meta-security: subtree update:b72cc7f87c..95fe86eb98

André Draszik (1):
      linux-yocto: update the bbappend to 5.x

Armin Kuster (36):
      README: add pull request option
      sssd: drop py2 support
      python3-fail2ban: update to latest
      Apparmor: fix some runtime depends
      linux-yocto-dev: remove "+"
      checksecurity: fix runtime issues
      buck-security: fix rdebends and minor style cleanup
      swtpm: fix configure error
      ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
      bastille: convert to py3
      tpm2-tools: update to 4.1.1
      tpm2-tcti-uefi: fix build issue for i386 machine
      tpm2-tss: update to 2.3.2
      ibmswtpm2: update to 1563
      python3-fail2ban: add 2-3 conversion changes
      google-authenticator-libpam: install module in pam location
      apparmor: update to tip
      clamav: add bison-native to depend
      meta-security-isafw: import layer from Intel
      isafw: fix to work against master
      layer.conf: add zeus
      README.md: update to new maintainer
      clamav-native: missed bison fix
      secuirty*-image: remove dead var and minor cleanup
      libtpm: fix build issue over pod2man
      sssd: python2 not supported
      libseccomp: update to 2.4.3
      lynis: add missing rdepends
      fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
      chkrootkit: add rootkit recipe
      clamav: move to recipes-scanners
      checksec: move to recipe-scanners
      checksecurity: move to recipes-scanners
      buck-security: move to recipes-scanners
      arpwatch: add new recipe
      buck-security: fix runtime issue with missing per module

Bartosz Golaszewski (3):
      linux: drop the bbappend for linux v4.x series
      classes: provide a class for generating dm-verity meta-data images
      dm-verity: add a working example for BeagleBone Black

Haseeb Ashraf (1):
      samhain: dnmalloc hash fix for aarch64 and mips64

Jan Luebbe (2):
      apparmor: fix wrong executable permission on service file
      apparmor: update to 2.13.4

Jonatan Pålsson (10):
      README: Add meta-python to list of layer deps
      sssd: Add PACKAGECONFIG for python2
      sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
      sssd: DEPEND on nss if nothing else is chosen
      sssd: Sort PACKAGECONFIG entries
      sssd: Add autofs PACKAGECONFIG
      sssd: Add sudo PACKAGECONFIG
      sssd: Add missing files to SYSTEMD_SERVICE
      sssd: Add missing DEPENDS on jansson
      sssd: Add infopipe PACKAGECONFIG

Kai Kang (1):
      sssd: fix for ldblibdir and systemd etc

Martin Jansa (1):
      layer.conf: update LAYERSERIES_COMPAT for dunfell

Mingli Yu (1):
      linux-yocto: update the bbappend to 5.x

Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
      google-authenticator-libpam: upgrade 1.07 -> 1.08

Yi Zhao (5):
      samhain: fix build with new version attr
      scap-security-guide: fix xml parsing error when build remediation files
      scap-security-guide: pass the correct schema file path to openscap-native
      openscap-daemon: add missing runtime dependencies
      samhain-server: add volatile file for systemd

Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-security/recipes-security/bastille/files/set_required_questions.py b/meta-security/recipes-security/bastille/files/set_required_questions.py
index 4a28358..f306109 100755
--- a/meta-security/recipes-security/bastille/files/set_required_questions.py
+++ b/meta-security/recipes-security/bastille/files/set_required_questions.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 #Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
 
