meta-security: subtree update:b72cc7f87c..95fe86eb98
André Draszik (1):
linux-yocto: update the bbappend to 5.x
Armin Kuster (36):
README: add pull request option
sssd: drop py2 support
python3-fail2ban: update to latest
Apparmor: fix some runtime depends
linux-yocto-dev: remove "+"
checksecurity: fix runtime issues
buck-security: fix rdebends and minor style cleanup
swtpm: fix configure error
ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
bastille: convert to py3
tpm2-tools: update to 4.1.1
tpm2-tcti-uefi: fix build issue for i386 machine
tpm2-tss: update to 2.3.2
ibmswtpm2: update to 1563
python3-fail2ban: add 2-3 conversion changes
google-authenticator-libpam: install module in pam location
apparmor: update to tip
clamav: add bison-native to depend
meta-security-isafw: import layer from Intel
isafw: fix to work against master
layer.conf: add zeus
README.md: update to new maintainer
clamav-native: missed bison fix
secuirty*-image: remove dead var and minor cleanup
libtpm: fix build issue over pod2man
sssd: python2 not supported
libseccomp: update to 2.4.3
lynis: add missing rdepends
fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
chkrootkit: add rootkit recipe
clamav: move to recipes-scanners
checksec: move to recipe-scanners
checksecurity: move to recipes-scanners
buck-security: move to recipes-scanners
arpwatch: add new recipe
buck-security: fix runtime issue with missing per module
Bartosz Golaszewski (3):
linux: drop the bbappend for linux v4.x series
classes: provide a class for generating dm-verity meta-data images
dm-verity: add a working example for BeagleBone Black
Haseeb Ashraf (1):
samhain: dnmalloc hash fix for aarch64 and mips64
Jan Luebbe (2):
apparmor: fix wrong executable permission on service file
apparmor: update to 2.13.4
Jonatan Pålsson (10):
README: Add meta-python to list of layer deps
sssd: Add PACKAGECONFIG for python2
sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
sssd: DEPEND on nss if nothing else is chosen
sssd: Sort PACKAGECONFIG entries
sssd: Add autofs PACKAGECONFIG
sssd: Add sudo PACKAGECONFIG
sssd: Add missing files to SYSTEMD_SERVICE
sssd: Add missing DEPENDS on jansson
sssd: Add infopipe PACKAGECONFIG
Kai Kang (1):
sssd: fix for ldblibdir and systemd etc
Martin Jansa (1):
layer.conf: update LAYERSERIES_COMPAT for dunfell
Mingli Yu (1):
linux-yocto: update the bbappend to 5.x
Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
google-authenticator-libpam: upgrade 1.07 -> 1.08
Yi Zhao (5):
samhain: fix build with new version attr
scap-security-guide: fix xml parsing error when build remediation files
scap-security-guide: pass the correct schema file path to openscap-native
openscap-daemon: add missing runtime dependencies
samhain-server: add volatile file for systemd
Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-security/recipes-security/bastille/files/set_required_questions.py b/meta-security/recipes-security/bastille/files/set_required_questions.py
index 4a28358..f306109 100755
--- a/meta-security/recipes-security/bastille/files/set_required_questions.py
+++ b/meta-security/recipes-security/bastille/files/set_required_questions.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
#Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
@@ -83,7 +83,7 @@
@param name qlabel The question label for which the distro is to be added.
"""
questions_in = open(qfile)
- questions_out = tempfile.NamedTemporaryFile(delete=False)
+ questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False)
for l in add_requires(qlabel, distro, questions_in):
questions_out.write(l)
questions_out.close()
diff --git a/meta-security/recipes-security/buck-security/buck-security_0.7.bb b/meta-security/recipes-security/buck-security/buck-security_0.7.bb
deleted file mode 100644
index 3733c88..0000000
--- a/meta-security/recipes-security/buck-security/buck-security_0.7.bb
+++ /dev/null
@@ -1,63 +0,0 @@
-SUMMARY = "Linux security scanner"
-DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux \
-system. This enables you to quickly overview the security status of your Linux system."
-SECTION = "security"
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-RDEPENDS_${PN} = "coreutils \
- gnupg \
- net-tools \
- perl \
- perl-module-data-dumper \
- perl-module-file-basename \
- perl-module-file-spec \
- perl-module-getopt-long \
- perl-module-lib \
- perl-module-posix \
- perl-module-term-ansicolor \
- perl-module-time-localtime \
- pinentry \
- "
-
-RDEPENDS_${PN}_class-native = "coreutils \
- net-tools \
- perl \
- perl-module-data-dumper \
- perl-module-file-basename \
- perl-module-file-spec \
- perl-module-getopt-long \
- perl-module-lib \
- perl-module-posix \
- perl-module-term-ansicolor \
- perl-module-time-localtime \
- "
-
-SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz"
-
-SRC_URI[md5sum] = "611a3e9bb7ed8a8270aa15216c321c53"
-SRC_URI[sha256sum] = "c533c6631ec3554dd8d39d2d1c3ed44badbbf50810ebb75469c74639fa294b01"
-
-S = "${WORKDIR}/${BPN}_${PV}"
-
-do_configure() {
- :
-}
-
-do_compile() {
- :
-}
-
-do_install() {
- install -d ${D}${bindir}/buck
- cp -r ${S}/* ${D}${bindir}/buck
- cp -r ${S}/buck-security ${D}${bindir}
- sed -i 's!use lib "checks"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks")!' ${D}${bindir}/buck-security
- sed -i 's!use lib "checks/lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks/lib")!' ${D}${bindir}/buck-security
- sed -i 's!use lib "lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/lib")!' ${D}${bindir}/buck-security
- sed -i 's!my $buck_root = "."!my $buck_root = File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck")!' ${D}${bindir}/buck-security
-
-}
-
-FILES_${PN} = "${bindir}/*"
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/checksec/checksec_2.1.0.bb b/meta-security/recipes-security/checksec/checksec_2.1.0.bb
deleted file mode 100644
index b67c98b..0000000
--- a/meta-security/recipes-security/checksec/checksec_2.1.0.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-SUMMARY = "Linux system security checks"
-DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD"
-HOMEPAGE="https://github.com/slimm609/checksec.sh"
-
-LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a"
-
-SRCREV = "04582bad41589ad479ca8b1f0170ed317475b5a5"
-SRC_URI = "git://github.com/slimm609/checksec.sh"
-
-S = "${WORKDIR}/git"
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 ${S}/checksec ${D}${bindir}
-}
-
-RDEPENDS_${PN} = "bash openssl-bin binutils"
diff --git a/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb b/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb
deleted file mode 100644
index 030bf25..0000000
--- a/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb
+++ /dev/null
@@ -1,21 +0,0 @@
-SUMMARY = "basic system security checks"
-DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
-SECTION = "security"
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
- file://setuid-log-folder.patch \
- file://check-setuid-use-more-portable-find-args.patch"
-
-SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
-SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
-
-do_compile() {
-}
-
-do_install() {
- oe_runmake PREFIX=${D}
-}
-
-RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob util-linux findutils coreutils"
diff --git a/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
deleted file mode 100644
index f1fe8ed..0000000
--- a/meta-security/recipes-security/checksecurity/files/check-setuid-use-more-portable-find-args.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
-From: Christopher Larson <chris_larson@mentor.com>
-Date: Wed, 5 Sep 2018 23:21:43 +0500
-Subject: [PATCH] check-setuid: use more portable find args
-
-Signed-off-by: Christopher Larson <chris_larson@mentor.com>
----
- plugins/check-setuid | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-Index: checksecurity-2.0.15/plugins/check-setuid
-===================================================================
---- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500
-+++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500
-@@ -99,7 +99,7 @@
- ionice -t -c3 \
- find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
- -xdev $PATHCHK \
-- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \
-+ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
- $DEVCHK \) \) \
- -ignore_readdir_race \
- -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
diff --git a/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch b/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch
deleted file mode 100644
index 540ea9c..0000000
--- a/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Thu, 20 Jun 2013 15:14:55 +0300
-Subject: [PATCH] changed log folder for check-setuid
-
-check-setuid was creating logs in /var/log directory,
-which cannot be created persistently. To avoid errors
-the log folder was changed to /etc/checksecurity/.
-
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
----
- etc/check-setuid.conf | 2 +-
- plugins/check-setuid | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf
-index 621336f..e1532c0 100644
---- a/etc/check-setuid.conf
-+++ b/etc/check-setuid.conf
-@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false"
- #
- # Location of setuid file databases.
- #
--LOGDIR=/var/log/setuid
-+LOGDIR=/etc/checksecurity/
-diff --git a/plugins/check-setuid b/plugins/check-setuid
-index 8d6f90b..bdb21c1 100755
---- a/plugins/check-setuid
-+++ b/plugins/check-setuid
-@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then
- exit 1
- fi
-
--TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
--TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp
-+TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp
-+TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp
-
- #
- # Check for NFS/AFS mounts that are not nosuid/nodev
-@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
- fi
-
- # Guard against undefined vars
--[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
-+[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/
- if [ ! -e "$LOGDIR" ] ; then
- echo "ERROR: Log directory $LOGDIR does not exist"
- exit 1
---
-1.7.9.5
-
diff --git a/meta-security/recipes-security/clamav/clamav_0.101.5.bb b/meta-security/recipes-security/clamav/clamav_0.101.5.bb
deleted file mode 100644
index a4c32e1..0000000
--- a/meta-security/recipes-security/clamav/clamav_0.101.5.bb
+++ /dev/null
@@ -1,169 +0,0 @@
-SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface"
-DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats."
-HOMEPAGE = "http://www.clamav.net/index.html"
-SECTION = "security"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "libtool db libxml2 openssl zlib curl llvm clamav-native libmspack"
-DEPENDS_class-native = "db-native openssl-native zlib-native llvm-native curl-native"
-
-LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
-
-SRCREV = "482fcd413b07e9fd3ef9850e6d01a45f4e187108"
-
-SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.101 \
- file://clamd.conf \
- file://freshclam.conf \
- file://volatiles.03_clamav \
- file://tmpfiles.clamav \
- file://${BPN}.service \
- file://freshclam-native.conf \
- "
-
-S = "${WORKDIR}/git"
-
-LEAD_SONAME = "libclamav.so"
-SO_VER = "9.0.2"
-
-inherit autotools pkgconfig useradd systemd
-
-CLAMAV_UID ?= "clamav"
-CLAMAV_GID ?= "clamav"
-INSTALL_CLAMAV_CVD ?= "1"
-
-CLAMAV_USR_DIR = "${STAGING_DIR_NATIVE}/usr"
-CLAMAV_USR_DIR_class-target = "${STAGING_DIR_HOST}/usr"
-
-PACKAGECONFIG_class-target ?= "ncurses bz2"
-PACKAGECONFIG_class-target += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
-PACKAGECONFIG_class-target += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre"
-PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json-c,"
-PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
-PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${CLAMAV_USR_DIR}, --disable-bzip2, bzip2"
-PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${CLAMAV_USR_DIR}, --without-libncurses-prefix, ncurses, "
-PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, "
-
-EXTRA_OECONF_CLAMAV = "--without-libcheck-prefix --disable-unrar \
- --disable-mempool \
- --program-prefix="" \
- --disable-zlib-vcheck \
- --with-xml=${CLAMAV_USR_DIR} \
- --with-zlib=${CLAMAV_USR_DIR} \
- --with-openssl=${CLAMAV_USR_DIR} \
- --with-libcurl=${CLAMAV_USR_DIR} \
- --with-system-libmspack=${CLAMAV_USR_DIR} \
- --with-iconv=no \
- --enable-check=no \
- "
-
-EXTRA_OECONF_class-native += "${EXTRA_OECONF_CLAMAV}"
-EXTRA_OECONF_class-target += "--with-user=${CLAMAV_UID} --with-group=${CLAMAV_GID} ${EXTRA_OECONF_CLAMAV}"
-
-do_configure () {
- ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
-}
-
-do_configure_class-native () {
- ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
-}
-
-do_compile_append_class-target() {
- if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
- bbnote "CLAMAV creating cvd"
- install -d ${S}/clamav_db
- ${STAGING_BINDIR_NATIVE}/freshclam --datadir=${S}/clamav_db --config=${WORKDIR}/freshclam-native.conf
- fi
-}
-
-do_install_append_class-target () {
- install -d ${D}/${sysconfdir}
- install -d ${D}/${localstatedir}/lib/clamav
- install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
-
- install -m 644 ${WORKDIR}/clamd.conf ${D}/${sysconfdir}
- install -m 644 ${WORKDIR}/freshclam.conf ${D}/${sysconfdir}
- install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
- sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
- rm ${D}/${libdir}/libclamav.so
- install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
- install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
- install -d ${D}${sysconfdir}/tmpfiles.d
- install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
- fi
-}
-
-pkg_postinst_ontarget_${PN} () {
- if command -v systemd-tmpfiles >/dev/null; then
- systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
- elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
- ${sysconfdir}/init.d/populate-volatile.sh update
- fi
- mkdir -p ${localstatedir}/lib/clamav
- chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav
-}
-
-
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc ${PN}-cvd \
- ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
-
-FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \
- ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \
- ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \
- ${docdir}/clamav/* "
-
-FILES_${PN}-clamdscan = " ${bindir}/clamdscan \
- ${docdir}/clamdscan/* \
- ${mandir}/man1/clamdscan* \
- "
-
-FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
- ${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \
- ${mandir}/man5/clamd* ${mandir}/man8/clamd* \
- ${sysconfdir}/clamd.conf* \
- ${systemd_unitdir}/system/clamav-daemon/* \
- ${docdir}/clamav-daemon/* ${sysconfdir}/clamav-daemon \
- ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon "
-
-FILES_${PN}-freshclam = "${bindir}/freshclam \
- ${sysconfdir}/freshclam.conf* \
- ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
- ${sysconfdir}/tmpfiles.d/*.conf \
- ${localstatedir}/lib/clamav \
- ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
- ${mandir}/man5/freshclam.conf.* \
- ${systemd_unitdir}/system/clamav-freshclam.service"
-
-FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
- ${libdir}/pkgconfig/*.pc \
- ${mandir}/man1/clamav-config.* \
- ${includedir}/*.h ${docdir}/libclamav* "
-
-FILES_${PN}-staticdev = "${libdir}/*.a"
-
-FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so*\
- ${docdir}/libclamav/* "
-
-FILES_${PN}-doc = "${mandir}/man/* \
- ${datadir}/man/* \
- ${docdir}/* "
-
-FILES_${PN}-cvd = "${localstatedir}/lib/clamav/*.cvd ${localstatedir}/lib/clamav/*.dat"
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}"
-USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir \
- ${localstatedir}/spool/${BPN} \
- --no-create-home --shell /bin/false ${BPN}"
-
-RPROVIDES_${PN} += "${PN}-systemd"
-RREPLACES_${PN} += "${PN}-systemd"
-RCONFLICTS_${PN} += "${PN}-systemd"
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
-
-RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav"
-RDEPENDS_${PN}_class-native = ""
-
-BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/clamav/files/clamav-freshclam.service b/meta-security/recipes-security/clamav/files/clamav-freshclam.service
deleted file mode 100644
index 0c909fb..0000000
--- a/meta-security/recipes-security/clamav/files/clamav-freshclam.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=ClamAV virus database updater
-Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/
-# If user wants it run from cron, don't start the daemon.
