOG_MAIL - -# Enable log rotation. Always enabled when LogFileMaxSize is enabled. -# Default: no -#LogRotate yes - -# This option allows you to save the process identifier of the daemon -# Default: disabled -#PidFile /var/run/freshclam.pid - -# By default when started freshclam drops privileges and switches to the -# "clamav" user. This directive allows you to change the database owner. -# Default: clamav (may depend on installation options) -DatabaseOwner clamav - -# Initialize supplementary group access (freshclam must be started by root). -# Default: no -#AllowSupplementaryGroups yes - -# Use DNS to verify virus database version. Freshclam uses DNS TXT records -# to verify database and software versions. With this directive you can change -# the database verification domain. -# WARNING: Do not touch it unless you're configuring freshclam to use your -# own database verification domain. -# Default: current.cvd.clamav.net -#DNSDatabaseInfo current.cvd.clamav.net - -# Uncomment the following line and replace XY with your country -# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list. -# You can use db.XY.ipv6.clamav.net for IPv6 connections. -#DatabaseMirror db.XY.clamav.net - -# database.clamav.net is a round-robin record which points to our most -# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is -# not working. DO NOT TOUCH the following line unless you know what you -# are doing. -DatabaseMirror database.clamav.net - -# How many attempts to make before giving up. -# Default: 3 (per mirror) -#MaxAttempts 5 - -# With this option you can control scripted updates. It's highly recommended -# to keep it enabled. -# Default: yes -#ScriptedUpdates yes - -# By default freshclam will keep the local databases (.cld) uncompressed to -# make their handling faster. With this option you can enable the compression; -# the change will take effect with the next database update. -# Default: no -#CompressLocalDatabase no - -# With this option you can provide custom sources (http:// or file://) for -# database files. This option can be used multiple times. -# Default: no custom URLs -#DatabaseCustomURL http://myserver.com/mysigs.ndb -#DatabaseCustomURL file:///mnt/nfs/local.hdb - -# This option allows you to easily point freshclam to private mirrors. -# If PrivateMirror is set, freshclam does not attempt to use DNS -# to determine whether its databases are out-of-date, instead it will -# use the If-Modified-Since request or directly check the headers of the -# remote database files. For each database, freshclam first attempts -# to download the CLD file. If that fails, it tries to download the -# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo -# and ScriptedUpdates. It can be used multiple times to provide -# fall-back mirrors. -# Default: disabled -#PrivateMirror mirror1.mynetwork.com -#PrivateMirror mirror2.mynetwork.com - -# Number of database checks per day. -# Default: 12 (every two hours) -#Checks 24 - -# Proxy settings -# Default: disabled -#HTTPProxyServer myproxy.com -#HTTPProxyPort 1234 -#HTTPProxyUsername myusername -#HTTPProxyPassword mypass - -# If your servers are behind a firewall/proxy which applies User-Agent -# filtering you can use this option to force the use of a different -# User-Agent header. -# Default: clamav/version_number -#HTTPUserAgent SomeUserAgentIdString - -# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for -# multi-homed systems. -# Default: Use OS'es default outgoing IP address. -#LocalIPAddress aaa.bbb.ccc.ddd - -# Send the RELOAD command to clamd. -# Default: no -#NotifyClamd /path/to/clamd.conf - -# Run command after successful database update. -# Default: disabled -#OnUpdateExecute command - -# Run command when database update process fails. -# Default: disabled -#OnErrorExecute command - -# Run command when freshclam reports outdated version. -# In the command string %v will be replaced by the new version number. -# Default: disabled -#OnOutdatedExecute command - -# Don't fork into background. -# Default: no -#Foreground yes - -# Enable debug messages in libclamav. -# Default: no -#Debug yes - -# Timeout in seconds when connecting to database server. -# Default: 30 -#ConnectTimeout 60 - -# Timeout in seconds when reading from database server. -# Default: 30 -#ReceiveTimeout 60 - -# With this option enabled, freshclam will attempt to load new -# databases into memory to make sure they are properly handled -# by libclamav before replacing the old ones. -# Default: yes -#TestDatabases yes - -# When enabled freshclam will submit statistics to the ClamAV Project about -# the latest virus detections in your environment. The ClamAV maintainers -# will then use this data to determine what types of malware are the most -# detected in the field and in what geographic area they are. -# Freshclam will connect to clamd in order to get recent statistics. -# Default: no -#SubmitDetectionStats /path/to/clamd.conf - -# Country of origin of malware/detection statistics (for statistical -# purposes only). The statistics collector at ClamAV.net will look up -# your IP address to determine the geographical origin of the malware -# reported by your installation. If this installation is mainly used to -# scan data which comes from a different location, please enable this -# option and enter a two-letter code (see http://www.iana.org/domains/root/db/) -# of the country of origin. -# Default: disabled -#DetectionStatsCountry country-code - -# This option enables support for our "Personal Statistics" service. -# When this option is enabled, the information on malware detected by -# your clamd installation is made available to you through our website. -# To get your HostID, log on http://www.stats.clamav.net and add a new -# host to your host list. Once you have the HostID, uncomment this option -# and paste the HostID here. As soon as your freshclam starts submitting -# information to our stats collecting service, you will be able to view -# the statistics of this clamd installation by logging into -# http://www.stats.clamav.net with the same credentials you used to -# generate the HostID. For more information refer to: -# http://www.clamav.net/documentation.html#cctts -# This feature requires SubmitDetectionStats to be enabled. -# Default: disabled -#DetectionStatsHostID unique-id - -# This option enables support for Google Safe Browsing. When activated for -# the first time, freshclam will download a new database file (safebrowsing.cvd) -# which will be automatically loaded by clamd and clamscan during the next -# reload, provided that the heuristic phishing detection is turned on. This -# database includes information about websites that may be phishing sites or -# possible sources of malware. When using this option, it's mandatory to run -# freshclam at least every 30 minutes. -# Freshclam uses the ClamAV's mirror infrastructure to distribute the -# database and its updates but all the contents are provided under Google's -# terms of use. See http://www.google.com/transparencyreport/safebrowsing -# and http://www.clamav.net/documentation.html#safebrowsing -# for more information. -# Default: disabled -#SafeBrowsing yes - -# This option enables downloading of bytecode.cvd, which includes additional -# detection mechanisms and improvements to the ClamAV engine. -# Default: enabled -#Bytecode yes - -# Download an additional 3rd party signature database distributed through -# the ClamAV mirrors. -# This option can be used multiple times. -#ExtraDatabase dbname1 -#ExtraDatabase dbname2 diff --git a/meta-security/recipes-security/clamav/files/freshclam.conf b/meta-security/recipes-security/clamav/files/freshclam.conf deleted file mode 100644 index 100724f16..000000000 --- a/meta-security/recipes-security/clamav/files/freshclam.conf +++ /dev/null @@ -1,224 +0,0 @@ -# Path to the database directory. -# WARNING: It must match clamd.conf's directive! -# Default: hardcoded (depends on installation options) -DatabaseDirectory /var/lib/clamav - -# Path to the log file (make sure it has proper permissions) -# Default: disabled -UpdateLogFile /var/log/clamav/freshclam.log - -# Maximum size of the log file. -# Value of 0 disables the limit. -# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes) -# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). -# in bytes just don't use modifiers. If LogFileMaxSize is enabled, -# log rotation (the LogRotate option) will always be enabled. -# Default: 1M -LogFileMaxSize 2M - -# Log time with each message. -# Default: no -LogTime yes - -# Enable verbose logging. -# Default: no -#LogVerbose yes - -# Use system logger (can work together with UpdateLogFile). -# Default: no -#LogSyslog yes - -# Specify the type of syslog messages - please refer to 'man syslog' -# for facility names. -# Default: LOG_LOCAL6 -#LogFacility LOG_MAIL - -# Enable log rotation. Always enabled when LogFileMaxSize is enabled. -# Default: no -#LogRotate yes - -# This option allows you to save the process identifier of the daemon -# Default: disabled -PidFile /var/run/freshclam.pid - -# By default when started freshclam drops privileges and switches to the -# "clamav" user. This directive allows you to change the database owner. -# Default: clamav (may depend on installation options) -DatabaseOwner clamav - -# Initialize supplementary group access (freshclam must be started by root). -# Default: no -#AllowSupplementaryGroups yes - -# Use DNS to verify virus database version. Freshclam uses DNS TXT records -# to verify database and software versions. With this directive you can change -# the database verification domain. -# WARNING: Do not touch it unless you're configuring freshclam to use your -# own database verification domain. -# Default: current.cvd.clamav.net -#DNSDatabaseInfo current.cvd.clamav.net - -# Uncomment the following line and replace XY with your country -# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list. -# You can use db.XY.ipv6.clamav.net for IPv6 connections. -#DatabaseMirror db.XY.clamav.net - -# database.clamav.net is a round-robin record which points to our most -# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is -# not working. DO NOT TOUCH the following line unless you know what you -# are doing. -DatabaseMirror database.clamav.net - -# How many attempts to make before giving up. -# Default: 3 (per mirror) -#MaxAttempts 5 - -# With this option you can control scripted updates. It's highly recommended -# to keep it enabled. -# Default: yes -#ScriptedUpdates yes - -# By default freshclam will keep the local databases (.cld) uncompressed to -# make their handling faster. With this option you can enable the compression; -# the change will take effect with the next database update. -# Default: no -#CompressLocalDatabase no - -# With this option you can provide custom sources (http:// or file://) for -# database files. This option can be used multiple times. -# Default: no custom URLs -#DatabaseCustomURL http://myserver.com/mysigs.ndb -#DatabaseCustomURL file:///mnt/nfs/local.hdb - -# This option allows you to easily point freshclam to private mirrors. -# If PrivateMirror is set, freshclam does not attempt to use DNS -# to determine whether its databases are out-of-date, instead it will -# use the If-Modified-Since request or directly check the headers of the -# remote database files. For each database, freshclam first attempts -# to download the CLD file. If that fails, it tries to download the -# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo -# and ScriptedUpdates. It can be used multiple times to provide -# fall-back mirrors. -# Default: disabled -#PrivateMirror mirror1.mynetwork.com -#PrivateMirror mirror2.mynetwork.com - -# Number of database checks per day. -# Default: 12 (every two hours) -#Checks 24 - -# Proxy settings -# Default: disabled -#HTTPProxyServer myproxy.com -#HTTPProxyPort 1234 -#HTTPProxyUsername myusername -#HTTPProxyPassword mypass - -# If your servers are behind a firewall/proxy which applies User-Agent -# filtering you can use this option to force the use of a different -# User-Agent header. -# Default: clamav/version_number -#HTTPUserAgent SomeUserAgentIdString - -# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for -# multi-homed systems. -# Default: Use OS'es default outgoing IP address. -#LocalIPAddress aaa.bbb.ccc.ddd - -# Send the RELOAD command to clamd. -# Default: no -#NotifyClamd /path/to/clamd.conf - -# Run command after successful database update. -# Default: disabled -#OnUpdateExecute command - -# Run command when database update process fails. -# Default: disabled -#OnErrorExecute command - -# Run command when freshclam reports outdated version. -# In the command string %v will be replaced by the new version number. -# Default: disabled -#OnOutdatedExecute command - -# Don't fork into background. -# Default: no -#Foreground yes - -# Enable debug messages in libclamav. -# Default: no -#Debug yes - -# Timeout in seconds when connecting to database server. -# Default: 30 -#ConnectTimeout 60 - -# Timeout in seconds when reading from database server. -# Default: 30 -#ReceiveTimeout 60 - -# With this option enabled, freshclam will attempt to load new -# databases into memory to make sure they are properly handled -# by libclamav before replacing the old ones. -# Default: yes -#TestDatabases yes - -# When enabled freshclam will submit statistics to the ClamAV Project about -# the latest virus detections in your environment. The ClamAV maintainers -# will then use this data to determine what types of malware are the most -# detected in the field and in what geographic area they are. -# Freshclam will connect to clamd in order to get recent statistics. -# Default: no -#SubmitDetectionStats /path/to/clamd.conf - -# Country of origin of malware/detection statistics (for statistical -# purposes only). The statistics collector at ClamAV.net will look up -# your IP address to determine the geographical origin of the malware -# reported by your installation. If this installation is mainly used to -# scan data which comes from a different location, please enable this -# option and enter a two-letter code (see http://www.iana.org/domains/root/db/) -# of the country of origin. -# Default: disabled -#DetectionStatsCountry country-code - -# This option enables support for our "Personal Statistics" service. -# When this option is enabled, the information on malware detected by -# your clamd installation is made available to you through our website. -# To get your HostID, log on http://www.stats.clamav.net and add a new -# host to your host list. Once you have the HostID, uncomment this option -# and paste the HostID here. As soon as your freshclam starts submitting -# information to our stats collecting service, you will be able to view -# the statistics of this clamd installation by logging into -# http://www.stats.clamav.net with the same credentials you used to -# generate the HostID. For more information refer to: -# http://www.clamav.net/documentation.html#cctts -# This feature requires SubmitDetectionStats to be enabled. -# Default: disabled -#DetectionStatsHostID unique-id - -# This option enables support for Google Safe Browsing. When activated for -# the first time, freshclam will download a new database file (safebrowsing.cvd) -# which will be automatically loaded by clamd and clamscan during the next -# reload, provided that the heuristic phishing detection is turned on. This -# database includes information about websites that may be phishing sites or -# possible sources of malware. When using this option, it's mandatory to run -# freshclam at least every 30 minutes. -# Freshclam uses the ClamAV's mirror infrastructure to distribute the -# database and its updates but all the contents are provided under Google's -# terms of use. See http://www.google.com/transparencyreport/safebrowsing -# and http://www.clamav.net/documentation.html#safebrowsing -# for more information. -# Default: disabled -#SafeBrowsing yes - -# This option enables downloading of bytecode.cvd, which includes additional -# detection mechanisms and improvements to the ClamAV engine. -# Default: enabled -#Bytecode yes - -# Download an additional 3rd party signature database distributed through -# the ClamAV mirrors. -# This option can be used multiple times. -#ExtraDatabase dbname1 -#ExtraDatabase dbname2 diff --git a/meta-security/recipes-security/clamav/files/tmpfiles.clamav b/meta-security/recipes-security/clamav/files/tmpfiles.clamav deleted file mode 100644 index fd5adfeeb..000000000 --- a/meta-security/recipes-security/clamav/files/tmpfiles.clamav +++ /dev/null @@ -1,3 +0,0 @@ -#Type Path Mode UID GID Age Argument -d /var/log/clamav 0755 clamav clamav - -f /var/log/clamav/freshclam.log 0644 clamav clamav - diff --git a/meta-security/recipes-security/clamav/files/volatiles.03_clamav b/meta-security/recipes-security/clamav/files/volatiles.03_clamav deleted file mode 100644 index ee2153cab..000000000 --- a/meta-security/recipes-security/clamav/files/volatiles.03_clamav +++ /dev/null @@ -1,3 +0,0 @@ -# <type> <owner> <group> <mode> <path> <linksource> -d clamav clamav 0755 /var/log/clamav none -f clamav clamav 0655 /var/log/clamav/freshclam.log none diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb index e45ee0ba0..d8cd06f8d 100644 --- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb +++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb @@ -41,7 +41,7 @@ PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss," PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam," do_configure_prepend() { - export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3" + export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3" export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3" export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}" export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils" diff --git a/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch b/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch new file mode 100644 index 000000000..ee872ec41 --- /dev/null +++ b/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch @@ -0,0 +1,2527 @@ +From abaa20435bac7decffa69e6f965aac9ce29aff6a Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Wed, 12 Feb 2020 17:19:15 +0000 +Subject: [PATCH] python3-fail2ban: 2-3 conversion + +Upstream-Status: OE specific. + +fail2ban handles py3 via a 2-3 conversion utility. + +Signed-off-by: Armin Kuster <akuster808@gmail.com> +--- + fail2ban/client/actionreader.py | 4 +- + fail2ban/client/configparserinc.py | 10 +- + fail2ban/client/configreader.py | 4 +- + fail2ban/client/csocket.py | 4 +- + fail2ban/client/fail2banclient.py | 4 +- + fail2ban/client/fail2banregex.py | 20 +- + fail2ban/client/filterreader.py | 2 +- + fail2ban/client/jailreader.py | 4 +- + fail2ban/helpers.py | 15 +- + fail2ban/server/action.py | 19 +- + fail2ban/server/actions.py | 24 +- + fail2ban/server/asyncserver.py | 4 +- + fail2ban/server/banmanager.py | 18 +- + fail2ban/server/database.py | 6 +- + fail2ban/server/failmanager.py | 8 +- + fail2ban/server/failregex.py | 9 +- + fail2ban/server/filter.py | 12 +- + fail2ban/server/filterpoll.py | 2 +- + fail2ban/server/filterpyinotify.py | 6 +- + fail2ban/server/ipdns.py | 16 +- + fail2ban/server/jail.py | 14 +- + fail2ban/server/mytime.py | 2 +- + fail2ban/server/server.py | 18 +- + fail2ban/server/strptime.py | 6 +- + fail2ban/server/ticket.py | 14 +- + fail2ban/server/transmitter.py | 2 +- + fail2ban/server/utils.py | 6 +- + fail2ban/tests/action_d/test_badips.py | 2 +- + fail2ban/tests/actiontestcase.py | 4 +- + fail2ban/tests/clientreadertestcase.py | 4 +- + fail2ban/tests/databasetestcase.py | 16 +- + fail2ban/tests/datedetectortestcase.py | 6 +- + fail2ban/tests/fail2banclienttestcase.py | 8 +- + fail2ban/tests/failmanagertestcase.py | 10 +- + .../tests/files/config/apache-auth/digest.py | 20 +- + fail2ban/tests/filtertestcase.py | 92 ++--- + fail2ban/tests/misctestcase.py | 22 +- + fail2ban/tests/observertestcase.py | 34 +- + fail2ban/tests/samplestestcase.py | 8 +- + fail2ban/tests/servertestcase.py | 28 +- + fail2ban/tests/sockettestcase.py | 2 +- + fail2ban/tests/utils.py | 22 +- + setup.py | 326 ------------------ + 43 files changed, 264 insertions(+), 593 deletions(-) + delete mode 100755 setup.py + +diff --git a/fail2ban/client/actionreader.py b/fail2ban/client/actionreader.py +index 80617a50..ecf323c5 100644 +--- a/fail2ban/client/actionreader.py ++++ b/fail2ban/client/actionreader.py +@@ -90,11 +90,11 @@ class ActionReader(DefinitionInitConfigReader): + stream = list() + stream.append(head + ["addaction", self._name]) + multi = [] +- for opt, optval in opts.iteritems(): ++ for opt, optval in opts.items(): + if opt in self._configOpts and not opt.startswith('known/'): + multi.append([opt, optval]) + if self._initOpts: +- for opt, optval in self._initOpts.iteritems(): ++ for opt, optval in self._initOpts.items(): + if opt not in self._configOpts and not opt.startswith('known/'): + multi.append([opt, optval]) + if len(multi) > 1: +diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py +index e0f39579..45c77437 100644 +--- a/fail2ban/client/configparserinc.py ++++ b/fail2ban/client/configparserinc.py +@@ -62,7 +62,7 @@ if sys.version_info >= (3,2): + parser, option, accum, rest, section, map, *args, **kwargs) + + else: # pragma: no cover +- from ConfigParser import SafeConfigParser, \ ++ from configparser import SafeConfigParser, \ + InterpolationMissingOptionError, NoOptionError, NoSectionError + + # Interpolate missing known/option as option from default section +@@ -327,7 +327,7 @@ after = 1.conf + # mix it with defaults: + return set(opts.keys()) | set(self._defaults) + # only own option names: +- return opts.keys() ++ return list(opts.keys()) + + def read(self, filenames, get_includes=True): + if not isinstance(filenames, list): +@@ -356,7 +356,7 @@ after = 1.conf + ret += i + # merge defaults and all sections to self: + alld.update(cfg.get_defaults()) +- for n, s in cfg.get_sections().iteritems(): ++ for n, s in cfg.get_sections().items(): + # conditional sections + cond = SafeConfigParserWithIncludes.CONDITIONAL_RE.match(n) + if cond: +@@ -366,7 +366,7 @@ after = 1.conf + del(s['__name__']) + except KeyError: + pass +- for k in s.keys(): ++ for k in list(s.keys()): + v = s.pop(k) + s[k + cond] = v + s2 = alls.get(n) +@@ -399,7 +399,7 @@ after = 1.conf + sec.update(options) + return + sk = {} +- for k, v in options.iteritems(): ++ for k, v in options.items(): + if not k.startswith(pref) and k != '__name__': + sk[pref+k] = v + sec.update(sk) +diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py +index 20709b72..b5167409 100644 +--- a/fail2ban/client/configreader.py ++++ b/fail2ban/client/configreader.py +@@ -26,7 +26,7 @@ __license__ = "GPL" + + import glob + import os +-from ConfigParser import NoOptionError, NoSectionError ++from configparser import NoOptionError, NoSectionError + + from .configparserinc import sys, SafeConfigParserWithIncludes, logLevel + from ..helpers import getLogger, _as_bool, _merge_dicts, substituteRecursiveTags +@@ -197,7 +197,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes): + config_files += sorted(glob.glob('%s/*.local' % config_dir)) + + # choose only existing ones +- config_files = filter(os.path.exists, config_files) ++ config_files = list(filter(os.path.exists, config_files)) + + if len(config_files): + # at least one config exists and accessible +diff --git a/fail2ban/client/csocket.py b/fail2ban/client/csocket.py +index ab3e294b..9417cde9 100644 +--- a/fail2ban/client/csocket.py ++++ b/fail2ban/client/csocket.py +@@ -47,7 +47,7 @@ class CSocket: + + def send(self, msg, nonblocking=False, timeout=None): + # Convert every list member to string +- obj = dumps(map(CSocket.convert, msg), HIGHEST_PROTOCOL) ++ obj = dumps(list(map(CSocket.convert, msg)), HIGHEST_PROTOCOL) + self.__csock.send(obj + CSPROTO.END) + return self.receive(self.__csock, nonblocking, timeout) + +@@ -71,7 +71,7 @@ class CSocket: + @staticmethod + def convert(m): + """Convert every "unexpected" member of message to string""" +- if isinstance(m, (basestring, bool, int, float, list, dict, set)): ++ if isinstance(m, (str, bool, int, float, list, dict, set)): + return m + else: # pragma: no cover + return str(m) +diff --git a/fail2ban/client/fail2banclient.py b/fail2ban/client/fail2banclient.py +index 7c90ca40..7eb11684 100755 +--- a/fail2ban/client/fail2banclient.py ++++ b/fail2ban/client/fail2banclient.py +@@ -45,7 +45,7 @@ def _thread_name(): + return threading.current_thread().__class__.__name__ + + def input_command(): # pragma: no cover +- return raw_input(PROMPT) ++ return input(PROMPT) + + ## + # +@@ -444,7 +444,7 @@ class Fail2banClient(Fail2banCmdLine, Thread): + return False + finally: + self._alive = False +- for s, sh in _prev_signals.iteritems(): ++ for s, sh in _prev_signals.items(): + signal.signal(s, sh) + + +diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py +index 513b765d..4a71b3c0 100644 +--- a/fail2ban/client/fail2banregex.py ++++ b/fail2ban/client/fail2banregex.py +@@ -41,10 +41,10 @@ import shlex + import sys + import time + import time +-import urllib ++import urllib.request, urllib.parse, urllib.error + from optparse import OptionParser, Option + +-from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError ++from configparser import NoOptionError, NoSectionError, MissingSectionHeaderError + + try: # pragma: no cover + from ..server.filtersystemd import FilterSystemd +@@ -68,7 +68,7 @@ def debuggexURL(sample, regex, multiline=False, useDns="yes"): + 'flavor': 'python' + } + if multiline: args['flags'] = 'm' +- return 'https://www.debuggex.com/?' + urllib.urlencode(args) ++ return 'https://www.debuggex.com/?' + urllib.parse.urlencode(args) + + def output(args): # pragma: no cover (overriden in test-cases) + print(args) +@@ -244,7 +244,7 @@ class Fail2banRegex(object): + + def __init__(self, opts): + # set local protected members from given options: +- self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.iteritems())) ++ self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.items())) + self._opts = opts + self._maxlines_set = False # so we allow to override maxlines in cmdline + self._datepattern_set = False +@@ -304,7 +304,7 @@ class Fail2banRegex(object): + realopts = {} + combopts = reader.getCombined() + # output all options that are specified in filter-argument as well as some special (mostly interested): +- for k in ['logtype', 'datepattern'] + fltOpt.keys(): ++ for k in ['logtype', 'datepattern'] + list(fltOpt.keys()): + # combined options win, but they contain only a sub-set in filter expected keys, + # so get the rest from definition section: + try: +@@ -424,7 +424,7 @@ class Fail2banRegex(object): + self.output( "Use %11s line : %s" % (regex, shortstr(value)) ) + regex_values = {regextype: [RegexStat(value)]} + +- for regextype, regex_values in regex_values.iteritems(): ++ for regextype, regex_values in regex_values.items(): + regex = regextype + 'regex' + setattr(self, "_" + regex, regex_values) + for regex in regex_values: +@@ -523,10 +523,10 @@ class Fail2banRegex(object): + output(ret[1]) + elif self._opts.out == 'msg': + for ret in ret: +- output('\n'.join(map(lambda v:''.join(v for v in v), ret[3].get('matches')))) ++ output('\n'.join([''.join(v for v in v) for v in ret[3].get('matches')])) + elif self._opts.out == 'row': + for ret in ret: +- output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].iteritems() if k != 'matches'))) ++ output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].items() if k != 'matches'))) + else: + for ret in ret: + output(ret[3].get(self._opts.out)) +@@ -565,9 +565,9 @@ class Fail2banRegex(object): + ans = [[]] + for arg in [l, regexlist]: + ans = [ x + [y] for x in ans for y in arg ] +- b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' + ++ b = [a[0] + ' | ' + a[1].getFailRegex() + ' | ' + + debuggexURL(self.encode_line(a[0]), a[1].getFailRegex(), +- multiline, self._opts.usedns), ans) ++ multiline, self._opts.usedns) for a in ans] + pprint_list([x.rstrip() for x in b], header) + else: + output( "%s too many to print. Use --print-all-%s " \ +diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py +index 413f125e..4f0cc4cf 100644 +--- a/fail2ban/client/filterreader.py ++++ b/fail2ban/client/filterreader.py +@@ -71,7 +71,7 @@ class FilterReader(DefinitionInitConfigReader): + @staticmethod + def _fillStream(stream, opts, jailName): + prio0idx = 0 +- for opt, value in opts.iteritems(): ++ for opt, value in opts.items(): + if opt in ("failregex", "ignoreregex"): + if value is None: continue + multi = [] +diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py +index 50c1d047..969d0bc0 100644 +--- a/fail2ban/client/jailreader.py ++++ b/fail2ban/client/jailreader.py +@@ -117,7 +117,7 @@ class JailReader(ConfigReader): + } + _configOpts.update(FilterReader._configOpts) + +- _ignoreOpts = set(['action', 'filter', 'enabled'] + FilterReader._configOpts.keys()) ++ _ignoreOpts = set(['action', 'filter', 'enabled'] + list(FilterReader._configOpts.keys())) + + def getOptions(self): + +@@ -236,7 +236,7 @@ class JailReader(ConfigReader): + stream.extend(self.__filter.convert()) + # and using options from jail: + FilterReader._fillStream(stream, self.__opts, self.__name) +- for opt, value in self.__opts.iteritems(): ++ for opt, value in self.__opts.items(): + if opt == "logpath": + if self.