@@ -83,7 +83,7 @@
   @param name qlabel The question label for which the distro is to be added.
   """
   questions_in = open(qfile)
-  questions_out = tempfile.NamedTemporaryFile(delete=False)
+  questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False)
   for l in add_requires(qlabel, distro, questions_in):
     questions_out.write(l)
   questions_out.close()
diff --git a/meta-security/recipes-security/buck-security/buck-security_0.7.bb b/meta-security/recipes-security/buck-security/buck-security_0.7.bb
deleted file mode 100644
index 3733c88..0000000
--- a/meta-security/recipes-security/buck-security/buck-security_0.7.bb
+++ /dev/null
@@ -1,63 +0,0 @@
-SUMMARY = "Linux security scanner"
-DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux \
-system. This enables you to quickly overview the security status of your Linux system."
-SECTION = "security"
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-RDEPENDS_${PN} = "coreutils \
-                  gnupg \
-                  net-tools \
-                  perl \
-                  perl-module-data-dumper \
-                  perl-module-file-basename \
-                  perl-module-file-spec \
-                  perl-module-getopt-long \
-                  perl-module-lib \
-                  perl-module-posix \
-                  perl-module-term-ansicolor \
-                  perl-module-time-localtime \
-                  pinentry \
-                 "
-
-RDEPENDS_${PN}_class-native = "coreutils \
-                               net-tools \
-                               perl \
-                               perl-module-data-dumper \
-                               perl-module-file-basename \
-                               perl-module-file-spec \
-                               perl-module-getopt-long \
-                               perl-module-lib \
-                               perl-module-posix \
-                               perl-module-term-ansicolor \
-                               perl-module-time-localtime \
-                              "
-
-SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz"
-
-SRC_URI[md5sum] = "611a3e9bb7ed8a8270aa15216c321c53"
-SRC_URI[sha256sum] = "c533c6631ec3554dd8d39d2d1c3ed44badbbf50810ebb75469c74639fa294b01"
-
-S = "${WORKDIR}/${BPN}_${PV}"
-
-do_configure() {
-    :
-}
-
-do_compile() {
-    :
-}
-
-do_install() {
-    install -d ${D}${bindir}/buck
-    cp -r ${S}/* ${D}${bindir}/buck
-    cp -r ${S}/buck-security ${D}${bindir}
-    sed -i 's!use lib "checks"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks")!' ${D}${bindir}/buck-security
-    sed -i 's!use lib "checks/lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks/lib")!' ${D}${bindir}/buck-security
-    sed -i 's!use lib "lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/lib")!' ${D}${bindir}/buck-security
-    sed -i 's!my $buck_root = "."!my $buck_root = File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck")!' ${D}${bindir}/buck-security
-
-}
-
-FILES_${PN} = "${bindir}/*"
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/checksec/checksec_2.1.0.bb b/meta-security/recipes-security/checksec/checksec_2.1.0.bb
deleted file mode 100644
index b67c98b..0000000
--- a/meta-security/recipes-security/checksec/checksec_2.1.0.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "Linux system security checks"
-DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD"
-HOMEPAGE="https://github.com/slimm609/checksec.sh"
-
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a"
-
-SRCREV = "04582bad41589ad479ca8b1f0170ed317475b5a5"
-SRC_URI = "git://github.com/slimm609/checksec.sh"
-
-S = "${WORKDIR}/git"
-
-do_install() {
-    install -d ${D}${bindir}
-    install -m 0755 ${S}/checksec ${D}${bindir}
-}
-
-RDEPENDS_${PN} = "bash openssl-bin binutils"
diff --git a/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb b/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb
deleted file mode 100644
index 030bf25..0000000
--- a/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb
+++ /dev/null
@@ -1,21 +0,0 @@
-SUMMARY = "basic system security checks"
-DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
-SECTION = "security"
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
-           file://setuid-log-folder.patch \
-           file://check-setuid-use-more-portable-find-args.patch"
-
-SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
-SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
-
-do_compile() {
-}
-
-do_install() {
-    oe_runmake PREFIX=${D}
-}
-
-RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob util-linux findutils coreutils"
diff --git a/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
deleted file mode 100644
index f1fe8ed..0000000
--- a/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
-From: Christopher Larson <chris_larson@mentor.com>
-Date: Wed, 5 Sep 2018 23:21:43 +0500
-Subject: [PATCH] check-setuid: use more portable find args
-
-Signed-off-by: Christopher Larson <chris_larson@mentor.com>
----
- plugins/check-setuid | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-Index: checksecurity-2.0.15/plugins/check-setuid
-===================================================================
---- checksecurity-2.0.15.orig/plugins/check-setuid	2018-09-06 00:49:23.930934294 +0500
-+++ checksecurity-2.0.15/plugins/check-setuid	2018-09-06 00:49:49.694934757 +0500
-@@ -99,7 +99,7 @@
- ionice -t -c3 \
- find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
- 	-xdev $PATHCHK \
--	\( -type f -perm +06000 -o \( \( -type b -o -type c \) \
-+	\( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
- 	$DEVCHK \) \) \
-         -ignore_readdir_race  \
- 	-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
diff --git a/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch b/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch
deleted file mode 100644
index 540ea9c..0000000
--- a/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Thu, 20 Jun 2013 15:14:55 +0300
-Subject: [PATCH] changed log folder for check-setuid
-
-check-setuid was creating logs in /var/log directory,
-which cannot be created persistently. To avoid errors
-the log folder was changed to /etc/checksecurity/.
-
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
----
- etc/check-setuid.conf |    2 +-
- plugins/check-setuid  |    6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf
-index 621336f..e1532c0 100644
---- a/etc/check-setuid.conf
-+++ b/etc/check-setuid.conf
-@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false"
- #
- # Location of setuid file databases. 
- #
--LOGDIR=/var/log/setuid
-+LOGDIR=/etc/checksecurity/
-diff --git a/plugins/check-setuid b/plugins/check-setuid
-index 8d6f90b..bdb21c1 100755
---- a/plugins/check-setuid
-+++ b/plugins/check-setuid
-@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then
-    exit 1
- fi
- 
--TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
--TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp
-+TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp
-+TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp
- 
- #
- # Check for NFS/AFS mounts that are not nosuid/nodev
-@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
- fi
- 
- # Guard against undefined vars
--[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
-+[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/
- if [ ! -e "$LOGDIR" ] ; then
-     echo "ERROR: Log directory $LOGDIR does not exist"
-     exit 1
--- 
-1.7.9.5
-
diff --git a/meta-security/recipes-security/clamav/clamav_0.101.5.bb b/meta-security/recipes-security/clamav/clamav_0.101.5.bb
deleted file mode 100644
index a4c32e1..0000000
--- a/meta-security/recipes-security/clamav/clamav_0.101.5.bb
+++ /dev/null
@@ -1,169 +0,0 @@
-SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface"
-DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats."
-HOMEPAGE = "http://www.clamav.net/index.html"
-SECTION = "security"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "libtool db libxml2 openssl zlib curl llvm clamav-native libmspack"
-DEPENDS_class-native = "db-native openssl-native zlib-native llvm-native curl-native"
- 
-LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
-
-SRCREV = "482fcd413b07e9fd3ef9850e6d01a45f4e187108"
-
-SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \
-    file://clamd.conf \
-    file://freshclam.conf \
-    file://volatiles.03_clamav \
-    file://tmpfiles.clamav \
-    file://${BPN}.service \
-    file://freshclam-native.conf \
-    "
-
-S = "${WORKDIR}/git"
-
-LEAD_SONAME = "libclamav.so"
-SO_VER = "9.0.2"
-
-inherit autotools pkgconfig useradd systemd
-
-CLAMAV_UID ?= "clamav"
-CLAMAV_GID ?= "clamav"
-INSTALL_CLAMAV_CVD ?= "1"
-
-CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr"
-CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr"
-
-PACKAGECONFIG_class-target ?= "ncurses bz2"
-PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
-PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR},  --without-pcre, libpcre"
-PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json-c,"
-PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
-PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --disable-bzip2, bzip2"
-PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, "
-PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, "
-
-EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \
-            --disable-mempool \
-            --program-prefix="" \
-            --disable-zlib-vcheck \
-            --with-xml=${CLAMAV_USR_DIR} \
-            --with-zlib=${CLAMAV_USR_DIR} \
-            --with-openssl=${CLAMAV_USR_DIR} \
-            --with-libcurl=${CLAMAV_USR_DIR} \
-            --with-system-libmspack=${CLAMAV_USR_DIR} \
-            --with-iconv=no \
-            --enable-check=no \
-            "
-
-EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}"
-EXTRA_OECONF_class-target += "--with-user=${CLAMAV_UID}  --with-group=${CLAMAV_GID} ${EXTRA_OECONF_CLAMAV}"
-
-do_configure () {
-    ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} 
-}
-
-do_configure_class-native () {
-    ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF} 
-}
-
-do_compile_append_class-target() {
-    if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
-        bbnote "CLAMAV creating cvd"
-        install -d ${S}/clamav_db
-        ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf
-    fi
-}
-
-do_install_append_class-target () {
-    install -d ${D}/${sysconfdir}
-    install -d ${D}/${localstatedir}/lib/clamav
-    install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
-
-    install -m 644 ${WORKDIR}/clamd.conf ${D}/${sysconfdir}
-    install -m 644 ${WORKDIR}/freshclam.conf ${D}/${sysconfdir}
-    install -m 0644 ${WORKDIR}/volatiles.03_clamav  ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
-    sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
-    rm ${D}/${libdir}/libclamav.so
-    install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
-    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
-        install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
-        install -d ${D}${sysconfdir}/tmpfiles.d
-        install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
-    fi
-}
-
-pkg_postinst_ontarget_${PN} () {
-    if command -v systemd-tmpfiles >/dev/null; then
-        systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
-    elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
-        ${sysconfdir}/init.d/populate-volatile.sh update
-    fi
-    mkdir -p ${localstatedir}/lib/clamav
-    chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
-}
-
-
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \
-            ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
-
-FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \
-                ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \
-                ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit*  \
-                ${docdir}/clamav/* "
-
-FILES_${PN}-clamdscan = " ${bindir}/clamdscan \
-                        ${docdir}/clamdscan/* \
-                        ${mandir}/man1/clamdscan* \
-                        "
-
-FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
-                        ${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \
-                        ${mandir}/man5/clamd*  ${mandir}/man8/clamd* \
-                        ${sysconfdir}/clamd.conf* \
-                        ${systemd_unitdir}/system/clamav-daemon/* \
-                        ${docdir}/clamav-daemon/*  ${sysconfdir}/clamav-daemon \
-                        ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon "
-
-FILES_${PN}-freshclam = "${bindir}/freshclam \
-                        ${sysconfdir}/freshclam.conf*  \
-                        ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
-                        ${sysconfdir}/tmpfiles.d/*.conf \
-                        ${localstatedir}/lib/clamav \
-                        ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
-                        ${mandir}/man5/freshclam.conf.* \
-                        ${systemd_unitdir}/system/clamav-freshclam.service"
-
-FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
-                    ${libdir}/pkgconfig/*.pc \
-                    ${mandir}/man1/clamav-config.* \
-                    ${includedir}/*.h ${docdir}/libclamav* "
-
-FILES_${PN}-staticdev = "${libdir}/*.a"
-
-FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so*\
-                          ${docdir}/libclamav/* "
-
-FILES_${PN}-doc = "${mandir}/man/* \
-                   ${datadir}/man/* \
-                   ${docdir}/* "
-
-FILES_${PN}-cvd =  "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat"
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}"
-USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir  \
-    ${localstatedir}/spool/${BPN} \
-    --no-create-home  --shell /bin/false ${BPN}"
-
-RPROVIDES_${PN} += "${PN}-systemd"
-RREPLACES_${PN} += "${PN}-systemd"
-RCONFLICTS_${PN} += "${PN}-systemd"
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
-
-RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
-RDEPENDS_${PN}_class-native = ""
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/clamav/files/clamav-freshclam.service b/meta-security/recipes-security/clamav/files/clamav-freshclam.service
deleted file mode 100644
index 0c909fb..0000000
--- a/meta-security/recipes-security/clamav/files/clamav-freshclam.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=ClamAV virus database updater
-Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/
-# If user wants it run from cron, don't start the daemon.
-ConditionPathExists=!/etc/cron.d/clamav-freshclam
-
-[Service]
-ExecStart=/usr/bin/freshclam -d --foreground=true
-StandardOutput=syslog
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample b/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample
deleted file mode 100644
index ed0d519..0000000
--- a/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample
+++ /dev/null
@@ -1,293 +0,0 @@
-##
-## Example config file for clamav-milter
-##
-
-# Comment or remove the line below.
-Example
-
-
-##
-## Main options
-##
-
-# Define the interface through which we communicate with sendmail
-# This option is mandatory! Possible formats are:
-# [[unix|local]:]/path/to/file - to specify a unix domain socket
-# inet:port@[hostname|ip-address] - to specify an ipv4 socket
-# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
-#
-# Default: no default
-#MilterSocket /tmp/clamav-milter.socket
-#MilterSocket inet:7357
-
-# Define the group ownership for the (unix) milter socket.
-# Default: disabled (the primary group of the user running clamd)
-#MilterSocketGroup virusgroup
-
-# Sets the permissions on the (unix) milter socket to the specified mode.
-# Default: disabled (obey umask)
-#MilterSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-#
-# Default: yes
-#FixStaleSocket yes
-
-# Run as another user (clamav-milter must be started by root for this option to work)
-#
-# Default: unset (don't drop privileges)
-#User clamav
-
-# Initialize supplementary group access (clamav-milter must be started by root).
-#
-# Default: no
-#AllowSupplementaryGroups no
-
-# Waiting for data from clamd will timeout after this time (seconds).
-# Value of 0 disables the timeout.
-#
-# Default: 120
-#ReadTimeout 300
-
-# Don't fork into background.
-#
-# Default: no
-#Foreground yes
-
-# Chroot to the specified directory.
-# Chrooting is performed just after reading the config file and before dropping privileges.
-#
-# Default: unset (don't chroot)
-#Chroot /newroot
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-#
-# Default: disabled
-#PidFile /var/run/clamav/clamav-milter.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-#
-#TemporaryDirectory /var/tmp
-
-##
-## Clamd options
-##
-
-# Define the clamd socket to connect to for scanning.
-# This option is mandatory! Syntax:
-# ClamdSocket unix:path
-# ClamdSocket tcp:host:port
-# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
-#     ClamdSocket unix:/var/run/clamd/clamd.socket
-# The second syntax specifies a tcp local or remote tcp socket: the
-# host can be a hostname or an ip address; the ":port" field is only required
-# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
-#     ClamdSocket tcp:192.168.0.1
-#
-# This option can be repeated several times with different sockets or even
-# with the same socket: clamd servers will be selected in a round-robin fashion.
-#
-# Default: no default
-ClamdSocket /var/run/clamav/clamd
-
-
-##
-## Exclusions
-##
-
-# Messages originating from these hosts/networks will not be scanned
-# This option takes a host(name)/mask pair in CIRD notation and can be
-# repeated several times. If "/mask" is omitted, a host is assumed.
-# To specify a locally orignated, non-smtp, email use the keyword "local"
-#
-# Default: unset (scan everything regardless of the origin)
-#LocalNet local
-#LocalNet 192.168.0.0/24
-#LocalNet 1111:2222:3333::/48
-
-# This option specifies a file which contains a list of basic POSIX regular
-# expressions. Addresses (sent to or from - see below) matching these regexes
-# will not be scanned.  Optionally each line can start with the string "From:"
-# or "To:" (note: no whitespace after the colon) indicating if it is, 
-# respectively, the sender or recipient that is to be whitelisted.
-# If the field is missing, "To:" is assumed.
-# Lines starting with #, : or ! are ignored.
-#
-# Default unset (no exclusion applied)
-#Whitelist /etc/whitelisted_addresses
-
-# Messages from authenticated SMTP users matching this extended POSIX
-# regular expression (egrep-like) will not be scanned.
-# As an alternative, a file containing a plain (not regex) list of names (one
-# per line) can be specified using the prefix "file:".
-# e.g. SkipAuthenticated file:/etc/good_guys
-#
-# Note: this is the AUTH login name!
-#
-# Default: unset (no whitelisting based on SMTP auth)
-#SkipAuthenticated ^(tom|dick|henry)$
-
-# Messages larger than this value won't be scanned.
-# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
-#
-# Default: 25M
-#MaxFileSize 10M
-
-
-##
-## Actions
-##
-
-# The following group of options controls the delievery process under
-# different circumstances.
-# The following actions are available:
-# - Accept
-#   The message is accepted for delievery
-# - Reject
-#   Immediately refuse delievery (a 5xx error is returned to the peer)
-# - Defer
-#   Return a temporary failure message (4xx) to the peer
-# - Blackhole (not available for OnFail)
-#   Like Accept but the message is sent to oblivion
-# - Quarantine (not available for OnFail)
-#   Like Accept but message is quarantined instead of being delivered
-#
-# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
-# For Postfix this causes the message to be placed on hold
-# 
-# Action to be performed on clean messages (mostly useful for testing)
-# Default: Accept
-#OnClean Accept
-
-# Action to be performed on infected messages
-# Default: Quarantine
-#OnInfected Quarantine
-
-# Action to be performed on error conditions (this includes failure to
-# allocate data structures, no scanners available, network timeouts,
-# unknown scanner replies and the like)
-# Default: Defer
-#OnFail Defer
-
-# This option allows to set a specific rejection reason for infected messages
-# and it's therefore only useful together with "OnInfected Reject"
-# The string "%v", if present, will be replaced with the virus name.
-# Default: MTA specific
-#RejectMsg 
-
-# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
-# "X-Virus-Status" headers will be attached to each processed message, possibly
-# replacing existing headers.
-# If it is set to Add, the X-Virus headers are added possibly on top of the
-# existing ones.
-# Note that while "Replace" can potentially break DKIM signatures, "Add" may
-# confuse procmail and similar filters.
-# Default: no
-#AddHeader Replace
-
-# When AddHeader is in use, this option allows to arbitrary set the reported
-# hostname. This may be desirable in order to avoid leaking internal names.
-# If unset the real machine name is used.
-# Default: disabled
-#ReportHostname my.mail.server.name
-
-# Execute a command (possibly searching PATH) when an infected message is found.
-# The following parameters are passed to the invoked program in this order:
-# virus name, queue id, sender, destination, subject, message id, message date.
-# Note #1: this requires MTA macroes to be available (see LogInfected below)
-# Note #2: the process is invoked in the context of clamav-milter
-# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
-# avoid unnecessary delays in email delievery
-# Default: disabled
-#VirusAction /usr/local/bin/my_infected_message_handler
-
-##
-## Logging options
-##
-
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-#
-# Default: disabled
-#LogFile /var/log/clamav/clamav-milter.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamav-milter multiple times.
-# This option disables log file locking.
-#
-# Default: no
-#LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-#
-# Default: 1M
-#LogFileMaxSize 2M
-
-# Log time with each message.
-#
-# Default: no
-#LogTime yes
-
-# Use system logger (can work together with LogFile).
-#
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-#
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-#
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# This option allows to tune what is logged when a message is infected.
-# Possible values are Off (the default - nothing is logged),
-# Basic (minimal info logged), Full (verbose info logged)
-# Note:
-# For this to work properly in sendmail, make sure the msg_id, mail_addr,
-# rcpt_addr and i macroes are available in eom. In other words add a line like:
-# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
-# to your .cf file. Alternatively use the macro:
-# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
-# Postfix should be working fine with the default settings.
-#
-# Default: disabled
-#LogInfected Basic
-
-# This option allows to tune what is logged when no threat is found in a scanned message.
-# See LogInfected for possible values and caveats.
-# Useful in debugging but drastically increases the log size.
-# Default: disabled
-#LogClean Basic
-
-# This option affects the behaviour of LogInfected, LogClean and VirusAction
-# when a message with multiple recipients is scanned:
-# If SupportMultipleRecipients is off (the default)
-# then one single log entry is generated for the message and, in case the
-# message is determined to be malicious, the command indicated by VirusAction
-# is executed just once. In both cases only the last recipient is reported.
-# If SupportMultipleRecipients is on:
-# then one line is logged for each recipient and the command indicated
-# by VirusAction is also executed once for each recipient.
-# 
-# Note: although it's probably a good idea to enable this option, the default value
-# is currently set to off for legacy reasons.
-# Default: no
-#SupportMultipleRecipients yes
-
diff --git a/meta-security/recipes-security/clamav/files/clamav.service b/meta-security/recipes-security/clamav/files/clamav.service
deleted file mode 100644
index f13191f..0000000
--- a/meta-security/recipes-security/clamav/files/clamav.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=Clam AntiVirus userspace daemon
-Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/
-Requires=clamav-daemon.socket
-# Check for database existence
-ConditionPathExistsGlob=/usr/share/clamav/main.{c[vl]d,inc}
-ConditionPathExistsGlob=/usr/share/clamav/daily.{c[vl]d,inc}
-
-[Service]
-ExecStart=/usr/sbin/clamd --foreground=true
-# Reload the database
-ExecReload=/bin/kill -USR2 $MAINPID
-StandardOutput=syslog
-
-[Install]
-WantedBy=multi-user.target
-Also=clamav-daemon.socket
diff --git a/meta-security/recipes-security/clamav/files/clamd.conf b/meta-security/recipes-security/clamav/files/clamd.conf
deleted file mode 100644
index 0457785..0000000
--- a/meta-security/recipes-security/clamav/files/clamd.conf
+++ /dev/null
@@ -1,595 +0,0 @@
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-# Default: disabled
-LogFile /tmp/clamd.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamd multiple times (if want to run another clamd, please
-# copy the configuration file, change the LogFile variable, and run
-# the daemon with --config-file option).
-# This option disables log file locking.
-# Default: no
-LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Also log clean files. Useful in debugging but drastically increases the
-# log size.
-# Default: no
-#LogClean yes
-
-# Use system logger (can work together with LogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# Log additional information about the infected file, such as its
-# size and hash, together with the virus name.
-ExtendedDetectionInfo yes
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-# Default: disabled
-PidFile /var/run/clamd.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-TemporaryDirectory /var/tmp
-
-# Path to the database directory.
-# Default: hardcoded (depends on installation options)
-DatabaseDirectory /var/lib/clamav
-
-# Only load the official signatures published by the ClamAV project.
-# Default: no
-#OfficialDatabaseOnly no
-
-# The daemon can work in local mode, network mode or both. 
-# Due to security reasons we recommend the local mode.
-
-# Path to a local socket file the daemon will listen on.
-# Default: disabled (must be specified by a user)
-LocalSocket /tmp/clamd.socket
-
-# Sets the group ownership on the unix socket.
-# Default: disabled (the primary group of the user running clamd)
-#LocalSocketGroup virusgroup
-
-# Sets the permissions on the unix socket to the specified mode.
-# Default: disabled (socket is world accessible)
-#LocalSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-# Default: yes
-#FixStaleSocket yes
-
-# TCP port address.
-# Default: no
-#TCPSocket 3310
-
-# TCP address.
-# By default we bind to INADDR_ANY, probably not wise.
-# Enable the following to provide some degree of protection
-# from the outside world. This option can be specified multiple
-# times if you want to listen on multiple IPs. IPv6 is now supported.
-# Default: no
-#TCPAddr 127.0.0.1
-
-# Maximum length the queue of pending connections may grow to.
-# Default: 200
-#MaxConnectionQueueLength 30
-
-# Clamd uses FTP-like protocol to receive data from remote clients.
-# If you are using clamav-milter to balance load between remote clamd daemons
-# on firewall servers you may need to tune the options below.
-
-# Close the connection when the data size limit is exceeded.
-# The value should match your MTA's limit for a maximum attachment size.
-# Default: 25M
-#StreamMaxLength 10M
-
-# Limit port range.
-# Default: 1024
-#StreamMinPort 30000
-# Default: 2048
-#StreamMaxPort 32000
-
-# Maximum number of threads running at the same time.
-# Default: 10
-#MaxThreads 20
-
-# Waiting for data from a client socket will timeout after this time (seconds).
-# Default: 120
-#ReadTimeout 300
-
-# This option specifies the time (in seconds) after which clamd should
-# timeout if a client doesn't provide any initial command after connecting.
-# Default: 5
-#CommandReadTimeout 5
-
-# This option specifies how long to wait (in miliseconds) if the send buffer is full.
-# Keep this value low to prevent clamd hanging
-#
-# Default: 500
-#SendBufTimeout 200
-
-# Maximum number of queued items (including those being processed by MaxThreads threads)
-# It is recommended to have this value at least twice MaxThreads if possible.
-# WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
-# the following condition should hold:
-# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
-#
-# Default: 100
-#MaxQueue 200
-
-# Waiting for a new job will timeout after this time (seconds).
-# Default: 30
-#IdleTimeout 60
-
-# Don't scan files and directories matching regex
-# This directive can be used multiple times
-# Default: scan all
-#ExcludePath ^/proc/
-#ExcludePath ^/sys/
-
-# Maximum depth directories are scanned at.
-# Default: 15
-#MaxDirectoryRecursion 20
-
-# Follow directory symlinks.
-# Default: no
-#FollowDirectorySymlinks yes
-
-# Follow regular file symlinks.
-# Default: no
-#FollowFileSymlinks yes
-
-# Scan files and directories on other filesystems.
-# Default: yes
-#CrossFilesystems yes
-
-# Perform a database check.