-ConditionPathExists=!/etc/cron.d/clamav-freshclam
-
-[Service]
-ExecStart=/usr/bin/freshclam -d --foreground=true
-StandardOutput=syslog
-
-[Install]
-WantedBy=multi-user.target
diff --git a/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample b/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample
deleted file mode 100644
index ed0d519..0000000
--- a/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample
+++ /dev/null
@@ -1,293 +0,0 @@
-##
-## Example config file for clamav-milter
-##
-
-# Comment or remove the line below.
-Example
-
-
-##
-## Main options
-##
-
-# Define the interface through which we communicate with sendmail
-# This option is mandatory! Possible formats are:
-# [[unix|local]:]/path/to/file - to specify a unix domain socket
-# inet:port@[hostname|ip-address] - to specify an ipv4 socket
-# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
-#
-# Default: no default
-#MilterSocket /tmp/clamav-milter.socket
-#MilterSocket inet:7357
-
-# Define the group ownership for the (unix) milter socket.
-# Default: disabled (the primary group of the user running clamd)
-#MilterSocketGroup virusgroup
-
-# Sets the permissions on the (unix) milter socket to the specified mode.
-# Default: disabled (obey umask)
-#MilterSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-#
-# Default: yes
-#FixStaleSocket yes
-
-# Run as another user (clamav-milter must be started by root for this option to work)
-#
-# Default: unset (don't drop privileges)
-#User clamav
-
-# Initialize supplementary group access (clamav-milter must be started by root).
-#
-# Default: no
-#AllowSupplementaryGroups no
-
-# Waiting for data from clamd will timeout after this time (seconds).
-# Value of 0 disables the timeout.
-#
-# Default: 120
-#ReadTimeout 300
-
-# Don't fork into background.
-#
-# Default: no
-#Foreground yes
-
-# Chroot to the specified directory.
-# Chrooting is performed just after reading the config file and before dropping privileges.
-#
-# Default: unset (don't chroot)
-#Chroot /newroot
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-#
-# Default: disabled
-#PidFile /var/run/clamav/clamav-milter.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-#
-#TemporaryDirectory /var/tmp
-
-##
-## Clamd options
-##
-
-# Define the clamd socket to connect to for scanning.
-# This option is mandatory! Syntax:
-# ClamdSocket unix:path
-# ClamdSocket tcp:host:port
-# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
-# ClamdSocket unix:/var/run/clamd/clamd.socket
-# The second syntax specifies a tcp local or remote tcp socket: the
-# host can be a hostname or an ip address; the ":port" field is only required
-# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
-# ClamdSocket tcp:192.168.0.1
-#
-# This option can be repeated several times with different sockets or even
-# with the same socket: clamd servers will be selected in a round-robin fashion.
-#
-# Default: no default
-ClamdSocket /var/run/clamav/clamd
-
-
-##
-## Exclusions
-##
-
-# Messages originating from these hosts/networks will not be scanned
-# This option takes a host(name)/mask pair in CIRD notation and can be
-# repeated several times. If "/mask" is omitted, a host is assumed.
-# To specify a locally orignated, non-smtp, email use the keyword "local"
-#
-# Default: unset (scan everything regardless of the origin)
-#LocalNet local
-#LocalNet 192.168.0.0/24
-#LocalNet 1111:2222:3333::/48
-
-# This option specifies a file which contains a list of basic POSIX regular
-# expressions. Addresses (sent to or from - see below) matching these regexes
-# will not be scanned. Optionally each line can start with the string "From:"
-# or "To:" (note: no whitespace after the colon) indicating if it is,
-# respectively, the sender or recipient that is to be whitelisted.
-# If the field is missing, "To:" is assumed.
-# Lines starting with #, : or ! are ignored.
-#
-# Default unset (no exclusion applied)
-#Whitelist /etc/whitelisted_addresses
-
-# Messages from authenticated SMTP users matching this extended POSIX
-# regular expression (egrep-like) will not be scanned.
-# As an alternative, a file containing a plain (not regex) list of names (one
-# per line) can be specified using the prefix "file:".
-# e.g. SkipAuthenticated file:/etc/good_guys
-#
-# Note: this is the AUTH login name!
-#
-# Default: unset (no whitelisting based on SMTP auth)
-#SkipAuthenticated ^(tom|dick|henry)$
-
-# Messages larger than this value won't be scanned.
-# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
-#
-# Default: 25M
-#MaxFileSize 10M
-
-
-##
-## Actions
-##
-
-# The following group of options controls the delievery process under
-# different circumstances.
-# The following actions are available:
-# - Accept
-# The message is accepted for delievery
-# - Reject
-# Immediately refuse delievery (a 5xx error is returned to the peer)
-# - Defer
-# Return a temporary failure message (4xx) to the peer
-# - Blackhole (not available for OnFail)
-# Like Accept but the message is sent to oblivion
-# - Quarantine (not available for OnFail)
-# Like Accept but message is quarantined instead of being delivered
-#
-# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
-# For Postfix this causes the message to be placed on hold
-#
-# Action to be performed on clean messages (mostly useful for testing)
-# Default: Accept
-#OnClean Accept
-
-# Action to be performed on infected messages
-# Default: Quarantine
-#OnInfected Quarantine
-
-# Action to be performed on error conditions (this includes failure to
-# allocate data structures, no scanners available, network timeouts,
-# unknown scanner replies and the like)
-# Default: Defer
-#OnFail Defer
-
-# This option allows to set a specific rejection reason for infected messages
-# and it's therefore only useful together with "OnInfected Reject"
-# The string "%v", if present, will be replaced with the virus name.
-# Default: MTA specific
-#RejectMsg
-
-# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
-# "X-Virus-Status" headers will be attached to each processed message, possibly
-# replacing existing headers.
-# If it is set to Add, the X-Virus headers are added possibly on top of the
-# existing ones.
-# Note that while "Replace" can potentially break DKIM signatures, "Add" may
-# confuse procmail and similar filters.
-# Default: no
-#AddHeader Replace
-
-# When AddHeader is in use, this option allows to arbitrary set the reported
-# hostname. This may be desirable in order to avoid leaking internal names.
-# If unset the real machine name is used.
-# Default: disabled
-#ReportHostname my.mail.server.name
-
-# Execute a command (possibly searching PATH) when an infected message is found.
-# The following parameters are passed to the invoked program in this order:
-# virus name, queue id, sender, destination, subject, message id, message date.
-# Note #1: this requires MTA macroes to be available (see LogInfected below)
-# Note #2: the process is invoked in the context of clamav-milter
-# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
-# avoid unnecessary delays in email delievery
-# Default: disabled
-#VirusAction /usr/local/bin/my_infected_message_handler
-
-##
-## Logging options
-##
-
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-#
-# Default: disabled
-#LogFile /var/log/clamav/clamav-milter.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamav-milter multiple times.
-# This option disables log file locking.
-#
-# Default: no
-#LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-#
-# Default: 1M
-#LogFileMaxSize 2M
-
-# Log time with each message.
-#
-# Default: no
-#LogTime yes
-
-# Use system logger (can work together with LogFile).
-#
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-#
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-#
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# This option allows to tune what is logged when a message is infected.
-# Possible values are Off (the default - nothing is logged),
-# Basic (minimal info logged), Full (verbose info logged)
-# Note:
-# For this to work properly in sendmail, make sure the msg_id, mail_addr,
-# rcpt_addr and i macroes are available in eom. In other words add a line like:
-# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
-# to your .cf file. Alternatively use the macro:
-# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
-# Postfix should be working fine with the default settings.
-#
-# Default: disabled
-#LogInfected Basic
-
-# This option allows to tune what is logged when no threat is found in a scanned message.
-# See LogInfected for possible values and caveats.
-# Useful in debugging but drastically increases the log size.
-# Default: disabled
-#LogClean Basic
-
-# This option affects the behaviour of LogInfected, LogClean and VirusAction
-# when a message with multiple recipients is scanned:
-# If SupportMultipleRecipients is off (the default)
-# then one single log entry is generated for the message and, in case the
-# message is determined to be malicious, the command indicated by VirusAction
-# is executed just once. In both cases only the last recipient is reported.
-# If SupportMultipleRecipients is on:
-# then one line is logged for each recipient and the command indicated
-# by VirusAction is also executed once for each recipient.
-#
-# Note: although it's probably a good idea to enable this option, the default value
-# is currently set to off for legacy reasons.
-# Default: no
-#SupportMultipleRecipients yes
-
diff --git a/meta-security/recipes-security/clamav/files/clamav.service b/meta-security/recipes-security/clamav/files/clamav.service
deleted file mode 100644
index f13191f..0000000
--- a/meta-security/recipes-security/clamav/files/clamav.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=Clam AntiVirus userspace daemon
-Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/
-Requires=clamav-daemon.socket
-# Check for database existence
-ConditionPathExistsGlob=/usr/share/clamav/main.{c[vl]d,inc}
-ConditionPathExistsGlob=/usr/share/clamav/daily.{c[vl]d,inc}
-
-[Service]
-ExecStart=/usr/sbin/clamd --foreground=true
-# Reload the database
-ExecReload=/bin/kill -USR2 $MAINPID
-StandardOutput=syslog
-
-[Install]
-WantedBy=multi-user.target
-Also=clamav-daemon.socket
diff --git a/meta-security/recipes-security/clamav/files/clamd.conf b/meta-security/recipes-security/clamav/files/clamd.conf
deleted file mode 100644
index 0457785..0000000
--- a/meta-security/recipes-security/clamav/files/clamd.conf
+++ /dev/null
@@ -1,595 +0,0 @@
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-# Default: disabled
-LogFile /tmp/clamd.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamd multiple times (if want to run another clamd, please
-# copy the configuration file, change the LogFile variable, and run
-# the daemon with --config-file option).
-# This option disables log file locking.
-# Default: no
-LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Also log clean files. Useful in debugging but drastically increases the
-# log size.
-# Default: no
-#LogClean yes
-
-# Use system logger (can work together with LogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# Log additional information about the infected file, such as its
-# size and hash, together with the virus name.
-ExtendedDetectionInfo yes
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-# Default: disabled
-PidFile /var/run/clamd.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-TemporaryDirectory /var/tmp
-
-# Path to the database directory.
-# Default: hardcoded (depends on installation options)
-DatabaseDirectory /var/lib/clamav
-
-# Only load the official signatures published by the ClamAV project.
-# Default: no
-#OfficialDatabaseOnly no
-
-# The daemon can work in local mode, network mode or both.
-# Due to security reasons we recommend the local mode.
-
-# Path to a local socket file the daemon will listen on.
-# Default: disabled (must be specified by a user)
-LocalSocket /tmp/clamd.socket
-
-# Sets the group ownership on the unix socket.
-# Default: disabled (the primary group of the user running clamd)
-#LocalSocketGroup virusgroup
-
-# Sets the permissions on the unix socket to the specified mode.
-# Default: disabled (socket is world accessible)
-#LocalSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-# Default: yes
-#FixStaleSocket yes
-
-# TCP port address.
-# Default: no
-#TCPSocket 3310
-
-# TCP address.
-# By default we bind to INADDR_ANY, probably not wise.
-# Enable the following to provide some degree of protection
-# from the outside world. This option can be specified multiple
-# times if you want to listen on multiple IPs. IPv6 is now supported.
-# Default: no
-#TCPAddr 127.0.0.1
-
-# Maximum length the queue of pending connections may grow to.
-# Default: 200
-#MaxConnectionQueueLength 30
-
-# Clamd uses FTP-like protocol to receive data from remote clients.
-# If you are using clamav-milter to balance load between remote clamd daemons
-# on firewall servers you may need to tune the options below.
-
-# Close the connection when the data size limit is exceeded.
-# The value should match your MTA's limit for a maximum attachment size.
-# Default: 25M
-#StreamMaxLength 10M
-
-# Limit port range.
-# Default: 1024
-#StreamMinPort 30000
-# Default: 2048
-#StreamMaxPort 32000
-
-# Maximum number of threads running at the same time.
-# Default: 10
-#MaxThreads 20
-
-# Waiting for data from a client socket will timeout after this time (seconds).
-# Default: 120
-#ReadTimeout 300
-
-# This option specifies the time (in seconds) after which clamd should
-# timeout if a client doesn't provide any initial command after connecting.
-# Default: 5
-#CommandReadTimeout 5
-
-# This option specifies how long to wait (in miliseconds) if the send buffer is full.
-# Keep this value low to prevent clamd hanging
-#
-# Default: 500
-#SendBufTimeout 200
-
-# Maximum number of queued items (including those being processed by MaxThreads threads)
-# It is recommended to have this value at least twice MaxThreads if possible.
-# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
-# the following condition should hold:
-# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
-#
-# Default: 100
-#MaxQueue 200
-
-# Waiting for a new job will timeout after this time (seconds).
-# Default: 30
-#IdleTimeout 60
-
-# Don't scan files and directories matching regex
-# This directive can be used multiple times
-# Default: scan all
-#ExcludePath ^/proc/
-#ExcludePath ^/sys/
-
-# Maximum depth directories are scanned at.
-# Default: 15
-#MaxDirectoryRecursion 20
-
-# Follow directory symlinks.
-# Default: no
-#FollowDirectorySymlinks yes
-
-# Follow regular file symlinks.
-# Default: no
-#FollowFileSymlinks yes
-
-# Scan files and directories on other filesystems.
-# Default: yes
-#CrossFilesystems yes
-
-# Perform a database check.
-# Default: 600 (10 min)
-#SelfCheck 600
-
-# Execute a command when virus is found. In the command string %v will
-# be replaced with the virus name.
-# Default: no
-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
-
-# Run as another user (clamd must be started by root for this option to work)
-# Default: don't drop privileges
-User clamav
-
-# Initialize supplementary group access (clamd must be started by root).
-# Default: no
-#AllowSupplementaryGroups no
-
-# Stop daemon when libclamav reports out of memory condition.
-#ExitOnOOM yes
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Do not remove temporary files (for debug purposes).
-# Default: no
-#LeaveTemporaryFiles yes
-
-# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
-# any ALLMATCHSCAN command as invalid.
-# Default: yes
-#AllowAllMatchScan no
-
-# Detect Possibly Unwanted Applications.
-# Default: no
-#DetectPUA yes
-
-# Exclude a specific PUA category. This directive can be used multiple times.
-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
-# the complete list of PUA categories.
-# Default: Load all categories (if DetectPUA is activated)
-#ExcludePUA NetTool
-#ExcludePUA PWTool
-
-# Only include a specific PUA category. This directive can be used multiple
-# times.
-# Default: Load all categories (if DetectPUA is activated)
-#IncludePUA Spy
-#IncludePUA Scanner
-#IncludePUA RAT
-
-# In some cases (eg. complex malware, exploits in graphic files, and others),
-# ClamAV uses special algorithms to provide accurate detection. This option
-# controls the algorithmic detection.
-# Default: yes
-#AlgorithmicDetection yes
-
-# This option causes memory or nested map scans to dump the content to disk.
-# If you turn on this option, more data is written to disk and is available
-# when the LeaveTemporaryFiles option is enabled.
-#ForceToDisk yes
-
-# This option allows you to disable the caching feature of the engine. By
-# default, the engine will store an MD5 in a cache of any files that are
-# not flagged as virus or that hit limits checks. Disabling the cache will
-# have a negative performance impact on large scans.