__opts.get('backend', '').startswith("systemd"): continue + found_files = 0 +diff --git a/fail2ban/helpers.py b/fail2ban/helpers.py +index 6f2bcdd7..7e563696 100644 +--- a/fail2ban/helpers.py ++++ b/fail2ban/helpers.py +@@ -31,6 +31,7 @@ import traceback + from threading import Lock + + from .server.mytime import MyTime ++import importlib + + try: + import ctypes +@@ -63,7 +64,7 @@ if sys.version_info < (3,): # pragma: 3.x no cover + from imp import load_dynamic as __ldm + _sys = __ldm('_sys', 'sys') + except ImportError: # pragma: no cover - only if load_dynamic fails +- reload(sys) ++ importlib.reload(sys) + _sys = sys + if hasattr(_sys, "setdefaultencoding"): + _sys.setdefaultencoding(encoding) +@@ -101,7 +102,7 @@ if sys.version_info >= (3,): # pragma: 2.x no cover + else: # pragma: 3.x no cover + def uni_decode(x, enc=PREFER_ENC, errors='strict'): + try: +- if isinstance(x, unicode): ++ if isinstance(x, str): + return x.encode(enc, errors) + return x + except (UnicodeDecodeError, UnicodeEncodeError): # pragma: no cover - unsure if reachable +@@ -110,7 +111,7 @@ else: # pragma: 3.x no cover + return x.encode(enc, 'replace') + if sys.getdefaultencoding().upper() != 'UTF-8': # pragma: no cover - utf-8 is default encoding now + def uni_string(x): +- if not isinstance(x, unicode): ++ if not isinstance(x, str): + return str(x) + return x.encode(PREFER_ENC, 'replace') + else: +@@ -118,7 +119,7 @@ else: # pragma: 3.x no cover + + + def _as_bool(val): +- return bool(val) if not isinstance(val, basestring) \ ++ return bool(val) if not isinstance(val, str) \ + else val.lower() in ('1', 'on', 'true', 'yes') + + +@@ -326,7 +327,7 @@ def splitwords(s): + """ + if not s: + return [] +- return filter(bool, map(lambda v: v.strip(), re.split('[ ,\n]+', s))) ++ return list(filter(bool, [v.strip() for v in re.split('[ ,\n]+', s)])) + + if sys.version_info >= (3,5): + eval(compile(r'''if 1: +@@ -436,7 +437,7 @@ def substituteRecursiveTags(inptags, conditional='', + while True: + repFlag = False + # substitute each value: +- for tag in tags.iterkeys(): ++ for tag in tags.keys(): + # ignore escaped or already done (or in ignore list): + if tag in ignore or tag in done: continue + # ignore replacing callable items from calling map - should be converted on demand only (by get): +@@ -476,7 +477,7 @@ def substituteRecursiveTags(inptags, conditional='', + m = tre_search(value, m.end()) + continue + # if calling map - be sure we've string: +- if not isinstance(repl, basestring): repl = uni_string(repl) ++ if not isinstance(repl, str): repl = uni_string(repl) + value = value.replace('<%s>' % rtag, repl) + #logSys.log(5, 'value now: %s' % value) + # increment reference count: +diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py +index 5c817fc0..81d50689 100644 +--- a/fail2ban/server/action.py ++++ b/fail2ban/server/action.py +@@ -111,9 +111,9 @@ class CallingMap(MutableMapping, object): + def _asdict(self, calculated=False, checker=None): + d = dict(self.data, **self.storage) + if not calculated: +- return dict((n,v) for n,v in d.iteritems() \ ++ return dict((n,v) for n,v in d.items() \ + if not callable(v) or n in self.CM_REPR_ITEMS) +- for n,v in d.items(): ++ for n,v in list(d.items()): + if callable(v): + try: + # calculate: +@@ -179,7 +179,7 @@ class CallingMap(MutableMapping, object): + return self.__class__(_merge_copy_dicts(self.data, self.storage)) + + +-class ActionBase(object): ++class ActionBase(object, metaclass=ABCMeta): + """An abstract base class for actions in Fail2Ban. + + Action Base is a base definition of what methods need to be in +@@ -209,7 +209,6 @@ class ActionBase(object): + Any additional arguments specified in `jail.conf` or passed + via `fail2ban-client` will be passed as keyword arguments. + """ +- __metaclass__ = ABCMeta + + @classmethod + def __subclasshook__(cls, C): +@@ -420,7 +419,7 @@ class CommandAction(ActionBase): + if not callable(family): # pragma: no cover + return self.__substCache.get(key, {}).get(family) + # family as expression - use it to filter values: +- return [v for f, v in self.__substCache.get(key, {}).iteritems() if family(f)] ++ return [v for f, v in self.__substCache.get(key, {}).items() if family(f)] + cmd = args[0] + if cmd: # set: + try: +@@ -432,7 +431,7 @@ class CommandAction(ActionBase): + try: + famd = self.__substCache[key] + cmd = famd.pop(family) +- for family, v in famd.items(): ++ for family, v in list(famd.items()): + if v == cmd: + del famd[family] + except KeyError: # pragma: no cover +@@ -448,7 +447,7 @@ class CommandAction(ActionBase): + res = True + err = 'Script error' + if not family: # all started: +- family = [famoper for (famoper,v) in self.__started.iteritems() if v] ++ family = [famoper for (famoper,v) in self.__started.items() if v] + for famoper in family: + try: + cmd = self._getOperation(tag, famoper) +@@ -617,7 +616,7 @@ class CommandAction(ActionBase): + and executes the resulting command. + """ + # collect started families, may be started on demand (conditional): +- family = [f for (f,v) in self.__started.iteritems() if v & 3 == 3]; # started and contains items ++ family = [f for (f,v) in self.__started.items() if v & 3 == 3]; # started and contains items + # if nothing contains items: + if not family: return True + # flush: +@@ -642,7 +641,7 @@ class CommandAction(ActionBase): + """ + # collect started families, if started on demand (conditional): + if family is None: +- family = [f for (f,v) in self.__started.iteritems() if v] ++ family = [f for (f,v) in self.__started.items() if v] + # if no started (on demand) actions: + if not family: return True + self.__started = {} +@@ -676,7 +675,7 @@ class CommandAction(ActionBase): + ret = True + # for each started family: + if self.actioncheck: +- for (family, started) in self.__started.items(): ++ for (family, started) in list(self.__started.items()): + if started and not self._invariantCheck(family, beforeRepair): + # reset started flag and command of executed operation: + self.__started[family] = 0 +diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py +index 24fea838..94b9c3ed 100644 +--- a/fail2ban/server/actions.py ++++ b/fail2ban/server/actions.py +@@ -156,11 +156,11 @@ class Actions(JailThread, Mapping): + else: + if hasattr(self, '_reload_actions'): + # reload actions after all parameters set via stream: +- for name, initOpts in self._reload_actions.iteritems(): ++ for name, initOpts in self._reload_actions.items(): + if name in self._actions: + self._actions[name].reload(**(initOpts if initOpts else {})) + # remove obsolete actions (untouched by reload process): +- delacts = OrderedDict((name, action) for name, action in self._actions.iteritems() ++ delacts = OrderedDict((name, action) for name, action in self._actions.items() + if name not in self._reload_actions) + if len(delacts): + # unban all tickets using removed actions only: +@@ -289,7 +289,7 @@ class Actions(JailThread, Mapping): + """ + if actions is None: + actions = self._actions +- revactions = actions.items() ++ revactions = list(actions.items()) + revactions.reverse() + for name, action in revactions: + try: +@@ -314,7 +314,7 @@ class Actions(JailThread, Mapping): + True when the thread exits nicely. + """ + cnt = 0 +- for name, action in self._actions.iteritems(): ++ for name, action in self._actions.items(): + try: + action.start() + except Exception as e: +@@ -474,7 +474,7 @@ class Actions(JailThread, Mapping): + Observers.Main.add('banFound', bTicket, self._jail, btime) + logSys.notice("[%s] %sBan %s", self._jail.name, ('' if not bTicket.restored else 'Restore '), ip) + # do actions : +- for name, action in self._actions.iteritems(): ++ for name, action in self._actions.items(): + try: + if ticket.restored and getattr(action, 'norestored', False): + continue +@@ -511,13 +511,13 @@ class Actions(JailThread, Mapping): + if bTicket.banEpoch == self.banEpoch and diftm > 3: + # avoid too often checks: + if not rebanacts and MyTime.time() > self.__lastConsistencyCheckTM + 3: +- for action in self._actions.itervalues(): ++ for action in self._actions.values(): + action.consistencyCheck() + self.__lastConsistencyCheckTM = MyTime.time() + # check epoch in order to reban it: + if bTicket.banEpoch < self.banEpoch: + if not rebanacts: rebanacts = dict( +- (name, action) for name, action in self._actions.iteritems() ++ (name, action) for name, action in self._actions.items() + if action.banEpoch > bTicket.banEpoch) + cnt += self.__reBan(bTicket, actions=rebanacts) + else: # pragma: no cover - unexpected: ticket is not banned for some reasons - reban using all actions: +@@ -542,8 +542,8 @@ class Actions(JailThread, Mapping): + ip = ticket.getIP() + aInfo = self.__getActionInfo(ticket) + if log: +- logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % actions.keys()[0] if len(actions) == 1 else '')) +- for name, action in actions.iteritems(): ++ logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % list(actions.keys())[0] if len(actions) == 1 else '')) ++ for name, action in actions.items(): + try: + logSys.debug("[%s] action %r: reban %s", self._jail.name, name, ip) + if not aInfo.immutable: aInfo.reset() +@@ -567,7 +567,7 @@ class Actions(JailThread, Mapping): + if not self.__banManager._inBanList(ticket): return + # do actions : + aInfo = None +- for name, action in self._actions.iteritems(): ++ for name, action in self._actions.items(): + try: + if ticket.restored and getattr(action, 'norestored', False): + continue +@@ -616,7 +616,7 @@ class Actions(JailThread, Mapping): + cnt = 0 + # first we'll execute flush for actions supporting this operation: + unbactions = {} +- for name, action in (actions if actions is not None else self._actions).iteritems(): ++ for name, action in (actions if actions is not None else self._actions).items(): + try: + if hasattr(action, 'flush') and (not isinstance(action, CommandAction) or action.actionflush): + logSys.notice("[%s] Flush ticket(s) with %s", self._jail.name, name) +@@ -671,7 +671,7 @@ class Actions(JailThread, Mapping): + aInfo = self.__getActionInfo(ticket) + if log: + logSys.notice("[%s] Unban %s", self._jail.name, aInfo["ip"]) +- for name, action in unbactions.iteritems(): ++ for name, action in unbactions.items(): + try: + logSys.debug("[%s] action %r: unban %s", self._jail.name, name, ip) + if not aInfo.immutable: aInfo.reset() +diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py +index e3400737..f5f9740b 100644 +--- a/fail2ban/server/asyncserver.py ++++ b/fail2ban/server/asyncserver.py +@@ -178,7 +178,7 @@ def loop(active, timeout=None, use_poll=False, err_count=None): + elif err_count['listen'] > 100: # pragma: no cover - normally unreachable + if ( + e.args[0] == errno.EMFILE # [Errno 24] Too many open files +- or sum(err_count.itervalues()) > 1000 ++ or sum(err_count.values()) > 1000 + ): + logSys.critical("Too many errors - critical count reached %r", err_count) + break +@@ -220,7 +220,7 @@ class AsyncServer(asyncore.dispatcher): + elif self.__errCount['accept'] > 100: + if ( + (isinstance(e, socket.error) and e.args[0] == errno.EMFILE) # [Errno 24] Too many open files +- or sum(self.__errCount.itervalues()) > 1000 ++ or sum(self.__errCount.values()) > 1000 + ): + logSys.critical("Too many errors - critical count reached %r", self.__errCount) + self.stop() +diff --git a/fail2ban/server/banmanager.py b/fail2ban/server/banmanager.py +index 5770bfd7..9bb44971 100644 +--- a/fail2ban/server/banmanager.py ++++ b/fail2ban/server/banmanager.py +@@ -105,9 +105,9 @@ class BanManager: + def getBanList(self, ordered=False, withTime=False): + with self.__lock: + if not ordered: +- return self.__banList.keys() ++ return list(self.__banList.keys()) + lst = [] +- for ticket in self.__banList.itervalues(): ++ for ticket in self.__banList.values(): + eob = ticket.getEndOfBanTime(self.__banTime) + lst.append((ticket,eob)) + lst.sort(key=lambda t: t[1]) +@@ -126,7 +126,7 @@ class BanManager: + + def __iter__(self): + with self.__lock: +- return self.__banList.itervalues() ++ return iter(self.__banList.values()) + + ## + # Returns normalized value +@@ -165,7 +165,7 @@ class BanManager: + return return_dict + # get ips in lock: + with self.__lock: +- banIPs = [banData.getIP() for banData in self.__banList.values()] ++ banIPs = [banData.getIP() for banData in list(self.__banList.values())] + # get cymru info: + try: + for ip in banIPs: +@@ -341,7 +341,7 @@ class BanManager: + # Gets the list of ticket to remove (thereby correct next unban time). + unBanList = {} + nextUnbanTime = BanTicket.MAX_TIME +- for fid,ticket in self.__banList.iteritems(): ++ for fid,ticket in self.__banList.items(): + # current time greater as end of ban - timed out: + eob = ticket.getEndOfBanTime(self.__banTime) + if time > eob: +@@ -357,15 +357,15 @@ class BanManager: + if len(unBanList): + if len(unBanList) / 2.0 <= len(self.__banList) / 3.0: + # few as 2/3 should be removed - remove particular items: +- for fid in unBanList.iterkeys(): ++ for fid in unBanList.keys(): + del self.__banList[fid] + else: + # create new dictionary without items to be deleted: +- self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.iteritems() \ ++ self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.items() \ + if fid not in unBanList) + + # return list of tickets: +- return unBanList.values() ++ return list(unBanList.values()) + + ## + # Flush the ban list. +@@ -375,7 +375,7 @@ class BanManager: + + def flushBanList(self): + with self.__lock: +- uBList = self.__banList.values() ++ uBList = list(self.__banList.values()) + self.__banList = dict() + return uBList + +diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py +index ed736a7a..0e8c9aec 100644 +--- a/fail2ban/server/database.py ++++ b/fail2ban/server/database.py +@@ -67,13 +67,13 @@ if sys.version_info >= (3,): # pragma: 2.x no cover + else: # pragma: 3.x no cover + def _normalize(x): + if isinstance(x, dict): +- return dict((_normalize(k), _normalize(v)) for k, v in x.iteritems()) ++ return dict((_normalize(k), _normalize(v)) for k, v in x.items()) + elif isinstance(x, (list, set)): + return [_normalize(element) for element in x] +- elif isinstance(x, unicode): ++ elif isinstance(x, str): + # in 2.x default text_factory is unicode - so return proper unicode here: + return x.encode(PREFER_ENC, 'replace').decode(PREFER_ENC) +- elif isinstance(x, basestring): ++ elif isinstance(x, str): + return x.decode(PREFER_ENC, 'replace') + return x + +diff --git a/fail2ban/server/failmanager.py b/fail2ban/server/failmanager.py +index 93c028fb..a9c6b5f6 100644 +--- a/fail2ban/server/failmanager.py ++++ b/fail2ban/server/failmanager.py +@@ -57,7 +57,7 @@ class FailManager: + def getFailCount(self): + # may be slow on large list of failures, should be used for test purposes only... + with self.__lock: +- return len(self.__failList), sum([f.getRetry() for f in self.__failList.values()]) ++ return len(self.__failList), sum([f.getRetry() for f in list(self.__failList.values())]) + + def getFailTotal(self): + with self.__lock: +@@ -125,7 +125,7 @@ class FailManager: + # in case of having many active failures, it should be ran only + # if debug level is "low" enough + failures_summary = ', '.join(['%s:%d' % (k, v.getRetry()) +- for k,v in self.__failList.iteritems()]) ++ for k,v in self.__failList.items()]) + logSys.log(logLevel, "Total # of detected failures: %d. Current failures from %d IPs (IP:count): %s" + % (self.__failTotal, len(self.__failList), failures_summary)) + +@@ -138,7 +138,7 @@ class FailManager: + + def cleanup(self, time): + with self.__lock: +- todelete = [fid for fid,item in self.__failList.iteritems() \ ++ todelete = [fid for fid,item in self.__failList.items() \ + if item.getLastTime() + self.__maxTime <= time] + if len(todelete) == len(self.__failList): + # remove all: +@@ -152,7 +152,7 @@ class FailManager: + del self.__failList[fid] + else: + # create new dictionary without items to be deleted: +- self.__failList = dict((fid,item) for fid,item in self.__failList.iteritems() \ ++ self.__failList = dict((fid,item) for fid,item in self.__failList.items() \ + if item.getLastTime() + self.__maxTime > time) + self.