-# Default: 600 (10 min)
-#SelfCheck 600
-
-# Execute a command when virus is found. In the command string %v will
-# be replaced with the virus name.
-# Default: no
-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
-
-# Run as another user (clamd must be started by root for this option to work)
-# Default: don't drop privileges
-User clamav
-
-# Initialize supplementary group access (clamd must be started by root).
-# Default: no
-#AllowSupplementaryGroups no
-
-# Stop daemon when libclamav reports out of memory condition.
-#ExitOnOOM yes
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Do not remove temporary files (for debug purposes).
-# Default: no
-#LeaveTemporaryFiles yes
-
-# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
-# any ALLMATCHSCAN command as invalid.
-# Default: yes
-#AllowAllMatchScan no
-
-# Detect Possibly Unwanted Applications.
-# Default: no
-#DetectPUA yes
-
-# Exclude a specific PUA category. This directive can be used multiple times.
-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for 
-# the complete list of PUA categories.
-# Default: Load all categories (if DetectPUA is activated)
-#ExcludePUA NetTool
-#ExcludePUA PWTool
-
-# Only include a specific PUA category. This directive can be used multiple
-# times.
-# Default: Load all categories (if DetectPUA is activated)
-#IncludePUA Spy
-#IncludePUA Scanner
-#IncludePUA RAT
-
-# In some cases (eg. complex malware, exploits in graphic files, and others),
-# ClamAV uses special algorithms to provide accurate detection. This option
-# controls the algorithmic detection.
-# Default: yes
-#AlgorithmicDetection yes
-
-# This option causes memory or nested map scans to dump the content to disk.
-# If you turn on this option, more data is written to disk and is available
-# when the LeaveTemporaryFiles option is enabled.
-#ForceToDisk yes
-
-# This option allows you to disable the caching feature of the engine. By
-# default, the engine will store an MD5 in a cache of any files that are
-# not flagged as virus or that hit limits checks. Disabling the cache will
-# have a negative performance impact on large scans.
-# Default: no
-#DisableCache yes
-
-##
-## Executable files
-##
-
-# PE stands for Portable Executable - it's an executable file format used
-# in all 32 and 64-bit versions of Windows operating systems. This option allows
-# ClamAV to perform a deeper analysis of executable files and it's also
-# required for decompression of popular executable packers such as UPX, FSG,
-# and Petite. If you turn off this option, the original files will still be
-# scanned, but without additional processing.
-# Default: yes
-#ScanPE yes
-
-# Certain PE files contain an authenticode signature. By default, we check
-# the signature chain in the PE file against a database of trusted and
-# revoked certificates if the file being scanned is marked as a virus.
-# If any certificate in the chain validates against any trusted root, but
-# does not match any revoked certificate, the file is marked as whitelisted.
-# If the file does match a revoked certificate, the file is marked as virus.
-# The following setting completely turns off authenticode verification.
-# Default: no
-#DisableCertCheck yes
-
-# Executable and Linking Format is a standard format for UN*X executables.
-# This option allows you to control the scanning of ELF files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanELF yes
-
-# With this option clamav will try to detect broken executables (both PE and
-# ELF) and mark them as Broken.Executable.
-# Default: no
-#DetectBrokenExecutables yes
-
-
-##
-## Documents
-##
-
-# This option enables scanning of OLE2 files, such as Microsoft Office
-# documents and .msi files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanOLE2 yes
-
-# With this option enabled OLE2 files with VBA macros, which were not
-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
-# Default: no
-#OLE2BlockMacros no
-
-# This option enables scanning within PDF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanPDF yes
-
-# This option enables scanning within SWF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanSWF yes
-
-
-##
-## Mail files
-##
-
-# Enable internal e-mail scanner.
-# If you turn off this option, the original files will still be scanned, but
-# without parsing individual messages/attachments.
-# Default: yes
-#ScanMail yes
-
-# Scan RFC1341 messages split over many emails.
-# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
-# WARNING: This option may open your system to a DoS attack.
-#	   Never use it on loaded servers.
-# Default: no
-#ScanPartialMessages yes
-
-# With this option enabled ClamAV will try to detect phishing attempts by using
-# signatures.
-# Default: yes
-#PhishingSignatures yes
-
-# Scan URLs found in mails for phishing attempts using heuristics.
-# Default: yes
-#PhishingScanURLs yes
-
-# Always block SSL mismatches in URLs, even if the URL isn't in the database.
-# This can lead to false positives.
-#
-# Default: no
-#PhishingAlwaysBlockSSLMismatch no
-
-# Always block cloaked URLs, even if URL isn't in database.
-# This can lead to false positives.
-#
-# Default: no
-#PhishingAlwaysBlockCloak no
-
-# Detect partition intersections in raw disk images using heuristics.
-# Default: no
-#PartitionIntersection no
-
-# Allow heuristic match to take precedence.
-# When enabled, if a heuristic scan (such as phishingScan) detects
-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
-# scan-time.
-# When disabled, virus/phish detected by heuristic scans will be reported only at
-# the end of a scan. If an archive contains both a heuristically detected
-# virus/phish, and a real malware, the real malware will be reported
-#
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses 
-# differently from "real" malware.
-# If a non-heuristically-detected virus (signature-based) is found first, 
-# the scan is interrupted immediately, regardless of this config option.
-#
-# Default: no
-#HeuristicScanPrecedence yes
-
-
-##
-## Data Loss Prevention (DLP)
-##
-
-# Enable the DLP module
-# Default: No
-#StructuredDataDetection yes
-
-# This option sets the lowest number of Credit Card numbers found in a file
-# to generate a detect.
-# Default: 3
-#StructuredMinCreditCardCount 5
-
-# This option sets the lowest number of Social Security Numbers found
-# in a file to generate a detect.
-# Default: 3
-#StructuredMinSSNCount 5
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxx-yy-zzzz
-# Default: yes
-#StructuredSSNFormatNormal yes
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxxyyzzzz
-# Default: no
-#StructuredSSNFormatStripped yes
-
-
-##
-## HTML
-##
-
-# Perform HTML normalisation and decryption of MS Script Encoder code.
-# Default: yes
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-#ScanHTML yes
-
-
-##
-## Archives
-##
-
-# ClamAV can scan within archives and compressed files.
-# If you turn off this option, the original files will still be scanned, but
-# without unpacking and additional processing.
-# Default: yes
-#ScanArchive yes
-
-# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
-# Default: no
-#ArchiveBlockEncrypted no
-
-
-##
-## Limits
-##
-
-# The options below protect your system against Denial of Service attacks
-# using archive bombs.
-
-# This option sets the maximum amount of data to be scanned for each input file.
-# Archives and other containers are recursively extracted and scanned up to this
-# value.
-# Value of 0 disables the limit
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 100M
-#MaxScanSize 150M
-
-# Files larger than this limit won't be scanned. Affects the input file itself
-# as well as files contained inside it (when the input file is an archive, a
-# document or some other kind of container).
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 25M
-#MaxFileSize 30M
-
-# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
-# file, all files within it will also be scanned. This options specifies how
-# deeply the process should be continued.
-# Note: setting this limit too high may result in severe damage to the system.
-# Default: 16
-#MaxRecursion 10
-
-# Number of files to be scanned within an archive, a document, or any other
-# container file.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10000
-#MaxFiles 15000
-
-# Maximum size of a file to check for embedded PE. Files larger than this value
-# will skip the additional analysis step.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxEmbeddedPE 10M
-
-# Maximum size of a HTML file to normalize. HTML files larger than this value
-# will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxHTMLNormalize 10M
-
-# Maximum size of a normalized HTML file to scan. HTML files larger than this
-# value after normalization will not be scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 2M
-#MaxHTMLNoTags 2M
-
-# Maximum size of a script file to normalize. Script content larger than this
-# value will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 5M
-#MaxScriptNormalize 5M
-
-# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
-# than this value will skip the step to potentially reanalyze as PE.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 1M
-#MaxZipTypeRcg 1M
-
-# This option sets the maximum number of partitions of a raw disk image to be scanned.
-# Raw disk images with more partitions than this value will have up to the value number
-# partitions scanned. Negative values are not allowed.
-# Note: setting this limit too high may result in severe damage or impact performance.
-# Default: 50
-#MaxPartitions 128
-
-# This option sets the maximum number of icons within a PE to be scanned.
-# PE files with more icons than this value will have up to the value number icons scanned.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact performance.
-# Default: 100
-#MaxIconsPE 200
-
-##
-## On-access Scan Settings
-##
-
-# Enable on-access scanning. Currently, this is supported via fanotify.
-# Clamuko/Dazuko support has been deprecated.
-# Default: no
-#ScanOnAccess yes
-
-# Don't scan files larger than OnAccessMaxFileSize
-# Value of 0 disables the limit.
-# Default: 5M
-#OnAccessMaxFileSize 10M
-
-# Set the include paths (all files inside them will be scanned). You can have
-# multiple OnAccessIncludePath directives but each directory must be added
-# in a separate line. (On-access scan only)
-# Default: disabled
-#OnAccessIncludePath /home
-#OnAccessIncludePath /students
-
-# Set the exclude paths. All subdirectories are also excluded.
-# (On-access scan only)
-# Default: disabled
-#OnAccessExcludePath /home/bofh
-
-# With this option you can whitelist specific UIDs. Processes with these UIDs
-# will be able to access all files.
-# This option can be used multiple times (one per line).
-# Default: disabled
-#OnAccessExcludeUID 0
-
-
-##
-## Bytecode
-##
-
-# With this option enabled ClamAV will load bytecode from the database. 
-# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
-# Default: yes
-#Bytecode yes
-
-# Set bytecode security level.
-# Possible values:
-#       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
-#         This value is only available if clamav was built with --enable-debug!
-#       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
-#                insert runtime safety checks for bytecode loaded from other sources
-#       Paranoid - don't trust any bytecode, insert runtime checks for all
-# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
-# Note that by default only signed bytecode is loaded, currently you can only
-# load unsigned bytecode in --enable-debug mode.
-#
-# Default: TrustSigned
-#BytecodeSecurity TrustSigned
-
-# Set bytecode timeout in miliseconds.
-# 
-# Default: 5000
-# BytecodeTimeout 1000
-
-##
-## Statistics gathering and submitting
-##
-
-# Enable statistical reporting.
-# Default: no
-#StatsEnabled yes
-
-# Disable submission of individual PE sections for files flagged as malware.
-# Default: no
-#StatsPEDisabled yes
-
-# HostID in the form of an UUID to use when submitting statistical information.
-# Default: auto
-#StatsHostID auto
-
-# Time in seconds to wait for the stats server to come back with a response
-# Default: 10
-#StatsTimeout 10
diff --git a/meta-security/recipes-security/clamav/files/freshclam-native.conf b/meta-security/recipes-security/clamav/files/freshclam-native.conf
deleted file mode 100644
index aaa8cf4..0000000
--- a/meta-security/recipes-security/clamav/files/freshclam-native.conf
+++ /dev/null
@@ -1,224 +0,0 @@
-# Path to the database directory.
-# WARNING: It must match clamd.conf's directive!
-# Default: hardcoded (depends on installation options)
-#DatabaseDirectory /var/lib/clamav
-
-# Path to the log file (make sure it has proper permissions)
-# Default: disabled
-#UpdateLogFile /var/log/clamav/freshclam.log
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
-# log rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Use system logger (can work together with UpdateLogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# This option allows you to save the process identifier of the daemon
-# Default: disabled
-#PidFile /var/run/freshclam.pid
-
-# By default when started freshclam drops privileges and switches to the
-# "clamav" user. This directive allows you to change the database owner.
-# Default: clamav (may depend on installation options)
-DatabaseOwner clamav
-
-# Initialize supplementary group access (freshclam must be started by root).
-# Default: no
-#AllowSupplementaryGroups yes
-
-# Use DNS to verify virus database version. Freshclam uses DNS TXT records
-# to verify database and software versions. With this directive you can change
-# the database verification domain.
-# WARNING: Do not touch it unless you're configuring freshclam to use your
-# own database verification domain.
-# Default: current.cvd.clamav.net
-#DNSDatabaseInfo current.cvd.clamav.net
-
-# Uncomment the following line and replace XY with your country
-# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
-# You can use db.XY.ipv6.clamav.net for IPv6 connections.
-#DatabaseMirror db.XY.clamav.net
-
-# database.clamav.net is a round-robin record which points to our most 
-# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is 
-# not working. DO NOT TOUCH the following line unless you know what you
-# are doing.
-DatabaseMirror database.clamav.net
-
-# How many attempts to make before giving up.
-# Default: 3 (per mirror)
-#MaxAttempts 5
-
-# With this option you can control scripted updates. It's highly recommended
-# to keep it enabled.
-# Default: yes
-#ScriptedUpdates yes
-
-# By default freshclam will keep the local databases (.cld) uncompressed to
-# make their handling faster. With this option you can enable the compression;
-# the change will take effect with the next database update.
-# Default: no
-#CompressLocalDatabase no
-
-# With this option you can provide custom sources (http:// or file://) for
-# database files. This option can be used multiple times.
-# Default: no custom URLs
-#DatabaseCustomURL http://myserver.com/mysigs.ndb
-#DatabaseCustomURL file:///mnt/nfs/local.hdb
-
-# This option allows you to easily point freshclam to private mirrors.
-# If PrivateMirror is set, freshclam does not attempt to use DNS
-# to determine whether its databases are out-of-date, instead it will
-# use the If-Modified-Since request or directly check the headers of the
-# remote database files. For each database, freshclam first attempts
-# to download the CLD file. If that fails, it tries to download the
-# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
-# and ScriptedUpdates. It can be used multiple times to provide
-# fall-back mirrors.
-# Default: disabled
-#PrivateMirror mirror1.mynetwork.com
-#PrivateMirror mirror2.mynetwork.com
-
-# Number of database checks per day.
-# Default: 12 (every two hours)
-#Checks 24
-
-# Proxy settings
-# Default: disabled
-#HTTPProxyServer myproxy.com
-#HTTPProxyPort 1234
-#HTTPProxyUsername myusername
-#HTTPProxyPassword mypass
-
-# If your servers are behind a firewall/proxy which applies User-Agent
-# filtering you can use this option to force the use of a different
-# User-Agent header.
-# Default: clamav/version_number
-#HTTPUserAgent SomeUserAgentIdString
-
-# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
-# multi-homed systems.
-# Default: Use OS'es default outgoing IP address.
-#LocalIPAddress aaa.bbb.ccc.ddd
-
-# Send the RELOAD command to clamd.
-# Default: no
-#NotifyClamd /path/to/clamd.conf
-
-# Run command after successful database update.
-# Default: disabled
-#OnUpdateExecute command
-
-# Run command when database update process fails.
-# Default: disabled
-#OnErrorExecute command
-
-# Run command when freshclam reports outdated version.
-# In the command string %v will be replaced by the new version number.
-# Default: disabled
-#OnOutdatedExecute command
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Timeout in seconds when connecting to database server.
-# Default: 30
-#ConnectTimeout 60
-
-# Timeout in seconds when reading from database server.
-# Default: 30
-#ReceiveTimeout 60
-
-# With this option enabled, freshclam will attempt to load new
-# databases into memory to make sure they are properly handled
-# by libclamav before replacing the old ones.
-# Default: yes
-#TestDatabases yes
-
-# When enabled freshclam will submit statistics to the ClamAV Project about
-# the latest virus detections in your environment. The ClamAV maintainers
-# will then use this data to determine what types of malware are the most
-# detected in the field and in what geographic area they are.
-# Freshclam will connect to clamd in order to get recent statistics.
-# Default: no
-#SubmitDetectionStats /path/to/clamd.conf
-
-# Country of origin of malware/detection statistics (for statistical
-# purposes only). The statistics collector at ClamAV.net will look up
-# your IP address to determine the geographical origin of the malware
-# reported by your installation. If this installation is mainly used to
-# scan data which comes from a different location, please enable this
-# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
-# of the country of origin.
-# Default: disabled
-#DetectionStatsCountry country-code
-
-# This option enables support for our "Personal Statistics" service. 
-# When this option is enabled, the information on malware detected by
-# your clamd installation is made available to you through our website.
-# To get your HostID, log on http://www.stats.clamav.net and add a new
-# host to your host list. Once you have the HostID, uncomment this option
-# and paste the HostID here. As soon as your freshclam starts submitting
-# information to our stats collecting service, you will be able to view
-# the statistics of this clamd installation by logging into
-# http://www.stats.clamav.net with the same credentials you used to
-# generate the HostID. For more information refer to:
-# http://www.clamav.net/documentation.html#cctts 
-# This feature requires SubmitDetectionStats to be enabled.
-# Default: disabled
-#DetectionStatsHostID unique-id
-
-# This option enables support for Google Safe Browsing. When activated for
-# the first time, freshclam will download a new database file (safebrowsing.cvd)
-# which will be automatically loaded by clamd and clamscan during the next
-# reload, provided that the heuristic phishing detection is turned on. This
-# database includes information about websites that may be phishing sites or
-# possible sources of malware. When using this option, it's mandatory to run
-# freshclam at least every 30 minutes.
-# Freshclam uses the ClamAV's mirror infrastructure to distribute the
-# database and its updates but all the contents are provided under Google's
-# terms of use. See http://www.google.com/transparencyreport/safebrowsing
-# and http://www.clamav.net/documentation.html#safebrowsing 
-# for more information.
-# Default: disabled
-#SafeBrowsing yes
-
-# This option enables downloading of bytecode.cvd, which includes additional
-# detection mechanisms and improvements to the ClamAV engine.
-# Default: enabled
-#Bytecode yes
-
-# Download an additional 3rd party signature database distributed through
-# the ClamAV mirrors. 
-# This option can be used multiple times.
-#ExtraDatabase dbname1
-#ExtraDatabase dbname2
diff --git a/meta-security/recipes-security/clamav/files/freshclam.conf b/meta-security/recipes-security/clamav/files/freshclam.conf
deleted file mode 100644
index 100724f..0000000
--- a/meta-security/recipes-security/clamav/files/freshclam.conf
+++ /dev/null
@@ -1,224 +0,0 @@
-# Path to the database directory.
-# WARNING: It must match clamd.conf's directive!
-# Default: hardcoded (depends on installation options)
-DatabaseDirectory /var/lib/clamav
-
-# Path to the log file (make sure it has proper permissions)
-# Default: disabled
-UpdateLogFile /var/log/clamav/freshclam.log
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
-# log rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Use system logger (can work together with UpdateLogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# This option allows you to save the process identifier of the daemon
-# Default: disabled
-PidFile /var/run/freshclam.pid
-
-# By default when started freshclam drops privileges and switches to the
-# "clamav" user. This directive allows you to change the database owner.
-# Default: clamav (may depend on installation options)
-DatabaseOwner clamav
-
-# Initialize supplementary group access (freshclam must be started by root).
-# Default: no
-#AllowSupplementaryGroups yes
-
-# Use DNS to verify virus database version. Freshclam uses DNS TXT records
-# to verify database and software versions. With this directive you can change
-# the database verification domain.
-# WARNING: Do not touch it unless you're configuring freshclam to use your
-# own database verification domain.
-# Default: current.cvd.clamav.net
-#DNSDatabaseInfo current.cvd.clamav.net
-
-# Uncomment the following line and replace XY with your country
-# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
-# You can use db.XY.ipv6.clamav.net for IPv6 connections.
-#DatabaseMirror db.XY.clamav.net
-
-# database.clamav.net is a round-robin record which points to our most 
-# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is 
-# not working. DO NOT TOUCH the following line unless you know what you
-# are doing.
-DatabaseMirror database.clamav.net
-
-# How many attempts to make before giving up.
-# Default: 3 (per mirror)
-#MaxAttempts 5
-
-# With this option you can control scripted updates. It's highly recommended
-# to keep it enabled.
-# Default: yes
-#ScriptedUpdates yes
-
-# By default freshclam will keep the local databases (.cld) uncompressed to
-# make their handling faster. With this option you can enable the compression;
-# the change will take effect with the next database update.
-# Default: no
-#CompressLocalDatabase no
-
-# With this option you can provide custom sources (http:// or file://) for
-# database files. This option can be used multiple times.
-# Default: no custom URLs
-#DatabaseCustomURL http://myserver.com/mysigs.ndb
-#DatabaseCustomURL file:///mnt/nfs/local.hdb
-
-# This option allows you to easily point freshclam to private mirrors.
-# If PrivateMirror is set, freshclam does not attempt to use DNS
-# to determine whether its databases are out-of-date, instead it will
-# use the If-Modified-Since request or directly check the headers of the
-# remote database files. For each database, freshclam first attempts
-# to download the CLD file. If that fails, it tries to download the
-# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
-# and ScriptedUpdates. It can be used multiple times to provide
-# fall-back mirrors.
-# Default: disabled
-#PrivateMirror mirror1.mynetwork.com
-#PrivateMirror mirror2.mynetwork.com
-
-# Number of database checks per day.
-# Default: 12 (every two hours)
-#Checks 24
-
-# Proxy settings
-# Default: disabled
-#HTTPProxyServer myproxy.com
-#HTTPProxyPort 1234
-#HTTPProxyUsername myusername
-#HTTPProxyPassword mypass
-
-# If your servers are behind a firewall/proxy which applies User-Agent
-# filtering you can use this option to force the use of a different
-# User-Agent header.
-# Default: clamav/version_number
-#HTTPUserAgent SomeUserAgentIdString
-
-# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
-# multi-homed systems.
-# Default: Use OS'es default outgoing IP address.
-#LocalIPAddress aaa.bbb.ccc.ddd
-
-# Send the RELOAD command to clamd.
-# Default: no
-#NotifyClamd /path/to/clamd.conf
-
-# Run command after successful database update.
-# Default: disabled
-#OnUpdateExecute command
-
-# Run command when database update process fails.
-# Default: disabled
-#OnErrorExecute command
-
-# Run command when freshclam reports outdated version.
-# In the command string %v will be replaced by the new version number.
-# Default: disabled
-#OnOutdatedExecute command
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Timeout in seconds when connecting to database server.
-# Default: 30
-#ConnectTimeout 60
-
-# Timeout in seconds when reading from database server.
-# Default: 30
-#ReceiveTimeout 60
-
-# With this option enabled, freshclam will attempt to load new
-# databases into memory to make sure they are properly handled
-# by libclamav before replacing the old ones.
-# Default: yes
-#TestDatabases yes
-
-# When enabled freshclam will submit statistics to the ClamAV Project about
-# the latest virus detections in your environment. The ClamAV maintainers
-# will then use this data to determine what types of malware are the most
-# detected in the field and in what geographic area they are.
-# Freshclam will connect to clamd in order to get recent statistics.
-# Default: no
-#SubmitDetectionStats /path/to/clamd.conf
-
-# Country of origin of malware/detection statistics (for statistical
-# purposes only). The statistics collector at ClamAV.net will look up
-# your IP address to determine the geographical origin of the malware
-# reported by your installation. If this installation is mainly used to
-# scan data which comes from a different location, please enable this
-# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
-# of the country of origin.
-# Default: disabled
-#DetectionStatsCountry country-code
-
-# This option enables support for our "Personal Statistics" service. 
-# When this option is enabled, the information on malware detected by
-# your clamd installation is made available to you through our website.
-# To get your HostID, log on http://www.stats.clamav.net and add a new
-# host to your host list. Once you have the HostID, uncomment this option
-# and paste the HostID here. As soon as your freshclam starts submitting
-# information to our stats collecting service, you will be able to view
-# the statistics of this clamd installation by logging into
-# http://www.stats.clamav.net with the same credentials you used to
-# generate the HostID. For more information refer to:
-# http://www.clamav.net/documentation.html#cctts 
-# This feature requires SubmitDetectionStats to be enabled.
-# Default: disabled
-#DetectionStatsHostID unique-id
-
-# This option enables support for Google Safe Browsing. When activated for
-# the first time, freshclam will download a new database file (safebrowsing.cvd)
-# which will be automatically loaded by clamd and clamscan during the next
-# reload, provided that the heuristic phishing detection is turned on. This
-# database includes information about websites that may be phishing sites or
-# possible sources of malware. When using this option, it's mandatory to run
-# freshclam at least every 30 minutes.
-# Freshclam uses the ClamAV's mirror infrastructure to distribute the
-# database and its updates but all the contents are provided under Google's
-# terms of use. See http://www.google.com/transparencyreport/safebrowsing
-# and http://www.clamav.net/documentation.html#safebrowsing 
-# for more information.
-# Default: disabled
-#SafeBrowsing yes
-
-# This option enables downloading of bytecode.cvd, which includes additional
-# detection mechanisms and improvements to the ClamAV engine.
-# Default: enabled
-#Bytecode yes
-
-# Download an additional 3rd party signature database distributed through
-# the ClamAV mirrors. 
-# This option can be used multiple times.
-#ExtraDatabase dbname1
-#ExtraDatabase dbname2
diff --git a/meta-security/recipes-security/clamav/files/tmpfiles.clamav b/meta-security/recipes-security/clamav/files/tmpfiles.clamav
deleted file mode 100644
index fd5adfe..0000000
--- a/meta-security/recipes-security/clamav/files/tmpfiles.clamav
+++ /dev/null
@@ -1,3 +0,0 @@
-#Type Path        Mode UID  GID  Age Argument
-d /var/log/clamav 0755 clamav clamav -
-f /var/log/clamav/freshclam.log 0644 clamav clamav -
diff --git a/meta-security/recipes-security/clamav/files/volatiles.03_clamav b/meta-security/recipes-security/clamav/files/volatiles.03_clamav
deleted file mode 100644
index ee2153c..0000000
--- a/meta-security/recipes-security/clamav/files/volatiles.03_clamav
+++ /dev/null
@@ -1,3 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d clamav clamav 0755 /var/log/clamav none
-f clamav clamav 0655 /var/log/clamav/freshclam.log none
diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index e45ee0b..d8cd06f 100644
--- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -41,7 +41,7 @@
 PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
 