-# Default: no
-#DisableCache yes
-
-##
-## Executable files
-##
-
-# PE stands for Portable Executable - it's an executable file format used
-# in all 32 and 64-bit versions of Windows operating systems. This option allows
-# ClamAV to perform a deeper analysis of executable files and it's also
-# required for decompression of popular executable packers such as UPX, FSG,
-# and Petite. If you turn off this option, the original files will still be
-# scanned, but without additional processing.
-# Default: yes
-#ScanPE yes
-
-# Certain PE files contain an authenticode signature. By default, we check
-# the signature chain in the PE file against a database of trusted and
-# revoked certificates if the file being scanned is marked as a virus.
-# If any certificate in the chain validates against any trusted root, but
-# does not match any revoked certificate, the file is marked as whitelisted.
-# If the file does match a revoked certificate, the file is marked as virus.
-# The following setting completely turns off authenticode verification.
-# Default: no
-#DisableCertCheck yes
-
-# Executable and Linking Format is a standard format for UN*X executables.
-# This option allows you to control the scanning of ELF files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanELF yes
-
-# With this option clamav will try to detect broken executables (both PE and
-# ELF) and mark them as Broken.Executable.
-# Default: no
-#DetectBrokenExecutables yes
-
-
-##
-## Documents
-##
-
-# This option enables scanning of OLE2 files, such as Microsoft Office
-# documents and .msi files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanOLE2 yes
-
-# With this option enabled OLE2 files with VBA macros, which were not
-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
-# Default: no
-#OLE2BlockMacros no
-
-# This option enables scanning within PDF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanPDF yes
-
-# This option enables scanning within SWF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanSWF yes
-
-
-##
-## Mail files
-##
-
-# Enable internal e-mail scanner.
-# If you turn off this option, the original files will still be scanned, but
-# without parsing individual messages/attachments.
-# Default: yes
-#ScanMail yes
-
-# Scan RFC1341 messages split over many emails.
-# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
-# WARNING: This option may open your system to a DoS attack.
-# Never use it on loaded servers.
-# Default: no
-#ScanPartialMessages yes
-
-# With this option enabled ClamAV will try to detect phishing attempts by using
-# signatures.
-# Default: yes
-#PhishingSignatures yes
-
-# Scan URLs found in mails for phishing attempts using heuristics.
-# Default: yes
-#PhishingScanURLs yes
-
-# Always block SSL mismatches in URLs, even if the URL isn't in the database.
-# This can lead to false positives.
-#
-# Default: no
-#PhishingAlwaysBlockSSLMismatch no
-
-# Always block cloaked URLs, even if URL isn't in database.
-# This can lead to false positives.
-#
-# Default: no
-#PhishingAlwaysBlockCloak no
-
-# Detect partition intersections in raw disk images using heuristics.
-# Default: no
-#PartitionIntersection no
-
-# Allow heuristic match to take precedence.
-# When enabled, if a heuristic scan (such as phishingScan) detects
-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
-# scan-time.
-# When disabled, virus/phish detected by heuristic scans will be reported only at
-# the end of a scan. If an archive contains both a heuristically detected
-# virus/phish, and a real malware, the real malware will be reported
-#
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
-# differently from "real" malware.
-# If a non-heuristically-detected virus (signature-based) is found first,
-# the scan is interrupted immediately, regardless of this config option.
-#
-# Default: no
-#HeuristicScanPrecedence yes
-
-
-##
-## Data Loss Prevention (DLP)
-##
-
-# Enable the DLP module
-# Default: No
-#StructuredDataDetection yes
-
-# This option sets the lowest number of Credit Card numbers found in a file
-# to generate a detect.
-# Default: 3
-#StructuredMinCreditCardCount 5
-
-# This option sets the lowest number of Social Security Numbers found
-# in a file to generate a detect.
-# Default: 3
-#StructuredMinSSNCount 5
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxx-yy-zzzz
-# Default: yes
-#StructuredSSNFormatNormal yes
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxxyyzzzz
-# Default: no
-#StructuredSSNFormatStripped yes
-
-
-##
-## HTML
-##
-
-# Perform HTML normalisation and decryption of MS Script Encoder code.
-# Default: yes
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-#ScanHTML yes
-
-
-##
-## Archives
-##
-
-# ClamAV can scan within archives and compressed files.
-# If you turn off this option, the original files will still be scanned, but
-# without unpacking and additional processing.
-# Default: yes
-#ScanArchive yes
-
-# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
-# Default: no
-#ArchiveBlockEncrypted no
-
-
-##
-## Limits
-##
-
-# The options below protect your system against Denial of Service attacks
-# using archive bombs.
-
-# This option sets the maximum amount of data to be scanned for each input file.
-# Archives and other containers are recursively extracted and scanned up to this
-# value.
-# Value of 0 disables the limit
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 100M
-#MaxScanSize 150M
-
-# Files larger than this limit won't be scanned. Affects the input file itself
-# as well as files contained inside it (when the input file is an archive, a
-# document or some other kind of container).
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 25M
-#MaxFileSize 30M
-
-# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
-# file, all files within it will also be scanned. This options specifies how
-# deeply the process should be continued.
-# Note: setting this limit too high may result in severe damage to the system.
-# Default: 16
-#MaxRecursion 10
-
-# Number of files to be scanned within an archive, a document, or any other
-# container file.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10000
-#MaxFiles 15000
-
-# Maximum size of a file to check for embedded PE. Files larger than this value
-# will skip the additional analysis step.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxEmbeddedPE 10M
-
-# Maximum size of a HTML file to normalize. HTML files larger than this value
-# will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxHTMLNormalize 10M
-
-# Maximum size of a normalized HTML file to scan. HTML files larger than this
-# value after normalization will not be scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 2M
-#MaxHTMLNoTags 2M
-
-# Maximum size of a script file to normalize. Script content larger than this
-# value will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 5M
-#MaxScriptNormalize 5M
-
-# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
-# than this value will skip the step to potentially reanalyze as PE.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 1M
-#MaxZipTypeRcg 1M
-
-# This option sets the maximum number of partitions of a raw disk image to be scanned.
-# Raw disk images with more partitions than this value will have up to the value number
-# partitions scanned. Negative values are not allowed.
-# Note: setting this limit too high may result in severe damage or impact performance.
-# Default: 50
-#MaxPartitions 128
-
-# This option sets the maximum number of icons within a PE to be scanned.
-# PE files with more icons than this value will have up to the value number icons scanned.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact performance.
-# Default: 100
-#MaxIconsPE 200
-
-##
-## On-access Scan Settings
-##
-
-# Enable on-access scanning. Currently, this is supported via fanotify.
-# Clamuko/Dazuko support has been deprecated.
-# Default: no
-#ScanOnAccess yes
-
-# Don't scan files larger than OnAccessMaxFileSize
-# Value of 0 disables the limit.
-# Default: 5M
-#OnAccessMaxFileSize 10M
-
-# Set the include paths (all files inside them will be scanned). You can have
-# multiple OnAccessIncludePath directives but each directory must be added
-# in a separate line. (On-access scan only)
-# Default: disabled
-#OnAccessIncludePath /home
-#OnAccessIncludePath /students
-
-# Set the exclude paths. All subdirectories are also excluded.
-# (On-access scan only)
-# Default: disabled
-#OnAccessExcludePath /home/bofh
-
-# With this option you can whitelist specific UIDs. Processes with these UIDs
-# will be able to access all files.
-# This option can be used multiple times (one per line).
-# Default: disabled
-#OnAccessExcludeUID 0
-
-
-##
-## Bytecode
-##
-
-# With this option enabled ClamAV will load bytecode from the database.
-# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
-# Default: yes
-#Bytecode yes
-
-# Set bytecode security level.
-# Possible values:
-# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
-# This value is only available if clamav was built with --enable-debug!
-# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
-# insert runtime safety checks for bytecode loaded from other sources
-# Paranoid - don't trust any bytecode, insert runtime checks for all
-# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
-# Note that by default only signed bytecode is loaded, currently you can only
-# load unsigned bytecode in --enable-debug mode.
-#
-# Default: TrustSigned
-#BytecodeSecurity TrustSigned
-
-# Set bytecode timeout in miliseconds.
-#
-# Default: 5000
-# BytecodeTimeout 1000
-
-##
-## Statistics gathering and submitting
-##
-
-# Enable statistical reporting.
-# Default: no
-#StatsEnabled yes
-
-# Disable submission of individual PE sections for files flagged as malware.
-# Default: no
-#StatsPEDisabled yes
-
-# HostID in the form of an UUID to use when submitting statistical information.
-# Default: auto
-#StatsHostID auto
-
-# Time in seconds to wait for the stats server to come back with a response
-# Default: 10
-#StatsTimeout 10
diff --git a/meta-security/recipes-security/clamav/files/freshclam-native.conf b/meta-security/recipes-security/clamav/files/freshclam-native.conf
deleted file mode 100644
index aaa8cf4..0000000
--- a/meta-security/recipes-security/clamav/files/freshclam-native.conf
+++ /dev/null
@@ -1,224 +0,0 @@
-# Path to the database directory.
-# WARNING: It must match clamd.conf's directive!
-# Default: hardcoded (depends on installation options)
-#DatabaseDirectory /var/lib/clamav
-
-# Path to the log file (make sure it has proper permissions)
-# Default: disabled
-#UpdateLogFile /var/log/clamav/freshclam.log
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
-# log rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Use system logger (can work together with UpdateLogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# This option allows you to save the process identifier of the daemon
-# Default: disabled
-#PidFile /var/run/freshclam.pid
-
-# By default when started freshclam drops privileges and switches to the
-# "clamav" user. This directive allows you to change the database owner.
-# Default: clamav (may depend on installation options)
-DatabaseOwner clamav
-
-# Initialize supplementary group access (freshclam must be started by root).
-# Default: no
-#AllowSupplementaryGroups yes
-
-# Use DNS to verify virus database version. Freshclam uses DNS TXT records
-# to verify database and software versions. With this directive you can change
-# the database verification domain.
-# WARNING: Do not touch it unless you're configuring freshclam to use your
-# own database verification domain.
-# Default: current.cvd.clamav.net
-#DNSDatabaseInfo current.cvd.clamav.net
-
-# Uncomment the following line and replace XY with your country
-# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
-# You can use db.XY.ipv6.clamav.net for IPv6 connections.
-#DatabaseMirror db.XY.clamav.net
-
-# database.clamav.net is a round-robin record which points to our most
-# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
-# not working. DO NOT TOUCH the following line unless you know what you
-# are doing.
-DatabaseMirror database.clamav.net
-
-# How many attempts to make before giving up.
-# Default: 3 (per mirror)
-#MaxAttempts 5
-
-# With this option you can control scripted updates. It's highly recommended
-# to keep it enabled.
-# Default: yes
-#ScriptedUpdates yes
-
-# By default freshclam will keep the local databases (.cld) uncompressed to
-# make their handling faster. With this option you can enable the compression;
-# the change will take effect with the next database update.
-# Default: no
-#CompressLocalDatabase no
-
-# With this option you can provide custom sources (http:// or file://) for
-# database files. This option can be used multiple times.
-# Default: no custom URLs
-#DatabaseCustomURL http://myserver.com/mysigs.ndb
-#DatabaseCustomURL file:///mnt/nfs/local.hdb
-
-# This option allows you to easily point freshclam to private mirrors.
-# If PrivateMirror is set, freshclam does not attempt to use DNS
-# to determine whether its databases are out-of-date, instead it will
-# use the If-Modified-Since request or directly check the headers of the
-# remote database files. For each database, freshclam first attempts
-# to download the CLD file. If that fails, it tries to download the
-# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
-# and ScriptedUpdates. It can be used multiple times to provide
-# fall-back mirrors.
-# Default: disabled
-#PrivateMirror mirror1.mynetwork.com
-#PrivateMirror mirror2.mynetwork.com
-
-# Number of database checks per day.
-# Default: 12 (every two hours)
-#Checks 24
-
-# Proxy settings
-# Default: disabled
-#HTTPProxyServer myproxy.com
-#HTTPProxyPort 1234
-#HTTPProxyUsername myusername
-#HTTPProxyPassword mypass
-
-# If your servers are behind a firewall/proxy which applies User-Agent
-# filtering you can use this option to force the use of a different
-# User-Agent header.
-# Default: clamav/version_number
-#HTTPUserAgent SomeUserAgentIdString
-
-# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
-# multi-homed systems.
-# Default: Use OS'es default outgoing IP address.
-#LocalIPAddress aaa.bbb.ccc.ddd
-
-# Send the RELOAD command to clamd.
-# Default: no
-#NotifyClamd /path/to/clamd.conf
-
-# Run command after successful database update.
-# Default: disabled
-#OnUpdateExecute command
-
-# Run command when database update process fails.
-# Default: disabled
-#OnErrorExecute command
-
-# Run command when freshclam reports outdated version.
-# In the command string %v will be replaced by the new version number.
-# Default: disabled
-#OnOutdatedExecute command
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Timeout in seconds when connecting to database server.
-# Default: 30
-#ConnectTimeout 60
-
-# Timeout in seconds when reading from database server.
-# Default: 30
-#ReceiveTimeout 60
-
-# With this option enabled, freshclam will attempt to load new
-# databases into memory to make sure they are properly handled
-# by libclamav before replacing the old ones.
-# Default: yes
-#TestDatabases yes
-
-# When enabled freshclam will submit statistics to the ClamAV Project about
-# the latest virus detections in your environment. The ClamAV maintainers
-# will then use this data to determine what types of malware are the most
-# detected in the field and in what geographic area they are.
-# Freshclam will connect to clamd in order to get recent statistics.
-# Default: no
-#SubmitDetectionStats /path/to/clamd.conf
-
-# Country of origin of malware/detection statistics (for statistical
-# purposes only). The statistics collector at ClamAV.net will look up
-# your IP address to determine the geographical origin of the malware
-# reported by your installation. If this installation is mainly used to
-# scan data which comes from a different location, please enable this
-# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
-# of the country of origin.
-# Default: disabled
-#DetectionStatsCountry country-code
-
-# This option enables support for our "Personal Statistics" service.
-# When this option is enabled, the information on malware detected by
-# your clamd installation is made available to you through our website.
-# To get your HostID, log on http://www.stats.clamav.net and add a new
-# host to your host list. Once you have the HostID, uncomment this option
-# and paste the HostID here. As soon as your freshclam starts submitting
-# information to our stats collecting service, you will be able to view
-# the statistics of this clamd installation by logging into
-# http://www.stats.clamav.net with the same credentials you used to
-# generate the HostID. For more information refer to:
-# http://www.clamav.net/documentation.html#cctts
-# This feature requires SubmitDetectionStats to be enabled.
-# Default: disabled
-#DetectionStatsHostID unique-id
-
-# This option enables support for Google Safe Browsing. When activated for
-# the first time, freshclam will download a new database file (safebrowsing.cvd)
-# which will be automatically loaded by clamd and clamscan during the next
-# reload, provided that the heuristic phishing detection is turned on. This
-# database includes information about websites that may be phishing sites or
-# possible sources of malware. When using this option, it's mandatory to run
-# freshclam at least every 30 minutes.
-# Freshclam uses the ClamAV's mirror infrastructure to distribute the
-# database and its updates but all the contents are provided under Google's
-# terms of use. See http://www.google.com/transparencyreport/safebrowsing
-# and http://www.clamav.net/documentation.html#safebrowsing
-# for more information.
-# Default: disabled
-#SafeBrowsing yes
-
-# This option enables downloading of bytecode.cvd, which includes additional
-# detection mechanisms and improvements to the ClamAV engine.