__bgSvc.service() + +diff --git a/fail2ban/server/failregex.py b/fail2ban/server/failregex.py +index f7dafbef..fb75187d 100644 +--- a/fail2ban/server/failregex.py ++++ b/fail2ban/server/failregex.py +@@ -128,10 +128,7 @@ class Regex: + self._regexObj = re.compile(regex, re.MULTILINE if multiline else 0) + self._regex = regex + self._altValues = {} +- for k in filter( +- lambda k: len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE), +- self._regexObj.groupindex +- ): ++ for k in [k for k in self._regexObj.groupindex if len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE)]: + n = ALTNAME_CRE.match(k).group(1) + self._altValues[k] = n + self._altValues = list(self._altValues.items()) if len(self._altValues) else None +@@ -211,7 +208,7 @@ class Regex: + # + @staticmethod + def _tupleLinesBuf(tupleLines): +- return "\n".join(map(lambda v: "".join(v[::2]), tupleLines)) + "\n" ++ return "\n".join(["".join(v[::2]) for v in tupleLines]) + "\n" + + ## + # Searches the regular expression. +@@ -223,7 +220,7 @@ class Regex: + + def search(self, tupleLines, orgLines=None): + buf = tupleLines +- if not isinstance(tupleLines, basestring): ++ if not isinstance(tupleLines, str): + buf = Regex._tupleLinesBuf(tupleLines) + self._matchCache = self._regexObj.search(buf) + if self._matchCache: +diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py +index 998fe298..d181fd38 100644 +--- a/fail2ban/server/filter.py ++++ b/fail2ban/server/filter.py +@@ -292,7 +292,7 @@ class Filter(JailThread): + dd = DateDetector() + dd.default_tz = self.__logtimezone + if not isinstance(pattern, (list, tuple)): +- pattern = filter(bool, map(str.strip, re.split('\n+', pattern))) ++ pattern = list(filter(bool, list(map(str.strip, re.split('\n+', pattern))))) + for pattern in pattern: + dd.appendTemplate(pattern) + self.dateDetector = dd +@@ -987,7 +987,7 @@ class FileFilter(Filter): + # @return log paths + + def getLogPaths(self): +- return self.__logs.keys() ++ return list(self.__logs.keys()) + + ## + # Get the log containers +@@ -995,7 +995,7 @@ class FileFilter(Filter): + # @return log containers + + def getLogs(self): +- return self.__logs.values() ++ return list(self.__logs.values()) + + ## + # Get the count of log containers +@@ -1021,7 +1021,7 @@ class FileFilter(Filter): + + def setLogEncoding(self, encoding): + encoding = super(FileFilter, self).setLogEncoding(encoding) +- for log in self.__logs.itervalues(): ++ for log in self.__logs.values(): + log.setEncoding(encoding) + + def getLog(self, path): +@@ -1183,7 +1183,7 @@ class FileFilter(Filter): + """Status of Filter plus files being monitored. + """ + ret = super(FileFilter, self).status(flavor=flavor) +- path = self.__logs.keys() ++ path = list(self.__logs.keys()) + ret.append(("File list", path)) + return ret + +@@ -1191,7 +1191,7 @@ class FileFilter(Filter): + """Stop monitoring of log-file(s) + """ + # stop files monitoring: +- for path in self.__logs.keys(): ++ for path in list(self.__logs.keys()): + self.delLogPath(path) + # stop thread: + super(Filter, self).stop() +diff --git a/fail2ban/server/filterpoll.py b/fail2ban/server/filterpoll.py +index 228a2c8b..d49315cc 100644 +--- a/fail2ban/server/filterpoll.py ++++ b/fail2ban/server/filterpoll.py +@@ -176,4 +176,4 @@ class FilterPoll(FileFilter): + return False + + def getPendingPaths(self): +- return self.__file404Cnt.keys() ++ return list(self.__file404Cnt.keys()) +diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py +index ca6b253f..b683b860 100644 +--- a/fail2ban/server/filterpyinotify.py ++++ b/fail2ban/server/filterpyinotify.py +@@ -158,7 +158,7 @@ class FilterPyinotify(FileFilter): + except KeyError: pass + + def getPendingPaths(self): +- return self.__pending.keys() ++ return list(self.__pending.keys()) + + def _checkPending(self): + if not self.__pending: +@@ -168,7 +168,7 @@ class FilterPyinotify(FileFilter): + return + found = {} + minTime = 60 +- for path, (retardTM, isDir) in self.__pending.iteritems(): ++ for path, (retardTM, isDir) in self.__pending.items(): + if ntm - self.__pendingChkTime < retardTM: + if minTime > retardTM: minTime = retardTM + continue +@@ -184,7 +184,7 @@ class FilterPyinotify(FileFilter): + self.__pendingChkTime = time.time() + self.__pendingMinTime = minTime + # process now because we've missed it in monitoring: +- for path, isDir in found.iteritems(): ++ for path, isDir in found.items(): + self._delPending(path) + # refresh monitoring of this: + self._refreshWatcher(path, isDir=isDir) +diff --git a/fail2ban/server/ipdns.py b/fail2ban/server/ipdns.py +index 6648dac6..fe8f8db8 100644 +--- a/fail2ban/server/ipdns.py ++++ b/fail2ban/server/ipdns.py +@@ -275,7 +275,7 @@ class IPAddr(object): + raise ValueError("invalid ipstr %r, too many plen representation" % (ipstr,)) + if "." in s[1] or ":" in s[1]: # 255.255.255.0 resp. ffff:: style mask + s[1] = IPAddr.masktoplen(s[1]) +- s[1] = long(s[1]) ++ s[1] = int(s[1]) + return s + + def __init(self, ipstr, cidr=CIDR_UNSPEC): +@@ -309,7 +309,7 @@ class IPAddr(object): + + # mask out host portion if prefix length is supplied + if cidr is not None and cidr >= 0: +- mask = ~(0xFFFFFFFFL >> cidr) ++ mask = ~(0xFFFFFFFF >> cidr) + self._addr &= mask + self._plen = cidr + +@@ -321,13 +321,13 @@ class IPAddr(object): + + # mask out host portion if prefix length is supplied + if cidr is not None and cidr >= 0: +- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> cidr) ++ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> cidr) + self._addr &= mask + self._plen = cidr + + # if IPv6 address is a IPv4-compatible, make instance a IPv4 + elif self.isInNet(IPAddr.IP6_4COMPAT): +- self._addr = lo & 0xFFFFFFFFL ++ self._addr = lo & 0xFFFFFFFF + self._family = socket.AF_INET + self._plen = 32 + else: +@@ -445,7 +445,7 @@ class IPAddr(object): + elif self.isIPv6: + # convert network to host byte order + hi = self._addr >> 64 +- lo = self._addr & 0xFFFFFFFFFFFFFFFFL ++ lo = self._addr & 0xFFFFFFFFFFFFFFFF + binary = struct.pack("!QQ", hi, lo) + if self._plen and self._plen < 128: + add = "/%d" % self._plen +@@ -503,9 +503,9 @@ class IPAddr(object): + if self.family != net.family: + return False + if self.isIPv4: +- mask = ~(0xFFFFFFFFL >> net.plen) ++ mask = ~(0xFFFFFFFF >> net.plen) + elif self.isIPv6: +- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> net.plen) ++ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> net.plen) + else: + return False + +@@ -517,7 +517,7 @@ class IPAddr(object): + m4 = (1 << 32)-1 + mmap = {m6: 128, m4: 32, 0: 0} + m = 0 +- for i in xrange(0, 128): ++ for i in range(0, 128): + m |= 1 << i + if i < 32: + mmap[m ^ m4] = 32-1-i +diff --git a/fail2ban/server/jail.py b/fail2ban/server/jail.py +index ce9968a8..5fa5ef10 100644 +--- a/fail2ban/server/jail.py ++++ b/fail2ban/server/jail.py +@@ -26,7 +26,7 @@ __license__ = "GPL" + import logging + import math + import random +-import Queue ++import queue + + from .actions import Actions + from ..helpers import getLogger, _as_bool, extractOptions, MyTime +@@ -76,7 +76,7 @@ class Jail(object): + "might not function correctly. Please shorten" + % name) + self.__name = name +- self.__queue = Queue.Queue() ++ self.__queue = queue.Queue() + self.__filter = None + # Extra parameters for increase ban time + self._banExtra = {}; +@@ -127,25 +127,25 @@ class Jail(object): + "Failed to initialize any backend for Jail %r" % self.name) + + def _initPolling(self, **kwargs): +- from filterpoll import FilterPoll ++ from .filterpoll import FilterPoll + logSys.info("Jail '%s' uses poller %r" % (self.name, kwargs)) + self.__filter = FilterPoll(self, **kwargs) + + def _initGamin(self, **kwargs): + # Try to import gamin +- from filtergamin import FilterGamin ++ from .filtergamin import FilterGamin + logSys.info("Jail '%s' uses Gamin %r" % (self.name, kwargs)) + self.__filter = FilterGamin(self, **kwargs) + + def _initPyinotify(self, **kwargs): + # Try to import pyinotify +- from filterpyinotify import FilterPyinotify ++ from .filterpyinotify import FilterPyinotify + logSys.info("Jail '%s' uses pyinotify %r" % (self.name, kwargs)) + self.__filter = FilterPyinotify(self, **kwargs) + + def _initSystemd(self, **kwargs): # pragma: systemd no cover + # Try to import systemd +- from filtersystemd import FilterSystemd ++ from .filtersystemd import FilterSystemd + logSys.info("Jail '%s' uses systemd %r" % (self.name, kwargs)) + self.__filter = FilterSystemd(self, **kwargs) + +@@ -213,7 +213,7 @@ class Jail(object): + try: + ticket = self.__queue.get(False) + return ticket +- except Queue.Empty: ++ except queue.Empty: + return False + + def setBanTimeExtra(self, opt, value): +diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py +index 98b69bd4..24bba5cf 100644 +--- a/fail2ban/server/mytime.py ++++ b/fail2ban/server/mytime.py +@@ -162,7 +162,7 @@ class MyTime: + + @returns number (calculated seconds from expression "val") + """ +- if isinstance(val, (int, long, float, complex)): ++ if isinstance(val, (int, float, complex)): + return val + # replace together standing abbreviations, example '1d12h' -> '1d 12h': + val = MyTime._str2sec_prep.sub(r" \1", val) +diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py +index 159f6506..fc948e8c 100644 +--- a/fail2ban/server/server.py ++++ b/fail2ban/server/server.py +@@ -97,7 +97,7 @@ class Server: + + def start(self, sock, pidfile, force=False, observer=True, conf={}): + # First set the mask to only allow access to owner +- os.umask(0077) ++ os.umask(0o077) + # Second daemonize before logging etc, because it will close all handles: + if self.__daemon: # pragma: no cover + logSys.info("Starting in daemon mode") +@@ -190,7 +190,7 @@ class Server: + + # Restore default signal handlers: + if _thread_name() == '_MainThread': +- for s, sh in self.__prev_signals.iteritems(): ++ for s, sh in self.__prev_signals.items(): + signal.signal(s, sh) + + # Give observer a small chance to complete its work before exit +@@ -268,10 +268,10 @@ class Server: + logSys.info("Stopping all jails") + with self.__lock: + # 1st stop all jails (signal and stop actions/filter thread): +- for name in self.__jails.keys(): ++ for name in list(self.__jails.keys()): + self.delJail(name, stop=True, join=False) + # 2nd wait for end and delete jails: +- for name in self.__jails.keys(): ++ for name in list(self.__jails.keys()): + self.delJail(name, stop=False, join=True) + + def reloadJails(self, name, opts, begin): +@@ -302,7 +302,7 @@ class Server: + if "--restart" in opts: + self.stopAllJail() + # first set all affected jail(s) to idle and reset filter regex and other lists/dicts: +- for jn, jail in self.__jails.iteritems(): ++ for jn, jail in self.__jails.items(): + if name == '--all' or jn == name: + jail.idle = True + self.__reload_state[jn] = jail +@@ -313,7 +313,7 @@ class Server: + # end reload, all affected (or new) jails have already all new parameters (via stream) and (re)started: + with self.__lock: + deljails = [] +- for jn, jail in self.__jails.iteritems(): ++ for jn, jail in self.__jails.items(): + # still in reload state: + if jn in self.__reload_state: + # remove jails that are not reloaded (untouched, so not in new configuration) +@@ -513,7 +513,7 @@ class Server: + jails = [self.__jails[name]] + else: + # in all jails: +- jails = self.__jails.values() ++ jails = list(self.__jails.values()) + # unban given or all (if value is None): + cnt = 0 + ifexists |= (name is None) +@@ -551,7 +551,7 @@ class Server: + def isAlive(self, jailnum=None): + if jailnum is not None and len(self.__jails) != jailnum: + return 0 +- for jail in self.__jails.values(): ++ for jail in list(self.__jails.values()): + if not jail.isAlive(): + return 0 + return 1 +@@ -759,7 +759,7 @@ class Server: + return "flushed" + + def setThreadOptions(self, value): +- for o, v in value.iteritems(): ++ for o, v in value.items(): + if o == 'stacksize': + threading.stack_size(int(v)*1024) + else: # pragma: no cover +diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py +index 498d284b..a5579fdc 100644 +--- a/fail2ban/server/strptime.py ++++ b/fail2ban/server/strptime.py +@@ -79,7 +79,7 @@ timeRE['ExY'] = r"(?P<Y>%s\d)" % _getYearCentRE(cent=(0,3), distance=3) + timeRE['Exy'] = r"(?P<y>%s\d)" % _getYearCentRE(cent=(2,3), distance=3) + + def getTimePatternRE(): +- keys = timeRE.keys() ++ keys = list(timeRE.keys()) + patt = (r"%%(%%|%s|[%s])" % ( + "|".join([k for k in keys if len(k) > 1]), + "".join([k for k in keys if len(k) == 1]), +@@ -134,7 +134,7 @@ def zone2offset(tz, dt): + """ + if isinstance(tz, int): + return tz +- if isinstance(tz, basestring): ++ if isinstance(tz, str): + return validateTimeZone(tz) + tz, tzo = tz + if tzo is None or tzo == '': # without offset +@@ -171,7 +171,7 @@ def reGroupDictStrptime(found_dict, msec=False, default_tz=None): + year = month = day = hour = minute = tzoffset = \ + weekday = julian = week_of_year = None + second = fraction = 0 +- for key, val in found_dict.iteritems(): ++ for key, val in found_dict.items(): + if val is None: continue + # Directives not explicitly handled below: + # c, x, X +diff --git a/fail2ban/server/ticket.py b/fail2ban/server/ticket.py +index f67e0d23..f0b727c2 100644 +--- a/fail2ban/server/ticket.py ++++ b/fail2ban/server/ticket.py +@@ -55,7 +55,7 @@ class Ticket(object): + self._time = time if time is not None else MyTime.time() + self._data = {'matches': matches or [], 'failures': 0} + if data is not None: +- for k,v in data.iteritems(): ++ for k,v in data.items(): + if v is not None: + self._data[k] = v + if ticket: +@@ -89,7 +89,7 @@ class Ticket(object): + + def setIP(self, value): + # guarantee using IPAddr instead of unicode, str for the IP +- if isinstance(value, basestring): ++ if isinstance(value, str): + value = IPAddr(value) + self._ip = value + +@@ -181,7 +181,7 @@ class Ticket(object): + if len(args) == 1: + # todo: if support >= 2.7 only: + # self._data = {k:v for k,v in args[0].iteritems() if v is not None} +- self._data = dict([(k,v) for k,v in args[0].iteritems() if v is not None]) ++ self._data = dict([(k,v) for k,v in args[0].items() if v is not None]) + # add k,v list or dict (merge): + elif len(args) == 2: + self._data.update((args,)) +@@ -192,7 +192,7 @@ class Ticket(object): + # filter (delete) None values: + # todo: if support >= 2.7 only: + # self._data = {k:v for k,v in self._data.iteritems() if v is not None} +- self._data = dict([(k,v) for k,v in self._data.iteritems() if v is not None]) ++ self._data = dict([(k,v) for k,v in self._data.items() if v is not None]) + + def getData(self, key=None, default=None): + # return whole data dict: +@@ -201,17 +201,17 @@ class Ticket(object): + # return default if not exists: + if not self._data: + return default +- if not isinstance(key,(str,unicode,type(None),int,float,bool,complex)): ++ if not isinstance(key,(str,type(None),int,float,bool,complex)): + # return filtered by lambda/function: + if callable(key): + # todo: if support >= 2.7 only: + # return {k:v for k,v in self._data.iteritems() if key(k)} +- return dict([(k,v) for k,v in self._data.iteritems() if key(k)]) ++ return dict([(k,v) for k,v in self._data.items() if key(k)]) + # return filtered by keys: + if hasattr(key, '__iter__'): + # todo: if support >= 2.7 only: + # return {k:v for k,v in self._data.iteritems() if k in key} +- return dict([(k,v) for k,v in self._data.iteritems() if k in key]) ++ return dict([(k,v) for k,v in self._data.items() if k in key]) + # return single value of data: + return self._data.get(key, default) + +diff --git a/fail2ban/server/transmitter.py b/fail2ban/server/transmitter.py +index f83e9d5f..80726cb4 100644 +--- a/fail2ban/server/transmitter.py ++++ b/fail2ban/server/transmitter.py +@@ -475,7 +475,7 @@ class Transmitter: + opt = command[1][len("bantime."):] + return self.__server.getBanTimeExtra(name, opt) + elif command[1] == "actions": +- return self.__server.getActions(name).keys() ++ return list(self.__server.getActions(name).keys()) + elif command[1] == "action": + actionname = command[2] + actionvalue = command[3] +diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py +index d4461a7d..13c24e76 100644 +--- a/fail2ban/server/utils.py ++++ b/fail2ban/server/utils.py +@@ -57,7 +57,7 @@ _RETCODE_HINTS = { + + # Dictionary to lookup signal name from number + signame = dict((num, name) +- for name, num in signal.