 do_configure_prepend() {
-    export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
+    export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3"
     export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
     export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
     export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
diff --git a/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch b/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
new file mode 100644
index 0000000..ee872ec
--- /dev/null
+++ b/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
@@ -0,0 +1,2527 @@
+From abaa20435bac7decffa69e6f965aac9ce29aff6a Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 12 Feb 2020 17:19:15 +0000
+Subject: [PATCH] python3-fail2ban: 2-3 conversion
+
+Upstream-Status: OE specific.
+
+fail2ban handles py3 via a 2-3 conversion utility.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ fail2ban/client/actionreader.py               |   4 +-
+ fail2ban/client/configparserinc.py            |  10 +-
+ fail2ban/client/configreader.py               |   4 +-
+ fail2ban/client/csocket.py                    |   4 +-
+ fail2ban/client/fail2banclient.py             |   4 +-
+ fail2ban/client/fail2banregex.py              |  20 +-
+ fail2ban/client/filterreader.py               |   2 +-
+ fail2ban/client/jailreader.py                 |   4 +-
+ fail2ban/helpers.py                           |  15 +-
+ fail2ban/server/action.py                     |  19 +-
+ fail2ban/server/actions.py                    |  24 +-
+ fail2ban/server/asyncserver.py                |   4 +-
+ fail2ban/server/banmanager.py                 |  18 +-
+ fail2ban/server/database.py                   |   6 +-
+ fail2ban/server/failmanager.py                |   8 +-
+ fail2ban/server/failregex.py                  |   9 +-
+ fail2ban/server/filter.py                     |  12 +-
+ fail2ban/server/filterpoll.py                 |   2 +-
+ fail2ban/server/filterpyinotify.py            |   6 +-
+ fail2ban/server/ipdns.py                      |  16 +-
+ fail2ban/server/jail.py                       |  14 +-
+ fail2ban/server/mytime.py                     |   2 +-
+ fail2ban/server/server.py                     |  18 +-
+ fail2ban/server/strptime.py                   |   6 +-
+ fail2ban/server/ticket.py                     |  14 +-
+ fail2ban/server/transmitter.py                |   2 +-
+ fail2ban/server/utils.py                      |   6 +-
+ fail2ban/tests/action_d/test_badips.py        |   2 +-
+ fail2ban/tests/actiontestcase.py              |   4 +-
+ fail2ban/tests/clientreadertestcase.py        |   4 +-
+ fail2ban/tests/databasetestcase.py            |  16 +-
+ fail2ban/tests/datedetectortestcase.py        |   6 +-
+ fail2ban/tests/fail2banclienttestcase.py      |   8 +-
+ fail2ban/tests/failmanagertestcase.py         |  10 +-
+ .../tests/files/config/apache-auth/digest.py  |  20 +-
+ fail2ban/tests/filtertestcase.py              |  92 ++---
+ fail2ban/tests/misctestcase.py                |  22 +-
+ fail2ban/tests/observertestcase.py            |  34 +-
+ fail2ban/tests/samplestestcase.py             |   8 +-
+ fail2ban/tests/servertestcase.py              |  28 +-
+ fail2ban/tests/sockettestcase.py              |   2 +-
+ fail2ban/tests/utils.py                       |  22 +-
+ setup.py                                      | 326 ------------------
+ 43 files changed, 264 insertions(+), 593 deletions(-)
+ delete mode 100755 setup.py
+
+diff --git a/fail2ban/client/actionreader.py b/fail2ban/client/actionreader.py
+index 80617a50..ecf323c5 100644
+--- a/fail2ban/client/actionreader.py
++++ b/fail2ban/client/actionreader.py
+@@ -90,11 +90,11 @@ class ActionReader(DefinitionInitConfigReader):
+ 		stream = list()
+ 		stream.append(head + ["addaction", self._name])
+ 		multi = []
+-		for opt, optval in opts.iteritems():
++		for opt, optval in opts.items():
+ 			if opt in self._configOpts and not opt.startswith('known/'):
+ 				multi.append([opt, optval])
+ 		if self._initOpts:
+-			for opt, optval in self._initOpts.iteritems():
++			for opt, optval in self._initOpts.items():
+ 				if opt not in self._configOpts and not opt.startswith('known/'):
+ 					multi.append([opt, optval])
+ 		if len(multi) > 1:
+diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
+index e0f39579..45c77437 100644
+--- a/fail2ban/client/configparserinc.py
++++ b/fail2ban/client/configparserinc.py
+@@ -62,7 +62,7 @@ if sys.version_info >= (3,2):
+ 					parser, option, accum, rest, section, map, *args, **kwargs)
+ 
+ else: # pragma: no cover
+-	from ConfigParser import SafeConfigParser, \
++	from configparser import SafeConfigParser, \
+ 		InterpolationMissingOptionError, NoOptionError, NoSectionError
+ 
+ 	# Interpolate missing known/option as option from default section
+@@ -327,7 +327,7 @@ after = 1.conf
+ 			# mix it with defaults:
+ 			return set(opts.keys()) | set(self._defaults)
+ 		# only own option names:
+-		return opts.keys()
++		return list(opts.keys())
+ 
+ 	def read(self, filenames, get_includes=True):
+ 		if not isinstance(filenames, list):
+@@ -356,7 +356,7 @@ after = 1.conf
+ 					ret += i
+ 					# merge defaults and all sections to self:
+ 					alld.update(cfg.get_defaults())
+-					for n, s in cfg.get_sections().iteritems():
++					for n, s in cfg.get_sections().items():
+ 						# conditional sections
+ 						cond = SafeConfigParserWithIncludes.CONDITIONAL_RE.match(n)
+ 						if cond:
+@@ -366,7 +366,7 @@ after = 1.conf
+ 								del(s['__name__'])
+ 							except KeyError:
+ 								pass
+-							for k in s.keys():
++							for k in list(s.keys()):
+ 								v = s.pop(k)
+ 								s[k + cond] = v
+ 						s2 = alls.get(n)
+@@ -399,7 +399,7 @@ after = 1.conf
+ 			sec.update(options)
+ 			return
+ 		sk = {}
+-		for k, v in options.iteritems():
++		for k, v in options.items():
+ 			if not k.startswith(pref) and k != '__name__':
+ 				sk[pref+k] = v
+ 		sec.update(sk)
+diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
+index 20709b72..b5167409 100644
+--- a/fail2ban/client/configreader.py
++++ b/fail2ban/client/configreader.py
+@@ -26,7 +26,7 @@ __license__ = "GPL"
+ 
+ import glob
+ import os
+-from ConfigParser import NoOptionError, NoSectionError
++from configparser import NoOptionError, NoSectionError
+ 
+ from .configparserinc import sys, SafeConfigParserWithIncludes, logLevel
+ from ..helpers import getLogger, _as_bool, _merge_dicts, substituteRecursiveTags
+@@ -197,7 +197,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
+ 		config_files += sorted(glob.glob('%s/*.local' % config_dir))
+ 
+ 		# choose only existing ones
+-		config_files = filter(os.path.exists, config_files)
++		config_files = list(filter(os.path.exists, config_files))
+ 
+ 		if len(config_files):
+ 			# at least one config exists and accessible
+diff --git a/fail2ban/client/csocket.py b/fail2ban/client/csocket.py
+index ab3e294b..9417cde9 100644
+--- a/fail2ban/client/csocket.py
++++ b/fail2ban/client/csocket.py
+@@ -47,7 +47,7 @@ class CSocket:
+ 	
+ 	def send(self, msg, nonblocking=False, timeout=None):
+ 		# Convert every list member to string
+-		obj = dumps(map(CSocket.convert, msg), HIGHEST_PROTOCOL)
++		obj = dumps(list(map(CSocket.convert, msg)), HIGHEST_PROTOCOL)
+ 		self.__csock.send(obj + CSPROTO.END)
+ 		return self.receive(self.__csock, nonblocking, timeout)
+ 
+@@ -71,7 +71,7 @@ class CSocket:
+ 	@staticmethod
+ 	def convert(m):
+ 		"""Convert every "unexpected" member of message to string"""
+-		if isinstance(m, (basestring, bool, int, float, list, dict, set)):
++		if isinstance(m, (str, bool, int, float, list, dict, set)):
+ 			return m
+ 		else: # pragma: no cover
+ 			return str(m)
+diff --git a/fail2ban/client/fail2banclient.py b/fail2ban/client/fail2banclient.py
+index 7c90ca40..7eb11684 100755
+--- a/fail2ban/client/fail2banclient.py
++++ b/fail2ban/client/fail2banclient.py
+@@ -45,7 +45,7 @@ def _thread_name():
+ 	return threading.current_thread().__class__.__name__
+ 
+ def input_command(): # pragma: no cover
+-	return raw_input(PROMPT)
++	return input(PROMPT)
+ 
+ ##
+ #
+@@ -444,7 +444,7 @@ class Fail2banClient(Fail2banCmdLine, Thread):
+ 			return False
+ 		finally:
+ 			self._alive = False
+-			for s, sh in _prev_signals.iteritems():
++			for s, sh in _prev_signals.items():
+ 				signal.signal(s, sh)
+ 
+ 
+diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py
+index 513b765d..4a71b3c0 100644
+--- a/fail2ban/client/fail2banregex.py
++++ b/fail2ban/client/fail2banregex.py
+@@ -41,10 +41,10 @@ import shlex
+ import sys
+ import time
+ import time
+-import urllib
++import urllib.request, urllib.parse, urllib.error
+ from optparse import OptionParser, Option
+ 
+-from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
++from configparser import NoOptionError, NoSectionError, MissingSectionHeaderError
+ 
+ try: # pragma: no cover
+ 	from ..server.filtersystemd import FilterSystemd
+@@ -68,7 +68,7 @@ def debuggexURL(sample, regex, multiline=False, useDns="yes"):
+ 		'flavor': 'python'
+ 	}
+ 	if multiline: args['flags'] = 'm'
+-	return 'https://www.debuggex.com/?' + urllib.urlencode(args)
++	return 'https://www.debuggex.com/?' + urllib.parse.urlencode(args)
+ 
+ def output(args): # pragma: no cover (overriden in test-cases)
+ 	print(args)
+@@ -244,7 +244,7 @@ class Fail2banRegex(object):
+ 
+ 	def __init__(self, opts):
+ 		# set local protected members from given options:
+-		self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.iteritems()))
++		self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.items()))
+ 		self._opts = opts
+ 		self._maxlines_set = False		  # so we allow to override maxlines in cmdline
+ 		self._datepattern_set = False
+@@ -304,7 +304,7 @@ class Fail2banRegex(object):
+ 		realopts = {}
+ 		combopts = reader.getCombined()
+ 		# output all options that are specified in filter-argument as well as some special (mostly interested):
+-		for k in ['logtype', 'datepattern'] + fltOpt.keys():
++		for k in ['logtype', 'datepattern'] + list(fltOpt.keys()):
+ 			# combined options win, but they contain only a sub-set in filter expected keys,
+ 			# so get the rest from definition section:
+ 			try:
+@@ -424,7 +424,7 @@ class Fail2banRegex(object):
+ 			self.output( "Use %11s line : %s" % (regex, shortstr(value)) )
+ 			regex_values = {regextype: [RegexStat(value)]}
+ 
+-		for regextype, regex_values in regex_values.iteritems():
++		for regextype, regex_values in regex_values.items():
+ 			regex = regextype + 'regex'
+ 			setattr(self, "_" + regex, regex_values)
+ 			for regex in regex_values:
+@@ -523,10 +523,10 @@ class Fail2banRegex(object):
+ 							output(ret[1])
+ 					elif self._opts.out == 'msg':
+ 						for ret in ret:
+-							output('\n'.join(map(lambda v:''.join(v for v in v), ret[3].get('matches'))))
++							output('\n'.join([''.join(v for v in v) for v in ret[3].get('matches')]))
+ 					elif self._opts.out == 'row':
+ 						for ret in ret:
+-							output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].iteritems() if k != 'matches')))
++							output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].items() if k != 'matches')))
+ 					else:
+ 						for ret in ret:
+ 							output(ret[3].get(self._opts.out))
+@@ -565,9 +565,9 @@ class Fail2banRegex(object):
+ 					ans = [[]]
+ 					for arg in [l, regexlist]:
+ 						ans = [ x + [y] for x in ans for y in arg ]
+-					b = map(lambda a: a[0] +  ' | ' + a[1].getFailRegex() + ' |  ' + 
++					b = [a[0] +  ' | ' + a[1].getFailRegex() + ' |  ' + 
+ 						debuggexURL(self.encode_line(a[0]), a[1].getFailRegex(), 
+-							multiline, self._opts.usedns), ans)
++							multiline, self._opts.usedns) for a in ans]
+ 					pprint_list([x.rstrip() for x in b], header)
+ 				else:
+ 					output( "%s too many to print.  Use --print-all-%s " \
+diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py
+index 413f125e..4f0cc4cf 100644
+--- a/fail2ban/client/filterreader.py
++++ b/fail2ban/client/filterreader.py
+@@ -71,7 +71,7 @@ class FilterReader(DefinitionInitConfigReader):
+ 	@staticmethod
+ 	def _fillStream(stream, opts, jailName):
+ 		prio0idx = 0
+-		for opt, value in opts.iteritems():
++		for opt, value in opts.items():
+ 			if opt in ("failregex", "ignoreregex"):
+ 				if value is None: continue
+ 				multi = []
+diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
+index 50c1d047..969d0bc0 100644
+--- a/fail2ban/client/jailreader.py
++++ b/fail2ban/client/jailreader.py
+@@ -117,7 +117,7 @@ class JailReader(ConfigReader):
+ 	}
+ 	_configOpts.update(FilterReader._configOpts)
+ 
+-	_ignoreOpts = set(['action', 'filter', 'enabled'] + FilterReader._configOpts.keys())
++	_ignoreOpts = set(['action', 'filter', 'enabled'] + list(FilterReader._configOpts.keys()))
+ 
+ 	def getOptions(self):
+ 
+@@ -236,7 +236,7 @@ class JailReader(ConfigReader):
+ 			stream.extend(self.__filter.convert())
+ 		# and using options from jail:
+ 		FilterReader._fillStream(stream, self.__opts, self.__name)
+-		for opt, value in self.__opts.iteritems():
++		for opt, value in self.__opts.items():
+ 			if opt == "logpath":
+ 				if self.__opts.get('backend', '').startswith("systemd"): continue
+ 				found_files = 0
+diff --git a/fail2ban/helpers.py b/fail2ban/helpers.py
+index 6f2bcdd7..7e563696 100644
+--- a/fail2ban/helpers.py
++++ b/fail2ban/helpers.py
+@@ -31,6 +31,7 @@ import traceback
+ from threading import Lock
+ 
+ from .server.mytime import MyTime
++import importlib
+ 
+ try:
+ 	import ctypes
+@@ -63,7 +64,7 @@ if sys.version_info < (3,): # pragma: 3.x no cover
+ 					from imp import load_dynamic as __ldm
+ 					_sys = __ldm('_sys', 'sys')
+ 				except ImportError: # pragma: no cover - only if load_dynamic fails
+-					reload(sys)
++					importlib.reload(sys)
+ 					_sys = sys
+ 			if hasattr(_sys, "setdefaultencoding"):
+ 				_sys.setdefaultencoding(encoding)
+@@ -101,7 +102,7 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
+ else: # pragma: 3.x no cover
+ 	def uni_decode(x, enc=PREFER_ENC, errors='strict'):
+ 		try:
+-			if isinstance(x, unicode):
++			if isinstance(x, str):
+ 				return x.encode(enc, errors)
+ 			return x
+ 		except (UnicodeDecodeError, UnicodeEncodeError): # pragma: no cover - unsure if reachable
+@@ -110,7 +111,7 @@ else: # pragma: 3.x no cover
+ 			return x.encode(enc, 'replace')
+ 	if sys.getdefaultencoding().upper() != 'UTF-8': # pragma: no cover - utf-8 is default encoding now
+ 		def uni_string(x):
+-			if not isinstance(x, unicode):
++			if not isinstance(x, str):
+ 				return str(x)
+ 			return x.encode(PREFER_ENC, 'replace')
+ 	else:
+@@ -118,7 +119,7 @@ else: # pragma: 3.x no cover
+ 
+ 
+ def _as_bool(val):
+-	return bool(val) if not isinstance(val, basestring) \
++	return bool(val) if not isinstance(val, str) \
+ 		else val.lower() in ('1', 'on', 'true', 'yes')
+ 
+ 
+@@ -326,7 +327,7 @@ def splitwords(s):
+ 	"""
+ 	if not s:
+ 		return []
+-	return filter(bool, map(lambda v: v.strip(), re.split('[ ,\n]+', s)))
++	return list(filter(bool, [v.strip() for v in re.split('[ ,\n]+', s)]))
+ 
+ if sys.version_info >= (3,5):
+ 	eval(compile(r'''if 1:
+@@ -436,7 +437,7 @@ def substituteRecursiveTags(inptags, conditional='',
+ 	while True:
+ 		repFlag = False
+ 		# substitute each value:
+-		for tag in tags.iterkeys():
++		for tag in tags.keys():
+ 			# ignore escaped or already done (or in ignore list):
+ 			if tag in ignore or tag in done: continue
+ 			# ignore replacing callable items from calling map - should be converted on demand only (by get):
+@@ -476,7 +477,7 @@ def substituteRecursiveTags(inptags, conditional='',
+ 					m = tre_search(value, m.end())
+ 					continue
+ 				# if calling map - be sure we've string:
+-				if not isinstance(repl, basestring): repl = uni_string(repl)
++				if not isinstance(repl, str): repl = uni_string(repl)
+ 				value = value.replace('<%s>' % rtag, repl)
+ 				#logSys.log(5, 'value now: %s' % value)
+ 				# increment reference count:
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 5c817fc0..81d50689 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -111,9 +111,9 @@ class CallingMap(MutableMapping, object):
+ 	def _asdict(self, calculated=False, checker=None):
+ 		d = dict(self.data, **self.storage)
+ 		if not calculated:
+-			return dict((n,v) for n,v in d.iteritems() \
++			return dict((n,v) for n,v in d.items() \
+ 				if not callable(v) or n in self.CM_REPR_ITEMS)
+-		for n,v in d.items():
++		for n,v in list(d.items()):
+ 			if callable(v):
+ 				try:
+ 					# calculate:
+@@ -179,7 +179,7 @@ class CallingMap(MutableMapping, object):
+ 		return self.__class__(_merge_copy_dicts(self.data, self.storage))
+ 
+ 
+-class ActionBase(object):
++class ActionBase(object, metaclass=ABCMeta):
+ 	"""An abstract base class for actions in Fail2Ban.
+ 
+ 	Action Base is a base definition of what methods need to be in
+@@ -209,7 +209,6 @@ class ActionBase(object):
+ 	Any additional arguments specified in `jail.conf` or passed
+ 	via `fail2ban-client` will be passed as keyword arguments.
+ 	"""
+-	__metaclass__ = ABCMeta
+ 
+ 	@classmethod
+ 	def __subclasshook__(cls, C):
+@@ -420,7 +419,7 @@ class CommandAction(ActionBase):
+ 			if not callable(family): # pragma: no cover
+ 				return self.__substCache.get(key, {}).get(family)
+ 			# family as expression - use it to filter values:
+-			return [v for f, v in self.__substCache.get(key, {}).iteritems() if family(f)]
++			return [v for f, v in self.__substCache.get(key, {}).items() if family(f)]
+ 		cmd = args[0]
+ 		if cmd: # set:
+ 			try:
+@@ -432,7 +431,7 @@ class CommandAction(ActionBase):
+ 			try:
+ 				famd = self.__substCache[key]
+ 				cmd = famd.pop(family)
+-				for family, v in famd.items():
++				for family, v in list(famd.items()):
+ 					if v == cmd:
+ 						del famd[family]
+ 			except KeyError: # pragma: no cover
+@@ -448,7 +447,7 @@ class CommandAction(ActionBase):
+ 		res = True
+ 		err = 'Script error'
+ 		if not family: # all started:
+-			family = [famoper for (famoper,v) in self.__started.iteritems() if v]
++			family = [famoper for (famoper,v) in self.__started.items() if v]
+ 		for famoper in family:
+ 			try:
+ 				cmd = self._getOperation(tag, famoper)
+@@ -617,7 +616,7 @@ class CommandAction(ActionBase):
+ 		and executes the resulting command.
+ 		"""
+ 		# collect started families, may be started on demand (conditional):
+-		family = [f for (f,v) in self.__started.iteritems() if v & 3 == 3]; # started and contains items
++		family = [f for (f,v) in self.__started.items() if v & 3 == 3]; # started and contains items
+ 		# if nothing contains items:
+ 		if not family: return True
+ 		# flush:
+@@ -642,7 +641,7 @@ class CommandAction(ActionBase):
+ 		"""
+ 		# collect started families, if started on demand (conditional):
+ 		if family is None:
+-			family = [f for (f,v) in self.__started.iteritems() if v]
++			family = [f for (f,v) in self.__started.items() if v]
+ 			# if no started (on demand) actions:
+ 			if not family: return True
+ 			self.__started = {}
+@@ -676,7 +675,7 @@ class CommandAction(ActionBase):
+ 		ret = True
+ 		# for each started family:
+ 		if self.actioncheck:
+-			for (family, started) in self.__started.items():
++			for (family, started) in list(self.__started.items()):
+ 				if started and not self._invariantCheck(family, beforeRepair):
+ 					# reset started flag and command of executed operation:
+ 					self.__started[family] = 0
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index 24fea838..94b9c3ed 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -156,11 +156,11 @@ class Actions(JailThread, Mapping):
+ 		else:
+ 			if hasattr(self, '_reload_actions'):
+ 				# reload actions after all parameters set via stream:
+-				for name, initOpts in self._reload_actions.iteritems():
++				for name, initOpts in self._reload_actions.items():
+ 					if name in self._actions:
+ 						self._actions[name].reload(**(initOpts if initOpts else {}))
+ 				# remove obsolete actions (untouched by reload process):
+-				delacts = OrderedDict((name, action) for name, action in self._actions.iteritems()
++				delacts = OrderedDict((name, action) for name, action in self._actions.items()
+ 					if name not in self._reload_actions)
+ 				if len(delacts):
+ 					# unban all tickets using removed actions only:
+@@ -289,7 +289,7 @@ class Actions(JailThread, Mapping):
+ 		"""
+ 		if actions is None:
+ 			actions = self._actions
+-		revactions = actions.items()
++		revactions = list(actions.items())
+ 		revactions.reverse()
+ 		for name, action in revactions:
+ 			try:
+@@ -314,7 +314,7 @@ class Actions(JailThread, Mapping):
+ 			True when the thread exits nicely.
+ 		"""
+ 		cnt = 0
+-		for name, action in self._actions.iteritems():
++		for name, action in self._actions.items():
+ 			try:
+ 				action.start()
+ 			except Exception as e:
+@@ -474,7 +474,7 @@ class Actions(JailThread, Mapping):
+ 					Observers.Main.add('banFound', bTicket, self._jail, btime)
+ 				logSys.notice("[%s] %sBan %s", self._jail.name, ('' if not bTicket.restored else 'Restore '), ip)
+ 				# do actions :
+-				for name, action in self._actions.iteritems():
++				for name, action in self._actions.items():
+ 					try:
+ 						if ticket.restored and getattr(action, 'norestored', False):
+ 							continue
+@@ -511,13 +511,13 @@ class Actions(JailThread, Mapping):
+ 					if bTicket.banEpoch == self.banEpoch and diftm > 3:
+ 						# avoid too often checks:
+ 						if not rebanacts and MyTime.time() > self.__lastConsistencyCheckTM + 3:
+-							for action in self._actions.itervalues():
++							for action in self._actions.values():
+ 								action.consistencyCheck()
+ 							self.__lastConsistencyCheckTM = MyTime.time()
+ 					# check epoch in order to reban it:
+ 					if bTicket.banEpoch < self.banEpoch:
+ 						if not rebanacts: rebanacts = dict(
+-							(name, action) for name, action in self._actions.iteritems()
++							(name, action) for name, action in self._actions.items()
+ 								if action.banEpoch > bTicket.banEpoch)
+ 						cnt += self.__reBan(bTicket, actions=rebanacts)
+ 				else: # pragma: no cover - unexpected: ticket is not banned for some reasons - reban using all actions:
+@@ -542,8 +542,8 @@ class Actions(JailThread, Mapping):
+ 		ip = ticket.getIP()
+ 		aInfo = self.__getActionInfo(ticket)
+ 		if log:
+-			logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % actions.keys()[0] if len(actions) == 1 else ''))
+-		for name, action in actions.iteritems():
++			logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % list(actions.keys())[0] if len(actions) == 1 else ''))
++		for name, action in actions.items():
+ 			try:
+ 				logSys.debug("[%s] action %r: reban %s", self._jail.name, name, ip)
+ 				if not aInfo.immutable: aInfo.reset()
+@@ -567,7 +567,7 @@ class Actions(JailThread, Mapping):
+ 		if not self.__banManager._inBanList(ticket): return
+ 		# do actions :
+ 		aInfo = None
+-		for name, action in self._actions.iteritems():
++		for name, action in self._actions.items():
+ 			try:
+ 				if ticket.restored and getattr(action, 'norestored', False):
+ 					continue
+@@ -616,7 +616,7 @@ class Actions(JailThread, Mapping):
+ 		cnt = 0
+ 		# first we'll execute flush for actions supporting this operation:
+ 		unbactions = {}
+-		for name, action in (actions if actions is not None else self._actions).iteritems():
++		for name, action in (actions if actions is not None else self._actions).items():
+ 			try:
+ 				if hasattr(action, 'flush') and (not isinstance(action, CommandAction) or action.actionflush):
+ 					logSys.notice("[%s] Flush ticket(s) with %s", self._jail.name, name)
+@@ -671,7 +671,7 @@ class Actions(JailThread, Mapping):
+ 		aInfo = self.__getActionInfo(ticket)
+ 		if log:
+ 			logSys.notice("[%s] Unban %s", self._jail.name, aInfo["ip"])
+-		for name, action in unbactions.iteritems():
++		for name, action in unbactions.items():
+ 			try:
+ 				logSys.debug("[%s] action %r: unban %s", self._jail.name, name, ip)
+ 				if not aInfo.immutable: aInfo.reset()
+diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py
+index e3400737..f5f9740b 100644
+--- a/fail2ban/server/asyncserver.py
++++ b/fail2ban/server/asyncserver.py
+@@ -178,7 +178,7 @@ def loop(active, timeout=None, use_poll=False, err_count=None):
+ 			elif err_count['listen'] > 100: # pragma: no cover - normally unreachable
+ 				if (
+ 					   e.args[0] == errno.EMFILE # [Errno 24] Too many open files
+-					or sum(err_count.itervalues()) > 1000
++					or sum(err_count.values()) > 1000
+ 				):
+ 					logSys.critical("Too many errors - critical count reached %r", err_count)
+ 					break
+@@ -220,7 +220,7 @@ class AsyncServer(asyncore.dispatcher):
+ 			elif self.__errCount['accept'] > 100:
+ 				if (