-# Default: enabled
-#Bytecode yes
-
-# Download an additional 3rd party signature database distributed through
-# the ClamAV mirrors.
-# This option can be used multiple times.
-#ExtraDatabase dbname1
-#ExtraDatabase dbname2
diff --git a/meta-security/recipes-security/clamav/files/freshclam.conf b/meta-security/recipes-security/clamav/files/freshclam.conf
deleted file mode 100644
index 100724f..0000000
--- a/meta-security/recipes-security/clamav/files/freshclam.conf
+++ /dev/null
@@ -1,224 +0,0 @@
-# Path to the database directory.
-# WARNING: It must match clamd.conf's directive!
-# Default: hardcoded (depends on installation options)
-DatabaseDirectory /var/lib/clamav
-
-# Path to the log file (make sure it has proper permissions)
-# Default: disabled
-UpdateLogFile /var/log/clamav/freshclam.log
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
-# log rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Use system logger (can work together with UpdateLogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# This option allows you to save the process identifier of the daemon
-# Default: disabled
-PidFile /var/run/freshclam.pid
-
-# By default when started freshclam drops privileges and switches to the
-# "clamav" user. This directive allows you to change the database owner.
-# Default: clamav (may depend on installation options)
-DatabaseOwner clamav
-
-# Initialize supplementary group access (freshclam must be started by root).
-# Default: no
-#AllowSupplementaryGroups yes
-
-# Use DNS to verify virus database version. Freshclam uses DNS TXT records
-# to verify database and software versions. With this directive you can change
-# the database verification domain.
-# WARNING: Do not touch it unless you're configuring freshclam to use your
-# own database verification domain.
-# Default: current.cvd.clamav.net
-#DNSDatabaseInfo current.cvd.clamav.net
-
-# Uncomment the following line and replace XY with your country
-# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
-# You can use db.XY.ipv6.clamav.net for IPv6 connections.
-#DatabaseMirror db.XY.clamav.net
-
-# database.clamav.net is a round-robin record which points to our most
-# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
-# not working. DO NOT TOUCH the following line unless you know what you
-# are doing.
-DatabaseMirror database.clamav.net
-
-# How many attempts to make before giving up.
-# Default: 3 (per mirror)
-#MaxAttempts 5
-
-# With this option you can control scripted updates. It's highly recommended
-# to keep it enabled.
-# Default: yes
-#ScriptedUpdates yes
-
-# By default freshclam will keep the local databases (.cld) uncompressed to
-# make their handling faster. With this option you can enable the compression;
-# the change will take effect with the next database update.
-# Default: no
-#CompressLocalDatabase no
-
-# With this option you can provide custom sources (http:// or file://) for
-# database files. This option can be used multiple times.
-# Default: no custom URLs
-#DatabaseCustomURL http://myserver.com/mysigs.ndb
-#DatabaseCustomURL file:///mnt/nfs/local.hdb
-
-# This option allows you to easily point freshclam to private mirrors.
-# If PrivateMirror is set, freshclam does not attempt to use DNS
-# to determine whether its databases are out-of-date, instead it will
-# use the If-Modified-Since request or directly check the headers of the
-# remote database files. For each database, freshclam first attempts
-# to download the CLD file. If that fails, it tries to download the
-# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
-# and ScriptedUpdates. It can be used multiple times to provide
-# fall-back mirrors.
-# Default: disabled
-#PrivateMirror mirror1.mynetwork.com
-#PrivateMirror mirror2.mynetwork.com
-
-# Number of database checks per day.
-# Default: 12 (every two hours)
-#Checks 24
-
-# Proxy settings
-# Default: disabled
-#HTTPProxyServer myproxy.com
-#HTTPProxyPort 1234
-#HTTPProxyUsername myusername
-#HTTPProxyPassword mypass
-
-# If your servers are behind a firewall/proxy which applies User-Agent
-# filtering you can use this option to force the use of a different
-# User-Agent header.
-# Default: clamav/version_number
-#HTTPUserAgent SomeUserAgentIdString
-
-# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
-# multi-homed systems.
-# Default: Use OS'es default outgoing IP address.
-#LocalIPAddress aaa.bbb.ccc.ddd
-
-# Send the RELOAD command to clamd.
-# Default: no
-#NotifyClamd /path/to/clamd.conf
-
-# Run command after successful database update.
-# Default: disabled
-#OnUpdateExecute command
-
-# Run command when database update process fails.
-# Default: disabled
-#OnErrorExecute command
-
-# Run command when freshclam reports outdated version.
-# In the command string %v will be replaced by the new version number.
-# Default: disabled
-#OnOutdatedExecute command
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Timeout in seconds when connecting to database server.
-# Default: 30
-#ConnectTimeout 60
-
-# Timeout in seconds when reading from database server.
-# Default: 30
-#ReceiveTimeout 60
-
-# With this option enabled, freshclam will attempt to load new
-# databases into memory to make sure they are properly handled
-# by libclamav before replacing the old ones.
-# Default: yes
-#TestDatabases yes
-
-# When enabled freshclam will submit statistics to the ClamAV Project about
-# the latest virus detections in your environment. The ClamAV maintainers
-# will then use this data to determine what types of malware are the most
-# detected in the field and in what geographic area they are.
-# Freshclam will connect to clamd in order to get recent statistics.
-# Default: no
-#SubmitDetectionStats /path/to/clamd.conf
-
-# Country of origin of malware/detection statistics (for statistical
-# purposes only). The statistics collector at ClamAV.net will look up
-# your IP address to determine the geographical origin of the malware
-# reported by your installation. If this installation is mainly used to
-# scan data which comes from a different location, please enable this
-# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
-# of the country of origin.
-# Default: disabled
-#DetectionStatsCountry country-code
-
-# This option enables support for our "Personal Statistics" service.
-# When this option is enabled, the information on malware detected by
-# your clamd installation is made available to you through our website.
-# To get your HostID, log on http://www.stats.clamav.net and add a new
-# host to your host list. Once you have the HostID, uncomment this option
-# and paste the HostID here. As soon as your freshclam starts submitting
-# information to our stats collecting service, you will be able to view
-# the statistics of this clamd installation by logging into
-# http://www.stats.clamav.net with the same credentials you used to
-# generate the HostID. For more information refer to:
-# http://www.clamav.net/documentation.html#cctts
-# This feature requires SubmitDetectionStats to be enabled.
-# Default: disabled
-#DetectionStatsHostID unique-id
-
-# This option enables support for Google Safe Browsing. When activated for
-# the first time, freshclam will download a new database file (safebrowsing.cvd)
-# which will be automatically loaded by clamd and clamscan during the next
-# reload, provided that the heuristic phishing detection is turned on. This
-# database includes information about websites that may be phishing sites or
-# possible sources of malware. When using this option, it's mandatory to run
-# freshclam at least every 30 minutes.
-# Freshclam uses the ClamAV's mirror infrastructure to distribute the
-# database and its updates but all the contents are provided under Google's
-# terms of use. See http://www.google.com/transparencyreport/safebrowsing
-# and http://www.clamav.net/documentation.html#safebrowsing
-# for more information.
-# Default: disabled
-#SafeBrowsing yes
-
-# This option enables downloading of bytecode.cvd, which includes additional
-# detection mechanisms and improvements to the ClamAV engine.
-# Default: enabled
-#Bytecode yes
-
-# Download an additional 3rd party signature database distributed through
-# the ClamAV mirrors.
-# This option can be used multiple times.
-#ExtraDatabase dbname1
-#ExtraDatabase dbname2
diff --git a/meta-security/recipes-security/clamav/files/tmpfiles.clamav b/meta-security/recipes-security/clamav/files/tmpfiles.clamav
deleted file mode 100644
index fd5adfe..0000000
--- a/meta-security/recipes-security/clamav/files/tmpfiles.clamav
+++ /dev/null
@@ -1,3 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /var/log/clamav 0755 clamav clamav -
-f /var/log/clamav/freshclam.log 0644 clamav clamav -
diff --git a/meta-security/recipes-security/clamav/files/volatiles.03_clamav b/meta-security/recipes-security/clamav/files/volatiles.03_clamav
deleted file mode 100644
index ee2153c..0000000
--- a/meta-security/recipes-security/clamav/files/volatiles.03_clamav
+++ /dev/null
@@ -1,3 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d clamav clamav 0755 /var/log/clamav none
-f clamav clamav 0655 /var/log/clamav/freshclam.log none
diff --git a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index e45ee0b..d8cd06f 100644
--- a/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -41,7 +41,7 @@
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
do_configure_prepend() {
- export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
+ export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3"
export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
diff --git a/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch b/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
new file mode 100644
index 0000000..ee872ec
--- /dev/null
+++ b/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
@@ -0,0 +1,2527 @@
+From abaa20435bac7decffa69e6f965aac9ce29aff6a Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 12 Feb 2020 17:19:15 +0000
+Subject: [PATCH] python3-fail2ban: 2-3 conversion
+
+Upstream-Status: OE specific.
+
+fail2ban handles py3 via a 2-3 conversion utility.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ fail2ban/client/actionreader.py | 4 +-
+ fail2ban/client/configparserinc.py | 10 +-
+ fail2ban/client/configreader.py | 4 +-
+ fail2ban/client/csocket.py | 4 +-
+ fail2ban/client/fail2banclient.py | 4 +-
+ fail2ban/client/fail2banregex.py | 20 +-
+ fail2ban/client/filterreader.py | 2 +-
+ fail2ban/client/jailreader.py | 4 +-
+ fail2ban/helpers.py | 15 +-
+ fail2ban/server/action.py | 19 +-
+ fail2ban/server/actions.py | 24 +-
+ fail2ban/server/asyncserver.py | 4 +-
+ fail2ban/server/banmanager.py | 18 +-
+ fail2ban/server/database.py | 6 +-
+ fail2ban/server/failmanager.py | 8 +-
+ fail2ban/server/failregex.py | 9 +-
+ fail2ban/server/filter.py | 12 +-
+ fail2ban/server/filterpoll.py | 2 +-
+ fail2ban/server/filterpyinotify.py | 6 +-
+ fail2ban/server/ipdns.py | 16 +-
+ fail2ban/server/jail.py | 14 +-
+ fail2ban/server/mytime.py | 2 +-
+ fail2ban/server/server.py | 18 +-
+ fail2ban/server/strptime.py | 6 +-
+ fail2ban/server/ticket.py | 14 +-
+ fail2ban/server/transmitter.py | 2 +-
+ fail2ban/server/utils.py | 6 +-
+ fail2ban/tests/action_d/test_badips.py | 2 +-
+ fail2ban/tests/actiontestcase.py | 4 +-
+ fail2ban/tests/clientreadertestcase.py | 4 +-
+ fail2ban/tests/databasetestcase.py | 16 +-
+ fail2ban/tests/datedetectortestcase.py | 6 +-
+ fail2ban/tests/fail2banclienttestcase.py | 8 +-
+ fail2ban/tests/failmanagertestcase.py | 10 +-
+ .../tests/files/config/apache-auth/digest.py | 20 +-
+ fail2ban/tests/filtertestcase.py | 92 ++---
+ fail2ban/tests/misctestcase.py | 22 +-
+ fail2ban/tests/observertestcase.py | 34 +-
+ fail2ban/tests/samplestestcase.py | 8 +-
+ fail2ban/tests/servertestcase.py | 28 +-
+ fail2ban/tests/sockettestcase.py | 2 +-
+ fail2ban/tests/utils.py | 22 +-
+ setup.py | 326 ------------------
+ 43 files changed, 264 insertions(+), 593 deletions(-)
+ delete mode 100755 setup.py
+
+diff --git a/fail2ban/client/actionreader.py b/fail2ban/client/actionreader.py
+index 80617a50..ecf323c5 100644
+--- a/fail2ban/client/actionreader.py
++++ b/fail2ban/client/actionreader.py
+@@ -90,11 +90,11 @@ class ActionReader(DefinitionInitConfigReader):
+ stream = list()
+ stream.append(head + ["addaction", self._name])
+ multi = []
+- for opt, optval in opts.iteritems():
++ for opt, optval in opts.items():
+ if opt in self._configOpts and not opt.startswith('known/'):
+ multi.append([opt, optval])
+ if self._initOpts:
+- for opt, optval in self._initOpts.iteritems():
++ for opt, optval in self._initOpts.items():
+ if opt not in self._configOpts and not opt.startswith('known/'):
+ multi.append([opt, optval])
+ if len(multi) > 1:
+diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
+index e0f39579..45c77437 100644
+--- a/fail2ban/client/configparserinc.py
++++ b/fail2ban/client/configparserinc.py
+@@ -62,7 +62,7 @@ if sys.version_info >= (3,2):
+ parser, option, accum, rest, section, map, *args, **kwargs)
+
+ else: # pragma: no cover
+- from ConfigParser import SafeConfigParser, \
++ from configparser import SafeConfigParser, \
+ InterpolationMissingOptionError, NoOptionError, NoSectionError
+
+ # Interpolate missing known/option as option from default section
+@@ -327,7 +327,7 @@ after = 1.conf
+ # mix it with defaults:
+ return set(opts.keys()) | set(self._defaults)
+ # only own option names:
+- return opts.keys()
++ return list(opts.keys())
+
+ def read(self, filenames, get_includes=True):
+ if not isinstance(filenames, list):
+@@ -356,7 +356,7 @@ after = 1.conf
+ ret += i
+ # merge defaults and all sections to self:
+ alld.update(cfg.get_defaults())
+- for n, s in cfg.get_sections().iteritems():
++ for n, s in cfg.get_sections().items():
+ # conditional sections
+ cond = SafeConfigParserWithIncludes.CONDITIONAL_RE.match(n)
+ if cond:
+@@ -366,7 +366,7 @@ after = 1.conf
+ del(s['__name__'])
+ except KeyError:
+ pass
+- for k in s.keys():
++ for k in list(s.keys()):
+ v = s.pop(k)
+ s[k + cond] = v
+ s2 = alls.get(n)
+@@ -399,7 +399,7 @@ after = 1.conf
+ sec.update(options)
+ return
+ sk = {}