__dict__.iteritems() if name.startswith("SIG")) ++ for name, num in signal.__dict__.items() if name.startswith("SIG")) + + class Utils(): + """Utilities provide diverse static methods like executes OS shell commands, etc. +@@ -109,7 +109,7 @@ class Utils(): + break + else: # pragma: 3.x no cover (dict is in 2.6 only) + remlst = [] +- for (ck, cv) in cache.iteritems(): ++ for (ck, cv) in cache.items(): + # if expired: + if cv[1] <= t: + remlst.append(ck) +@@ -152,7 +152,7 @@ class Utils(): + if not isinstance(realCmd, list): + realCmd = [realCmd] + i = len(realCmd)-1 +- for k, v in varsDict.iteritems(): ++ for k, v in varsDict.items(): + varsStat += "%s=$%s " % (k, i) + realCmd.append(v) + i += 1 +diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py +index 013c0fdb..3c35e4d7 100644 +--- a/fail2ban/tests/action_d/test_badips.py ++++ b/fail2ban/tests/action_d/test_badips.py +@@ -32,7 +32,7 @@ from ..utils import LogCaptureTestCase, CONFIG_DIR + if sys.version_info >= (3, ): # pragma: 2.x no cover + from urllib.error import HTTPError, URLError + else: # pragma: 3.x no cover +- from urllib2 import HTTPError, URLError ++ from urllib.error import HTTPError, URLError + + def skip_if_not_available(f): + """Helper to decorate tests to skip in case of timeout/http-errors like "502 bad gateway". +diff --git a/fail2ban/tests/actiontestcase.py b/fail2ban/tests/actiontestcase.py +index 1a00c040..ecd09246 100644 +--- a/fail2ban/tests/actiontestcase.py ++++ b/fail2ban/tests/actiontestcase.py +@@ -244,14 +244,14 @@ class CommandActionTest(LogCaptureTestCase): + setattr(self.__action, 'ab', "<ac>") + setattr(self.__action, 'x?family=inet6', "") + # produce self-referencing properties except: +- self.assertRaisesRegexp(ValueError, r"properties contain self referencing definitions", ++ self.assertRaisesRegex(ValueError, r"properties contain self referencing definitions", + lambda: self.__action.replaceTag("<a><b>", + self.__action._properties, conditional="family=inet4") + ) + # remore self-referencing in props: + delattr(self.__action, 'ac') + # produce self-referencing query except: +- self.assertRaisesRegexp(ValueError, r"possible self referencing definitions in query", ++ self.assertRaisesRegex(ValueError, r"possible self referencing definitions in query", + lambda: self.__action.replaceTag("<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x>>>>>>>>>>>>>>>>>>>>>", + self.__action._properties, conditional="family=inet6") + ) +diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py +index 2c1d0a0e..aa7908c4 100644 +--- a/fail2ban/tests/clientreadertestcase.py ++++ b/fail2ban/tests/clientreadertestcase.py +@@ -390,7 +390,7 @@ class JailReaderTest(LogCaptureTestCase): + # And multiple groups (`][` instead of `,`) + result = extractOptions(option.replace(',', '][')) + expected2 = (expected[0], +- dict((k, v.replace(',', '][')) for k, v in expected[1].iteritems()) ++ dict((k, v.replace(',', '][')) for k, v in expected[1].items()) + ) + self.assertEqual(expected2, result) + +@@ -975,7 +975,7 @@ filter = testfilter1 + self.assertEqual(add_actions[-1][-1], "{}") + + def testLogPathFileFilterBackend(self): +- self.assertRaisesRegexp(ValueError, r"Have not found any log file for .* jail", ++ self.assertRaisesRegex(ValueError, r"Have not found any log file for .* jail", + self._testLogPath, backend='polling') + + def testLogPathSystemdBackend(self): +diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py +index 9a5e9fa1..562461a6 100644 +--- a/fail2ban/tests/databasetestcase.py ++++ b/fail2ban/tests/databasetestcase.py +@@ -67,7 +67,7 @@ class DatabaseTest(LogCaptureTestCase): + + @property + def db(self): +- if isinstance(self._db, basestring) and self._db == ':auto-create-in-memory:': ++ if isinstance(self._db, str) and self._db == ':auto-create-in-memory:': + self._db = getFail2BanDb(self.dbFilename) + return self._db + @db.setter +@@ -159,7 +159,7 @@ class DatabaseTest(LogCaptureTestCase): + self.db = Fail2BanDb(self.dbFilename) + self.assertEqual(self.db.getJailNames(), set(['DummyJail #29162448 with 0 tickets'])) + self.assertEqual(self.db.getLogPaths(), set(['/tmp/Fail2BanDb_pUlZJh.log'])) +- ticket = FailTicket("127.0.0.1", 1388009242.26, [u"abc\n"]) ++ ticket = FailTicket("127.0.0.1", 1388009242.26, ["abc\n"]) + self.assertEqual(self.db.getBans()[0], ticket) + + self.assertEqual(self.db.updateDb(Fail2BanDb.__version__), Fail2BanDb.__version__) +@@ -185,9 +185,9 @@ class DatabaseTest(LogCaptureTestCase): + self.assertEqual(len(bans), 2) + # compare first ticket completely: + ticket = FailTicket("1.2.3.7", 1417595494, [ +- u'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7', +- u'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7', +- u'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7' ++ 'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7', ++ 'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7', ++ 'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7' + ]) + ticket.setAttempt(3) + self.assertEqual(bans[0], ticket) +@@ -286,11 +286,11 @@ class DatabaseTest(LogCaptureTestCase): + # invalid + valid, invalid + valid unicode, invalid + valid dual converted (like in filter:readline by fallback) ... + tickets = [ + FailTicket("127.0.0.1", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']), +- FailTicket("127.0.0.2", 0, ['user "test"', u'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']), ++ FailTicket("127.0.0.2", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']), + FailTicket("127.0.0.3", 0, ['user "test"', b'user "\xd1\xe2\xe5\xf2\xe0"', b'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']), +- FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xe4\xf6\xfc\xdf"']), ++ FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xe4\xf6\xfc\xdf"']), + FailTicket("127.0.0.5", 0, ['user "test"', 'unterminated \xcf']), +- FailTicket("127.0.0.6", 0, ['user "test"', u'unterminated \xcf']), ++ FailTicket("127.0.0.6", 0, ['user "test"', 'unterminated \xcf']), + FailTicket("127.0.0.7", 0, ['user "test"', b'unterminated \xcf']) + ] + for ticket in tickets: +diff --git a/fail2ban/tests/datedetectortestcase.py b/fail2ban/tests/datedetectortestcase.py +index 458f76ef..49ada60d 100644 +--- a/fail2ban/tests/datedetectortestcase.py ++++ b/fail2ban/tests/datedetectortestcase.py +@@ -279,7 +279,7 @@ class DateDetectorTest(LogCaptureTestCase): + self.assertEqual(logTime, mu) + self.assertEqual(logMatch.group(1), '2012/10/11 02:37:17') + # confuse it with year being at the end +- for i in xrange(10): ++ for i in range(10): + ( logTime, logMatch ) = self.datedetector.getTime('11/10/2012 02:37:17 [error] 18434#0') + self.assertEqual(logTime, mu) + self.assertEqual(logMatch.group(1), '11/10/2012 02:37:17') +@@ -505,7 +505,7 @@ class CustomDateFormatsTest(unittest.TestCase): + date = dd.getTime(line) + if matched: + self.assertTrue(date) +- if isinstance(matched, basestring): ++ if isinstance(matched, str): + self.assertEqual(matched, date[1].group(1)) + else: + self.assertEqual(matched, date[0]) +@@ -537,7 +537,7 @@ class CustomDateFormatsTest(unittest.TestCase): + date = dd.getTime(line) + if matched: + self.assertTrue(date) +- if isinstance(matched, basestring): # pragma: no cover ++ if isinstance(matched, str): # pragma: no cover + self.assertEqual(matched, date[1].group(1)) + else: + self.assertEqual(matched, date[0]) +diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py +index 95f73ed3..bba354fa 100644 +--- a/fail2ban/tests/fail2banclienttestcase.py ++++ b/fail2ban/tests/fail2banclienttestcase.py +@@ -367,10 +367,10 @@ def with_foreground_server_thread(startextra={}): + # several commands to server in body of decorated function: + return f(self, tmp, startparams, *args, **kwargs) + except Exception as e: # pragma: no cover +- print('=== Catch an exception: %s' % e) ++ print(('=== Catch an exception: %s' % e)) + log = self.getLog() + if log: +- print('=== Error of server, log: ===\n%s===' % log) ++ print(('=== Error of server, log: ===\n%s===' % log)) + self.pruneLog() + raise + finally: +@@ -440,7 +440,7 @@ class Fail2banClientServerBase(LogCaptureTestCase): + ) + except: # pragma: no cover + if _inherited_log(startparams): +- print('=== Error by wait fot server, log: ===\n%s===' % self.getLog()) ++ print(('=== Error by wait fot server, log: ===\n%s===' % self.getLog())) + self.pruneLog() + log = pjoin(tmp, "f2b.log") + if isfile(log): +@@ -1610,6 +1610,6 @@ class Fail2banServerTest(Fail2banClientServerBase): + self.stopAndWaitForServerEnd(SUCCESS) + + def testServerStartStop(self): +- for i in xrange(2000): ++ for i in range(2000): + self._testServerStartStop() + +diff --git a/fail2ban/tests/failmanagertestcase.py b/fail2ban/tests/failmanagertestcase.py +index a5425286..2a94cc82 100644 +--- a/fail2ban/tests/failmanagertestcase.py ++++ b/fail2ban/tests/failmanagertestcase.py +@@ -45,11 +45,11 @@ class AddFailure(unittest.TestCase): + super(AddFailure, self).tearDown() + + def _addDefItems(self): +- self.__items = [[u'193.168.0.128', 1167605999.0], +- [u'193.168.0.128', 1167605999.0], +- [u'193.168.0.128', 1167605999.0], +- [u'193.168.0.128', 1167605999.0], +- [u'193.168.0.128', 1167605999.0], ++ self.__items = [['193.168.0.128', 1167605999.0], ++ ['193.168.0.128', 1167605999.0], ++ ['193.168.0.128', 1167605999.0], ++ ['193.168.0.128', 1167605999.0], ++ ['193.168.0.128', 1167605999.0], + ['87.142.124.10', 1167605999.0], + ['87.142.124.10', 1167605999.0], + ['87.142.124.10', 1167605999.0], +diff --git a/fail2ban/tests/files/config/apache-auth/digest.py b/fail2ban/tests/files/config/apache-auth/digest.py +index 03588594..e2297ab3 100755 +--- a/fail2ban/tests/files/config/apache-auth/digest.py ++++ b/fail2ban/tests/files/config/apache-auth/digest.py +@@ -41,7 +41,7 @@ def auth(v): + response="%s" + """ % ( username, algorithm, realm, url, nonce, qop, response ) + # opaque="%s", +- print(p.method, p.url, p.headers) ++ print((p.method, p.url, p.headers)) + s = requests.Session() + return s.send(p) + +@@ -76,18 +76,18 @@ r = auth(v) + + # [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/ + +-print(r.status_code,r.headers, r.text) ++print((r.status_code,r.headers, r.text)) + v['algorithm'] = algorithm + + + r = auth(v) +-print(r.status_code,r.headers, r.text) ++print((r.status_code,r.headers, r.text)) + + nonce = v['nonce'] + v['nonce']=v['nonce'][5:-5] + + r = auth(v) +-print(r.status_code,r.headers, r.text) ++print((r.status_code,r.headers, r.text)) + + # [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/ + +@@ -95,7 +95,7 @@ print(r.status_code,r.headers, r.text) + v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:] + + r = auth(v) +-print(r.status_code,r.headers, r.text) ++print((r.status_code,r.headers, r.text)) + + #[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b + +@@ -107,7 +107,7 @@ import time + time.sleep(1) + + r = auth(v) +-print(r.status_code,r.headers, r.text) ++print((r.status_code,r.headers, r.text)) + + # Obtained by putting the following code in modules/aaa/mod_auth_digest.c + # in the function initialize_secret +@@ -137,7 +137,7 @@ s = sha.sha(apachesecret) + + v=preauth() + +-print(v['nonce']) ++print((v['nonce'])) + realm = v['Digest realm'][1:-1] + + (t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13])) +@@ -156,13 +156,13 @@ print(v) + + r = auth(v) + #[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel +-print(r.status_code,r.headers, r.text) ++print((r.status_code,r.headers, r.text)) + + url='/digest_onetime/' + v=preauth() + + # Need opaque header handling in auth + r = auth(v) +-print(r.status_code,r.headers, r.text) ++print((r.status_code,r.headers, r.text)) + r = auth(v) +-print(r.status_code,r.headers, r.text) ++print((r.status_code,r.headers, r.text)) +diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py +index 35785a58..8eeb6902 100644 +--- a/fail2ban/tests/filtertestcase.py ++++ b/fail2ban/tests/filtertestcase.py +@@ -22,7 +22,7 @@ + __copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko" + __license__ = "GPL" + +-from __builtin__ import open as fopen ++from builtins import open as fopen + import unittest + import os + import re +@@ -204,7 +204,7 @@ def _copy_lines_between_files(in_, fout, n=None, skip=0, mode='a', terminal_line + else: + fin = in_ + # Skip +- for i in xrange(skip): ++ for i in range(skip): + fin.readline() + # Read + i = 0 +@@ -244,7 +244,7 @@ def _copy_lines_to_journal(in_, fields={},n=None, skip=0, terminal_line=""): # p + # Required for filtering + fields.update(TEST_JOURNAL_FIELDS) + # Skip +- for i in xrange(skip): ++ for i in range(skip): + fin.readline() + # Read/Write + i = 0 +@@ -306,18 +306,18 @@ class BasicFilter(unittest.TestCase): + def testTest_tm(self): + unittest.F2B.SkipIfFast() + ## test function "_tm" works correct (returns the same as slow strftime): +- for i in xrange(1417512352, (1417512352 // 3600 + 3) * 3600): ++ for i in range(1417512352, (1417512352 // 3600 + 3) * 3600): + tm = MyTime.time2str(i) + if _tm(i) != tm: # pragma: no cover - never reachable + self.assertEqual((_tm(i), i), (tm, i)) + + def testWrongCharInTupleLine(self): + ## line tuple has different types (ascii after ascii / unicode): +- for a1 in ('', u'', b''): +- for a2 in ('2016-09-05T20:18:56', u'2016-09-05T20:18:56', b'2016-09-05T20:18:56'): ++ for a1 in ('', '', b''): ++ for a2 in ('2016-09-05T20:18:56', '2016-09-05T20:18:56', b'2016-09-05T20:18:56'): + for a3 in ( + 'Fail for "g\xc3\xb6ran" from 192.0.2.1', +- u'Fail for "g\xc3\xb6ran" from 192.0.2.1', ++ 'Fail for "g\xc3\xb6ran" from 192.0.2.1', + b'Fail for "g\xc3\xb6ran" from 192.0.2.1' + ): + # join should work if all arguments have the same type: +@@ -435,7 +435,7 @@ class IgnoreIP(LogCaptureTestCase): + + def testAddAttempt(self): + self.filter.setMaxRetry(3) +- for i in xrange(1, 1+3): ++ for i in range(1, 1+3): + self.filter.addAttempt('192.0.2.1') + self.assertLogged('Attempt 192.0.2.1', '192.0.2.1:%d' % i, all=True, wait=True) + self.jail.actions._Actions__checkBan() +@@ -472,7 +472,7 @@ class IgnoreIP(LogCaptureTestCase): + # like both test-cases above, just cached (so once per key)... + self.filter.ignoreCache = {"key":"<ip>"} + self.filter.ignoreCommand = 'if [ "<ip>" = "10.0.0.1" ]; then exit 0; fi; exit 1' +- for i in xrange(5): ++ for i in range(5): + self.pruneLog() + self.assertTrue(self.filter.inIgnoreIPList("10.0.0.1")) + self.assertFalse(self.filter.inIgnoreIPList("10.0.0.0")) +@@ -483,7 +483,7 @@ class IgnoreIP(LogCaptureTestCase): + # by host of IP: + self.filter.ignoreCache = {"key":"<ip-host>"} + self.filter.ignoreCommand = 'if [ "<ip-host>" = "test-host" ]; then exit 0; fi; exit 1' +- for i in xrange(5): ++ for i in range(5): + self.pruneLog() + self.assertTrue(self.filter.inIgnoreIPList(FailTicket("2001:db8::1"))) + self.assertFalse(self.filter.inIgnoreIPList(FailTicket("2001:db8::ffff"))) +@@ -495,7 +495,7 @@ class IgnoreIP(LogCaptureTestCase): + self.filter.ignoreCache = {"key":"<F-USER>", "max-count":"10", "max-time":"1h"} + self.assertEqual(self.filter.ignoreCache, ["<F-USER>", 10, 60*60]) + self.filter.ignoreCommand = 'if [ "<F-USER>" = "tester" ]; then exit 0; fi; exit 1' +- for i in xrange(5): ++ for i in range(5): + self.pruneLog() + self.assertTrue(self.filter.inIgnoreIPList(FailTicket("tester", data={'user': 