+ 					  (isinstance(e, socket.error) and e.args[0] == errno.EMFILE) # [Errno 24] Too many open files
+-					or sum(self.__errCount.itervalues()) > 1000
++					or sum(self.__errCount.values()) > 1000
+ 				):
+ 					logSys.critical("Too many errors - critical count reached %r", self.__errCount)
+ 					self.stop()
+diff --git a/fail2ban/server/banmanager.py b/fail2ban/server/banmanager.py
+index 5770bfd7..9bb44971 100644
+--- a/fail2ban/server/banmanager.py
++++ b/fail2ban/server/banmanager.py
+@@ -105,9 +105,9 @@ class BanManager:
+ 	def getBanList(self, ordered=False, withTime=False):
+ 		with self.__lock:
+ 			if not ordered:
+-				return self.__banList.keys()
++				return list(self.__banList.keys())
+ 			lst = []
+-			for ticket in self.__banList.itervalues():
++			for ticket in self.__banList.values():
+ 				eob = ticket.getEndOfBanTime(self.__banTime)
+ 				lst.append((ticket,eob))
+ 			lst.sort(key=lambda t: t[1])
+@@ -126,7 +126,7 @@ class BanManager:
+ 	
+ 	def __iter__(self):
+ 		with self.__lock:
+-			return self.__banList.itervalues()
++			return iter(self.__banList.values())
+ 
+ 	##
+ 	# Returns normalized value
+@@ -165,7 +165,7 @@ class BanManager:
+ 				return return_dict
+ 		# get ips in lock:
+ 		with self.__lock:
+-			banIPs = [banData.getIP() for banData in self.__banList.values()]
++			banIPs = [banData.getIP() for banData in list(self.__banList.values())]
+ 		# get cymru info:
+ 		try:
+ 			for ip in banIPs:
+@@ -341,7 +341,7 @@ class BanManager:
+ 			# Gets the list of ticket to remove (thereby correct next unban time).
+ 			unBanList = {}
+ 			nextUnbanTime = BanTicket.MAX_TIME
+-			for fid,ticket in self.__banList.iteritems():
++			for fid,ticket in self.__banList.items():
+ 				# current time greater as end of ban - timed out:
+ 				eob = ticket.getEndOfBanTime(self.__banTime)
+ 				if time > eob:
+@@ -357,15 +357,15 @@ class BanManager:
+ 			if len(unBanList):
+ 				if len(unBanList) / 2.0 <= len(self.__banList) / 3.0:
+ 					# few as 2/3 should be removed - remove particular items:
+-					for fid in unBanList.iterkeys():
++					for fid in unBanList.keys():
+ 						del self.__banList[fid]
+ 				else:
+ 					# create new dictionary without items to be deleted:
+-					self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.iteritems() \
++					self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.items() \
+ 						if fid not in unBanList)
+ 						
+ 			# return list of tickets:
+-			return unBanList.values()
++			return list(unBanList.values())
+ 
+ 	##
+ 	# Flush the ban list.
+@@ -375,7 +375,7 @@ class BanManager:
+ 	
+ 	def flushBanList(self):
+ 		with self.__lock:
+-			uBList = self.__banList.values()
++			uBList = list(self.__banList.values())
+ 			self.__banList = dict()
+ 			return uBList
+ 
+diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py
+index ed736a7a..0e8c9aec 100644
+--- a/fail2ban/server/database.py
++++ b/fail2ban/server/database.py
+@@ -67,13 +67,13 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
+ else: # pragma: 3.x no cover
+ 	def _normalize(x):
+ 		if isinstance(x, dict):
+-			return dict((_normalize(k), _normalize(v)) for k, v in x.iteritems())
++			return dict((_normalize(k), _normalize(v)) for k, v in x.items())
+ 		elif isinstance(x, (list, set)):
+ 			return [_normalize(element) for element in x]
+-		elif isinstance(x, unicode):
++		elif isinstance(x, str):
+ 			# in 2.x default text_factory is unicode - so return proper unicode here:
+ 			return x.encode(PREFER_ENC, 'replace').decode(PREFER_ENC)
+-		elif isinstance(x, basestring):
++		elif isinstance(x, str):
+ 			return x.decode(PREFER_ENC, 'replace')
+ 		return x
+ 
+diff --git a/fail2ban/server/failmanager.py b/fail2ban/server/failmanager.py
+index 93c028fb..a9c6b5f6 100644
+--- a/fail2ban/server/failmanager.py
++++ b/fail2ban/server/failmanager.py
+@@ -57,7 +57,7 @@ class FailManager:
+ 	def getFailCount(self):
+ 		# may be slow on large list of failures, should be used for test purposes only...
+ 		with self.__lock:
+-			return len(self.__failList), sum([f.getRetry() for f in self.__failList.values()])
++			return len(self.__failList), sum([f.getRetry() for f in list(self.__failList.values())])
+ 
+ 	def getFailTotal(self):
+ 		with self.__lock:
+@@ -125,7 +125,7 @@ class FailManager:
+ 				# in case of having many active failures, it should be ran only
+ 				# if debug level is "low" enough
+ 				failures_summary = ', '.join(['%s:%d' % (k, v.getRetry())
+-											  for k,v in  self.__failList.iteritems()])
++											  for k,v in  self.__failList.items()])
+ 				logSys.log(logLevel, "Total # of detected failures: %d. Current failures from %d IPs (IP:count): %s"
+ 							 % (self.__failTotal, len(self.__failList), failures_summary))
+ 
+@@ -138,7 +138,7 @@ class FailManager:
+ 	
+ 	def cleanup(self, time):
+ 		with self.__lock:
+-			todelete = [fid for fid,item in self.__failList.iteritems() \
++			todelete = [fid for fid,item in self.__failList.items() \
+ 				if item.getLastTime() + self.__maxTime <= time]
+ 			if len(todelete) == len(self.__failList):
+ 				# remove all:
+@@ -152,7 +152,7 @@ class FailManager:
+ 					del self.__failList[fid]
+ 			else:
+ 				# create new dictionary without items to be deleted:
+-				self.__failList = dict((fid,item) for fid,item in self.__failList.iteritems() \
++				self.__failList = dict((fid,item) for fid,item in self.__failList.items() \
+ 					if item.getLastTime() + self.__maxTime > time)
+ 		self.__bgSvc.service()
+ 	
+diff --git a/fail2ban/server/failregex.py b/fail2ban/server/failregex.py
+index f7dafbef..fb75187d 100644
+--- a/fail2ban/server/failregex.py
++++ b/fail2ban/server/failregex.py
+@@ -128,10 +128,7 @@ class Regex:
+ 			self._regexObj = re.compile(regex, re.MULTILINE if multiline else 0)
+ 			self._regex = regex
+ 			self._altValues = {}
+-			for k in filter(
+-				lambda k: len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE),
+-				self._regexObj.groupindex
+-			):
++			for k in [k for k in self._regexObj.groupindex if len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE)]:
+ 				n = ALTNAME_CRE.match(k).group(1)
+ 				self._altValues[k] = n
+ 			self._altValues = list(self._altValues.items()) if len(self._altValues) else None
+@@ -211,7 +208,7 @@ class Regex:
+ 	#
+ 	@staticmethod
+ 	def _tupleLinesBuf(tupleLines):
+-		return "\n".join(map(lambda v: "".join(v[::2]), tupleLines)) + "\n"
++		return "\n".join(["".join(v[::2]) for v in tupleLines]) + "\n"
+ 
+ 	##
+ 	# Searches the regular expression.
+@@ -223,7 +220,7 @@ class Regex:
+ 	
+ 	def search(self, tupleLines, orgLines=None):
+ 		buf = tupleLines
+-		if not isinstance(tupleLines, basestring):
++		if not isinstance(tupleLines, str):
+ 			buf = Regex._tupleLinesBuf(tupleLines)
+ 		self._matchCache = self._regexObj.search(buf)
+ 		if self._matchCache:
+diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
+index 998fe298..d181fd38 100644
+--- a/fail2ban/server/filter.py
++++ b/fail2ban/server/filter.py
+@@ -292,7 +292,7 @@ class Filter(JailThread):
+ 			dd = DateDetector()
+ 			dd.default_tz = self.__logtimezone
+ 			if not isinstance(pattern, (list, tuple)):
+-				pattern = filter(bool, map(str.strip, re.split('\n+', pattern)))
++				pattern = list(filter(bool, list(map(str.strip, re.split('\n+', pattern)))))
+ 			for pattern in pattern:
+ 				dd.appendTemplate(pattern)
+ 			self.dateDetector = dd
+@@ -987,7 +987,7 @@ class FileFilter(Filter):
+ 	# @return log paths
+ 
+ 	def getLogPaths(self):
+-		return self.__logs.keys()
++		return list(self.__logs.keys())
+ 
+ 	##
+ 	# Get the log containers
+@@ -995,7 +995,7 @@ class FileFilter(Filter):
+ 	# @return log containers
+ 
+ 	def getLogs(self):
+-		return self.__logs.values()
++		return list(self.__logs.values())
+ 
+ 	##
+ 	# Get the count of log containers
+@@ -1021,7 +1021,7 @@ class FileFilter(Filter):
+ 
+ 	def setLogEncoding(self, encoding):
+ 		encoding = super(FileFilter, self).setLogEncoding(encoding)
+-		for log in self.__logs.itervalues():
++		for log in self.__logs.values():
+ 			log.setEncoding(encoding)
+ 
+ 	def getLog(self, path):
+@@ -1183,7 +1183,7 @@ class FileFilter(Filter):
+ 		"""Status of Filter plus files being monitored.
+ 		"""
+ 		ret = super(FileFilter, self).status(flavor=flavor)
+-		path = self.__logs.keys()
++		path = list(self.__logs.keys())
+ 		ret.append(("File list", path))
+ 		return ret
+ 
+@@ -1191,7 +1191,7 @@ class FileFilter(Filter):
+ 		"""Stop monitoring of log-file(s)
+ 		"""
+ 		# stop files monitoring:
+-		for path in self.__logs.keys():
++		for path in list(self.__logs.keys()):
+ 			self.delLogPath(path)
+ 		# stop thread:
+ 		super(Filter, self).stop()
+diff --git a/fail2ban/server/filterpoll.py b/fail2ban/server/filterpoll.py
+index 228a2c8b..d49315cc 100644
+--- a/fail2ban/server/filterpoll.py
++++ b/fail2ban/server/filterpoll.py
+@@ -176,4 +176,4 @@ class FilterPoll(FileFilter):
+ 			return False
+ 
+ 	def getPendingPaths(self):
+-		return self.__file404Cnt.keys()
++		return list(self.__file404Cnt.keys())
+diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
+index ca6b253f..b683b860 100644
+--- a/fail2ban/server/filterpyinotify.py
++++ b/fail2ban/server/filterpyinotify.py
+@@ -158,7 +158,7 @@ class FilterPyinotify(FileFilter):
+ 		except KeyError: pass
+ 
+ 	def getPendingPaths(self):
+-		return self.__pending.keys()
++		return list(self.__pending.keys())
+ 
+ 	def _checkPending(self):
+ 		if not self.__pending:
+@@ -168,7 +168,7 @@ class FilterPyinotify(FileFilter):
+ 			return
+ 		found = {}
+ 		minTime = 60
+-		for path, (retardTM, isDir) in self.__pending.iteritems():
++		for path, (retardTM, isDir) in self.__pending.items():
+ 			if ntm - self.__pendingChkTime < retardTM:
+ 				if minTime > retardTM: minTime = retardTM
+ 				continue
+@@ -184,7 +184,7 @@ class FilterPyinotify(FileFilter):
+ 		self.__pendingChkTime = time.time()
+ 		self.__pendingMinTime = minTime
+ 		# process now because we've missed it in monitoring:
+-		for path, isDir in found.iteritems():
++		for path, isDir in found.items():
+ 			self._delPending(path)
+ 			# refresh monitoring of this:
+ 			self._refreshWatcher(path, isDir=isDir)
+diff --git a/fail2ban/server/ipdns.py b/fail2ban/server/ipdns.py
+index 6648dac6..fe8f8db8 100644
+--- a/fail2ban/server/ipdns.py
++++ b/fail2ban/server/ipdns.py
+@@ -275,7 +275,7 @@ class IPAddr(object):
+ 			raise ValueError("invalid ipstr %r, too many plen representation" % (ipstr,))
+ 		if "." in s[1] or ":" in s[1]: # 255.255.255.0 resp. ffff:: style mask
+ 			s[1] = IPAddr.masktoplen(s[1])
+-		s[1] = long(s[1])
++		s[1] = int(s[1])
+ 		return s
+ 		
+ 	def __init(self, ipstr, cidr=CIDR_UNSPEC):
+@@ -309,7 +309,7 @@ class IPAddr(object):
+ 
+ 				# mask out host portion if prefix length is supplied
+ 				if cidr is not None and cidr >= 0:
+-					mask = ~(0xFFFFFFFFL >> cidr)
++					mask = ~(0xFFFFFFFF >> cidr)
+ 					self._addr &= mask
+ 					self._plen = cidr
+ 
+@@ -321,13 +321,13 @@ class IPAddr(object):
+ 
+ 				# mask out host portion if prefix length is supplied
+ 				if cidr is not None and cidr >= 0:
+-					mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> cidr)
++					mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> cidr)
+ 					self._addr &= mask
+ 					self._plen = cidr
+ 
+ 				# if IPv6 address is a IPv4-compatible, make instance a IPv4
+ 				elif self.isInNet(IPAddr.IP6_4COMPAT):
+-					self._addr = lo & 0xFFFFFFFFL
++					self._addr = lo & 0xFFFFFFFF
+ 					self._family = socket.AF_INET
+ 					self._plen = 32
+ 		else:
+@@ -445,7 +445,7 @@ class IPAddr(object):
+ 		elif self.isIPv6:
+ 			# convert network to host byte order
+ 			hi = self._addr >> 64
+-			lo = self._addr & 0xFFFFFFFFFFFFFFFFL
++			lo = self._addr & 0xFFFFFFFFFFFFFFFF
+ 			binary = struct.pack("!QQ", hi, lo)
+ 			if self._plen and self._plen < 128:
+ 				add = "/%d" % self._plen
+@@ -503,9 +503,9 @@ class IPAddr(object):
+ 		if self.family != net.family:
+ 			return False
+ 		if self.isIPv4:
+-			mask = ~(0xFFFFFFFFL >> net.plen)
++			mask = ~(0xFFFFFFFF >> net.plen)
+ 		elif self.isIPv6:
+-			mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> net.plen)
++			mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> net.plen)
+ 		else:
+ 			return False
+ 		
+@@ -517,7 +517,7 @@ class IPAddr(object):
+ 		m4 = (1 << 32)-1
+ 		mmap = {m6: 128, m4: 32, 0: 0}
+ 		m = 0
+-		for i in xrange(0, 128):
++		for i in range(0, 128):
+ 			m |= 1 << i
+ 			if i < 32:
+ 				mmap[m ^ m4] = 32-1-i
+diff --git a/fail2ban/server/jail.py b/fail2ban/server/jail.py
+index ce9968a8..5fa5ef10 100644
+--- a/fail2ban/server/jail.py
++++ b/fail2ban/server/jail.py
+@@ -26,7 +26,7 @@ __license__ = "GPL"
+ import logging
+ import math
+ import random
+-import Queue
++import queue
+ 
+ from .actions import Actions
+ from ..helpers import getLogger, _as_bool, extractOptions, MyTime
+@@ -76,7 +76,7 @@ class Jail(object):
+ 							"might not function correctly. Please shorten"
+ 							% name)
+ 		self.__name = name
+-		self.__queue = Queue.Queue()
++		self.__queue = queue.Queue()
+ 		self.__filter = None
+ 		# Extra parameters for increase ban time
+ 		self._banExtra = {};
+@@ -127,25 +127,25 @@ class Jail(object):
+ 			"Failed to initialize any backend for Jail %r" % self.name)
+ 
+ 	def _initPolling(self, **kwargs):
+-		from filterpoll import FilterPoll
++		from .filterpoll import FilterPoll
+ 		logSys.info("Jail '%s' uses poller %r" % (self.name, kwargs))
+ 		self.__filter = FilterPoll(self, **kwargs)
+ 
+ 	def _initGamin(self, **kwargs):
+ 		# Try to import gamin
+-		from filtergamin import FilterGamin
++		from .filtergamin import FilterGamin
+ 		logSys.info("Jail '%s' uses Gamin %r" % (self.name, kwargs))
+ 		self.__filter = FilterGamin(self, **kwargs)
+ 
+ 	def _initPyinotify(self, **kwargs):
+ 		# Try to import pyinotify
+-		from filterpyinotify import FilterPyinotify
++		from .filterpyinotify import FilterPyinotify
+ 		logSys.info("Jail '%s' uses pyinotify %r" % (self.name, kwargs))
+ 		self.__filter = FilterPyinotify(self, **kwargs)
+ 
+ 	def _initSystemd(self, **kwargs): # pragma: systemd no cover
+ 		# Try to import systemd
+-		from filtersystemd import FilterSystemd
++		from .filtersystemd import FilterSystemd
+ 		logSys.info("Jail '%s' uses systemd %r" % (self.name, kwargs))
+ 		self.__filter = FilterSystemd(self, **kwargs)
+ 
+@@ -213,7 +213,7 @@ class Jail(object):
+ 		try:
+ 			ticket = self.__queue.get(False)
+ 			return ticket
+-		except Queue.Empty:
++		except queue.Empty:
+ 			return False
+ 
+ 	def setBanTimeExtra(self, opt, value):
+diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py
+index 98b69bd4..24bba5cf 100644
+--- a/fail2ban/server/mytime.py
++++ b/fail2ban/server/mytime.py
+@@ -162,7 +162,7 @@ class MyTime:
+ 		
+ 		@returns number (calculated seconds from expression "val")
+ 		"""
+-		if isinstance(val, (int, long, float, complex)):
++		if isinstance(val, (int, float, complex)):
+ 			return val
+ 		# replace together standing abbreviations, example '1d12h' -> '1d 12h':
+ 		val = MyTime._str2sec_prep.sub(r" \1", val)
+diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py
+index 159f6506..fc948e8c 100644
+--- a/fail2ban/server/server.py
++++ b/fail2ban/server/server.py
+@@ -97,7 +97,7 @@ class Server:
+ 
+ 	def start(self, sock, pidfile, force=False, observer=True, conf={}):
+ 		# First set the mask to only allow access to owner
+-		os.umask(0077)
++		os.umask(0o077)
+ 		# Second daemonize before logging etc, because it will close all handles:
+ 		if self.__daemon: # pragma: no cover
+ 			logSys.info("Starting in daemon mode")
+@@ -190,7 +190,7 @@ class Server:
+ 
+ 		# Restore default signal handlers:
+ 		if _thread_name() == '_MainThread':
+-			for s, sh in self.__prev_signals.iteritems():
++			for s, sh in self.__prev_signals.items():
+ 				signal.signal(s, sh)
+ 
+ 		# Give observer a small chance to complete its work before exit
+@@ -268,10 +268,10 @@ class Server:
+ 		logSys.info("Stopping all jails")
+ 		with self.__lock:
+ 			# 1st stop all jails (signal and stop actions/filter thread):
+-			for name in self.__jails.keys():
++			for name in list(self.__jails.keys()):
+ 				self.delJail(name, stop=True, join=False)
+ 			# 2nd wait for end and delete jails:
+-			for name in self.__jails.keys():
++			for name in list(self.__jails.keys()):
+ 				self.delJail(name, stop=False, join=True)
+ 
+ 	def reloadJails(self, name, opts, begin):
+@@ -302,7 +302,7 @@ class Server:
+ 					if "--restart" in opts:
+ 						self.stopAllJail()
+ 				# first set all affected jail(s) to idle and reset filter regex and other lists/dicts:
+-				for jn, jail in self.__jails.iteritems():
++				for jn, jail in self.__jails.items():
+ 					if name == '--all' or jn == name:
+ 						jail.idle = True
+ 						self.__reload_state[jn] = jail
+@@ -313,7 +313,7 @@ class Server:
+ 			# end reload, all affected (or new) jails have already all new parameters (via stream) and (re)started:
+ 			with self.__lock:
+ 				deljails = []
+-				for jn, jail in self.__jails.iteritems():
++				for jn, jail in self.__jails.items():
+ 					# still in reload state:
+ 					if jn in self.__reload_state:
+ 						# remove jails that are not reloaded (untouched, so not in new configuration)
+@@ -513,7 +513,7 @@ class Server:
+ 			jails = [self.__jails[name]]
+ 		else:
+ 			# in all jails:
+-			jails = self.__jails.values()
++			jails = list(self.__jails.values())
+ 		# unban given or all (if value is None):
+ 		cnt = 0
+ 		ifexists |= (name is None)
+@@ -551,7 +551,7 @@ class Server:
+ 	def isAlive(self, jailnum=None):
+ 		if jailnum is not None and len(self.__jails) != jailnum:
+ 			return 0
+-		for jail in self.__jails.values():
++		for jail in list(self.__jails.values()):
+ 			if not jail.isAlive():
+ 				return 0
+ 		return 1
+@@ -759,7 +759,7 @@ class Server:
+ 			return "flushed"
+ 			
+ 	def setThreadOptions(self, value):
+-		for o, v in value.iteritems():
++		for o, v in value.items():
+ 			if o == 'stacksize':
+ 				threading.stack_size(int(v)*1024)
+ 			else: # pragma: no cover
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 498d284b..a5579fdc 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -79,7 +79,7 @@ timeRE['ExY'] = r"(?P<Y>%s\d)" % _getYearCentRE(cent=(0,3), distance=3)
+ timeRE['Exy'] = r"(?P<y>%s\d)" % _getYearCentRE(cent=(2,3), distance=3)
+ 
+ def getTimePatternRE():
+-	keys = timeRE.keys()
++	keys = list(timeRE.keys())
+ 	patt = (r"%%(%%|%s|[%s])" % (
+ 		"|".join([k for k in keys if len(k) > 1]),
+ 		"".join([k for k in keys if len(k) == 1]),
+@@ -134,7 +134,7 @@ def zone2offset(tz, dt):
+ 	"""
+ 	if isinstance(tz, int):
+ 		return tz
+-	if isinstance(tz, basestring):
++	if isinstance(tz, str):
+ 		return validateTimeZone(tz)
+ 	tz, tzo = tz
+ 	if tzo is None or tzo == '': # without offset
+@@ -171,7 +171,7 @@ def reGroupDictStrptime(found_dict, msec=False, default_tz=None):
+ 	year = month = day = hour = minute = tzoffset = \
+ 	weekday = julian = week_of_year = None
+ 	second = fraction = 0
+-	for key, val in found_dict.iteritems():
++	for key, val in found_dict.items():
+ 		if val is None: continue
+ 		# Directives not explicitly handled below:
+ 		#   c, x, X
+diff --git a/fail2ban/server/ticket.py b/fail2ban/server/ticket.py
+index f67e0d23..f0b727c2 100644
+--- a/fail2ban/server/ticket.py
++++ b/fail2ban/server/ticket.py
+@@ -55,7 +55,7 @@ class Ticket(object):
+ 		self._time = time if time is not None else MyTime.time()
+ 		self._data = {'matches': matches or [], 'failures': 0}
+ 		if data is not None:
+-			for k,v in data.iteritems():
++			for k,v in data.items():
+ 				if v is not None:
+ 					self._data[k] = v
+ 		if ticket:
+@@ -89,7 +89,7 @@ class Ticket(object):
+ 
+ 	def setIP(self, value):
+ 		# guarantee using IPAddr instead of unicode, str for the IP
+-		if isinstance(value, basestring):
++		if isinstance(value, str):
+ 			value = IPAddr(value)
+ 		self._ip = value
+ 	
+@@ -181,7 +181,7 @@ class Ticket(object):
+ 		if len(args) == 1:
+ 			# todo: if support >= 2.7 only:
+ 			# self._data = {k:v for k,v in args[0].iteritems() if v is not None}
+-			self._data = dict([(k,v) for k,v in args[0].iteritems() if v is not None])
++			self._data = dict([(k,v) for k,v in args[0].items() if v is not None])
+ 		# add k,v list or dict (merge):
+ 		elif len(args) == 2:
+ 			self._data.update((args,))
+@@ -192,7 +192,7 @@ class Ticket(object):
+ 		# filter (delete) None values:
+ 		# todo: if support >= 2.7 only:
+ 		# self._data = {k:v for k,v in self._data.iteritems() if v is not None}
+-		self._data = dict([(k,v) for k,v in self._data.iteritems() if v is not None])
++		self._data = dict([(k,v) for k,v in self._data.items() if v is not None])
+ 	
+ 	def getData(self, key=None, default=None):
+ 		# return whole data dict:
+@@ -201,17 +201,17 @@ class Ticket(object):
+ 		# return default if not exists:
+ 		if not self._data:
+ 			return default
+-		if not isinstance(key,(str,unicode,type(None),int,float,bool,complex)):
++		if not isinstance(key,(str,type(None),int,float,bool,complex)):
+ 			# return filtered by lambda/function:
+ 			if callable(key):
+ 				# todo: if support >= 2.7 only:
+ 				# return {k:v for k,v in self._data.iteritems() if key(k)}
+-				return dict([(k,v) for k,v in self._data.iteritems() if key(k)])
++				return dict([(k,v) for k,v in self._data.items() if key(k)])
+ 			# return filtered by keys:
+ 			if hasattr(key, '__iter__'):
+ 				# todo: if support >= 2.7 only:
+ 				# return {k:v for k,v in self._data.iteritems() if k in key}
+-				return dict([(k,v) for k,v in self._data.iteritems() if k in key])
++				return dict([(k,v) for k,v in self._data.items() if k in key])
+ 		# return single value of data:
+ 		return self._data.get(key, default)
+ 
+diff --git a/fail2ban/server/transmitter.py b/fail2ban/server/transmitter.py
+index f83e9d5f..80726cb4 100644
+--- a/fail2ban/server/transmitter.py
++++ b/fail2ban/server/transmitter.py
+@@ -475,7 +475,7 @@ class Transmitter:
+ 			opt = command[1][len("bantime."):]
+ 			return self.__server.getBanTimeExtra(name, opt)
+ 		elif command[1] == "actions":
+-			return self.__server.getActions(name).keys()
++			return list(self.__server.getActions(name).keys())
+ 		elif command[1] == "action":
+ 			actionname = command[2]
+ 			actionvalue = command[3]
+diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py
+index d4461a7d..13c24e76 100644
+--- a/fail2ban/server/utils.py
++++ b/fail2ban/server/utils.py
+@@ -57,7 +57,7 @@ _RETCODE_HINTS = {
+ 
+ # Dictionary to lookup signal name from number
+ signame = dict((num, name)
+-	for name, num in signal.__dict__.iteritems() if name.startswith("SIG"))
++	for name, num in signal.__dict__.items() if name.startswith("SIG"))
+ 
+ class Utils():
+ 	"""Utilities provide diverse static methods like executes OS shell commands, etc.
+@@ -109,7 +109,7 @@ class Utils():
+ 								break
+ 					else: # pragma: 3.x no cover (dict is in 2.6 only)
+ 						remlst = []
+-						for (ck, cv) in cache.iteritems():
++						for (ck, cv) in cache.items():
+ 							# if expired:
+ 							if cv[1] <= t:
+ 								remlst.append(ck)
+@@ -152,7 +152,7 @@ class Utils():
+ 		if not isinstance(realCmd, list):
+ 			realCmd = [realCmd]
+ 		i = len(realCmd)-1
+-		for k, v in varsDict.iteritems():
++		for k, v in varsDict.items():
+ 			varsStat += "%s=$%s " % (k, i)
+ 			realCmd.append(v)
+ 			i += 1
+diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py
+index 013c0fdb..3c35e4d7 100644
+--- a/fail2ban/tests/action_d/test_badips.py
++++ b/fail2ban/tests/action_d/test_badips.py
+@@ -32,7 +32,7 @@ from ..utils import LogCaptureTestCase, CONFIG_DIR
+ if sys.version_info >= (3, ): # pragma: 2.x no cover
+ 	from urllib.error import HTTPError, URLError
+ else: # pragma: 3.x no cover
+-	from urllib2 import HTTPError, URLError
++	from urllib.error import HTTPError, URLError
+ 
+ def skip_if_not_available(f):
+ 	"""Helper to decorate tests to skip in case of timeout/http-errors like "502 bad gateway".
+diff --git a/fail2ban/tests/actiontestcase.py b/fail2ban/tests/actiontestcase.py
+index 1a00c040..ecd09246 100644
+--- a/fail2ban/tests/actiontestcase.py
++++ b/fail2ban/tests/actiontestcase.py
+@@ -244,14 +244,14 @@ class CommandActionTest(LogCaptureTestCase):
+ 		setattr(self.__action, 'ab', "<ac>")
+ 		setattr(self.__action, 'x?family=inet6', "")
+ 		# produce self-referencing properties except:
+-		self.assertRaisesRegexp(ValueError, r"properties contain self referencing definitions",
++		self.assertRaisesRegex(ValueError, r"properties contain self referencing definitions",
+ 			lambda: self.__action.replaceTag("<a><b>", 
+ 				self.__action._properties, conditional="family=inet4")
+ 		)
+ 		# remore self-referencing in props:
+ 		delattr(self.__action, 'ac')
+ 		# produce self-referencing query except:
+-		self.assertRaisesRegexp(ValueError, r"possible self referencing definitions in query",
++		self.assertRaisesRegex(ValueError, r"possible self referencing definitions in query",
+ 			lambda: self.__action.replaceTag("<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x>>>>>>>>>>>>>>>>>>>>>", 
+ 				self.__action._properties, conditional="family=inet6")
+ 		)
+diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
+index 2c1d0a0e..aa7908c4 100644
+--- a/fail2ban/tests/clientreadertestcase.py
++++ b/fail2ban/tests/clientreadertestcase.py
+@@ -390,7 +390,7 @@ class JailReaderTest(LogCaptureTestCase):
+ 		# And multiple groups (`][` instead of `,`)
+ 		result = extractOptions(option.replace(',', ']['))
+ 		expected2 = (expected[0],
+-		 dict((k, v.replace(',', '][')) for k, v in expected[1].iteritems())
++		 dict((k, v.replace(',', '][')) for k, v in expected[1].items())
+ 		)
+ 		self.assertEqual(expected2, result)
+ 
+@@ -975,7 +975,7 @@ filter = testfilter1
+ 		self.assertEqual(add_actions[-1][-1], "{}")
+ 
+ 	def testLogPathFileFilterBackend(self):
+-		self.assertRaisesRegexp(ValueError, r"Have not found any log file for .* jail", 
++		self.assertRaisesRegex(ValueError, r"Have not found any log file for .* jail", 
+ 			self._testLogPath, backend='polling')
+ 
+ 	def testLogPathSystemdBackend(self):
+diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py
+index 9a5e9fa1..562461a6 100644
+--- a/fail2ban/tests/databasetestcase.py
++++ b/fail2ban/tests/databasetestcase.py
+@@ -67,7 +67,7 @@ class DatabaseTest(LogCaptureTestCase):
+ 
+ 	@property
+ 	def db(self):
+-		if isinstance(self._db, basestring) and self._db == ':auto-create-in-memory:':
++		if isinstance(self._db, str) and self._db == ':auto-create-in-memory:':
+ 			self._db = getFail2BanDb(self.dbFilename)
+ 		return self._db
+ 	@db.setter
+@@ -159,7 +159,7 @@ class DatabaseTest(LogCaptureTestCase):
+ 			self.db = Fail2BanDb(self.dbFilename)
+ 			self.assertEqual(self.db.getJailNames(), set(['DummyJail #29162448 with 0 tickets']))
+ 			self.assertEqual(self.db.getLogPaths(), set(['/tmp/Fail2BanDb_pUlZJh.log']))
+-			ticket = FailTicket("127.0.0.1", 1388009242.26, [u"abc\n"])
++			ticket = FailTicket("127.0.0.1", 1388009242.26, ["abc\n"])
+ 			self.assertEqual(self.db.getBans()[0], ticket)
+ 
+ 			self.assertEqual(self.db.updateDb(Fail2BanDb.__version__), Fail2BanDb.__version__)
+@@ -185,9 +185,9 @@ class DatabaseTest(LogCaptureTestCase):
+ 		self.assertEqual(len(bans), 2)
+ 		# compare first ticket completely:
+ 		ticket = FailTicket("1.2.3.7", 1417595494, [
+-			u'Dec  3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
+-			u'Dec  3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
+-			u'Dec  3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
++			'Dec  3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
++			'Dec  3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
++			'Dec  3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
+ 		])
+ 		ticket.setAttempt(3)
+ 		self.assertEqual(bans[0], ticket)
+@@ -286,11 +286,11 @@ class DatabaseTest(LogCaptureTestCase):
+ 		# invalid + valid, invalid + valid unicode, invalid + valid dual converted (like in filter:readline by fallback) ...
+ 		tickets = [
+ 		  FailTicket("127.0.0.1", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+-		  FailTicket("127.0.0.2", 0, ['user "test"', u'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
++		  FailTicket("127.0.0.2", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+ 		  FailTicket("127.0.0.3", 0, ['user "test"', b'user "\xd1\xe2\xe5\xf2\xe0"', b'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+-		  FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xe4\xf6\xfc\xdf"']),
++		  FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xe4\xf6\xfc\xdf"']),
+ 		  FailTicket("127.0.0.5", 0, ['user "test"', 'unterminated \xcf']),
+-		  FailTicket("127.0.0.6", 0, ['user "test"', u'unterminated \xcf']),
++		  FailTicket("127.0.0.6", 0, ['user "test"', 'unterminated \xcf']),
+ 		  FailTicket("127.0.0.7", 0, ['user "test"', b'unterminated \xcf'])
+ 		]
+ 		for ticket in tickets:
+diff --git a/fail2ban/tests/datedetectortestcase.py b/fail2ban/tests/datedetectortestcase.py
+index 458f76ef..49ada60d 100644
+--- a/fail2ban/tests/datedetectortestcase.py
++++ b/fail2ban/tests/datedetectortestcase.py
+@@ -279,7 +279,7 @@ class DateDetectorTest(LogCaptureTestCase):
+ 		self.assertEqual(logTime, mu)
+ 		self.assertEqual(logMatch.group(1), '2012/10/11 02:37:17')
+ 		# confuse it with year being at the end
+-		for i in xrange(10):
++		for i in range(10):
+ 			( logTime, logMatch ) =	self.datedetector.getTime('11/10/2012 02:37:17 [error] 18434#0')
+ 			self.assertEqual(logTime, mu)
+ 			self.assertEqual(logMatch.group(1), '11/10/2012 02:37:17')
+@@ -505,7 +505,7 @@ class CustomDateFormatsTest(unittest.TestCase):
+ 			date = dd.getTime(line)
+ 			if matched:
+ 				self.assertTrue(date)
+-				if isinstance(matched, basestring):
++				if isinstance(matched, str):
+ 					self.assertEqual(matched, date[1].group(1))
+ 				else:
+ 					self.assertEqual(matched, date[0])
+@@ -537,7 +537,7 @@ class CustomDateFormatsTest(unittest.TestCase):
+ 			date = dd.getTime(line)
+ 			if matched:
+ 				self.assertTrue(date)
+-				if isinstance(matched, basestring): # pragma: no cover
++				if isinstance(matched, str): # pragma: no cover
+ 					self.assertEqual(matched, date[1].group(1))
+ 				else:
+ 					self.assertEqual(matched, date[0])
+diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py
+index 95f73ed3..bba354fa 100644
+--- a/fail2ban/tests/fail2banclienttestcase.py
++++ b/fail2ban/tests/fail2banclienttestcase.py
+@@ -367,10 +367,10 @@ def with_foreground_server_thread(startextra={}):
+ 				# several commands to server in body of decorated function:
+ 				return f(self, tmp, startparams, *args, **kwargs)
+ 			except Exception as e: # pragma: no cover
+-				print('=== Catch an exception: %s' % e)
++				print(('=== Catch an exception: %s' % e))
+ 				log = self.getLog()
+ 				if log:
+-					print('=== Error of server, log: ===\n%s===' % log)
++					print(('=== Error of server, log: ===\n%s===' % log))
+ 					self.pruneLog()
+ 				raise
+ 			finally:
+@@ -440,7 +440,7 @@ class Fail2banClientServerBase(LogCaptureTestCase):
+ 					)
+ 		except:  # pragma: no cover
+ 			if _inherited_log(startparams):
+-				print('=== Error by wait fot server, log: ===\n%s===' % self.getLog())
++				print(('=== Error by wait fot server, log: ===\n%s===' % self.getLog()))
+ 				self.pruneLog()
+ 			log = pjoin(tmp, "f2b.log")
+ 			if isfile(log):
+@@ -1610,6 +1610,6 @@ class Fail2banServerTest(Fail2banClientServerBase):
+ 			self.stopAndWaitForServerEnd(SUCCESS)
+ 
+ 		def testServerStartStop(self):
+-			for i in xrange(2000):
++			for i in range(2000):
+ 				self._testServerStartStop()
+ 
+diff --git a/fail2ban/tests/failmanagertestcase.py b/fail2ban/tests/failmanagertestcase.py
+index a5425286..2a94cc82 100644
+--- a/fail2ban/tests/failmanagertestcase.py
++++ b/fail2ban/tests/failmanagertestcase.py
+@@ -45,11 +45,11 @@ class AddFailure(unittest.TestCase):
+ 		super(AddFailure, self).tearDown()
+ 		
+ 	def _addDefItems(self):
+-		self.__items = [[u'193.168.0.128', 1167605999.0],
+-					    [u'193.168.0.128', 1167605999.0],
+-					    [u'193.168.0.128', 1167605999.0],
+-					    [u'193.168.0.128', 1167605999.0],
+-					    [u'193.168.0.128', 1167605999.0],
++		self.__items = [['193.168.0.128', 1167605999.0],
++					    ['193.168.0.128', 1167605999.0],
++					    ['193.168.0.128', 1167605999.0],
++					    ['193.168.0.128', 1167605999.0],
++					    ['193.168.0.128', 1167605999.0],
+ 					    ['87.142.124.10', 1167605999.0],
+ 					    ['87.142.124.10', 1167605999.0],
+ 					    ['87.142.124.10', 1167605999.0],
+diff --git a/fail2ban/tests/files/config/apache-auth/digest.py b/fail2ban/tests/files/config/apache-auth/digest.py
+index 03588594..e2297ab3 100755
+--- a/fail2ban/tests/files/config/apache-auth/digest.py
++++ b/fail2ban/tests/files/config/apache-auth/digest.py
+@@ -41,7 +41,7 @@ def auth(v):
+         response="%s"
+     """ % ( username, algorithm, realm, url, nonce, qop, response )
+ #        opaque="%s",
+-    print(p.method, p.url, p.headers)
++    print((p.method, p.url, p.headers))
+     s =  requests.Session()
+     return s.send(p)
+ 
+@@ -76,18 +76,18 @@ r = auth(v)
+ 
+ # [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
+ 
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ v['algorithm'] = algorithm
+ 
+ 
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ 
+ nonce = v['nonce']
+ v['nonce']=v['nonce'][5:-5]
+ 
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ 
+ # [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
+ 
+@@ -95,7 +95,7 @@ print(r.status_code,r.headers, r.text)
+ v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
+ 
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ 
+ #[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
+ 
+@@ -107,7 +107,7 @@ import time
+ time.sleep(1)
+ 
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ 
+ # Obtained by putting the following code in modules/aaa/mod_auth_digest.c
+ # in the function initialize_secret
+@@ -137,7 +137,7 @@ s = sha.sha(apachesecret)
+ 
+ v=preauth()
+ 
+-print(v['nonce'])
++print((v['nonce']))
+ realm = v['Digest realm'][1:-1]
+ 
+ (t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
+@@ -156,13 +156,13 @@ print(v)
+ 
+ r = auth(v)
+ #[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ 
+ url='/digest_onetime/'
+ v=preauth()
+ 
+ # Need opaque header handling in auth
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
+index 35785a58..8eeb6902 100644
+--- a/fail2ban/tests/filtertestcase.py
++++ b/fail2ban/tests/filtertestcase.py
+@@ -22,7 +22,7 @@
+ __copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko"
+ __license__ = "GPL"
+ 
+-from __builtin__ import open as fopen
++from builtins import open as fopen
+ import unittest
+ import os
+ import re
+@@ -204,7 +204,7 @@ def _copy_lines_between_files(in_, fout, n=None, skip=0, mode='a', terminal_line
+ 	else:
+ 		fin = in_
+ 	# Skip
+-	for i in xrange(skip):
++	for i in range(skip):
+ 		fin.readline()
+ 	# Read
+ 	i = 0
+@@ -244,7 +244,7 @@ def _copy_lines_to_journal(in_, fields={},n=None, skip=0, terminal_line=""): # p
+ 	# Required for filtering
+ 	fields.update(TEST_JOURNAL_FIELDS)
+ 	# Skip
+-	for i in xrange(skip):
++	for i in range(skip):
+ 		fin.readline()
+ 	# Read/Write
+ 	i = 0
+@@ -306,18 +306,18 @@ class BasicFilter(unittest.TestCase):
+ 	def testTest_tm(self):
+ 		unittest.F2B.SkipIfFast()
+ 		## test function "_tm" works correct (returns the same as slow strftime):
+-		for i in xrange(1417512352, (1417512352 // 3600 + 3) * 3600):
++		for i in range(1417512352, (1417512352 // 3600 + 3) * 3600):
+ 			tm = MyTime.time2str(i)
+ 			if _tm(i) != tm: # pragma: no cover - never reachable
+ 				self.assertEqual((_tm(i), i), (tm, i))
+ 
+ 	def testWrongCharInTupleLine(self):
+ 		## line tuple has different types (ascii after ascii / unicode):
+-		for a1 in ('', u'', b''):
+-			for a2 in ('2016-09-05T20:18:56', u'2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
++		for a1 in ('', '', b''):
++			for a2 in ('2016-09-05T20:18:56', '2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
+ 				for a3 in (
+ 					'Fail for "g\xc3\xb6ran" from 192.0.2.1', 
+-					u'Fail for "g\xc3\xb6ran" from 192.0.2.1',
++					'Fail for "g\xc3\xb6ran" from 192.0.2.1',
+ 					b'Fail for "g\xc3\xb6ran" from 192.0.2.1'
+ 				):
+ 					# join should work if all arguments have the same type:
+@@ -435,7 +435,7 @@ class IgnoreIP(LogCaptureTestCase):
+ 
+ 	def testAddAttempt(self):
+ 		self.filter.setMaxRetry(3)
+-		for i in xrange(1, 1+3):
++		for i in range(1, 1+3):
+ 			self.filter.addAttempt('192.0.2.1')
+ 			self.assertLogged('Attempt 192.0.2.1', '192.0.2.1:%d' % i, all=True, wait=True)
+ 		self.jail.actions._Actions__checkBan()
+@@ -472,7 +472,7 @@ class IgnoreIP(LogCaptureTestCase):
+ 		# like both test-cases above, just cached (so once per key)...
+ 		self.filter.ignoreCache = {"key":"<ip>"}
+ 		self.filter.ignoreCommand = 'if [ "<ip>" = "10.0.0.1" ]; then exit 0; fi; exit 1'
+-		for i in xrange(5):
++		for i in range(5):
+ 			self.pruneLog()
+ 			self.assertTrue(self.filter.inIgnoreIPList("10.0.0.1"))
+ 			self.assertFalse(self.filter.inIgnoreIPList("10.0.0.0"))
+@@ -483,7 +483,7 @@ class IgnoreIP(LogCaptureTestCase):
+ 		# by host of IP:
+ 		self.filter.ignoreCache = {"key":"<ip-host>"}
+ 		self.filter.ignoreCommand = 'if [ "<ip-host>" = "test-host" ]; then exit 0; fi; exit 1'
+-		for i in xrange(5):
++		for i in range(5):
+ 			self.pruneLog()
+ 			self.assertTrue(self.filter.inIgnoreIPList(FailTicket("2001:db8::1")))
+ 			self.assertFalse(self.filter.inIgnoreIPList(FailTicket("2001:db8::ffff")))
+@@ -495,7 +495,7 @@ class IgnoreIP(LogCaptureTestCase):
+ 		self.filter.ignoreCache = {"key":"<F-USER>", "max-count":"10", "max-time":"1h"}
+ 		self.assertEqual(self.filter.ignoreCache, ["<F-USER>", 10, 60*60])
+ 		self.filter.ignoreCommand = 'if [ "<F-USER>" = "tester" ]; then exit 0; fi; exit 1'
+-		for i in xrange(5):
++		for i in range(5):
+ 			self.pruneLog()
+ 			self.assertTrue(self.filter.inIgnoreIPList(FailTicket("tester", data={'user': 'tester'})))
+ 			self.assertFalse(self.filter.inIgnoreIPList(FailTicket("root", data={'user': 'root'})))
+@@ -644,7 +644,7 @@ class LogFileFilterPoll(unittest.TestCase):
+ 			fc = FileContainer(fname, self.filter.getLogEncoding())
+ 			fc.open()
+ 			# no time - nothing should be found :
+-			for i in xrange(10):
++			for i in range(10):
+ 				f.write("[sshd] error: PAM: failure len 1\n")
+ 				f.flush()
+ 				fc.setPos(0); self.filter.seekToTime(fc, time)
+@@ -718,14 +718,14 @@ class LogFileFilterPoll(unittest.TestCase):
+ 			# variable length of file (ca 45K or 450K before and hereafter):
+ 			# write lines with smaller as search time:
+ 			t = time - count - 1
+-			for i in xrange(count):
++			for i in range(count):
+ 				f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
+ 				t += 1
+ 			f.flush()
+ 			fc.setPos(0); self.filter.seekToTime(fc, time)
+ 			self.assertEqual(fc.getPos(), 47*count)
+ 			# write lines with exact search time:
+-			for i in xrange(10):
++			for i in range(10):
+ 				f.write("%s [sshd] error: PAM: failure\n" % _tm(time))
+ 			f.flush()
+ 			fc.setPos(0); self.filter.seekToTime(fc, time)
+@@ -734,8 +734,8 @@ class LogFileFilterPoll(unittest.TestCase):
+ 			self.assertEqual(fc.getPos(), 47*count)
+ 			# write lines with greater as search time:
+ 			t = time+1
+-			for i in xrange(count//500):
+-				for j in xrange(500):
++			for i in range(count//500):
++				for j in range(500):
+ 					f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
+ 					t += 1
+ 				f.flush()
+@@ -1488,10 +1488,10 @@ def get_monitor_failures_journal_testcase(Filter_): # pragma: systemd no cover
+ 			# Add direct utf, unicode, blob:
+ 			for l in (
+ 		    "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
+-		   u"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
++		   "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
+ 		   b"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1".decode('utf-8', 'replace'),
+ 		    "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
+-		   u"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
++		   "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
+ 		   b"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2".decode('utf-8', 'replace')
+ 			):
+ 				fields = self.journal_fields
+@@ -1520,7 +1520,7 @@ class GetFailures(LogCaptureTestCase):
+ 
+ 	# so that they could be reused by other tests
+ 	FAILURES_01 = ('193.168.0.128', 3, 1124013599.0,
+-				  [u'Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
++				  ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
+ 
+ 	def setUp(self):
+ 		"""Call before every test case."""
+@@ -1595,8 +1595,8 @@ class GetFailures(LogCaptureTestCase):
+ 
+ 	def testGetFailures02(self):
+ 		output = ('141.3.81.106', 4, 1124013539.0,
+-				  [u'Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
+-				   % m for m in 53, 54, 57, 58])
++				  ['Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
++				   % m for m in (53, 54, 57, 58)])
+ 
+ 		self.filter.addLogPath(GetFailures.FILENAME_02, autoSeek=0)
+ 		self.filter.addFailRegex(r"Failed .* from <HOST>")
+@@ -1691,17 +1691,17 @@ class GetFailures(LogCaptureTestCase):
+ 		# We should still catch failures with usedns = no ;-)
+ 		output_yes = (
+ 			('93.184.216.34', 2, 1124013539.0,
+-			  [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
+-			   u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
++			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
++			   'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
+ 			),
+ 			('2606:2800:220:1:248:1893:25c8:1946', 1, 1124013299.0,
+-			  [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
++			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
+ 			),
+ 		)
+ 
+ 		output_no = (
+ 			('93.184.216.34', 1, 1124013539.0,
+-			  [u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
++			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
+ 			)
+ 		)
+ 
+@@ -1807,9 +1807,9 @@ class DNSUtilsTests(unittest.TestCase):
+ 		self.assertTrue(c.get('a') is None)
+ 		self.assertEqual(c.get('a', 'test'), 'test')
+ 		# exact 5 elements :
+-		for i in xrange(5):
++		for i in range(5):
+ 			c.set(i, i)
+-		for i in xrange(5):
++		for i in range(5):
+ 			self.assertEqual(c.get(i), i)
+ 		# remove unavailable key:
+ 		c.unset('a'); c.unset('a')
+@@ -1817,30 +1817,30 @@ class DNSUtilsTests(unittest.TestCase):
+ 	def testCacheMaxSize(self):
+ 		c = Utils.Cache(maxCount=5, maxTime=60)
+ 		# exact 5 elements :
+-		for i in xrange(5):
++		for i in range(5):
+ 			c.set(i, i)
+-		self.assertEqual([c.get(i) for i in xrange(5)], [i for i in xrange(5)])
+-		self.assertNotIn(-1, (c.get(i, -1) for i in xrange(5)))
++		self.assertEqual([c.get(i) for i in range(5)], [i for i in range(5)])
++		self.assertNotIn(-1, (c.get(i, -1) for i in range(5)))
+ 		# add one - too many:
+ 		c.set(10, i)
+ 		# one element should be removed :
+-		self.assertIn(-1, (c.get(i, -1) for i in xrange(5)))
++		self.assertIn(-1, (c.get(i, -1) for i in range(5)))
+ 		# test max size (not expired):
+-		for i in xrange(10):
++		for i in range(10):
+ 			c.set(i, 1)
+ 		self.assertEqual(len(c), 5)
+ 
+ 	def testCacheMaxTime(self):
+ 		# test max time (expired, timeout reached) :
+ 		c = Utils.Cache(maxCount=5, maxTime=0.0005)
+-		for i in xrange(10):
++		for i in range(10):
+ 			c.set(i, 1)
+ 		st = time.time()
+ 		self.assertTrue(Utils.wait_for(lambda: time.time() >= st + 0.0005, 1))
+ 		# we have still 5 elements (or fewer if too slow test mashine):
+ 		self.assertTrue(len(c) <= 5)
+ 		# but all that are expiered also:
+-		for i in xrange(10):
++		for i in range(10):
+ 			self.assertTrue(c.get(i) is None)
+ 		# here the whole cache should be empty:
+ 		self.assertEqual(len(c), 0)
+@@ -1861,7 +1861,7 @@ class DNSUtilsTests(unittest.TestCase):
+ 					c = count
+ 					while c:
+ 						c -= 1
+-						s = xrange(0, 256, 1) if forw else xrange(255, -1, -1)
++						s = range(0, 256, 1) if forw else range(255, -1, -1)
+ 						if random: shuffle([i for i in s])
+ 						for i in s:
+ 							IPAddr('192.0.2.'+str(i), IPAddr.FAM_IPv4)
+@@ -1983,15 +1983,15 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ 
+ 	def testAddr2bin(self):
+ 		res = IPAddr('10.0.0.0')
+-		self.assertEqual(res.addr, 167772160L)
++		self.assertEqual(res.addr, 167772160)
+ 		res = IPAddr('10.0.0.0', cidr=None)
+-		self.assertEqual(res.addr, 167772160L)
+-		res = IPAddr('10.0.0.0', cidr=32L)
+-		self.assertEqual(res.addr, 167772160L)
+-		res = IPAddr('10.0.0.1', cidr=32L)
+-		self.assertEqual(res.addr, 167772161L)
+-		res = IPAddr('10.0.0.1', cidr=31L)
+-		self.assertEqual(res.addr, 167772160L)
++		self.assertEqual(res.addr, 167772160)
++		res = IPAddr('10.0.0.0', cidr=32)
++		self.assertEqual(res.addr, 167772160)
++		res = IPAddr('10.0.0.1', cidr=32)
++		self.assertEqual(res.addr, 167772161)
++		res = IPAddr('10.0.0.1', cidr=31)
++		self.assertEqual(res.addr, 167772160)
+ 
+ 		self.assertEqual(IPAddr('10.0.0.0').hexdump, '0a000000')
+ 		self.assertEqual(IPAddr('1::2').hexdump, '00010000000000000000000000000002')
+@@ -2067,9 +2067,9 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ 			'93.184.216.34': 'ip4-test', 
+ 			'2606:2800:220:1:248:1893:25c8:1946': 'ip6-test'
+ 		}
+-		d2 = dict([(IPAddr(k), v) for k, v in d.iteritems()])
+-		self.assertTrue(isinstance(d.keys()[0], basestring))
+-		self.assertTrue(isinstance(d2.keys()[0], IPAddr))
++		d2 = dict([(IPAddr(k), v) for k, v in d.items()])
++		self.assertTrue(isinstance(list(d.keys())[0], str))
++		self.assertTrue(isinstance(list(d2.keys())[0], IPAddr))
+ 		self.assertEqual(d.get(ip4[2], ''), 'ip4-test')
+ 		self.assertEqual(d.get(ip6[2], ''), 'ip6-test')
+ 		self.assertEqual(d2.get(str(ip4[2]), ''), 'ip4-test')
+diff --git a/fail2ban/tests/misctestcase.py b/fail2ban/tests/misctestcase.py
+index 9b986f53..94f7a8de 100644
+--- a/fail2ban/tests/misctestcase.py
++++ b/fail2ban/tests/misctestcase.py
+@@ -29,9 +29,9 @@ import tempfile
+ import shutil
+ import fnmatch
+ from glob import glob
+-from StringIO import StringIO
++from io import StringIO
+ 
+-from utils import LogCaptureTestCase, logSys as DefLogSys
++from .utils import LogCaptureTestCase, logSys as DefLogSys
+ 
+ from ..helpers import formatExceptionInfo, mbasename, TraceBack, FormatterWithTraceBack, getLogger, \
+ 	splitwords, uni_decode, uni_string
+@@ -67,7 +67,7 @@ class HelpersTest(unittest.TestCase):
+ 		self.assertEqual(splitwords(' 1\n  2'), ['1', '2'])
+ 		self.assertEqual(splitwords(' 1\n  2, 3'), ['1', '2', '3'])
+ 		# string as unicode:
+-		self.assertEqual(splitwords(u' 1\n  2, 3'), ['1', '2', '3'])
++		self.assertEqual(splitwords(' 1\n  2, 3'), ['1', '2', '3'])
+ 
+ 
+ if sys.version_info >= (2,7):
+@@ -197,11 +197,11 @@ class TestsUtilsTest(LogCaptureTestCase):
+ 
+ 	def testUniConverters(self):
+ 		self.assertRaises(Exception, uni_decode, 
+-			(b'test' if sys.version_info >= (3,) else u'test'), 'f2b-test::non-existing-encoding')
+-		uni_decode((b'test\xcf' if sys.version_info >= (3,) else u'test\xcf'))
++			(b'test' if sys.version_info >= (3,) else 'test'), 'f2b-test::non-existing-encoding')
++		uni_decode((b'test\xcf' if sys.version_info >= (3,) else 'test\xcf'))
+ 		uni_string(b'test\xcf')
+ 		uni_string('test\xcf')
+-		uni_string(u'test\xcf')
++		uni_string('test\xcf')
+ 
+ 	def testSafeLogging(self):
+ 		# logging should be exception-safe, to avoid possible errors (concat, str. conversion, representation failures, etc)
+@@ -213,7 +213,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ 				if self.err:
+ 					raise Exception('no represenation for test!')
+ 				else:
+-					return u'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
++					return 'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
+ 		test = Test()
+ 		logSys.log(logging.NOTICE, "test 1a: %r", test)
+ 		self.assertLogged("Traceback", "no represenation for test!")
+@@ -261,7 +261,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ 					func_raise()
+ 
+ 			try:
+-				print deep_function(3)
++				print(deep_function(3))
+ 			except ValueError:
+ 				s = tb()
+ 
+@@ -278,7 +278,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ 			self.assertIn(':', s)
+ 
+ 	def _testAssertionErrorRE(self, regexp, fun, *args, **kwargs):
+-		self.assertRaisesRegexp(AssertionError, regexp, fun, *args, **kwargs)
++		self.assertRaisesRegex(AssertionError, regexp, fun, *args, **kwargs)
+ 	
+ 	def testExtendedAssertRaisesRE(self):
+ 		## test _testAssertionErrorRE several fail cases:
+@@ -316,13 +316,13 @@ class TestsUtilsTest(LogCaptureTestCase):
+ 		self._testAssertionErrorRE(r"'a' unexpectedly found in 'cba'",
+ 			self.assertNotIn, 'a', 'cba')
+ 		self._testAssertionErrorRE(r"1 unexpectedly found in \[0, 1, 2\]",
+-			self.assertNotIn, 1, xrange(3))
++			self.assertNotIn, 1, range(3))
+ 		self._testAssertionErrorRE(r"'A' unexpectedly found in \['C', 'A'\]",
+ 			self.assertNotIn, 'A', (c.upper() for c in 'cba' if c != 'b'))
+ 		self._testAssertionErrorRE(r"'a' was not found in 'xyz'",
+ 			self.assertIn, 'a', 'xyz')
+ 		self._testAssertionErrorRE(r"5 was not found in \[0, 1, 2\]",
+-			self.assertIn, 5, xrange(3))
++			self.assertIn, 5, range(3))
+ 		self._testAssertionErrorRE(r"'A' was not found in \['C', 'B'\]",
+ 			self.assertIn, 'A', (c.upper() for c in 'cba' if c != 'a'))
+ 		## assertLogged, assertNotLogged positive case:
+diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py
+index 8e944454..ed520286 100644
+--- a/fail2ban/tests/observertestcase.py
++++ b/fail2ban/tests/observertestcase.py