+- for k, v in options.iteritems():
++ for k, v in options.items():
+ if not k.startswith(pref) and k != '__name__':
+ sk[pref+k] = v
+ sec.update(sk)
+diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
+index 20709b72..b5167409 100644
+--- a/fail2ban/client/configreader.py
++++ b/fail2ban/client/configreader.py
+@@ -26,7 +26,7 @@ __license__ = "GPL"
+
+ import glob
+ import os
+-from ConfigParser import NoOptionError, NoSectionError
++from configparser import NoOptionError, NoSectionError
+
+ from .configparserinc import sys, SafeConfigParserWithIncludes, logLevel
+ from ..helpers import getLogger, _as_bool, _merge_dicts, substituteRecursiveTags
+@@ -197,7 +197,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
+ config_files += sorted(glob.glob('%s/*.local' % config_dir))
+
+ # choose only existing ones
+- config_files = filter(os.path.exists, config_files)
++ config_files = list(filter(os.path.exists, config_files))
+
+ if len(config_files):
+ # at least one config exists and accessible
+diff --git a/fail2ban/client/csocket.py b/fail2ban/client/csocket.py
+index ab3e294b..9417cde9 100644
+--- a/fail2ban/client/csocket.py
++++ b/fail2ban/client/csocket.py
+@@ -47,7 +47,7 @@ class CSocket:
+
+ def send(self, msg, nonblocking=False, timeout=None):
+ # Convert every list member to string
+- obj = dumps(map(CSocket.convert, msg), HIGHEST_PROTOCOL)
++ obj = dumps(list(map(CSocket.convert, msg)), HIGHEST_PROTOCOL)
+ self.__csock.send(obj + CSPROTO.END)
+ return self.receive(self.__csock, nonblocking, timeout)
+
+@@ -71,7 +71,7 @@ class CSocket:
+ @staticmethod
+ def convert(m):
+ """Convert every "unexpected" member of message to string"""
+- if isinstance(m, (basestring, bool, int, float, list, dict, set)):
++ if isinstance(m, (str, bool, int, float, list, dict, set)):
+ return m
+ else: # pragma: no cover
+ return str(m)
+diff --git a/fail2ban/client/fail2banclient.py b/fail2ban/client/fail2banclient.py
+index 7c90ca40..7eb11684 100755
+--- a/fail2ban/client/fail2banclient.py
++++ b/fail2ban/client/fail2banclient.py
+@@ -45,7 +45,7 @@ def _thread_name():
+ return threading.current_thread().__class__.__name__
+
+ def input_command(): # pragma: no cover
+- return raw_input(PROMPT)
++ return input(PROMPT)
+
+ ##
+ #
+@@ -444,7 +444,7 @@ class Fail2banClient(Fail2banCmdLine, Thread):
+ return False
+ finally:
+ self._alive = False
+- for s, sh in _prev_signals.iteritems():
++ for s, sh in _prev_signals.items():
+ signal.signal(s, sh)
+
+
+diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py
+index 513b765d..4a71b3c0 100644
+--- a/fail2ban/client/fail2banregex.py
++++ b/fail2ban/client/fail2banregex.py
+@@ -41,10 +41,10 @@ import shlex
+ import sys
+ import time
+ import time
+-import urllib
++import urllib.request, urllib.parse, urllib.error
+ from optparse import OptionParser, Option
+
+-from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
++from configparser import NoOptionError, NoSectionError, MissingSectionHeaderError
+
+ try: # pragma: no cover
+ from ..server.filtersystemd import FilterSystemd
+@@ -68,7 +68,7 @@ def debuggexURL(sample, regex, multiline=False, useDns="yes"):
+ 'flavor': 'python'
+ }
+ if multiline: args['flags'] = 'm'
+- return 'https://www.debuggex.com/?' + urllib.urlencode(args)
++ return 'https://www.debuggex.com/?' + urllib.parse.urlencode(args)
+
+ def output(args): # pragma: no cover (overriden in test-cases)
+ print(args)
+@@ -244,7 +244,7 @@ class Fail2banRegex(object):
+
+ def __init__(self, opts):
+ # set local protected members from given options:
+- self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.iteritems()))
++ self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.items()))
+ self._opts = opts
+ self._maxlines_set = False # so we allow to override maxlines in cmdline
+ self._datepattern_set = False
+@@ -304,7 +304,7 @@ class Fail2banRegex(object):
+ realopts = {}
+ combopts = reader.getCombined()
+ # output all options that are specified in filter-argument as well as some special (mostly interested):
+- for k in ['logtype', 'datepattern'] + fltOpt.keys():
++ for k in ['logtype', 'datepattern'] + list(fltOpt.keys()):
+ # combined options win, but they contain only a sub-set in filter expected keys,
+ # so get the rest from definition section:
+ try:
+@@ -424,7 +424,7 @@ class Fail2banRegex(object):
+ self.output( "Use %11s line : %s" % (regex, shortstr(value)) )
+ regex_values = {regextype: [RegexStat(value)]}
+
+- for regextype, regex_values in regex_values.iteritems():
++ for regextype, regex_values in regex_values.items():
+ regex = regextype + 'regex'
+ setattr(self, "_" + regex, regex_values)
+ for regex in regex_values:
+@@ -523,10 +523,10 @@ class Fail2banRegex(object):
+ output(ret[1])
+ elif self._opts.out == 'msg':
+ for ret in ret:
+- output('\n'.join(map(lambda v:''.join(v for v in v), ret[3].get('matches'))))
++ output('\n'.join([''.join(v for v in v) for v in ret[3].get('matches')]))
+ elif self._opts.out == 'row':
+ for ret in ret:
+- output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].iteritems() if k != 'matches')))
++ output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].items() if k != 'matches')))
+ else:
+ for ret in ret:
+ output(ret[3].get(self._opts.out))
+@@ -565,9 +565,9 @@ class Fail2banRegex(object):
+ ans = [[]]
+ for arg in [l, regexlist]:
+ ans = [ x + [y] for x in ans for y in arg ]
+- b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' +
++ b = [a[0] + ' | ' + a[1].getFailRegex() + ' | ' +
+ debuggexURL(self.encode_line(a[0]), a[1].getFailRegex(),
+- multiline, self._opts.usedns), ans)
++ multiline, self._opts.usedns) for a in ans]
+ pprint_list([x.rstrip() for x in b], header)
+ else:
+ output( "%s too many to print. Use --print-all-%s " \
+diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py
+index 413f125e..4f0cc4cf 100644
+--- a/fail2ban/client/filterreader.py
++++ b/fail2ban/client/filterreader.py
+@@ -71,7 +71,7 @@ class FilterReader(DefinitionInitConfigReader):
+ @staticmethod
+ def _fillStream(stream, opts, jailName):
+ prio0idx = 0
+- for opt, value in opts.iteritems():
++ for opt, value in opts.items():
+ if opt in ("failregex", "ignoreregex"):
+ if value is None: continue
+ multi = []
+diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
+index 50c1d047..969d0bc0 100644
+--- a/fail2ban/client/jailreader.py
++++ b/fail2ban/client/jailreader.py
+@@ -117,7 +117,7 @@ class JailReader(ConfigReader):
+ }
+ _configOpts.update(FilterReader._configOpts)
+
+- _ignoreOpts = set(['action', 'filter', 'enabled'] + FilterReader._configOpts.keys())
++ _ignoreOpts = set(['action', 'filter', 'enabled'] + list(FilterReader._configOpts.keys()))
+
+ def getOptions(self):
+
+@@ -236,7 +236,7 @@ class JailReader(ConfigReader):
+ stream.extend(self.__filter.convert())
+ # and using options from jail:
+ FilterReader._fillStream(stream, self.__opts, self.__name)
+- for opt, value in self.__opts.iteritems():
++ for opt, value in self.__opts.items():
+ if opt == "logpath":
+ if self.__opts.get('backend', '').startswith("systemd"): continue
+ found_files = 0
+diff --git a/fail2ban/helpers.py b/fail2ban/helpers.py
+index 6f2bcdd7..7e563696 100644
+--- a/fail2ban/helpers.py
++++ b/fail2ban/helpers.py
+@@ -31,6 +31,7 @@ import traceback
+ from threading import Lock
+
+ from .server.mytime import MyTime
++import importlib
+
+ try:
+ import ctypes
+@@ -63,7 +64,7 @@ if sys.version_info < (3,): # pragma: 3.x no cover
+ from imp import load_dynamic as __ldm
+ _sys = __ldm('_sys', 'sys')
+ except ImportError: # pragma: no cover - only if load_dynamic fails
+- reload(sys)
++ importlib.reload(sys)
+ _sys = sys
+ if hasattr(_sys, "setdefaultencoding"):
+ _sys.setdefaultencoding(encoding)
+@@ -101,7 +102,7 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
+ else: # pragma: 3.x no cover
+ def uni_decode(x, enc=PREFER_ENC, errors='strict'):
+ try:
+- if isinstance(x, unicode):
++ if isinstance(x, str):
+ return x.encode(enc, errors)
+ return x
+ except (UnicodeDecodeError, UnicodeEncodeError): # pragma: no cover - unsure if reachable
+@@ -110,7 +111,7 @@ else: # pragma: 3.x no cover
+ return x.encode(enc, 'replace')
+ if sys.getdefaultencoding().upper() != 'UTF-8': # pragma: no cover - utf-8 is default encoding now
+ def uni_string(x):
+- if not isinstance(x, unicode):
++ if not isinstance(x, str):
+ return str(x)
+ return x.encode(PREFER_ENC, 'replace')
+ else:
+@@ -118,7 +119,7 @@ else: # pragma: 3.x no cover
+
+
+ def _as_bool(val):
+- return bool(val) if not isinstance(val, basestring) \
++ return bool(val) if not isinstance(val, str) \
+ else val.lower() in ('1', 'on', 'true', 'yes')
+
+
+@@ -326,7 +327,7 @@ def splitwords(s):
+ """
+ if not s:
+ return []
+- return filter(bool, map(lambda v: v.strip(), re.split('[ ,\n]+', s)))
++ return list(filter(bool, [v.strip() for v in re.split('[ ,\n]+', s)]))
+
+ if sys.version_info >= (3,5):
+ eval(compile(r'''if 1:
+@@ -436,7 +437,7 @@ def substituteRecursiveTags(inptags, conditional='',
+ while True:
+ repFlag = False
+ # substitute each value:
+- for tag in tags.iterkeys():
++ for tag in tags.keys():
+ # ignore escaped or already done (or in ignore list):
+ if tag in ignore or tag in done: continue
+ # ignore replacing callable items from calling map - should be converted on demand only (by get):
+@@ -476,7 +477,7 @@ def substituteRecursiveTags(inptags, conditional='',
+ m = tre_search(value, m.end())
+ continue
+ # if calling map - be sure we've string:
+- if not isinstance(repl, basestring): repl = uni_string(repl)
++ if not isinstance(repl, str): repl = uni_string(repl)
+ value = value.replace('<%s>' % rtag, repl)
+ #logSys.log(5, 'value now: %s' % value)
+ # increment reference count:
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 5c817fc0..81d50689 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -111,9 +111,9 @@ class CallingMap(MutableMapping, object):
+ def _asdict(self, calculated=False, checker=None):
+ d = dict(self.data, **self.storage)
+ if not calculated:
+- return dict((n,v) for n,v in d.iteritems() \
++ return dict((n,v) for n,v in d.items() \
+ if not callable(v) or n in self.CM_REPR_ITEMS)
+- for n,v in d.items():
++ for n,v in list(d.items()):
+ if callable(v):
+ try:
+ # calculate:
+@@ -179,7 +179,7 @@ class CallingMap(MutableMapping, object):
+ return self.__class__(_merge_copy_dicts(self.data, self.storage))
+
+
+-class ActionBase(object):
++class ActionBase(object, metaclass=ABCMeta):
+ """An abstract base class for actions in Fail2Ban.
+
+ Action Base is a base definition of what methods need to be in
+@@ -209,7 +209,6 @@ class ActionBase(object):
+ Any additional arguments specified in `jail.conf` or passed
+ via `fail2ban-client` will be passed as keyword arguments.
+ """
+- __metaclass__ = ABCMeta
+
+ @classmethod
+ def __subclasshook__(cls, C):
+@@ -420,7 +419,7 @@ class CommandAction(ActionBase):
+ if not callable(family): # pragma: no cover
+ return self.__substCache.get(key, {}).get(family)
+ # family as expression - use it to filter values:
+- return [v for f, v in self.__substCache.get(key, {}).iteritems() if family(f)]
++ return [v for f, v in self.__substCache.get(key, {}).items() if family(f)]
+ cmd = args[0]
+ if cmd: # set:
+ try:
+@@ -432,7 +431,7 @@ class CommandAction(ActionBase):
+ try:
+ famd = self.__substCache[key]
+ cmd = famd.pop(family)
+- for family, v in famd.items():
++ for family, v in list(famd.items()):
+ if v == cmd:
+ del famd[family]
+ except KeyError: # pragma: no cover
+@@ -448,7 +447,7 @@ class CommandAction(ActionBase):
+ res = True
+ err = 'Script error'
+ if not family: # all started:
+- family = [famoper for (famoper,v) in self.__started.iteritems() if v]
++ family = [famoper for (famoper,v) in self.__started.items() if v]
+ for famoper in family:
+ try:
+ cmd = self._getOperation(tag, famoper)
+@@ -617,7 +616,7 @@ class CommandAction(ActionBase):
+ and executes the resulting command.
+ """
+ # collect started families, may be started on demand (conditional):
+- family = [f for (f,v) in self.__started.iteritems() if v & 3 == 3]; # started and contains items
++ family = [f for (f,v) in self.__started.items() if v & 3 == 3]; # started and contains items
+ # if nothing contains items:
+ if not family: return True
+ # flush:
+@@ -642,7 +641,7 @@ class CommandAction(ActionBase):
+ """
+ # collect started families, if started on demand (conditional):
+ if family is None:
+- family = [f for (f,v) in self.__started.iteritems() if v]
++ family = [f for (f,v) in self.__started.items() if v]
+ # if no started (on demand) actions:
+ if not family: return True
+ self.__started = {}
+@@ -676,7 +675,7 @@ class CommandAction(ActionBase):
+ ret = True
+ # for each started family:
+ if self.actioncheck:
+- for (family, started) in self.__started.items():
++ for (family, started) in list(self.__started.items()):
+ if started and not self._invariantCheck(family, beforeRepair):
+ # reset started flag and command of executed operation:
+ self.__started[family] = 0
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index 24fea838..94b9c3ed 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -156,11 +156,11 @@ class Actions(JailThread, Mapping):
+ else:
+ if hasattr(self, '_reload_actions'):
+ # reload actions after all parameters set via stream:
+- for name, initOpts in self._reload_actions.iteritems():
++ for name, initOpts in self._reload_actions.items():
+ if name in self._actions:
+ self._actions[name].reload(**(initOpts if initOpts else {}))
+ # remove obsolete actions (untouched by reload process):
+- delacts = OrderedDict((name, action) for name, action in self._actions.iteritems()
++ delacts = OrderedDict((name, action) for name, action in self._actions.items()
+ if name not in self._reload_actions)
+ if len(delacts):
+ # unban all tickets using removed actions only:
+@@ -289,7 +289,7 @@ class Actions(JailThread, Mapping):
+ """
+ if actions is None:
+ actions = self._actions
+- revactions = actions.items()
++ revactions = list(actions.items())
+ revactions.reverse()
+ for name, action in revactions:
+ try:
+@@ -314,7 +314,7 @@ class Actions(JailThread, Mapping):
+ True when the thread exits nicely.