'tester'}))) + self.assertFalse(self.filter.inIgnoreIPList(FailTicket("root", data={'user': 'root'}))) +@@ -644,7 +644,7 @@ class LogFileFilterPoll(unittest.TestCase): + fc = FileContainer(fname, self.filter.getLogEncoding()) + fc.open() + # no time - nothing should be found : +- for i in xrange(10): ++ for i in range(10): + f.write("[sshd] error: PAM: failure len 1\n") + f.flush() + fc.setPos(0); self.filter.seekToTime(fc, time) +@@ -718,14 +718,14 @@ class LogFileFilterPoll(unittest.TestCase): + # variable length of file (ca 45K or 450K before and hereafter): + # write lines with smaller as search time: + t = time - count - 1 +- for i in xrange(count): ++ for i in range(count): + f.write("%s [sshd] error: PAM: failure\n" % _tm(t)) + t += 1 + f.flush() + fc.setPos(0); self.filter.seekToTime(fc, time) + self.assertEqual(fc.getPos(), 47*count) + # write lines with exact search time: +- for i in xrange(10): ++ for i in range(10): + f.write("%s [sshd] error: PAM: failure\n" % _tm(time)) + f.flush() + fc.setPos(0); self.filter.seekToTime(fc, time) +@@ -734,8 +734,8 @@ class LogFileFilterPoll(unittest.TestCase): + self.assertEqual(fc.getPos(), 47*count) + # write lines with greater as search time: + t = time+1 +- for i in xrange(count//500): +- for j in xrange(500): ++ for i in range(count//500): ++ for j in range(500): + f.write("%s [sshd] error: PAM: failure\n" % _tm(t)) + t += 1 + f.flush() +@@ -1488,10 +1488,10 @@ def get_monitor_failures_journal_testcase(Filter_): # pragma: systemd no cover + # Add direct utf, unicode, blob: + for l in ( + "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1", +- u"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1", ++ "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1", + b"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1".decode('utf-8', 'replace'), + "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2", +- u"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2", ++ "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2", + b"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2".decode('utf-8', 'replace') + ): + fields = self.journal_fields +@@ -1520,7 +1520,7 @@ class GetFailures(LogCaptureTestCase): + + # so that they could be reused by other tests + FAILURES_01 = ('193.168.0.128', 3, 1124013599.0, +- [u'Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3) ++ ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3) + + def setUp(self): + """Call before every test case.""" +@@ -1595,8 +1595,8 @@ class GetFailures(LogCaptureTestCase): + + def testGetFailures02(self): + output = ('141.3.81.106', 4, 1124013539.0, +- [u'Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2' +- % m for m in 53, 54, 57, 58]) ++ ['Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2' ++ % m for m in (53, 54, 57, 58)]) + + self.filter.addLogPath(GetFailures.FILENAME_02, autoSeek=0) + self.filter.addFailRegex(r"Failed .* from <HOST>") +@@ -1691,17 +1691,17 @@ class GetFailures(LogCaptureTestCase): + # We should still catch failures with usedns = no ;-) + output_yes = ( + ('93.184.216.34', 2, 1124013539.0, +- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2', +- u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2'] ++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2', ++ 'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2'] + ), + ('2606:2800:220:1:248:1893:25c8:1946', 1, 1124013299.0, +- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2'] ++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2'] + ), + ) + + output_no = ( + ('93.184.216.34', 1, 1124013539.0, +- [u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2'] ++ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2'] + ) + ) + +@@ -1807,9 +1807,9 @@ class DNSUtilsTests(unittest.TestCase): + self.assertTrue(c.get('a') is None) + self.assertEqual(c.get('a', 'test'), 'test') + # exact 5 elements : +- for i in xrange(5): ++ for i in range(5): + c.set(i, i) +- for i in xrange(5): ++ for i in range(5): + self.assertEqual(c.get(i), i) + # remove unavailable key: + c.unset('a'); c.unset('a') +@@ -1817,30 +1817,30 @@ class DNSUtilsTests(unittest.TestCase): + def testCacheMaxSize(self): + c = Utils.Cache(maxCount=5, maxTime=60) + # exact 5 elements : +- for i in xrange(5): ++ for i in range(5): + c.set(i, i) +- self.assertEqual([c.get(i) for i in xrange(5)], [i for i in xrange(5)]) +- self.assertNotIn(-1, (c.get(i, -1) for i in xrange(5))) ++ self.assertEqual([c.get(i) for i in range(5)], [i for i in range(5)]) ++ self.assertNotIn(-1, (c.get(i, -1) for i in range(5))) + # add one - too many: + c.set(10, i) + # one element should be removed : +- self.assertIn(-1, (c.get(i, -1) for i in xrange(5))) ++ self.assertIn(-1, (c.get(i, -1) for i in range(5))) + # test max size (not expired): +- for i in xrange(10): ++ for i in range(10): + c.set(i, 1) + self.assertEqual(len(c), 5) + + def testCacheMaxTime(self): + # test max time (expired, timeout reached) : + c = Utils.Cache(maxCount=5, maxTime=0.0005) +- for i in xrange(10): ++ for i in range(10): + c.set(i, 1) + st = time.time() + self.assertTrue(Utils.wait_for(lambda: time.time() >= st + 0.0005, 1)) + # we have still 5 elements (or fewer if too slow test mashine): + self.assertTrue(len(c) <= 5) + # but all that are expiered also: +- for i in xrange(10): ++ for i in range(10): + self.assertTrue(c.get(i) is None) + # here the whole cache should be empty: + self.assertEqual(len(c), 0) +@@ -1861,7 +1861,7 @@ class DNSUtilsTests(unittest.TestCase): + c = count + while c: + c -= 1 +- s = xrange(0, 256, 1) if forw else xrange(255, -1, -1) ++ s = range(0, 256, 1) if forw else range(255, -1, -1) + if random: shuffle([i for i in s]) + for i in s: + IPAddr('192.0.2.'+str(i), IPAddr.FAM_IPv4) +@@ -1983,15 +1983,15 @@ class DNSUtilsNetworkTests(unittest.TestCase): + + def testAddr2bin(self): + res = IPAddr('10.0.0.0') +- self.assertEqual(res.addr, 167772160L) ++ self.assertEqual(res.addr, 167772160) + res = IPAddr('10.0.0.0', cidr=None) +- self.assertEqual(res.addr, 167772160L) +- res = IPAddr('10.0.0.0', cidr=32L) +- self.assertEqual(res.addr, 167772160L) +- res = IPAddr('10.0.0.1', cidr=32L) +- self.assertEqual(res.addr, 167772161L) +- res = IPAddr('10.0.0.1', cidr=31L) +- self.assertEqual(res.addr, 167772160L) ++ self.assertEqual(res.addr, 167772160) ++ res = IPAddr('10.0.0.0', cidr=32) ++ self.assertEqual(res.addr, 167772160) ++ res = IPAddr('10.0.0.1', cidr=32) ++ self.assertEqual(res.addr, 167772161) ++ res = IPAddr('10.0.0.1', cidr=31) ++ self.assertEqual(res.addr, 167772160) + + self.assertEqual(IPAddr('10.0.0.0').hexdump, '0a000000') + self.assertEqual(IPAddr('1::2').hexdump, '00010000000000000000000000000002') +@@ -2067,9 +2067,9 @@ class DNSUtilsNetworkTests(unittest.TestCase): + '93.184.216.34': 'ip4-test', + '2606:2800:220:1:248:1893:25c8:1946': 'ip6-test' + } +- d2 = dict([(IPAddr(k), v) for k, v in d.iteritems()]) +- self.assertTrue(isinstance(d.keys()[0], basestring)) +- self.assertTrue(isinstance(d2.keys()[0], IPAddr)) ++ d2 = dict([(IPAddr(k), v) for k, v in d.items()]) ++ self.assertTrue(isinstance(list(d.keys())[0], str)) ++ self.assertTrue(isinstance(list(d2.keys())[0], IPAddr)) + self.assertEqual(d.get(ip4[2], ''), 'ip4-test') + self.assertEqual(d.get(ip6[2], ''), 'ip6-test') + self.assertEqual(d2.get(str(ip4[2]), ''), 'ip4-test') +diff --git a/fail2ban/tests/misctestcase.py b/fail2ban/tests/misctestcase.py +index 9b986f53..94f7a8de 100644 +--- a/fail2ban/tests/misctestcase.py ++++ b/fail2ban/tests/misctestcase.py +@@ -29,9 +29,9 @@ import tempfile + import shutil + import fnmatch + from glob import glob +-from StringIO import StringIO ++from io import StringIO + +-from utils import LogCaptureTestCase, logSys as DefLogSys ++from .utils import LogCaptureTestCase, logSys as DefLogSys + + from ..helpers import formatExceptionInfo, mbasename, TraceBack, FormatterWithTraceBack, getLogger, \ + splitwords, uni_decode, uni_string +@@ -67,7 +67,7 @@ class HelpersTest(unittest.TestCase): + self.assertEqual(splitwords(' 1\n 2'), ['1', '2']) + self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3']) + # string as unicode: +- self.assertEqual(splitwords(u' 1\n 2, 3'), ['1', '2', '3']) ++ self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3']) + + + if sys.version_info >= (2,7): +@@ -197,11 +197,11 @@ class TestsUtilsTest(LogCaptureTestCase): + + def testUniConverters(self): + self.assertRaises(Exception, uni_decode, +- (b'test' if sys.version_info >= (3,) else u'test'), 'f2b-test::non-existing-encoding') +- uni_decode((b'test\xcf' if sys.version_info >= (3,) else u'test\xcf')) ++ (b'test' if sys.version_info >= (3,) else 'test'), 'f2b-test::non-existing-encoding') ++ uni_decode((b'test\xcf' if sys.version_info >= (3,) else 'test\xcf')) + uni_string(b'test\xcf') + uni_string('test\xcf') +- uni_string(u'test\xcf') ++ uni_string('test\xcf') + + def testSafeLogging(self): + # logging should be exception-safe, to avoid possible errors (concat, str. conversion, representation failures, etc) +@@ -213,7 +213,7 @@ class TestsUtilsTest(LogCaptureTestCase): + if self.err: + raise Exception('no represenation for test!') + else: +- return u'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf' ++ return 'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf' + test = Test() + logSys.log(logging.NOTICE, "test 1a: %r", test) + self.assertLogged("Traceback", "no represenation for test!") +@@ -261,7 +261,7 @@ class TestsUtilsTest(LogCaptureTestCase): + func_raise() + + try: +- print deep_function(3) ++ print(deep_function(3)) + except ValueError: + s = tb() + +@@ -278,7 +278,7 @@ class TestsUtilsTest(LogCaptureTestCase): + self.assertIn(':', s) + + def _testAssertionErrorRE(self, regexp, fun, *args, **kwargs): +- self.assertRaisesRegexp(AssertionError, regexp, fun, *args, **kwargs) ++ self.assertRaisesRegex(AssertionError, regexp, fun, *args, **kwargs) + + def testExtendedAssertRaisesRE(self): + ## test _testAssertionErrorRE several fail cases: +@@ -316,13 +316,13 @@ class TestsUtilsTest(LogCaptureTestCase): + self._testAssertionErrorRE(r"'a' unexpectedly found in 'cba'", + self.assertNotIn, 'a', 'cba') + self._testAssertionErrorRE(r"1 unexpectedly found in \[0, 1, 2\]", +- self.assertNotIn, 1, xrange(3)) ++ self.assertNotIn, 1, range(3)) + self._testAssertionErrorRE(r"'A' unexpectedly found in \['C', 'A'\]", + self.assertNotIn, 'A', (c.upper() for c in 'cba' if c != 'b')) + self._testAssertionErrorRE(r"'a' was not found in 'xyz'", + self.assertIn, 'a', 'xyz') + self._testAssertionErrorRE(r"5 was not found in \[0, 1, 2\]", +- self.assertIn, 5, xrange(3)) ++ self.assertIn, 5, range(3)) + self._testAssertionErrorRE(r"'A' was not found in \['C', 'B'\]", + self.assertIn, 'A', (c.upper() for c in 'cba' if c != 'a')) + ## assertLogged, assertNotLogged positive case: +diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py +index 8e944454..ed520286 100644 +--- a/fail2ban/tests/observertestcase.py ++++ b/fail2ban/tests/observertestcase.py +@@ -69,7 +69,7 @@ class BanTimeIncr(LogCaptureTestCase): + a.setBanTimeExtra('multipliers', multipliers) + # test algorithm and max time 24 hours : + self.assertEqual( +- [a.calcBanTime(600, i) for i in xrange(1, 11)], ++ [a.calcBanTime(600, i) for i in range(1, 11)], + [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400] + ) + # with extra large max time (30 days): +@@ -81,38 +81,38 @@ class BanTimeIncr(LogCaptureTestCase): + if multcnt < 11: + arr = arr[0:multcnt-1] + ([arr[multcnt-2]] * (11-multcnt)) + self.assertEqual( +- [a.calcBanTime(600, i) for i in xrange(1, 11)], ++ [a.calcBanTime(600, i) for i in range(1, 11)], + arr + ) + a.setBanTimeExtra('maxtime', '1d') + # change factor : + a.setBanTimeExtra('factor', '2'); + self.assertEqual( +- [a.calcBanTime(600, i) for i in xrange(1, 11)], ++ [a.calcBanTime(600, i) for i in range(1, 11)], + [2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400, 86400] + ) + # factor is float : + a.setBanTimeExtra('factor', '1.33'); + self.assertEqual( +- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)], ++ [int(a.calcBanTime(600, i)) for i in range(1, 11)], + [1596, 3192, 6384, 12768, 25536, 51072, 86400, 86400, 86400, 86400] + ) + a.setBanTimeExtra('factor', None); + # change max time : + a.setBanTimeExtra('maxtime', '12h') + self.assertEqual( +- [a.calcBanTime(600, i) for i in xrange(1, 11)], ++ [a.calcBanTime(600, i) for i in range(1, 11)], + [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200] + ) + a.setBanTimeExtra('maxtime', '24h') + ## test randomization - not possibe all 10 times we have random = 0: + a.setBanTimeExtra('rndtime', '5m') + self.assertTrue( +- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)] ++ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)] + ) + a.setBanTimeExtra('rndtime', None) + self.assertFalse( +- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)] ++ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)] + ) + # restore default: + a.setBanTimeExtra('multipliers', None) +@@ -124,7 +124,7 @@ class BanTimeIncr(LogCaptureTestCase): + # this multipliers has the same values as default formula, we test stop growing after count 9: + self.testDefault('1 2 4 8 16 32 64 128 256') + # this multipliers has exactly the same values as default formula, test endless growing (stops by count 31 only): +- self.testDefault(' '.join([str(1<<i) for i in xrange(31)])) ++ self.testDefault(' '.join([str(1<<i) for i in range(31)])) + + def testFormula(self): + a = self.