+@@ -69,7 +69,7 @@ class BanTimeIncr(LogCaptureTestCase):
+ 		a.setBanTimeExtra('multipliers', multipliers)
+ 		# test algorithm and max time 24 hours :
+ 		self.assertEqual(
+-			[a.calcBanTime(600, i) for i in xrange(1, 11)],
++			[a.calcBanTime(600, i) for i in range(1, 11)],
+ 			[1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
+ 		)
+ 		# with extra large max time (30 days):
+@@ -81,38 +81,38 @@ class BanTimeIncr(LogCaptureTestCase):
+ 			if multcnt < 11:
+ 				arr = arr[0:multcnt-1] + ([arr[multcnt-2]] * (11-multcnt))
+ 		self.assertEqual(
+-			[a.calcBanTime(600, i) for i in xrange(1, 11)],
++			[a.calcBanTime(600, i) for i in range(1, 11)],
+ 			arr
+ 		)
+ 		a.setBanTimeExtra('maxtime', '1d')
+ 		# change factor :
+ 		a.setBanTimeExtra('factor', '2');
+ 		self.assertEqual(
+-			[a.calcBanTime(600, i) for i in xrange(1, 11)],
++			[a.calcBanTime(600, i) for i in range(1, 11)],
+ 			[2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400, 86400]
+ 		)
+ 		# factor is float :
+ 		a.setBanTimeExtra('factor', '1.33');
+ 		self.assertEqual(
+-			[int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++			[int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ 			[1596, 3192, 6384, 12768, 25536, 51072, 86400, 86400, 86400, 86400]
+ 		)
+ 		a.setBanTimeExtra('factor', None);
+ 		# change max time :
+ 		a.setBanTimeExtra('maxtime', '12h')
+ 		self.assertEqual(
+-			[a.calcBanTime(600, i) for i in xrange(1, 11)],
++			[a.calcBanTime(600, i) for i in range(1, 11)],
+ 			[1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
+ 		)
+ 		a.setBanTimeExtra('maxtime', '24h')
+ 		## test randomization - not possibe all 10 times we have random = 0:
+ 		a.setBanTimeExtra('rndtime', '5m')
+ 		self.assertTrue(
+-			False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
++			False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
+ 		)
+ 		a.setBanTimeExtra('rndtime', None)
+ 		self.assertFalse(
+-			False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
++			False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
+ 		)
+ 		# restore default:
+ 		a.setBanTimeExtra('multipliers', None)
+@@ -124,7 +124,7 @@ class BanTimeIncr(LogCaptureTestCase):
+ 		# this multipliers has the same values as default formula, we test stop growing after count 9:
+ 		self.testDefault('1 2 4 8 16 32 64 128 256')
+ 		# this multipliers has exactly the same values as default formula, test endless growing (stops by count 31 only):
+-		self.testDefault(' '.join([str(1<<i) for i in xrange(31)]))
++		self.testDefault(' '.join([str(1<<i) for i in range(31)]))
+ 
+ 	def testFormula(self):
+ 		a = self.__jail;
+@@ -136,38 +136,38 @@ class BanTimeIncr(LogCaptureTestCase):
+ 		a.setBanTimeExtra('multipliers', None)
+ 		# test algorithm and max time 24 hours :
+ 		self.assertEqual(
+-			[int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++			[int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ 			[1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
+ 		)
+ 		# with extra large max time (30 days):
+ 		a.setBanTimeExtra('maxtime', '30d')
+ 		self.assertEqual(
+-			[int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++			[int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ 			[1200, 2400, 4800, 9600, 19200, 38400, 76800, 153601, 307203, 614407]
+ 		)
+ 		a.setBanTimeExtra('maxtime', '24h')
+ 		# change factor :
+ 		a.setBanTimeExtra('factor', '1');
+ 		self.assertEqual(
+-			[int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++			[int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ 			[1630, 4433, 12051, 32758, 86400, 86400, 86400, 86400, 86400, 86400]
+ 		)
+ 		a.setBanTimeExtra('factor', '2.0 / 2.885385')
+ 		# change max time :
+ 		a.setBanTimeExtra('maxtime', '12h')
+ 		self.assertEqual(
+-			[int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++			[int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ 			[1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
+ 		)
+ 		a.setBanTimeExtra('maxtime', '24h')
+ 		## test randomization - not possibe all 10 times we have random = 0:
+ 		a.setBanTimeExtra('rndtime', '5m')
+ 		self.assertTrue(
+-			False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
++			False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
+ 		)
+ 		a.setBanTimeExtra('rndtime', None)
+ 		self.assertFalse(
+-			False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
++			False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
+ 		)
+ 		# restore default:
+ 		a.setBanTimeExtra('factor', None);
+@@ -230,7 +230,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ 		ticket = FailTicket(ip, stime, [])
+ 		# test ticket not yet found
+ 		self.assertEqual(
+-			[self.incrBanTime(ticket, 10) for i in xrange(3)], 
++			[self.incrBanTime(ticket, 10) for i in range(3)], 
+ 			[10, 10, 10]
+ 		)
+ 		# add a ticket banned
+@@ -285,7 +285,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ 		)
+ 		# increase ban multiple times:
+ 		lastBanTime = 20
+-		for i in xrange(10):
++		for i in range(10):
+ 			ticket.setTime(stime + lastBanTime + 5)
+ 			banTime = self.incrBanTime(ticket, 10)
+ 			self.assertEqual(banTime, lastBanTime * 2)
+@@ -481,7 +481,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ 		ticket = FailTicket(ip, stime-120, [])
+ 		failManager = FailManager()
+ 		failManager.setMaxRetry(3)
+-		for i in xrange(3):
++		for i in range(3):
+ 			failManager.addFailure(ticket)
+ 			obs.add('failureFound', failManager, jail, ticket)
+ 		obs.wait_empty(5)
+diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py
+index 0bbd05f5..479b564a 100644
+--- a/fail2ban/tests/samplestestcase.py
++++ b/fail2ban/tests/samplestestcase.py
+@@ -138,7 +138,7 @@ class FilterSamplesRegex(unittest.TestCase):
+ 
+ 	@staticmethod
+ 	def _filterOptions(opts):
+-				return dict((k, v) for k, v in opts.iteritems() if not k.startswith('test.'))
++				return dict((k, v) for k, v in opts.items() if not k.startswith('test.'))
+ 		
+ def testSampleRegexsFactory(name, basedir):
+ 	def testFilter(self):
+@@ -249,10 +249,10 @@ def testSampleRegexsFactory(name, basedir):
+ 						self.assertTrue(faildata.get('match', False), 
+ 							"Line matched when shouldn't have")
+ 						self.assertEqual(len(ret), 1,
+-							"Multiple regexs matched %r" % (map(lambda x: x[0], ret)))
++							"Multiple regexs matched %r" % ([x[0] for x in ret]))
+ 
+ 						# Verify match captures (at least fid/host) and timestamp as expected
+-						for k, v in faildata.iteritems():
++						for k, v in faildata.items():
+ 							if k not in ("time", "match", "desc", "filter"):
+ 								fv = fail.get(k, None)
+ 								if fv is None:
+@@ -294,7 +294,7 @@ def testSampleRegexsFactory(name, basedir):
+ 								'\n'.join(pprint.pformat(fail).splitlines())))
+ 
+ 		# check missing samples for regex using each filter-options combination:
+-		for fltName, flt in self._filters.iteritems():
++		for fltName, flt in self._filters.items():
+ 			flt, regexsUsedIdx = flt
+ 			regexList = flt.getFailRegex()
+ 			for failRegexIndex, failRegex in enumerate(regexList):
+diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
+index 55e72455..7925ab1e 100644
+--- a/fail2ban/tests/servertestcase.py
++++ b/fail2ban/tests/servertestcase.py
+@@ -124,14 +124,14 @@ class TransmitterBase(LogCaptureTestCase):
+ 			self.transm.proceed(["get", jail, cmd]), (0, []))
+ 		for n, value in enumerate(values):
+ 			ret = self.transm.proceed(["set", jail, cmdAdd, value])
+-			self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
++			self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
+ 			ret = self.transm.proceed(["get", jail, cmd])
+-			self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
++			self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
+ 		for n, value in enumerate(values):
+ 			ret = self.transm.proceed(["set", jail, cmdDel, value])
+-			self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
++			self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
+ 			ret = self.transm.proceed(["get", jail, cmd])
+-			self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
++			self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
+ 
+ 	def jailAddDelRegexTest(self, cmd, inValues, outValues, jail):
+ 		cmdAdd = "add" + cmd
+@@ -930,7 +930,7 @@ class TransmitterLogging(TransmitterBase):
+ 
+ 	def testLogTarget(self):
+ 		logTargets = []
+-		for _ in xrange(3):
++		for _ in range(3):
+ 			tmpFile = tempfile.mkstemp("fail2ban", "transmitter")
+ 			logTargets.append(tmpFile[1])
+ 			os.close(tmpFile[0])
+@@ -1003,26 +1003,26 @@ class TransmitterLogging(TransmitterBase):
+ 				self.assertEqual(self.transm.proceed(["flushlogs"]), (0, "rolled over"))
+ 				l.warning("After flushlogs")
+ 				with open(fn2,'r') as f:
+-					line1 = f.next()
++					line1 = next(f)
+ 					if line1.find('Changed logging target to') >= 0:
+-						line1 = f.next()
++						line1 = next(f)
+ 					self.assertTrue(line1.endswith("Before file moved\n"))
+-					line2 = f.next()
++					line2 = next(f)
+ 					self.assertTrue(line2.endswith("After file moved\n"))
+ 					try:
+-						n = f.next()
++						n = next(f)
+ 						if n.find("Command: ['flushlogs']") >=0:
+-							self.assertRaises(StopIteration, f.next)
++							self.assertRaises(StopIteration, f.__next__)
+ 						else:
+ 							self.fail("Exception StopIteration or Command: ['flushlogs'] expected. Got: %s" % n)
+ 					except StopIteration:
+ 						pass # on higher debugging levels this is expected
+ 				with open(fn,'r') as f:
+-					line1 = f.next()
++					line1 = next(f)
+ 					if line1.find('rollover performed on') >= 0:
+-						line1 = f.next()
++						line1 = next(f)
+ 					self.assertTrue(line1.endswith("After flushlogs\n"))
+-					self.assertRaises(StopIteration, f.next)
++					self.assertRaises(StopIteration, f.__next__)
+ 					f.close()
+ 			finally:
+ 				os.remove(fn2)
+@@ -1185,7 +1185,7 @@ class LoggingTests(LogCaptureTestCase):
+ 					os.remove(f)
+ 
+ 
+-from clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
++from .clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
+ 
+ class ServerConfigReaderTests(LogCaptureTestCase):
+ 
+diff --git a/fail2ban/tests/sockettestcase.py b/fail2ban/tests/sockettestcase.py
+index 69bf8d8b..60f49e57 100644
+--- a/fail2ban/tests/sockettestcase.py
++++ b/fail2ban/tests/sockettestcase.py
+@@ -153,7 +153,7 @@ class Socket(LogCaptureTestCase):
+ 		org_handler = RequestHandler.found_terminator
+ 		try:
+ 			RequestHandler.found_terminator = lambda self: self.close()
+-			self.assertRaisesRegexp(RuntimeError, r"socket connection broken", 
++			self.assertRaisesRegex(RuntimeError, r"socket connection broken", 
+ 				lambda: client.send(testMessage, timeout=unittest.F2B.maxWaitTime(10)))
+ 		finally:
+ 			RequestHandler.found_terminator = org_handler
+diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
+index fcfddba7..cb234e0d 100644
+--- a/fail2ban/tests/utils.py
++++ b/fail2ban/tests/utils.py
+@@ -35,7 +35,7 @@ import time
+ import threading
+ import unittest
+ 
+-from cStringIO import StringIO
++from io import StringIO
+ from functools import wraps
+ 
+ from ..helpers import getLogger, str2LogLevel, getVerbosityFormat, uni_decode
+@@ -174,8 +174,8 @@ def initProcess(opts):
+ 
+ 	# Let know the version
+ 	if opts.verbosity != 0:
+-		print("Fail2ban %s test suite. Python %s. Please wait..." \
+-				% (version, str(sys.version).replace('\n', '')))
++		print(("Fail2ban %s test suite. Python %s. Please wait..." \
++				% (version, str(sys.version).replace('\n', ''))))
+ 
+ 	return opts;
+ 
+@@ -322,7 +322,7 @@ def initTests(opts):
+ 	c = DNSUtils.CACHE_ipToName
+ 	# increase max count and max time (too many entries, long time testing):
+ 	c.setOptions(maxCount=10000, maxTime=5*60)
+-	for i in xrange(256):
++	for i in range(256):
+ 		c.set('192.0.2.%s' % i, None)
+ 		c.set('198.51.100.%s' % i, None)
+ 		c.set('203.0.113.%s' % i, None)
+@@ -541,8 +541,8 @@ def gatherTests(regexps=None, opts=None):
+ import difflib, pprint
+ if not hasattr(unittest.TestCase, 'assertDictEqual'):
+ 	def assertDictEqual(self, d1, d2, msg=None):
+-		self.assert_(isinstance(d1, dict), 'First argument is not a dictionary')
+-		self.assert_(isinstance(d2, dict), 'Second argument is not a dictionary')
++		self.assertTrue(isinstance(d1, dict), 'First argument is not a dictionary')
++		self.assertTrue(isinstance(d2, dict), 'Second argument is not a dictionary')
+ 		if d1 != d2:
+ 			standardMsg = '%r != %r' % (d1, d2)
+ 			diff = ('\n' + '\n'.join(difflib.ndiff(
+@@ -560,7 +560,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
+ 	# used to recognize having element as nested dict, list or tuple:
+ 	def _is_nested(v):
+ 		if isinstance(v, dict):
+-			return any(isinstance(v, (dict, list, tuple)) for v in v.itervalues())
++			return any(isinstance(v, (dict, list, tuple)) for v in v.values())
+ 		return any(isinstance(v, (dict, list, tuple)) for v in v)
+ 	# level comparison routine:
+ 	def _assertSortedEqual(a, b, level, nestedOnly, key):
+@@ -573,7 +573,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
+ 				return
+ 			raise ValueError('%r != %r' % (a, b))
+ 		if isinstance(a, dict) and isinstance(b, dict): # compare dict's:
+-			for k, v1 in a.iteritems():
++			for k, v1 in a.items():
+ 				v2 = b[k]
+ 				if isinstance(v1, (dict, list, tuple)) and isinstance(v2, (dict, list, tuple)):
+ 					_assertSortedEqual(v1, v2, level-1 if level != 0 else 0, nestedOnly, key)
+@@ -608,14 +608,14 @@ if not hasattr(unittest.TestCase, 'assertRaisesRegexp'):
+ 				self.fail('\"%s\" does not match \"%s\"' % (regexp, e))
+ 		else:
+ 			self.fail('%s not raised' % getattr(exccls, '__name__'))
+-	unittest.TestCase.assertRaisesRegexp = assertRaisesRegexp
++	unittest.TestCase.assertRaisesRegex = assertRaisesRegexp
+ 
+ # always custom following methods, because we use atm better version of both (support generators)
+ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
+ 	def assertIn(self, a, b, msg=None):
+ 		bb = b
+ 		wrap = False
+-		if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
++		if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
+ 			b, bb = itertools.tee(b)
+ 			wrap = True
+ 		if a not in b:
+@@ -626,7 +626,7 @@ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
+ 	def assertNotIn(self, a, b, msg=None):
+ 		bb = b
+ 		wrap = False
+-		if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
++		if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
+ 			b, bb = itertools.tee(b)
+ 			wrap = True
+ 		if a in b:
+diff --git a/setup.py b/setup.py
+deleted file mode 100755
+index ce1eedf6..00000000
+--- a/setup.py
++++ /dev/null
+@@ -1,326 +0,0 @@
+-#!/usr/bin/env python
+-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+-# vi: set ft=python sts=4 ts=4 sw=4 noet :
+-
+-# This file is part of Fail2Ban.
+-#
+-# Fail2Ban is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 2 of the License, or
+-# (at your option) any later version.
+-#
+-# Fail2Ban is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with Fail2Ban; if not, write to the Free Software
+-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+-
+-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
+-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
+-__license__ = "GPL"
+-
+-import platform
+-
+-try:
+-	import setuptools
+-	from setuptools import setup
+-	from setuptools.command.install import install
+-	from setuptools.command.install_scripts import install_scripts
+-except ImportError:
+-	setuptools = None
+-	from distutils.core import setup
+-
+-# all versions
+-from distutils.command.build_py import build_py
+-from distutils.command.build_scripts import build_scripts
+-if setuptools is None:
+-	from distutils.command.install import install
+-	from distutils.command.install_scripts import install_scripts
+-try:
+-	# python 3.x
+-	from distutils.command.build_py import build_py_2to3
+-	from distutils.command.build_scripts import build_scripts_2to3
+-	_2to3 = True
+-except ImportError:
+-	# python 2.x
+-	_2to3 = False
+-
+-import os
+-from os.path import isfile, join, isdir, realpath
+-import re
+-import sys
+-import warnings
+-from glob import glob
+-
+-from fail2ban.setup import updatePyExec
+-
+-
+-source_dir = os.path.realpath(os.path.dirname(
+-	# __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+-	sys.argv[0] if os.path.basename(sys.argv[0]) == 'setup.py' else __file__
+-))
+-
+-# Wrapper to install python binding (to current python version):
+-class install_scripts_f2b(install_scripts):
+-
+-	def get_outputs(self):
+-		outputs = install_scripts.get_outputs(self)
+-		# setup.py --dry-run install:
+-		dry_run = not outputs
+-		self.update_scripts(dry_run)
+-		if dry_run:
+-			#bindir = self.install_dir
+-			bindir = self.build_dir
+-			print('creating fail2ban-python binding -> %s (dry-run, real path can be different)' % (bindir,))
+-			print('Copying content of %s to %s' % (self.build_dir, self.install_dir));
+-			return outputs
+-		fn = None
+-		for fn in outputs:
+-			if os.path.basename(fn) == 'fail2ban-server':
+-				break
+-		bindir = os.path.dirname(fn)
+-		print('creating fail2ban-python binding -> %s' % (bindir,))
+-		updatePyExec(bindir)
+-		return outputs
+-
+-	def update_scripts(self, dry_run=False):
+-		buildroot = os.path.dirname(self.build_dir)
+-		install_dir = self.install_dir
+-		try:
+-			# remove root-base from install scripts path:
+-			root = self.distribution.command_options['install']['root'][1]
+-			if install_dir.startswith(root):
+-				install_dir = install_dir[len(root):]
+-		except: # pragma: no cover
+-			print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
+-		print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
+-		with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
+-			lines = fn.readlines()
+-		fn = None
+-		if not dry_run:
+-			fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
+-		try:
+-			for ln in lines:
+-				ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
+-				if dry_run:
+-					sys.stdout.write(' | ' + ln)
+-					continue
+-				fn.write(ln)
+-		finally:
+-			if fn: fn.close()
+-		if dry_run:
+-			print(' `')
+-
+-
+-# Wrapper to specify fail2ban own options:
+-class install_command_f2b(install):
+-	user_options = install.user_options + [
+-		('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+-		('without-tests', None, 'without tests files installation'),
+-	]
+-	def initialize_options(self):
+-		self.disable_2to3 = None
+-		self.without_tests = None
+-		install.initialize_options(self)
+-	def finalize_options(self):
+-		global _2to3
+-		## in the test cases 2to3 should be already done (fail2ban-2to3):
+-		if self.disable_2to3:
+-			_2to3 = False
+-		if _2to3:
+-			cmdclass = self.distribution.cmdclass
+-			cmdclass['build_py'] = build_py_2to3
+-			cmdclass['build_scripts'] = build_scripts_2to3
+-		if self.without_tests:
+-			self.distribution.scripts.remove('bin/fail2ban-testcases')
+-
+-			self.distribution.packages.remove('fail2ban.tests')
+-			self.distribution.packages.remove('fail2ban.tests.action_d')
+-
+-			del self.distribution.package_data['fail2ban.tests']
+-		install.finalize_options(self)
+-	def run(self):
+-		install.run(self)
+-
+-
+-# Update fail2ban-python env to current python version (where f2b-modules located/installed)
+-updatePyExec(os.path.join(source_dir, 'bin'))
+-
+-if setuptools and "test" in sys.argv:
+-	import logging
+-	logSys = logging.getLogger("fail2ban")
+-	hdlr = logging.StreamHandler(sys.stdout)
+-	fmt = logging.Formatter("%(asctime)-15s %(message)s")
+-	hdlr.setFormatter(fmt)
+-	logSys.addHandler(hdlr)
+-	if set(["-q", "--quiet"]) & set(sys.argv):
+-		logSys.setLevel(logging.CRITICAL)
+-		warnings.simplefilter("ignore")
+-		sys.warnoptions.append("ignore")
+-	elif set(["-v", "--verbose"]) & set(sys.argv):
+-		logSys.setLevel(logging.DEBUG)
+-	else:
+-		logSys.setLevel(logging.INFO)
+-elif "test" in sys.argv:
+-	print("python distribute required to execute fail2ban tests")
+-	print("")
+-
+-longdesc = '''
+-Fail2Ban scans log files like /var/log/pwdfail or
+-/var/log/apache/error_log and bans IP that makes
+-too many password failures. It updates firewall rules
+-to reject the IP address or executes user defined
+-commands.'''
+-
+-if setuptools:
+-	setup_extra = {
+-		'test_suite': "fail2ban.tests.utils.gatherTests",
+-		'use_2to3': True,
+-	}
+-else:
+-	setup_extra = {}
+-
+-data_files_extra = []
+-if os.path.exists('/var/run'):
+-	# if we are on the system with /var/run -- we are to use it for having fail2ban/
+-	# directory there for socket file etc.
+-	# realpath is used to possibly resolve /var/run -> /run symlink
+-	data_files_extra += [(realpath('/var/run/fail2ban'), '')]
+-
+-# Installing documentation files only under Linux or other GNU/ systems
+-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
+-# installation there (see e.g. #1233)
+-platform_system = platform.system().lower()
+-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
+-if platform_system in ('solaris', 'sunos'):
+-	doc_files.append('README.Solaris')
+-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
+-	data_files_extra.append(
+-		('/usr/share/doc/fail2ban', doc_files)
+-	)
+-
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+-
+-setup(
+-	name = "fail2ban",
+-	version = version,
+-	description = "Ban IPs that make too many password failures",
+-	long_description = longdesc,
+-	author = "Cyril Jaquier & Fail2Ban Contributors",
+-	author_email = "cyril.jaquier@fail2ban.org",
+-	url = "http://www.fail2ban.org",
+-	license = "GPL",
+-	platforms = "Posix",
+-	cmdclass = {
+-		'build_py': build_py, 'build_scripts': build_scripts,
+-		'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+-	},
+-	scripts = [
+-		'bin/fail2ban-client',
+-		'bin/fail2ban-server',
+-		'bin/fail2ban-regex',
+-		'bin/fail2ban-testcases',
+-		# 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
+-	],
+-	packages = [
+-		'fail2ban',
+-		'fail2ban.client',
+-		'fail2ban.server',
+-		'fail2ban.tests',
+-		'fail2ban.tests.action_d',
+-	],
+-	package_data = {
+-		'fail2ban.tests':
+-			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+-				for w in os.walk('fail2ban/tests/files')
+-				for f in w[2]] +
+-			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+-				for w in os.walk('fail2ban/tests/config')
+-				for f in w[2]] +
+-			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+-				for w in os.walk('fail2ban/tests/action_d')
+-				for f in w[2]]
+-	},
+-	data_files = [
+-		('/etc/fail2ban',
+-			glob("config/*.conf")
+-		),
+-		('/etc/fail2ban/filter.d',
+-			glob("config/filter.d/*.conf")
+-		),
+-		('/etc/fail2ban/filter.d/ignorecommands',
+-			[p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
+-		),
+-		('/etc/fail2ban/action.d',
+-			glob("config/action.d/*.conf") +
+-			glob("config/action.d/*.py")
+-		),
+-		('/etc/fail2ban/fail2ban.d',
+-			''
+-		),
+-		('/etc/fail2ban/jail.d',
+-			''
+-		),
+-		('/var/lib/fail2ban',
+-			''
+-		),
+-	] + data_files_extra,
+-	**setup_extra
+-)
+-
+-# Do some checks after installation
+-# Search for obsolete files.
+-obsoleteFiles = []
+-elements = {
+-	"/etc/":
+-		[
+-			"fail2ban.conf"
+-		],
+-	"/usr/bin/":
+-		[
+-			"fail2ban.py"
+-		],
+-	"/usr/lib/fail2ban/":
+-		[
+-			"version.py",
+-			"protocol.py"
+-		]
+-}
+-
+-for directory in elements:
+-	for f in elements[directory]:
+-		path = join(directory, f)
+-		if isfile(path):
+-			obsoleteFiles.append(path)
+-
+-if obsoleteFiles:
+-	print("")
+-	print("Obsolete files from previous Fail2Ban versions were found on "
+-		  "your system.")
+-	print("Please delete them:")
+-	print("")
+-	for f in obsoleteFiles:
+-		print("\t" + f)
+-	print("")
+-
+-if isdir("/usr/lib/fail2ban"):
+-	print("")
+-	print("Fail2ban is not installed under /usr/lib anymore. The new "
+-		  "location is under /usr/share. Please remove the directory "
+-		  "/usr/lib/fail2ban and everything under this directory.")
+-	print("")
+-
+-# Update config file
+-if sys.argv[1] == "install":
+-	print("")
+-	print("Please do not forget to update your configuration files.")
+-	print("They are in \"/etc/fail2ban/\".")
+-	print("")
+-	print("You can also install systemd service-unit file from \"build/fail2ban.service\"")
+-	print("resp. corresponding init script from \"files/*-initd\".")
+-	print("")
+-- 
+2.17.1
+
diff --git a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py b/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
index a5d4ed6..e231949 100755
--- a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
+++ b/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
@@ -1,4 +1,3 @@
-#!/usr/bin/env python
 # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
 # vi: set ft=python sts=4 ts=4 sw=4 noet :
 