+ """
+ cnt = 0
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ action.start()
+ except Exception as e:
+@@ -474,7 +474,7 @@ class Actions(JailThread, Mapping):
+ Observers.Main.add('banFound', bTicket, self._jail, btime)
+ logSys.notice("[%s] %sBan %s", self._jail.name, ('' if not bTicket.restored else 'Restore '), ip)
+ # do actions :
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ if ticket.restored and getattr(action, 'norestored', False):
+ continue
+@@ -511,13 +511,13 @@ class Actions(JailThread, Mapping):
+ if bTicket.banEpoch == self.banEpoch and diftm > 3:
+ # avoid too often checks:
+ if not rebanacts and MyTime.time() > self.__lastConsistencyCheckTM + 3:
+- for action in self._actions.itervalues():
++ for action in self._actions.values():
+ action.consistencyCheck()
+ self.__lastConsistencyCheckTM = MyTime.time()
+ # check epoch in order to reban it:
+ if bTicket.banEpoch < self.banEpoch:
+ if not rebanacts: rebanacts = dict(
+- (name, action) for name, action in self._actions.iteritems()
++ (name, action) for name, action in self._actions.items()
+ if action.banEpoch > bTicket.banEpoch)
+ cnt += self.__reBan(bTicket, actions=rebanacts)
+ else: # pragma: no cover - unexpected: ticket is not banned for some reasons - reban using all actions:
+@@ -542,8 +542,8 @@ class Actions(JailThread, Mapping):
+ ip = ticket.getIP()
+ aInfo = self.__getActionInfo(ticket)
+ if log:
+- logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % actions.keys()[0] if len(actions) == 1 else ''))
+- for name, action in actions.iteritems():
++ logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % list(actions.keys())[0] if len(actions) == 1 else ''))
++ for name, action in actions.items():
+ try:
+ logSys.debug("[%s] action %r: reban %s", self._jail.name, name, ip)
+ if not aInfo.immutable: aInfo.reset()
+@@ -567,7 +567,7 @@ class Actions(JailThread, Mapping):
+ if not self.__banManager._inBanList(ticket): return
+ # do actions :
+ aInfo = None
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ if ticket.restored and getattr(action, 'norestored', False):
+ continue
+@@ -616,7 +616,7 @@ class Actions(JailThread, Mapping):
+ cnt = 0
+ # first we'll execute flush for actions supporting this operation:
+ unbactions = {}
+- for name, action in (actions if actions is not None else self._actions).iteritems():
++ for name, action in (actions if actions is not None else self._actions).items():
+ try:
+ if hasattr(action, 'flush') and (not isinstance(action, CommandAction) or action.actionflush):
+ logSys.notice("[%s] Flush ticket(s) with %s", self._jail.name, name)
+@@ -671,7 +671,7 @@ class Actions(JailThread, Mapping):
+ aInfo = self.__getActionInfo(ticket)
+ if log:
+ logSys.notice("[%s] Unban %s", self._jail.name, aInfo["ip"])
+- for name, action in unbactions.iteritems():
++ for name, action in unbactions.items():
+ try:
+ logSys.debug("[%s] action %r: unban %s", self._jail.name, name, ip)
+ if not aInfo.immutable: aInfo.reset()
+diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py
+index e3400737..f5f9740b 100644
+--- a/fail2ban/server/asyncserver.py
++++ b/fail2ban/server/asyncserver.py
+@@ -178,7 +178,7 @@ def loop(active, timeout=None, use_poll=False, err_count=None):
+ elif err_count['listen'] > 100: # pragma: no cover - normally unreachable
+ if (
+ e.args[0] == errno.EMFILE # [Errno 24] Too many open files
+- or sum(err_count.itervalues()) > 1000
++ or sum(err_count.values()) > 1000
+ ):
+ logSys.critical("Too many errors - critical count reached %r", err_count)
+ break
+@@ -220,7 +220,7 @@ class AsyncServer(asyncore.dispatcher):
+ elif self.__errCount['accept'] > 100:
+ if (
+ (isinstance(e, socket.error) and e.args[0] == errno.EMFILE) # [Errno 24] Too many open files
+- or sum(self.__errCount.itervalues()) > 1000
++ or sum(self.__errCount.values()) > 1000
+ ):
+ logSys.critical("Too many errors - critical count reached %r", self.__errCount)
+ self.stop()
+diff --git a/fail2ban/server/banmanager.py b/fail2ban/server/banmanager.py
+index 5770bfd7..9bb44971 100644
+--- a/fail2ban/server/banmanager.py
++++ b/fail2ban/server/banmanager.py
+@@ -105,9 +105,9 @@ class BanManager:
+ def getBanList(self, ordered=False, withTime=False):
+ with self.__lock:
+ if not ordered:
+- return self.__banList.keys()
++ return list(self.__banList.keys())
+ lst = []
+- for ticket in self.__banList.itervalues():
++ for ticket in self.__banList.values():
+ eob = ticket.getEndOfBanTime(self.__banTime)
+ lst.append((ticket,eob))
+ lst.sort(key=lambda t: t[1])
+@@ -126,7 +126,7 @@ class BanManager:
+
+ def __iter__(self):
+ with self.__lock:
+- return self.__banList.itervalues()
++ return iter(self.__banList.values())
+
+ ##
+ # Returns normalized value
+@@ -165,7 +165,7 @@ class BanManager:
+ return return_dict
+ # get ips in lock:
+ with self.__lock:
+- banIPs = [banData.getIP() for banData in self.__banList.values()]
++ banIPs = [banData.getIP() for banData in list(self.__banList.values())]
+ # get cymru info:
+ try:
+ for ip in banIPs:
+@@ -341,7 +341,7 @@ class BanManager:
+ # Gets the list of ticket to remove (thereby correct next unban time).
+ unBanList = {}
+ nextUnbanTime = BanTicket.MAX_TIME
+- for fid,ticket in self.__banList.iteritems():
++ for fid,ticket in self.__banList.items():
+ # current time greater as end of ban - timed out:
+ eob = ticket.getEndOfBanTime(self.__banTime)
+ if time > eob:
+@@ -357,15 +357,15 @@ class BanManager:
+ if len(unBanList):
+ if len(unBanList) / 2.0 <= len(self.__banList) / 3.0:
+ # few as 2/3 should be removed - remove particular items:
+- for fid in unBanList.iterkeys():
++ for fid in unBanList.keys():
+ del self.__banList[fid]
+ else:
+ # create new dictionary without items to be deleted:
+- self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.iteritems() \
++ self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.items() \
+ if fid not in unBanList)
+
+ # return list of tickets:
+- return unBanList.values()
++ return list(unBanList.values())
+
+ ##
+ # Flush the ban list.
+@@ -375,7 +375,7 @@ class BanManager:
+
+ def flushBanList(self):
+ with self.__lock:
+- uBList = self.__banList.values()
++ uBList = list(self.__banList.values())
+ self.__banList = dict()
+ return uBList
+
+diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py
+index ed736a7a..0e8c9aec 100644
+--- a/fail2ban/server/database.py
++++ b/fail2ban/server/database.py
+@@ -67,13 +67,13 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
+ else: # pragma: 3.x no cover
+ def _normalize(x):
+ if isinstance(x, dict):
+- return dict((_normalize(k), _normalize(v)) for k, v in x.iteritems())
++ return dict((_normalize(k), _normalize(v)) for k, v in x.items())
+ elif isinstance(x, (list, set)):
+ return [_normalize(element) for element in x]
+- elif isinstance(x, unicode):
++ elif isinstance(x, str):
+ # in 2.x default text_factory is unicode - so return proper unicode here:
+ return x.encode(PREFER_ENC, 'replace').decode(PREFER_ENC)
+- elif isinstance(x, basestring):
++ elif isinstance(x, str):
+ return x.decode(PREFER_ENC, 'replace')
+ return x
+
+diff --git a/fail2ban/server/failmanager.py b/fail2ban/server/failmanager.py
+index 93c028fb..a9c6b5f6 100644
+--- a/fail2ban/server/failmanager.py
++++ b/fail2ban/server/failmanager.py
+@@ -57,7 +57,7 @@ class FailManager:
+ def getFailCount(self):
+ # may be slow on large list of failures, should be used for test purposes only...
+ with self.__lock:
+- return len(self.__failList), sum([f.getRetry() for f in self.__failList.values()])
++ return len(self.__failList), sum([f.getRetry() for f in list(self.__failList.values())])
+
+ def getFailTotal(self):
+ with self.__lock:
+@@ -125,7 +125,7 @@ class FailManager:
+ # in case of having many active failures, it should be ran only
+ # if debug level is "low" enough
+ failures_summary = ', '.join(['%s:%d' % (k, v.getRetry())
+- for k,v in self.__failList.iteritems()])
++ for k,v in self.__failList.items()])
+ logSys.log(logLevel, "Total # of detected failures: %d. Current failures from %d IPs (IP:count): %s"
+ % (self.__failTotal, len(self.__failList), failures_summary))
+
+@@ -138,7 +138,7 @@ class FailManager:
+
+ def cleanup(self, time):
+ with self.__lock:
+- todelete = [fid for fid,item in self.__failList.iteritems() \
++ todelete = [fid for fid,item in self.__failList.items() \
+ if item.getLastTime() + self.__maxTime <= time]
+ if len(todelete) == len(self.__failList):
+ # remove all:
+@@ -152,7 +152,7 @@ class FailManager:
+ del self.__failList[fid]
+ else:
+ # create new dictionary without items to be deleted:
+- self.__failList = dict((fid,item) for fid,item in self.__failList.iteritems() \
++ self.__failList = dict((fid,item) for fid,item in self.__failList.items() \
+ if item.getLastTime() + self.__maxTime > time)
+ self.__bgSvc.service()
+
+diff --git a/fail2ban/server/failregex.py b/fail2ban/server/failregex.py
+index f7dafbef..fb75187d 100644
+--- a/fail2ban/server/failregex.py
++++ b/fail2ban/server/failregex.py
+@@ -128,10 +128,7 @@ class Regex:
+ self._regexObj = re.compile(regex, re.MULTILINE if multiline else 0)
+ self._regex = regex
+ self._altValues = {}
+- for k in filter(
+- lambda k: len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE),
+- self._regexObj.groupindex
+- ):
++ for k in [k for k in self._regexObj.groupindex if len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE)]:
+ n = ALTNAME_CRE.match(k).group(1)
+ self._altValues[k] = n
+ self._altValues = list(self._altValues.items()) if len(self._altValues) else None
+@@ -211,7 +208,7 @@ class Regex:
+ #
+ @staticmethod
+ def _tupleLinesBuf(tupleLines):
+- return "\n".join(map(lambda v: "".join(v[::2]), tupleLines)) + "\n"
++ return "\n".join(["".join(v[::2]) for v in tupleLines]) + "\n"
+
+ ##
+ # Searches the regular expression.
+@@ -223,7 +220,7 @@ class Regex:
+
+ def search(self, tupleLines, orgLines=None):
+ buf = tupleLines
+- if not isinstance(tupleLines, basestring):
++ if not isinstance(tupleLines, str):
+ buf = Regex._tupleLinesBuf(tupleLines)
+ self._matchCache = self._regexObj.search(buf)
+ if self._matchCache:
+diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
+index 998fe298..d181fd38 100644
+--- a/fail2ban/server/filter.py
++++ b/fail2ban/server/filter.py
+@@ -292,7 +292,7 @@ class Filter(JailThread):
+ dd = DateDetector()
+ dd.default_tz = self.__logtimezone
+ if not isinstance(pattern, (list, tuple)):
+- pattern = filter(bool, map(str.strip, re.split('\n+', pattern)))
++ pattern = list(filter(bool, list(map(str.strip, re.split('\n+', pattern)))))
+ for pattern in pattern:
+ dd.appendTemplate(pattern)
+ self.dateDetector = dd
+@@ -987,7 +987,7 @@ class FileFilter(Filter):
+ # @return log paths
+
+ def getLogPaths(self):
+- return self.__logs.keys()
++ return list(self.__logs.keys())
+
+ ##
+ # Get the log containers
+@@ -995,7 +995,7 @@ class FileFilter(Filter):
+ # @return log containers
+
+ def getLogs(self):
+- return self.__logs.values()
++ return list(self.__logs.values())
+
+ ##
+ # Get the count of log containers
+@@ -1021,7 +1021,7 @@ class FileFilter(Filter):
+
+ def setLogEncoding(self, encoding):
+ encoding = super(FileFilter, self).setLogEncoding(encoding)
+- for log in self.__logs.itervalues():
++ for log in self.__logs.values():
+ log.setEncoding(encoding)
+
+ def getLog(self, path):
+@@ -1183,7 +1183,7 @@ class FileFilter(Filter):
+ """Status of Filter plus files being monitored.