__jail; +@@ -136,38 +136,38 @@ class BanTimeIncr(LogCaptureTestCase): + a.setBanTimeExtra('multipliers', None) + # test algorithm and max time 24 hours : + self.assertEqual( +- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)], ++ [int(a.calcBanTime(600, i)) for i in range(1, 11)], + [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400] + ) + # with extra large max time (30 days): + a.setBanTimeExtra('maxtime', '30d') + self.assertEqual( +- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)], ++ [int(a.calcBanTime(600, i)) for i in range(1, 11)], + [1200, 2400, 4800, 9600, 19200, 38400, 76800, 153601, 307203, 614407] + ) + a.setBanTimeExtra('maxtime', '24h') + # change factor : + a.setBanTimeExtra('factor', '1'); + self.assertEqual( +- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)], ++ [int(a.calcBanTime(600, i)) for i in range(1, 11)], + [1630, 4433, 12051, 32758, 86400, 86400, 86400, 86400, 86400, 86400] + ) + a.setBanTimeExtra('factor', '2.0 / 2.885385') + # change max time : + a.setBanTimeExtra('maxtime', '12h') + self.assertEqual( +- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)], ++ [int(a.calcBanTime(600, i)) for i in range(1, 11)], + [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200] + ) + a.setBanTimeExtra('maxtime', '24h') + ## test randomization - not possibe all 10 times we have random = 0: + a.setBanTimeExtra('rndtime', '5m') + self.assertTrue( +- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)] ++ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)] + ) + a.setBanTimeExtra('rndtime', None) + self.assertFalse( +- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)] ++ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)] + ) + # restore default: + a.setBanTimeExtra('factor', None); +@@ -230,7 +230,7 @@ class BanTimeIncrDB(LogCaptureTestCase): + ticket = FailTicket(ip, stime, []) + # test ticket not yet found + self.assertEqual( +- [self.incrBanTime(ticket, 10) for i in xrange(3)], ++ [self.incrBanTime(ticket, 10) for i in range(3)], + [10, 10, 10] + ) + # add a ticket banned +@@ -285,7 +285,7 @@ class BanTimeIncrDB(LogCaptureTestCase): + ) + # increase ban multiple times: + lastBanTime = 20 +- for i in xrange(10): ++ for i in range(10): + ticket.setTime(stime + lastBanTime + 5) + banTime = self.incrBanTime(ticket, 10) + self.assertEqual(banTime, lastBanTime * 2) +@@ -481,7 +481,7 @@ class BanTimeIncrDB(LogCaptureTestCase): + ticket = FailTicket(ip, stime-120, []) + failManager = FailManager() + failManager.setMaxRetry(3) +- for i in xrange(3): ++ for i in range(3): + failManager.addFailure(ticket) + obs.add('failureFound', failManager, jail, ticket) + obs.wait_empty(5) +diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py +index 0bbd05f5..479b564a 100644 +--- a/fail2ban/tests/samplestestcase.py ++++ b/fail2ban/tests/samplestestcase.py +@@ -138,7 +138,7 @@ class FilterSamplesRegex(unittest.TestCase): + + @staticmethod + def _filterOptions(opts): +- return dict((k, v) for k, v in opts.iteritems() if not k.startswith('test.')) ++ return dict((k, v) for k, v in opts.items() if not k.startswith('test.')) + + def testSampleRegexsFactory(name, basedir): + def testFilter(self): +@@ -249,10 +249,10 @@ def testSampleRegexsFactory(name, basedir): + self.assertTrue(faildata.get('match', False), + "Line matched when shouldn't have") + self.assertEqual(len(ret), 1, +- "Multiple regexs matched %r" % (map(lambda x: x[0], ret))) ++ "Multiple regexs matched %r" % ([x[0] for x in ret])) + + # Verify match captures (at least fid/host) and timestamp as expected +- for k, v in faildata.iteritems(): ++ for k, v in faildata.items(): + if k not in ("time", "match", "desc", "filter"): + fv = fail.get(k, None) + if fv is None: +@@ -294,7 +294,7 @@ def testSampleRegexsFactory(name, basedir): + '\n'.join(pprint.pformat(fail).splitlines()))) + + # check missing samples for regex using each filter-options combination: +- for fltName, flt in self._filters.iteritems(): ++ for fltName, flt in self._filters.items(): + flt, regexsUsedIdx = flt + regexList = flt.getFailRegex() + for failRegexIndex, failRegex in enumerate(regexList): +diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py +index 55e72455..7925ab1e 100644 +--- a/fail2ban/tests/servertestcase.py ++++ b/fail2ban/tests/servertestcase.py +@@ -124,14 +124,14 @@ class TransmitterBase(LogCaptureTestCase): + self.transm.proceed(["get", jail, cmd]), (0, [])) + for n, value in enumerate(values): + ret = self.transm.proceed(["set", jail, cmdAdd, value]) +- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2) ++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2) + ret = self.transm.proceed(["get", jail, cmd]) +- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2) ++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2) + for n, value in enumerate(values): + ret = self.transm.proceed(["set", jail, cmdDel, value]) +- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2) ++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2) + ret = self.transm.proceed(["get", jail, cmd]) +- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2) ++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2) + + def jailAddDelRegexTest(self, cmd, inValues, outValues, jail): + cmdAdd = "add" + cmd +@@ -930,7 +930,7 @@ class TransmitterLogging(TransmitterBase): + + def testLogTarget(self): + logTargets = [] +- for _ in xrange(3): ++ for _ in range(3): + tmpFile = tempfile.mkstemp("fail2ban", "transmitter") + logTargets.append(tmpFile[1]) + os.close(tmpFile[0]) +@@ -1003,26 +1003,26 @@ class TransmitterLogging(TransmitterBase): + self.assertEqual(self.transm.proceed(["flushlogs"]), (0, "rolled over")) + l.warning("After flushlogs") + with open(fn2,'r') as f: +- line1 = f.next() ++ line1 = next(f) + if line1.find('Changed logging target to') >= 0: +- line1 = f.next() ++ line1 = next(f) + self.assertTrue(line1.endswith("Before file moved\n")) +- line2 = f.next() ++ line2 = next(f) + self.assertTrue(line2.endswith("After file moved\n")) + try: +- n = f.next() ++ n = next(f) + if n.find("Command: ['flushlogs']") >=0: +- self.assertRaises(StopIteration, f.next) ++ self.assertRaises(StopIteration, f.__next__) + else: + self.fail("Exception StopIteration or Command: ['flushlogs'] expected. Got: %s" % n) + except StopIteration: + pass # on higher debugging levels this is expected + with open(fn,'r') as f: +- line1 = f.next() ++ line1 = next(f) + if line1.find('rollover performed on') >= 0: +- line1 = f.next() ++ line1 = next(f) + self.assertTrue(line1.endswith("After flushlogs\n")) +- self.assertRaises(StopIteration, f.next) ++ self.assertRaises(StopIteration, f.__next__) + f.close() + finally: + os.remove(fn2) +@@ -1185,7 +1185,7 @@ class LoggingTests(LogCaptureTestCase): + os.remove(f) + + +-from clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR ++from .clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR + + class ServerConfigReaderTests(LogCaptureTestCase): + +diff --git a/fail2ban/tests/sockettestcase.py b/fail2ban/tests/sockettestcase.py +index 69bf8d8b..60f49e57 100644 +--- a/fail2ban/tests/sockettestcase.py ++++ b/fail2ban/tests/sockettestcase.py +@@ -153,7 +153,7 @@ class Socket(LogCaptureTestCase): + org_handler = RequestHandler.found_terminator + try: + RequestHandler.found_terminator = lambda self: self.close() +- self.assertRaisesRegexp(RuntimeError, r"socket connection broken", ++ self.assertRaisesRegex(RuntimeError, r"socket connection broken", + lambda: client.send(testMessage, timeout=unittest.F2B.maxWaitTime(10))) + finally: + RequestHandler.found_terminator = org_handler +diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py +index fcfddba7..cb234e0d 100644 +--- a/fail2ban/tests/utils.py ++++ b/fail2ban/tests/utils.py +@@ -35,7 +35,7 @@ import time + import threading + import unittest + +-from cStringIO import StringIO ++from io import StringIO + from functools import wraps + + from ..helpers import getLogger, str2LogLevel, getVerbosityFormat, uni_decode +@@ -174,8 +174,8 @@ def initProcess(opts): + + # Let know the version + if opts.verbosity != 0: +- print("Fail2ban %s test suite. Python %s. Please wait..." \ +- % (version, str(sys.version).replace('\n', ''))) ++ print(("Fail2ban %s test suite. Python %s. Please wait..." \ ++ % (version, str(sys.version).replace('\n', '')))) + + return opts; + +@@ -322,7 +322,7 @@ def initTests(opts): + c = DNSUtils.CACHE_ipToName + # increase max count and max time (too many entries, long time testing): + c.setOptions(maxCount=10000, maxTime=5*60) +- for i in xrange(256): ++ for i in range(256): + c.set('192.0.2.%s' % i, None) + c.set('198.51.100.%s' % i, None) + c.set('203.0.113.%s' % i, None) +@@ -541,8 +541,8 @@ def gatherTests(regexps=None, opts=None): + import difflib, pprint + if not hasattr(unittest.TestCase, 'assertDictEqual'): + def assertDictEqual(self, d1, d2, msg=None): +- self.assert_(isinstance(d1, dict), 'First argument is not a dictionary') +- self.assert_(isinstance(d2, dict), 'Second argument is not a dictionary') ++ self.assertTrue(isinstance(d1, dict), 'First argument is not a dictionary') ++ self.assertTrue(isinstance(d2, dict), 'Second argument is not a dictionary') + if d1 != d2: + standardMsg = '%r != %r' % (d1, d2) + diff = ('\n' + '\n'.join(difflib.ndiff( +@@ -560,7 +560,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None): + # used to recognize having element as nested dict, list or tuple: + def _is_nested(v): + if isinstance(v, dict): +- return any(isinstance(v, (dict, list, tuple)) for v in v.itervalues()) ++ return any(isinstance(v, (dict, list, tuple)) for v in v.values()) + return any(isinstance(v, (dict, list, tuple)) for v in v) + # level comparison routine: + def _assertSortedEqual(a, b, level, nestedOnly, key): +@@ -573,7 +573,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None): + return + raise ValueError('%r != %r' % (a, b)) + if isinstance(a, dict) and isinstance(b, dict): # compare dict's: +- for k, v1 in a.iteritems(): ++ for k, v1 in a.items(): + v2 = b[k] + if isinstance(v1, (dict, list, tuple)) and isinstance(v2, (dict, list, tuple)): + _assertSortedEqual(v1, v2, level-1 if level != 0 else 0, nestedOnly, key) +@@ -608,14 +608,14 @@ if not hasattr(unittest.TestCase, 'assertRaisesRegexp'): + self.fail('\"%s\" does not match \"%s\"' % (regexp, e)) + else: + self.fail('%s not raised' % getattr(exccls, '__name__')) +- unittest.TestCase.assertRaisesRegexp = assertRaisesRegexp ++ unittest.TestCase.assertRaisesRegex = assertRaisesRegexp + + # always custom following methods, because we use atm better version of both (support generators) + if True: ## if not hasattr(unittest.TestCase, 'assertIn'): + def assertIn(self, a, b, msg=None): + bb = b + wrap = False +- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring): ++ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str): + b, bb = itertools.tee(b) + wrap = True + if a not in b: +@@ -626,7 +626,7 @@ if True: ## if not hasattr(unittest.TestCase, 'assertIn'): + def assertNotIn(self, a, b, msg=None): + bb = b + wrap = False +- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring): ++ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str): + b, bb = itertools.tee(b) + wrap = True + if a in b: +diff --git a/setup.py b/setup.py +deleted file mode 100755 +index ce1eedf6..00000000 +--- a/setup.py ++++ /dev/null +@@ -1,326 +0,0 @@ +-#!/usr/bin/env python +-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- +-# vi: set ft=python sts=4 ts=4 sw=4 noet : +- +-# This file is part of Fail2Ban. +-# +-# Fail2Ban is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License as published by +-# the Free Software Foundation; either version 2 of the License, or +-# (at your option) any later version. +-# +-# Fail2Ban is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License +-# along with Fail2Ban; if not, write to the Free Software +-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +- +-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko" +-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors" +-__license__ = "GPL" +- +-import platform +- +-try: +- import setuptools +- from setuptools import setup +- from setuptools.command.install import install +- from setuptools.command.install_scripts import install_scripts +-except ImportError: +- setuptools = None +- from distutils.core import setup +- +-# all versions +-from distutils.command.build_py import build_py +-from distutils.command.build_scripts import build_scripts +-if setuptools is None: +- from distutils.command.install import install +- from distutils.command.install_scripts import install_scripts +-try: +- # python 3.x +- from distutils.command.build_py import build_py_2to3 +- from distutils.command.build_scripts import build_scripts_2to3 +- _2to3 = True +-except ImportError: +- # python 2.x +- _2to3 = False +- +-import os +-from os.path import isfile, join, isdir, realpath +-import re +-import sys +-import warnings +-from glob import glob +- +-from fail2ban.setup import updatePyExec +- +- +-source_dir = os.path.realpath(os.path.dirname( +- # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.): +- sys.argv[0] if os.path.basename(sys.argv[0]) == 'setup.py' else __file__ +-)) +- +-# Wrapper to install python binding (to current python version): +-class install_scripts_f2b(install_scripts): +- +- def get_outputs(self): +- outputs = install_scripts.get_outputs(self) +- # setup.py --dry-run install: +- dry_run = not outputs +- self.update_scripts(dry_run) +- if dry_run: +- #bindir = self.install_dir +- bindir = self.build_dir +- print('creating fail2ban-python binding -> %s (dry-run, real path can be different)' % (bindir,)) +- print('Copying content of %s to %s' % (self.build_dir, self.install_dir)); +- return outputs +- fn = None +- for fn in outputs: +- if os.path.basename(fn) == 'fail2ban-server': +- break +- bindir = os.path.dirname(fn) +- print('creating fail2ban-python binding -> %s' % (bindir,)) +- updatePyExec(bindir) +- return outputs +- +- def update_scripts(self, dry_run=False): +- buildroot = os.path.dirname(self.build_dir) +- install_dir = self.install_dir +- try: +- # remove root-base from install scripts path: +- root = self.distribution.command_options['install']['root'][1] +- if install_dir.startswith(root): +- install_dir = install_dir[len(root):] +- except: # pragma: no cover +- print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".') +- print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir)) +- with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn: +- lines = fn.readlines() +- fn = None +- if not dry_run: +- fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w') +- try: +- for ln in lines: +- ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln) +- if dry_run: +- sys.stdout.write(' | ' + ln) +- continue +- fn.write(ln) +- finally: +- if fn: fn.close() +- if dry_run: +- print(' `') +- +- +-# Wrapper to specify fail2ban own options: +-class install_command_f2b(install): +- user_options = install.user_options + [ +- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'), +- ('without-tests', None, 'without tests files installation'), +- ] +- def initialize_options(self): +- self.disable_2to3 = None +- self.without_tests = None +- install.initialize_options(self) +- def finalize_options(self): +- global _2to3 +- ## in the test cases 2to3 should be already done (fail2ban-2to3): +- if self.disable_2to3: +- _2to3 = False +- if _2to3: +- cmdclass = self.distribution.cmdclass +- cmdclass['build_py'] = build_py_2to3 +- cmdclass['build_scripts'] = build_scripts_2to3 +- if self.without_tests: +- self.distribution.scripts.remove('bin/fail2ban-testcases') +- +- self.distribution.packages.remove('fail2ban.tests') +- self.distribution.packages.remove('fail2ban.tests.action_d') +- +- del self.distribution.package_data['fail2ban.tests'] +- install.finalize_options(self) +- def run(self): +- install.run(self) +- +- +-# Update fail2ban-python env to current python version (where f2b-modules located/installed) +-updatePyExec(os.path.join(source_dir, 'bin')) +- +-if setuptools and "test" in sys.argv: +- import logging +- logSys = logging.getLogger("fail2ban") +- hdlr = logging.StreamHandler(sys.stdout) +- fmt = logging.Formatter("%(asctime)-15s %(message)s") +- hdlr.setFormatter(fmt) +- logSys.addHandler(hdlr) +- if set(["-q", "--quiet"]) & set(sys.argv): +- logSys.setLevel(logging.CRITICAL) +- warnings.simplefilter("ignore") +- sys.warnoptions.append("ignore") +- elif set(["-v", "--verbose"]) & set(sys.argv): +- logSys.setLevel(logging.DEBUG) +- else: +- logSys.setLevel(logging.INFO) +-elif "test" in sys.argv: +- print("python distribute required to execute fail2ban tests") +- print("") +- +-longdesc = ''' +-Fail2Ban scans log files like /var/log/pwdfail or +-/var/log/apache/error_log and bans IP that makes +-too many password failures. It updates firewall rules +-to reject the IP address or executes user defined +-commands.''' +- +-if setuptools: +- setup_extra = { +- 'test_suite': "fail2ban.tests.utils.gatherTests", +- 'use_2to3': True, +- } +-else: +- setup_extra = {} +- +-data_files_extra = [] +-if os.path.exists('/var/run'): +- # if we are on the system with /var/run -- we are to use it for having fail2ban/ +- # directory there for socket file etc. +- # realpath is used to possibly resolve /var/run -> /run symlink +- data_files_extra += [(realpath('/var/run/fail2ban'), '')] +- +-# Installing