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
index 53f94ff..e737f50 100644
--- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
+++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
@@ -9,13 +9,12 @@
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
 
-SRCREV ="aa565eb80ec6043317e8430cabcaf9c3f4e61578"
-SRC_URI = " \
-	git://github.com/fail2ban/fail2ban.git;branch=0.11 \
-	file://initd \
+SRCREV ="3befbb177017957869425c81a560edb8e27db75a"
+SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
+        file://initd \
         file://fail2ban_setup.py \
         file://run-ptest \
-        file://0001-To-fix-build-error-of-xrang.patch \
+        file://0001-python3-fail2ban-2-3-conversion.patch \
 "
 
 inherit update-rc.d ptest setuptools3
@@ -27,16 +26,16 @@
 }
 
 do_install_append () {
-	install -d ${D}/${sysconfdir}/fail2ban
-	install -d ${D}/${sysconfdir}/init.d
-    	install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
-	chown -R root:root ${D}/${bindir}
+    install -d ${D}/${sysconfdir}/fail2ban
+    install -d ${D}/${sysconfdir}/init.d
+    install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+    chown -R root:root ${D}/${bindir}
 }
 
 do_install_ptest_append () {
-        install -d ${D}${PTEST_PATH}
-        sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
-        install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
+    install -d ${D}${PTEST_PATH}
+    sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+    install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
 }
 
 FILES_${PN} += "/run"
@@ -47,5 +46,6 @@
 
 INSANE_SKIP_${PN}_append = "already-stripped"
 
-RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify"
+RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
+RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json"
 RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
similarity index 68%
rename from meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb
rename to meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
index 98f895c..f9ca092 100644
--- a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb
+++ b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
@@ -4,7 +4,7 @@
 LICENSE = "Apache-2.0"
 
 SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
-SRCREV = "c9280f43610ce896f91eafd0f740a4eb4dcecedd"
+SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
 
 DEPENDS = "libpam"
 
@@ -14,7 +14,10 @@
 
 REQUIRED_DISTRO_FEATURES = "pam"
 
+# Use the same dir location as PAM
+EXTRA_OECONF = "--libdir=${base_libdir}" 
+
 PACKAGES += "pam-google-authenticator"
-FILES_pam-google-authenticator = "${libdir}/security/pam_google_authenticator.so"
+FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
 
 RDEPNEDS_pam-google-authenticator  = "libpam"
diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-security/images/security-client-image.bb
index 1a92479..f4ebc69 100644
--- a/meta-security/recipes-security/images/security-client-image.bb
+++ b/meta-security/recipes-security/images/security-client-image.bb
@@ -5,8 +5,7 @@
     packagegroup-core-boot \
     os-release \
     samhain-client \
-    ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \
-    ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+    ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
 
 IMAGE_LINGUAS ?= " "
 
diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-security/images/security-server-image.bb
index 502b5c1..4927e0e 100644
--- a/meta-security/recipes-security/images/security-server-image.bb
+++ b/meta-security/recipes-security/images/security-server-image.bb
@@ -6,8 +6,7 @@
     packagegroup-base \
     packagegroup-core-boot \
     samhain-server \
-    os-release \
-    ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+    os-release "
 
 IMAGE_LINGUAS ?= " "
 
diff --git a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
deleted file mode 100644
index a53433f..0000000
--- a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 1ecdddb2a5b61cf527d1f238f88a9d129239f87a Mon Sep 17 00:00:00 2001
-From: Paul Moore <paul@paul-moore.com>
-Date: Tue, 5 Nov 2019 15:11:11 -0500
-Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
-
-We recently changed how libseccomp handles syscall numbers that are
-not defined natively, but we missed test #15.
-
-Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
-
-Upstream-Status: Backport
-[https://github.com/seccomp/libseccomp/commit/1ecdddb2a5b61cf527d1f238f88a9d129239f87a]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- tests/15-basic-resolver.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
-index 6badef1..0c1eefe 100644
---- a/tests/15-basic-resolver.c
-+++ b/tests/15-basic-resolver.c
-@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
- 	unsigned int arch;
- 	char *name = NULL;
- 
--	if (seccomp_syscall_resolve_name("open") != __NR_open)
-+	if (seccomp_syscall_resolve_name("open") != __SNR_open)
- 		goto fail;
--	if (seccomp_syscall_resolve_name("read") != __NR_read)
-+	if (seccomp_syscall_resolve_name("read") != __SNR_read)
- 		goto fail;
- 	if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
- 		goto fail;
- 
- 	rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
--	if (rc != __NR_openat)
-+	if (rc != __SNR_openat)
- 		goto fail;
- 
- 	while ((arch = arch_list[iter++]) != -1) {
--- 
-2.17.1
-
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
similarity index 90%
rename from meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
rename to meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
index 07db82a..9ca41e6 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
@@ -4,10 +4,9 @@
 LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
 
-SRCREV = "1b6cfd1fc0b7499a28c24299a93a80bd18619563"
+SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427"
 
 SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
-           file://0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch \
            file://run-ptest \
 "
 
diff --git a/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch b/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
new file mode 100644
index 0000000..e350baf
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
@@ -0,0 +1,25 @@
+When calculate value of ldblibdir, it checks whether the directory of
+$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
+suitable for cross compile. Fix it that only re-assign ldblibdir when its value
+is empty.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/external/libldb.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
+index c400add..5e5f06d 100644
+--- a/src/external/libldb.m4
++++ b/src/external/libldb.m4
+@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
+     ldblibdir=$with_ldb_lib_dir
+ else
+     ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
+-    if ! test -d $ldblibdir; then
++    if test -z $ldblibdir; then
+         ldblibdir="${libdir}/ldb"
+     fi
+ fi
diff --git a/meta-security/recipes-security/sssd/files/volatiles.99_sssd b/meta-security/recipes-security/sssd/files/volatiles.99_sssd
new file mode 100644
index 0000000..2a82413
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/volatiles.99_sssd
@@ -0,0 +1 @@
+d root root 0750 /var/log/sssd none
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
index 089a99e..7ea1586 100644
--- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb
+++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
@@ -8,13 +8,21 @@
 DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
 DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
 
-SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
-            file://sssd.conf "
+# If no crypto has been selected, default to DEPEND on nss, since that's what
+# sssd will pick if no active choice is made during configure
+DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
+               bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
+
+SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
+           file://sssd.conf \
+           file://volatiles.99_sssd \
+           file://fix-ldblibdir.patch \
+           "
 
 SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
 SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
 
-inherit autotools pkgconfig gettext python-dir features_check
+inherit autotools pkgconfig gettext python3-dir features_check systemd
 
 REQUIRED_DISTRO_FEATURES = "pam"
 
@@ -22,29 +30,37 @@
 SSSD_GID ?= "root"
 
 CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
-    ac_cv_path_NSUPDATE=${bindir} \
-    ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+    ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
     "
 
-PACKAGECONFIG ?="nss nscd"
+PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
+PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
+PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson"
+PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
+PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
 PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
 PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
-PACKAGECONFIG[python2] = "--with-python2-bindings, --without-python2-bindings"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
-PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir="
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl"
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
 
-EXTRA_OECONF += "--disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --without-ipa-getkeytab"
+EXTRA_OECONF += " \
+    --disable-cifs-idmap-plugin \
+    --without-nfsv4-idmapd-plugin \
+    --without-ipa-getkeytab \
+    --without-python2-bindings \
+    --enable-pammoddir=${base_libdir}/security \
+    --without-python2-bindings \
+"
 
 do_configure_prepend() {
     mkdir -p ${AUTOTOOLS_AUXDIR}/build
@@ -59,6 +75,12 @@
     rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
     install -d ${D}/${sysconfdir}/${BPN}
     install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+    install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+    fi
 
     # Remove /var/run as it is created on startup
     rm -rf ${D}${localstatedir}/run
@@ -76,10 +98,24 @@
 
 INITSCRIPT_NAME = "sssd"
 INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
+SYSTEMD_SERVICE_${PN} = " \
+    ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+    sssd-nss.service \
+    sssd-nss.socket \
+    sssd-pam-priv.socket \
+    sssd-pam.service \
+    sssd-pam.socket \
+    sssd-secrets.service \
+    sssd-secrets.socket \
+    sssd.service \
+"
 SYSTEMD_AUTO_ENABLE = "disable"
 
-FILES_${PN} += "${libdir} ${datadir} /run ${libdir}/*.so* "
+FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
 FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
 
 # The package contains symlinks that trip up insane