+ """
+ ret = super(FileFilter, self).status(flavor=flavor)
+- path = self.__logs.keys()
++ path = list(self.__logs.keys())
+ ret.append(("File list", path))
+ return ret
+
+@@ -1191,7 +1191,7 @@ class FileFilter(Filter):
+ """Stop monitoring of log-file(s)
+ """
+ # stop files monitoring:
+- for path in self.__logs.keys():
++ for path in list(self.__logs.keys()):
+ self.delLogPath(path)
+ # stop thread:
+ super(Filter, self).stop()
+diff --git a/fail2ban/server/filterpoll.py b/fail2ban/server/filterpoll.py
+index 228a2c8b..d49315cc 100644
+--- a/fail2ban/server/filterpoll.py
++++ b/fail2ban/server/filterpoll.py
+@@ -176,4 +176,4 @@ class FilterPoll(FileFilter):
+ return False
+
+ def getPendingPaths(self):
+- return self.__file404Cnt.keys()
++ return list(self.__file404Cnt.keys())
+diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
+index ca6b253f..b683b860 100644
+--- a/fail2ban/server/filterpyinotify.py
++++ b/fail2ban/server/filterpyinotify.py
+@@ -158,7 +158,7 @@ class FilterPyinotify(FileFilter):
+ except KeyError: pass
+
+ def getPendingPaths(self):
+- return self.__pending.keys()
++ return list(self.__pending.keys())
+
+ def _checkPending(self):
+ if not self.__pending:
+@@ -168,7 +168,7 @@ class FilterPyinotify(FileFilter):
+ return
+ found = {}
+ minTime = 60
+- for path, (retardTM, isDir) in self.__pending.iteritems():
++ for path, (retardTM, isDir) in self.__pending.items():
+ if ntm - self.__pendingChkTime < retardTM:
+ if minTime > retardTM: minTime = retardTM
+ continue
+@@ -184,7 +184,7 @@ class FilterPyinotify(FileFilter):
+ self.__pendingChkTime = time.time()
+ self.__pendingMinTime = minTime
+ # process now because we've missed it in monitoring:
+- for path, isDir in found.iteritems():
++ for path, isDir in found.items():
+ self._delPending(path)
+ # refresh monitoring of this:
+ self._refreshWatcher(path, isDir=isDir)
+diff --git a/fail2ban/server/ipdns.py b/fail2ban/server/ipdns.py
+index 6648dac6..fe8f8db8 100644
+--- a/fail2ban/server/ipdns.py
++++ b/fail2ban/server/ipdns.py
+@@ -275,7 +275,7 @@ class IPAddr(object):
+ raise ValueError("invalid ipstr %r, too many plen representation" % (ipstr,))
+ if "." in s[1] or ":" in s[1]: # 255.255.255.0 resp. ffff:: style mask
+ s[1] = IPAddr.masktoplen(s[1])
+- s[1] = long(s[1])
++ s[1] = int(s[1])
+ return s
+
+ def __init(self, ipstr, cidr=CIDR_UNSPEC):
+@@ -309,7 +309,7 @@ class IPAddr(object):
+
+ # mask out host portion if prefix length is supplied
+ if cidr is not None and cidr >= 0:
+- mask = ~(0xFFFFFFFFL >> cidr)
++ mask = ~(0xFFFFFFFF >> cidr)
+ self._addr &= mask
+ self._plen = cidr
+
+@@ -321,13 +321,13 @@ class IPAddr(object):
+
+ # mask out host portion if prefix length is supplied
+ if cidr is not None and cidr >= 0:
+- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> cidr)
++ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> cidr)
+ self._addr &= mask
+ self._plen = cidr
+
+ # if IPv6 address is a IPv4-compatible, make instance a IPv4
+ elif self.isInNet(IPAddr.IP6_4COMPAT):
+- self._addr = lo & 0xFFFFFFFFL
++ self._addr = lo & 0xFFFFFFFF
+ self._family = socket.AF_INET
+ self._plen = 32
+ else:
+@@ -445,7 +445,7 @@ class IPAddr(object):
+ elif self.isIPv6:
+ # convert network to host byte order
+ hi = self._addr >> 64
+- lo = self._addr & 0xFFFFFFFFFFFFFFFFL
++ lo = self._addr & 0xFFFFFFFFFFFFFFFF
+ binary = struct.pack("!QQ", hi, lo)
+ if self._plen and self._plen < 128:
+ add = "/%d" % self._plen
+@@ -503,9 +503,9 @@ class IPAddr(object):
+ if self.family != net.family:
+ return False
+ if self.isIPv4:
+- mask = ~(0xFFFFFFFFL >> net.plen)
++ mask = ~(0xFFFFFFFF >> net.plen)
+ elif self.isIPv6:
+- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> net.plen)
++ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> net.plen)
+ else:
+ return False
+
+@@ -517,7 +517,7 @@ class IPAddr(object):
+ m4 = (1 << 32)-1
+ mmap = {m6: 128, m4: 32, 0: 0}
+ m = 0
+- for i in xrange(0, 128):
++ for i in range(0, 128):
+ m |= 1 << i
+ if i < 32:
+ mmap[m ^ m4] = 32-1-i
+diff --git a/fail2ban/server/jail.py b/fail2ban/server/jail.py
+index ce9968a8..5fa5ef10 100644
+--- a/fail2ban/server/jail.py
++++ b/fail2ban/server/jail.py
+@@ -26,7 +26,7 @@ __license__ = "GPL"
+ import logging
+ import math
+ import random
+-import Queue
++import queue
+
+ from .actions import Actions
+ from ..helpers import getLogger, _as_bool, extractOptions, MyTime
+@@ -76,7 +76,7 @@ class Jail(object):
+ "might not function correctly. Please shorten"
+ % name)
+ self.__name = name
+- self.__queue = Queue.Queue()
++ self.__queue = queue.Queue()
+ self.__filter = None
+ # Extra parameters for increase ban time
+ self._banExtra = {};
+@@ -127,25 +127,25 @@ class Jail(object):
+ "Failed to initialize any backend for Jail %r" % self.name)
+
+ def _initPolling(self, **kwargs):
+- from filterpoll import FilterPoll
++ from .filterpoll import FilterPoll
+ logSys.info("Jail '%s' uses poller %r" % (self.name, kwargs))
+ self.__filter = FilterPoll(self, **kwargs)
+
+ def _initGamin(self, **kwargs):
+ # Try to import gamin
+- from filtergamin import FilterGamin
++ from .filtergamin import FilterGamin
+ logSys.info("Jail '%s' uses Gamin %r" % (self.name, kwargs))
+ self.__filter = FilterGamin(self, **kwargs)
+
+ def _initPyinotify(self, **kwargs):
+ # Try to import pyinotify
+- from filterpyinotify import FilterPyinotify
++ from .filterpyinotify import FilterPyinotify
+ logSys.info("Jail '%s' uses pyinotify %r" % (self.name, kwargs))
+ self.__filter = FilterPyinotify(self, **kwargs)
+
+ def _initSystemd(self, **kwargs): # pragma: systemd no cover
+ # Try to import systemd
+- from filtersystemd import FilterSystemd
++ from .filtersystemd import FilterSystemd
+ logSys.info("Jail '%s' uses systemd %r" % (self.name, kwargs))
+ self.__filter = FilterSystemd(self, **kwargs)
+
+@@ -213,7 +213,7 @@ class Jail(object):
+ try:
+ ticket = self.__queue.get(False)
+ return ticket
+- except Queue.Empty:
++ except queue.Empty:
+ return False
+
+ def setBanTimeExtra(self, opt, value):
+diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py
+index 98b69bd4..24bba5cf 100644
+--- a/fail2ban/server/mytime.py
++++ b/fail2ban/server/mytime.py
+@@ -162,7 +162,7 @@ class MyTime:
+
+ @returns number (calculated seconds from expression "val")
+ """
+- if isinstance(val, (int, long, float, complex)):
++ if isinstance(val, (int, float, complex)):
+ return val
+ # replace together standing abbreviations, example '1d12h' -> '1d 12h':
+ val = MyTime._str2sec_prep.sub(r" \1", val)
+diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py
+index 159f6506..fc948e8c 100644
+--- a/fail2ban/server/server.py
++++ b/fail2ban/server/server.py
+@@ -97,7 +97,7 @@ class Server:
+
+ def start(self, sock, pidfile, force=False, observer=True, conf={}):
+ # First set the mask to only allow access to owner
+- os.umask(0077)
++ os.umask(0o077)
+ # Second daemonize before logging etc, because it will close all handles:
+ if self.__daemon: # pragma: no cover
+ logSys.info("Starting in daemon mode")
+@@ -190,7 +190,7 @@ class Server:
+
+ # Restore default signal handlers:
+ if _thread_name() == '_MainThread':
+- for s, sh in self.__prev_signals.iteritems():
++ for s, sh in self.__prev_signals.items():
+ signal.signal(s, sh)
+
+ # Give observer a small chance to complete its work before exit
+@@ -268,10 +268,10 @@ class Server:
+ logSys.info("Stopping all jails")
+ with self.__lock:
+ # 1st stop all jails (signal and stop actions/filter thread):
+- for name in self.__jails.keys():
++ for name in list(self.__jails.keys()):
+ self.delJail(name, stop=True, join=False)
+ # 2nd wait for end and delete jails:
+- for name in self.__jails.keys():
++ for name in list(self.__jails.keys()):
+ self.delJail(name, stop=False, join=True)
+
+ def reloadJails(self, name, opts, begin):
+@@ -302,7 +302,7 @@ class Server:
+ if "--restart" in opts:
+ self.stopAllJail()
+ # first set all affected jail(s) to idle and reset filter regex and other lists/dicts:
+- for jn, jail in self.__jails.iteritems():
++ for jn, jail in self.__jails.items():
+ if name == '--all' or jn == name:
+ jail.idle = True
+ self.__reload_state[jn] = jail
+@@ -313,7 +313,7 @@ class Server:
+ # end reload, all affected (or new) jails have already all new parameters (via stream) and (re)started:
+ with self.__lock:
+ deljails = []
+- for jn, jail in self.__jails.iteritems():
++ for jn, jail in self.__jails.items():
+ # still in reload state:
+ if jn in self.__reload_state:
+ # remove jails that are not reloaded (untouched, so not in new configuration)
+@@ -513,7 +513,7 @@ class Server:
+ jails = [self.__jails[name]]
+ else:
+ # in all jails:
+- jails = self.__jails.values()
++ jails = list(self.__jails.values())
+ # unban given or all (if value is None):
+ cnt = 0
+ ifexists |= (name is None)
+@@ -551,7 +551,7 @@ class Server:
+ def isAlive(self, jailnum=None):
+ if jailnum is not None and len(self.__jails) != jailnum:
+ return 0
+- for jail in self.__jails.values():
++ for jail in list(self.__jails.values()):
+ if not jail.isAlive():
+ return 0
+ return 1
+@@ -759,7 +759,7 @@ class Server:
+ return "flushed"
+
+ def setThreadOptions(self, value):
+- for o, v in value.iteritems():
++ for o, v in value.items():
+ if o == 'stacksize':
+ threading.stack_size(int(v)*1024)
+ else: # pragma: no cover
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 498d284b..a5579fdc 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -79,7 +79,7 @@ timeRE['ExY'] = r"(?P<Y>%s\d)" % _getYearCentRE(cent=(0,3), distance=3)
+ timeRE['Exy'] = r"(?P<y>%s\d)" % _getYearCentRE(cent=(2,3), distance=3)
+
+ def getTimePatternRE():
+- keys = timeRE.keys()
++ keys = list(timeRE.keys())
+ patt = (r"%%(%%|%s|[%s])" % (
+ "|".join([k for k in keys if len(k) > 1]),
+ "".join([k for k in keys if len(k) == 1]),
+@@ -134,7 +134,7 @@ def zone2offset(tz, dt):
+ """
+ if isinstance(tz, int):
+ return tz
+- if isinstance(tz, basestring):
++ if isinstance(tz, str):
+ return validateTimeZone(tz)
+ tz, tzo = tz
+ if tzo is None or tzo == '': # without offset
+@@ -171,7 +171,7 @@ def reGroupDictStrptime(found_dict, msec=False, default_tz=None):
+ year = month = day = hour = minute = tzoffset = \
+ weekday = julian = week_of_year = None
+ second = fraction = 0
+- for key, val in found_dict.iteritems():
++ for key, val in found_dict.items():
+ if val is None: continue
+ # Directives not explicitly handled below:
+ # c, x, X
+diff --git a/fail2ban/server/ticket.py b/fail2ban/server/ticket.py
+index f67e0d23..f0b727c2 100644
+--- a/fail2ban/server/ticket.py
++++ b/fail2ban/server/ticket.py
+@@ -55,7 +55,7 @@ class Ticket(object):
+ self._time = time if time is not None else MyTime.time()
+ self._data = {'matches': matches or [], 'failures': 0}
+ if data is not None:
+- for k,v in data.iteritems():
++ for k,v in data.items():
+ if v is not None:
+ self._data[k] = v
+ if ticket:
+@@ -89,7 +89,7 @@ class Ticket(object):
+
+ def setIP(self, value):
+ # guarantee using IPAddr instead of unicode, str for the IP
+- if isinstance(value, basestring):
++ if isinstance(value, str):
+ value = IPAddr(value)
+ self._ip = value
+
+@@ -181,7 +181,7 @@ class Ticket(object):
+ if len(args) == 1:
+ # todo: if support >= 2.7 only:
+ # self._data = {k:v for k,v in args[0].iteritems() if v is not None}
+- self._data = dict([(k,v) for k,v in args[0].iteritems() if v is not None])
++ self._data = dict([(k,v) for k,v in args[0].items() if v is not None])
+ # add k,v list or dict (merge):
+ elif len(args) == 2:
+ self._data.update((args,))
+@@ -192,7 +192,7 @@ class Ticket(object):
+ # filter (delete) None values:
+ # todo: if support >= 2.7 only:
+ # self._data = {k:v for k,v in self._data.iteritems() if v is not None}
+- self._data = dict([(k,v) for k,v in self._data.iteritems() if v is not None])
++ self._data = dict([(k,v) for k,v in self._data.items() if v is not None])
+
+ def getData(self, key=None, default=None):
+ # return whole data dict:
+@@ -201,17 +201,17 @@ class Ticket(object):
+ # return default if not exists:
+ if not self._data:
+ return default
+- if not isinstance(key,(str,unicode,type(None),int,float,bool,complex)):
++ if not isinstance(key,(str,type(None),int,float,bool,complex)):
+ # return filtered by lambda/function:
+ if callable(key):
+ # todo: if support >= 2.7 only:
+ # return {k:v for k,v in self._data.iteritems() if key(k)}
+- return dict([(k,v) for k,v in self._data.iteritems() if key(k)])
++ return dict([(k,v) for k,v in self._data.items() if key(k)])
+ # return filtered by keys:
+ if hasattr(key, '__iter__'):
+ # todo: if support >= 2.7 only:
+ # return {k:v for k,v in self._data.iteritems() if k in key}
+- return dict([(k,v) for k,v in self._data.iteritems() if k in key])
++ return dict([(k,v) for k,v in self._data.items() if k in key])
+ # return single value of data:
+ return self._data.get(key, default)
+
+diff --git a/fail2ban/server/transmitter.py b/fail2ban/server/transmitter.py
+index f83e9d5f..80726cb4 100644
+--- a/fail2ban/server/transmitter.py
++++ b/fail2ban/server/transmitter.py
+@@ -475,7 +475,7 @@ class Transmitter:
+ opt = command[1][len("bantime."):]
+ return self.__server.getBanTimeExtra(name, opt)
+ elif command[1] == "actions":
+- return self.__server.getActions(name).keys()
++ return list(self.__server.getActions(name).keys())
+ elif command[1] == "action":
+ actionname = command[2]
+ actionvalue = command[3]
+diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py
+index d4461a7d..13c24e76 100644
+--- a/fail2ban/server/utils.py
++++ b/fail2ban/server/utils.py
+@@ -57,7 +57,7 @@ _RETCODE_HINTS = {
+
+ # Dictionary to lookup signal name from number
+ signame = dict((num, name)
+- for name, num in signal.__dict__.iteritems() if name.startswith("SIG"))
++ for name, num in signal.__dict__.items() if name.startswith("SIG"))
+
+ class Utils():
+ """Utilities provide diverse static methods like executes OS shell commands, etc.
+@@ -109,7 +109,7 @@ class Utils():
+ break
+ else: # pragma: 3.x no cover (dict is in 2.6 only)
+ remlst = []
+- for (ck, cv) in cache.iteritems():
++ for (ck, cv) in cache.items():
+ # if expired:
+ if cv[1] <= t:
+ remlst.append(ck)
+@@ -152,7 +152,7 @@ class Utils():
+ if not isinstance(realCmd, list):
+ realCmd = [realCmd]
+ i = len(realCmd)-1
+- for k, v in varsDict.iteritems():
++ for k, v in varsDict.items():
+ varsStat += "%s=$%s " % (k, i)
+ realCmd.append(v)
+ i += 1
+diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py
+index 013c0fdb..3c35e4d7 100644
+--- a/fail2ban/tests/action_d/test_badips.py
++++ b/fail2ban/tests/action_d/test_badips.py
+@@ -32,7 +32,7 @@ from ..utils import LogCaptureTestCase, CONFIG_DIR
+ if sys.version_info >= (3, ): # pragma: 2.x no cover
+ from urllib.error import HTTPError, URLError
+ else: # pragma: 3.x no cover
+- from urllib2 import HTTPError, URLError
++ from urllib.error import HTTPError, URLError
+
+ def skip_if_not_available(f):
+ """Helper to decorate tests to skip in case of timeout/http-errors like "502 bad gateway".