documentation files only under Linux or other GNU/ systems +-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding +-# installation there (see e.g. #1233) +-platform_system = platform.system().lower() +-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt'] +-if platform_system in ('solaris', 'sunos'): +- doc_files.append('README.Solaris') +-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'): +- data_files_extra.append( +- ('/usr/share/doc/fail2ban', doc_files) +- ) +- +-# Get version number, avoiding importing fail2ban. +-# This is due to tests not functioning for python3 as 2to3 takes place later +-exec(open(join("fail2ban", "version.py")).read()) +- +-setup( +- name = "fail2ban", +- version = version, +- description = "Ban IPs that make too many password failures", +- long_description = longdesc, +- author = "Cyril Jaquier & Fail2Ban Contributors", +- author_email = "cyril.jaquier@fail2ban.org", +- url = "http://www.fail2ban.org", +- license = "GPL", +- platforms = "Posix", +- cmdclass = { +- 'build_py': build_py, 'build_scripts': build_scripts, +- 'install_scripts': install_scripts_f2b, 'install': install_command_f2b +- }, +- scripts = [ +- 'bin/fail2ban-client', +- 'bin/fail2ban-server', +- 'bin/fail2ban-regex', +- 'bin/fail2ban-testcases', +- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper +- ], +- packages = [ +- 'fail2ban', +- 'fail2ban.client', +- 'fail2ban.server', +- 'fail2ban.tests', +- 'fail2ban.tests.action_d', +- ], +- package_data = { +- 'fail2ban.tests': +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/files') +- for f in w[2]] + +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/config') +- for f in w[2]] + +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/action_d') +- for f in w[2]] +- }, +- data_files = [ +- ('/etc/fail2ban', +- glob("config/*.conf") +- ), +- ('/etc/fail2ban/filter.d', +- glob("config/filter.d/*.conf") +- ), +- ('/etc/fail2ban/filter.d/ignorecommands', +- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)] +- ), +- ('/etc/fail2ban/action.d', +- glob("config/action.d/*.conf") + +- glob("config/action.d/*.py") +- ), +- ('/etc/fail2ban/fail2ban.d', +- '' +- ), +- ('/etc/fail2ban/jail.d', +- '' +- ), +- ('/var/lib/fail2ban', +- '' +- ), +- ] + data_files_extra, +- **setup_extra +-) +- +-# Do some checks after installation +-# Search for obsolete files. +-obsoleteFiles = [] +-elements = { +- "/etc/": +- [ +- "fail2ban.conf" +- ], +- "/usr/bin/": +- [ +- "fail2ban.py" +- ], +- "/usr/lib/fail2ban/": +- [ +- "version.py", +- "protocol.py" +- ] +-} +- +-for directory in elements: +- for f in elements[directory]: +- path = join(directory, f) +- if isfile(path): +- obsoleteFiles.append(path) +- +-if obsoleteFiles: +- print("") +- print("Obsolete files from previous Fail2Ban versions were found on " +- "your system.") +- print("Please delete them:") +- print("") +- for f in obsoleteFiles: +- print("\t" + f) +- print("") +- +-if isdir("/usr/lib/fail2ban"): +- print("") +- print("Fail2ban is not installed under /usr/lib anymore. The new " +- "location is under /usr/share. Please remove the directory " +- "/usr/lib/fail2ban and everything under this directory.") +- print("") +- +-# Update config file +-if sys.argv[1] == "install": +- print("") +- print("Please do not forget to update your configuration files.") +- print("They are in \"/etc/fail2ban/\".") +- print("") +- print("You can also install systemd service-unit file from \"build/fail2ban.service\"") +- print("resp. corresponding init script from \"files/*-initd\".") +- print("") +-- +2.17.1 + diff --git a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py b/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py index a5d4ed6cb..e23194986 100755 --- a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py +++ b/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py @@ -1,4 +1,3 @@ -#!/usr/bin/env python # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- # vi: set ft=python sts=4 ts=4 sw=4 noet : diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb index 53f94ff9f..e737f502a 100644 --- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb +++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb @@ -9,13 +9,12 @@ HOMEPAGE = "http://www.fail2ban.org" LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f" -SRCREV ="aa565eb80ec6043317e8430cabcaf9c3f4e61578" -SRC_URI = " \ - git://github.com/fail2ban/fail2ban.git;branch=0.11 \ - file://initd \ +SRCREV ="3befbb177017957869425c81a560edb8e27db75a" +SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \ + file://initd \ file://fail2ban_setup.py \ file://run-ptest \ - file://0001-To-fix-build-error-of-xrang.patch \ + file://0001-python3-fail2ban-2-3-conversion.patch \ " inherit update-rc.d ptest setuptools3 @@ -27,16 +26,16 @@ do_compile_prepend () { } do_install_append () { - install -d ${D}/${sysconfdir}/fail2ban - install -d ${D}/${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server - chown -R root:root ${D}/${bindir} + install -d ${D}/${sysconfdir}/fail2ban + install -d ${D}/${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server + chown -R root:root ${D}/${bindir} } do_install_ptest_append () { - install -d ${D}${PTEST_PATH} - sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest - install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH} + install -d ${D}${PTEST_PATH} + sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest + install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH} } FILES_${PN} += "/run" @@ -47,5 +46,6 @@ INITSCRIPT_PARAMS = "defaults 25" INSANE_SKIP_${PN}_append = "already-stripped" -RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify" +RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify" +RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json" RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" diff --git a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb index 98f895c44..f9ca09268 100644 --- a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb +++ b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" LICENSE = "Apache-2.0" SRC_URI = "git://github.com/google/google-authenticator-libpam.git" -SRCREV = "c9280f43610ce896f91eafd0f740a4eb4dcecedd" +SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef" DEPENDS = "libpam" @@ -14,7 +14,10 @@ inherit autotools features_check REQUIRED_DISTRO_FEATURES = "pam" +# Use the same dir location as PAM +EXTRA_OECONF = "--libdir=${base_libdir}" + PACKAGES += "pam-google-authenticator" -FILES_pam-google-authenticator = "${libdir}/security/pam_google_authenticator.so" +FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so" RDEPNEDS_pam-google-authenticator = "libpam" diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-security/images/security-client-image.bb index 1a9247972..f4ebc697c 100644 --- a/meta-security/recipes-security/images/security-client-image.bb +++ b/meta-security/recipes-security/images/security-client-image.bb @@ -5,8 +5,7 @@ IMAGE_INSTALL = "\ packagegroup-core-boot \ os-release \ samhain-client \ - ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \ - ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}" + ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}" IMAGE_LINGUAS ?= " " diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-security/images/security-server-image.bb index 502b5c142..4927e0ee5 100644 --- a/meta-security/recipes-security/images/security-server-image.bb +++ b/meta-security/recipes-security/images/security-server-image.bb @@ -6,8 +6,7 @@ IMAGE_INSTALL = "\ packagegroup-base \ packagegroup-core-boot \ samhain-server \ - os-release \ - ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}" + os-release " IMAGE_LINGUAS ?= " " diff --git a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch deleted file mode 100644 index a53433fe5..000000000 --- a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 1ecdddb2a5b61cf527d1f238f88a9d129239f87a Mon Sep 17 00:00:00 2001 -From: Paul Moore <paul@paul-moore.com> -Date: Tue, 5 Nov 2019 15:11:11 -0500 -Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls - -We recently changed how libseccomp handles syscall numbers that are -not defined natively, but we missed test #15. - -Acked-by: Tom Hromatka <tom.hromatka@oracle.com> -Signed-off-by: Paul Moore <paul@paul-moore.com> - -Upstream-Status: Backport -[https://github.com/seccomp/libseccomp/commit/1ecdddb2a5b61cf527d1f238f88a9d129239f87a] - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - tests/15-basic-resolver.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c -index 6badef1..0c1eefe 100644 ---- a/tests/15-basic-resolver.c -+++ b/tests/15-basic-resolver.c -@@ -55,15 +55,15 @@ int main(int argc, char *argv[]) - unsigned int arch; - char *name = NULL; - -- if (seccomp_syscall_resolve_name("open") != __NR_open) -+ if (seccomp_syscall_resolve_name("open") != __SNR_open) - goto fail; -- if (seccomp_syscall_resolve_name("read") != __NR_read) -+ if (seccomp_syscall_resolve_name("read") != __SNR_read) - goto fail; - if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR) - goto fail; - - rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat"); -- if (rc != __NR_openat) -+ if (rc != __SNR_openat) - goto fail; - - while ((arch = arch_list[iter++]) != -1) { --- -2.17.1 - diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb index 07db82a60..9ca41e650 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb @@ -4,10 +4,9 @@ SECTION = "security" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" -SRCREV = "1b6cfd1fc0b7499a28c24299a93a80bd18619563" +SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427" SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ - file://0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch \ file://run-ptest \ " diff --git a/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch b/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch new file mode 100644 index 000000000..e350bafcd --- /dev/null +++ b/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch @@ -0,0 +1,25 @@ +When calculate value of ldblibdir, it checks whether the directory of +$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not +suitable for cross compile. Fix it that only re-assign ldblibdir when its value +is empty. + +Upstream-Status: Inappropriate [cross compile specific] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- + src/external/libldb.m4 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/external/libldb.m4 b/src/external/libldb.m4 +index c400add..5e5f06d 100644 +--- a/src/external/libldb.m4 ++++ b/src/external/libldb.m4 +@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then + ldblibdir=$with_ldb_lib_dir + else + ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`" +- if ! test -d $ldblibdir; then ++ if test -z $ldblibdir; then + ldblibdir="${libdir}/ldb" + fi + fi diff --git a/meta-security/recipes-security/sssd/files/volatiles.99_sssd b/meta-security/recipes-security/sssd/files/volatiles.99_sssd new file mode 100644 index 000000000..2a82413f3 --- /dev/null +++ b/meta-security/recipes-security/sssd/files/volatiles.99_sssd @@ -0,0 +1 @@ +d root root 0750 /var/log/sssd none diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb index 089a99e0d..7ea1586bd 100644 --- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb +++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb @@ -8,13 +8,21 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" -SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\ - file://sssd.conf " +# If no crypto has been selected, default to DEPEND on nss, since that's what +# sssd will pick if no active choice is made during configure +DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ + bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" + +SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \ + file://sssd.conf \ + file://volatiles.99_sssd \ + file://fix-ldblibdir.patch \ + " SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50" SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959" -inherit autotools pkgconfig gettext python-dir features_check +inherit autotools pkgconfig gettext python3-dir features_check systemd REQUIRED_DISTRO_FEATURES = "pam" @@ -22,29 +30,37 @@ SSSD_UID ?= "root" SSSD_GID ?= "root" CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ - ac_cv_path_NSUPDATE=${bindir} \ - ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ + ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ " -PACKAGECONFIG ?="nss nscd" +PACKAGECONFIG ?="nss nscd autofs sudo infopipe" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" -PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " -PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" -PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" +PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" +PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto" +PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson" +PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2" +PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no" -PACKAGECONFIG[python2] = "--with-python2-bindings, --without-python2-bindings" -PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" -PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," -PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto" -PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" -PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir=" -PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2" -PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl" - -EXTRA_OECONF += "--disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --without-ipa-getkeytab" +PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " +PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss," +PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" +PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" +PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" +PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " +PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " +PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv" + +EXTRA_OECONF += " \ + --disable-cifs-idmap-plugin \ + --without-nfsv4-idmapd-plugin \ + --without-ipa-getkeytab \ + --without-python2-bindings \ + --enable-pammoddir=${base_libdir}/security \ + --without-python2-bindings \ +" do_configure_prepend() { mkdir -p ${AUTOTOOLS_AUXDIR}/build @@ -59,6 +75,12 @@ do_install () { rmdir --ignore-fail-on-non-empty "${D}/${bindir}" install -d ${D}/${sysconfdir}/${BPN} install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} + install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf + fi # Remove /var/run as it is created on startup rm -rf ${D}${localstatedir}/run @@ -76,10 +98,24 @@ CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" INITSCRIPT_NAME = "sssd" INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." -SYSTEMD_SERVICE_${PN} = "${BPN}.service" +SYSTEMD_SERVICE_${PN} = " \ + ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ + sssd-nss.service \ + sssd-nss.socket \ + sssd-pam-priv.socket \ + sssd-pam.service \ + sssd-pam.socket \ + sssd-secrets.service \ + sssd-secrets.socket \ + sssd.service \ +" SYSTEMD_AUTO_ENABLE = "disable" -FILES_${PN} += "${libdir} ${datadir} /run ${libdir}/*.so* " +FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so" FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" # The package contains symlinks that trip up insane |