+diff --git a/fail2ban/tests/actiontestcase.py b/fail2ban/tests/actiontestcase.py
+index 1a00c040..ecd09246 100644
+--- a/fail2ban/tests/actiontestcase.py
++++ b/fail2ban/tests/actiontestcase.py
+@@ -244,14 +244,14 @@ class CommandActionTest(LogCaptureTestCase):
+ setattr(self.__action, 'ab', "<ac>")
+ setattr(self.__action, 'x?family=inet6', "")
+ # produce self-referencing properties except:
+- self.assertRaisesRegexp(ValueError, r"properties contain self referencing definitions",
++ self.assertRaisesRegex(ValueError, r"properties contain self referencing definitions",
+ lambda: self.__action.replaceTag("<a><b>",
+ self.__action._properties, conditional="family=inet4")
+ )
+ # remore self-referencing in props:
+ delattr(self.__action, 'ac')
+ # produce self-referencing query except:
+- self.assertRaisesRegexp(ValueError, r"possible self referencing definitions in query",
++ self.assertRaisesRegex(ValueError, r"possible self referencing definitions in query",
+ lambda: self.__action.replaceTag("<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x>>>>>>>>>>>>>>>>>>>>>",
+ self.__action._properties, conditional="family=inet6")
+ )
+diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
+index 2c1d0a0e..aa7908c4 100644
+--- a/fail2ban/tests/clientreadertestcase.py
++++ b/fail2ban/tests/clientreadertestcase.py
+@@ -390,7 +390,7 @@ class JailReaderTest(LogCaptureTestCase):
+ # And multiple groups (`][` instead of `,`)
+ result = extractOptions(option.replace(',', ']['))
+ expected2 = (expected[0],
+- dict((k, v.replace(',', '][')) for k, v in expected[1].iteritems())
++ dict((k, v.replace(',', '][')) for k, v in expected[1].items())
+ )
+ self.assertEqual(expected2, result)
+
+@@ -975,7 +975,7 @@ filter = testfilter1
+ self.assertEqual(add_actions[-1][-1], "{}")
+
+ def testLogPathFileFilterBackend(self):
+- self.assertRaisesRegexp(ValueError, r"Have not found any log file for .* jail",
++ self.assertRaisesRegex(ValueError, r"Have not found any log file for .* jail",
+ self._testLogPath, backend='polling')
+
+ def testLogPathSystemdBackend(self):
+diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py
+index 9a5e9fa1..562461a6 100644
+--- a/fail2ban/tests/databasetestcase.py
++++ b/fail2ban/tests/databasetestcase.py
+@@ -67,7 +67,7 @@ class DatabaseTest(LogCaptureTestCase):
+
+ @property
+ def db(self):
+- if isinstance(self._db, basestring) and self._db == ':auto-create-in-memory:':
++ if isinstance(self._db, str) and self._db == ':auto-create-in-memory:':
+ self._db = getFail2BanDb(self.dbFilename)
+ return self._db
+ @db.setter
+@@ -159,7 +159,7 @@ class DatabaseTest(LogCaptureTestCase):
+ self.db = Fail2BanDb(self.dbFilename)
+ self.assertEqual(self.db.getJailNames(), set(['DummyJail #29162448 with 0 tickets']))
+ self.assertEqual(self.db.getLogPaths(), set(['/tmp/Fail2BanDb_pUlZJh.log']))
+- ticket = FailTicket("127.0.0.1", 1388009242.26, [u"abc\n"])
++ ticket = FailTicket("127.0.0.1", 1388009242.26, ["abc\n"])
+ self.assertEqual(self.db.getBans()[0], ticket)
+
+ self.assertEqual(self.db.updateDb(Fail2BanDb.__version__), Fail2BanDb.__version__)
+@@ -185,9 +185,9 @@ class DatabaseTest(LogCaptureTestCase):
+ self.assertEqual(len(bans), 2)
+ # compare first ticket completely:
+ ticket = FailTicket("1.2.3.7", 1417595494, [
+- u'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
+- u'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
+- u'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
++ 'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
++ 'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
++ 'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
+ ])
+ ticket.setAttempt(3)
+ self.assertEqual(bans[0], ticket)
+@@ -286,11 +286,11 @@ class DatabaseTest(LogCaptureTestCase):
+ # invalid + valid, invalid + valid unicode, invalid + valid dual converted (like in filter:readline by fallback) ...
+ tickets = [
+ FailTicket("127.0.0.1", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+- FailTicket("127.0.0.2", 0, ['user "test"', u'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
++ FailTicket("127.0.0.2", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+ FailTicket("127.0.0.3", 0, ['user "test"', b'user "\xd1\xe2\xe5\xf2\xe0"', b'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+- FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xe4\xf6\xfc\xdf"']),
++ FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xe4\xf6\xfc\xdf"']),
+ FailTicket("127.0.0.5", 0, ['user "test"', 'unterminated \xcf']),
+- FailTicket("127.0.0.6", 0, ['user "test"', u'unterminated \xcf']),
++ FailTicket("127.0.0.6", 0, ['user "test"', 'unterminated \xcf']),
+ FailTicket("127.0.0.7", 0, ['user "test"', b'unterminated \xcf'])
+ ]
+ for ticket in tickets:
+diff --git a/fail2ban/tests/datedetectortestcase.py b/fail2ban/tests/datedetectortestcase.py
+index 458f76ef..49ada60d 100644
+--- a/fail2ban/tests/datedetectortestcase.py
++++ b/fail2ban/tests/datedetectortestcase.py
+@@ -279,7 +279,7 @@ class DateDetectorTest(LogCaptureTestCase):
+ self.assertEqual(logTime, mu)
+ self.assertEqual(logMatch.group(1), '2012/10/11 02:37:17')
+ # confuse it with year being at the end
+- for i in xrange(10):
++ for i in range(10):
+ ( logTime, logMatch ) = self.datedetector.getTime('11/10/2012 02:37:17 [error] 18434#0')
+ self.assertEqual(logTime, mu)
+ self.assertEqual(logMatch.group(1), '11/10/2012 02:37:17')
+@@ -505,7 +505,7 @@ class CustomDateFormatsTest(unittest.TestCase):
+ date = dd.getTime(line)
+ if matched:
+ self.assertTrue(date)
+- if isinstance(matched, basestring):
++ if isinstance(matched, str):
+ self.assertEqual(matched, date[1].group(1))
+ else:
+ self.assertEqual(matched, date[0])
+@@ -537,7 +537,7 @@ class CustomDateFormatsTest(unittest.TestCase):
+ date = dd.getTime(line)
+ if matched:
+ self.assertTrue(date)
+- if isinstance(matched, basestring): # pragma: no cover
++ if isinstance(matched, str): # pragma: no cover
+ self.assertEqual(matched, date[1].group(1))
+ else:
+ self.assertEqual(matched, date[0])
+diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py
+index 95f73ed3..bba354fa 100644
+--- a/fail2ban/tests/fail2banclienttestcase.py
++++ b/fail2ban/tests/fail2banclienttestcase.py
+@@ -367,10 +367,10 @@ def with_foreground_server_thread(startextra={}):
+ # several commands to server in body of decorated function:
+ return f(self, tmp, startparams, *args, **kwargs)
+ except Exception as e: # pragma: no cover
+- print('=== Catch an exception: %s' % e)
++ print(('=== Catch an exception: %s' % e))
+ log = self.getLog()
+ if log:
+- print('=== Error of server, log: ===\n%s===' % log)
++ print(('=== Error of server, log: ===\n%s===' % log))
+ self.pruneLog()
+ raise
+ finally:
+@@ -440,7 +440,7 @@ class Fail2banClientServerBase(LogCaptureTestCase):
+ )
+ except: # pragma: no cover
+ if _inherited_log(startparams):
+- print('=== Error by wait fot server, log: ===\n%s===' % self.getLog())
++ print(('=== Error by wait fot server, log: ===\n%s===' % self.getLog()))
+ self.pruneLog()
+ log = pjoin(tmp, "f2b.log")
+ if isfile(log):
+@@ -1610,6 +1610,6 @@ class Fail2banServerTest(Fail2banClientServerBase):
+ self.stopAndWaitForServerEnd(SUCCESS)
+
+ def testServerStartStop(self):
+- for i in xrange(2000):
++ for i in range(2000):
+ self._testServerStartStop()
+
+diff --git a/fail2ban/tests/failmanagertestcase.py b/fail2ban/tests/failmanagertestcase.py
+index a5425286..2a94cc82 100644
+--- a/fail2ban/tests/failmanagertestcase.py
++++ b/fail2ban/tests/failmanagertestcase.py
+@@ -45,11 +45,11 @@ class AddFailure(unittest.TestCase):
+ super(AddFailure, self).tearDown()
+
+ def _addDefItems(self):
+- self.__items = [[u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
++ self.__items = [['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+diff --git a/fail2ban/tests/files/config/apache-auth/digest.py b/fail2ban/tests/files/config/apache-auth/digest.py
+index 03588594..e2297ab3 100755
+--- a/fail2ban/tests/files/config/apache-auth/digest.py
++++ b/fail2ban/tests/files/config/apache-auth/digest.py
+@@ -41,7 +41,7 @@ def auth(v):
+ response="%s"
+ """ % ( username, algorithm, realm, url, nonce, qop, response )
+ # opaque="%s",
+- print(p.method, p.url, p.headers)
++ print((p.method, p.url, p.headers))
+ s = requests.Session()
+ return s.send(p)
+
+@@ -76,18 +76,18 @@ r = auth(v)
+
+ # [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
+
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ v['algorithm'] = algorithm
+
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ nonce = v['nonce']
+ v['nonce']=v['nonce'][5:-5]
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ # [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
+
+@@ -95,7 +95,7 @@ print(r.status_code,r.headers, r.text)
+ v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ #[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
+
+@@ -107,7 +107,7 @@ import time
+ time.sleep(1)
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ # Obtained by putting the following code in modules/aaa/mod_auth_digest.c
+ # in the function initialize_secret
+@@ -137,7 +137,7 @@ s = sha.sha(apachesecret)
+
+ v=preauth()
+
+-print(v['nonce'])
++print((v['nonce']))
+ realm = v['Digest realm'][1:-1]
+
+ (t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
+@@ -156,13 +156,13 @@ print(v)
+
+ r = auth(v)
+ #[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ url='/digest_onetime/'
+ v=preauth()
+
+ # Need opaque header handling in auth
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
+index 35785a58..8eeb6902 100644
+--- a/fail2ban/tests/filtertestcase.py
++++ b/fail2ban/tests/filtertestcase.py
+@@ -22,7 +22,7 @@
+ __copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko"
+ __license__ = "GPL"
+
+-from __builtin__ import open as fopen
++from builtins import open as fopen
+ import unittest
+ import os
+ import re
+@@ -204,7 +204,7 @@ def _copy_lines_between_files(in_, fout, n=None, skip=0, mode='a', terminal_line
+ else:
+ fin = in_
+ # Skip
+- for i in xrange(skip):
++ for i in range(skip):
+ fin.readline()
+ # Read
+ i = 0
+@@ -244,7 +244,7 @@ def _copy_lines_to_journal(in_, fields={},n=None, skip=0, terminal_line=""): # p
+ # Required for filtering
+ fields.update(TEST_JOURNAL_FIELDS)
+ # Skip
+- for i in xrange(skip):
++ for i in range(skip):
+ fin.readline()
+ # Read/Write
+ i = 0
+@@ -306,18 +306,18 @@ class BasicFilter(unittest.TestCase):
+ def testTest_tm(self):
+ unittest.F2B.SkipIfFast()
+ ## test function "_tm" works correct (returns the same as slow strftime):
+- for i in xrange(1417512352, (1417512352 // 3600 + 3) * 3600):
++ for i in range(1417512352, (1417512352 // 3600 + 3) * 3600):
+ tm = MyTime.time2str(i)
+ if _tm(i) != tm: # pragma: no cover - never reachable
+ self.assertEqual((_tm(i), i), (tm, i))
+
+ def testWrongCharInTupleLine(self):
+ ## line tuple has different types (ascii after ascii / unicode):
+- for a1 in ('', u'', b''):
+- for a2 in ('2016-09-05T20:18:56', u'2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
++ for a1 in ('', '', b''):
++ for a2 in ('2016-09-05T20:18:56', '2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
+ for a3 in (
+ 'Fail for "g\xc3\xb6ran" from 192.0.2.1',
+- u'Fail for "g\xc3\xb6ran" from 192.0.2.1',
++ 'Fail for "g\xc3\xb6ran" from 192.0.2.1',
+ b'Fail for "g\xc3\xb6ran" from 192.0.2.1'
+ ):
+ # join should work if all arguments have the same type:
+@@ -435,7 +435,7 @@ class IgnoreIP(LogCaptureTestCase):
+
+ def testAddAttempt(self):
+ self.filter.setMaxRetry(3)
+- for i in xrange(1, 1+3):
++ for i in range(1, 1+3):
+ self.filter.addAttempt('192.0.2.1')
+ self.assertLogged('Attempt 192.0.2.1', '192.0.2.1:%d' % i, all=True, wait=True)
+ self.jail.actions._Actions__checkBan()
+@@ -472,7 +472,7 @@ class IgnoreIP(LogCaptureTestCase):
+ # like both test-cases above, just cached (so once per key)...
+ self.filter.ignoreCache = {"key":"<ip>"}
+ self.filter.ignoreCommand = 'if [ "<ip>" = "10.0.0.1" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList("10.0.0.1"))
+ self.assertFalse(self.filter.inIgnoreIPList("10.0.0.0"))
+@@ -483,7 +483,7 @@ class IgnoreIP(LogCaptureTestCase):
+ # by host of IP:
+ self.filter.ignoreCache = {"key":"<ip-host>"}
+ self.filter.ignoreCommand = 'if [ "<ip-host>" = "test-host" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList(FailTicket("2001:db8::1")))
+ self.assertFalse(self.filter.inIgnoreIPList(FailTicket("2001:db8::ffff")))
+@@ -495,7 +495,7 @@ class IgnoreIP(LogCaptureTestCase):
+ self.filter.ignoreCache = {"key":"<F-USER>", "max-count":"10", "max-time":"1h"}
+ self.assertEqual(self.filter.ignoreCache, ["<F-USER>", 10, 60*60])
+ self.filter.ignoreCommand = 'if [ "<F-USER>" = "tester" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList(FailTicket("tester", data={'user': 'tester'})))
+ self.assertFalse(self.filter.inIgnoreIPList(FailTicket("root", data={'user': 'root'})))
+@@ -644,7 +644,7 @@ class LogFileFilterPoll(unittest.TestCase):
+ fc = FileContainer(fname, self.filter.getLogEncoding())
+ fc.open()
+ # no time - nothing should be found :
+- for i in xrange(10):
++ for i in range(10):
+ f.write("[sshd] error: PAM: failure len 1\n")
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+@@ -718,14 +718,14 @@ class LogFileFilterPoll(unittest.TestCase):
+ # variable length of file (ca 45K or 450K before and hereafter):
+ # write lines with smaller as search time:
+ t = time - count - 1
+- for i in xrange(count):
++ for i in range(count):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
+ t += 1
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+ self.assertEqual(fc.getPos(), 47*count)
+ # write lines with exact search time:
+- for i in xrange(10):
++ for i in range(10):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(time))
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+@@ -734,8 +734,8 @@ class LogFileFilterPoll(unittest.TestCase):
+ self.assertEqual(fc.getPos(), 47*count)
+ # write lines with greater as search time:
+ t = time+1
+- for i in xrange(count//500):
+- for j in xrange(500):
++ for i in range(count//500):
++ for j in range(500):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
+ t += 1
+ f.flush()
+@@ -1488,10 +1488,10 @@ def get_monitor_failures_journal_testcase(Filter_): # pragma: systemd no cover
+ # Add direct utf, unicode, blob:
+ for l in (
+ "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
+- u"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
++ "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
+ b"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1".decode('utf-8', 'replace'),
+ "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
+- u"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
++ "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
+ b"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2".decode('utf-8', 'replace')
+ ):
+ fields = self.journal_fields
+@@ -1520,7 +1520,7 @@ class GetFailures(LogCaptureTestCase):
+
+ # so that they could be reused by other tests
+ FAILURES_01 = ('193.168.0.128', 3, 1124013599.0,
+- [u'Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
++ ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
+
+ def setUp(self):
+ """Call before every test case."""
+@@ -1595,8 +1595,8 @@ class GetFailures(LogCaptureTestCase):
+
+ def testGetFailures02(self):
+ output = ('141.3.81.106', 4, 1124013539.0,
+- [u'Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
+- % m for m in 53, 54, 57, 58])
++ ['Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
++ % m for m in (53, 54, 57, 58)])
+
+ self.filter.addLogPath(GetFailures.FILENAME_02, autoSeek=0)
+ self.filter.addFailRegex(r"Failed .* from <HOST>")
+@@ -1691,17 +1691,17 @@ class GetFailures(LogCaptureTestCase):
+ # We should still catch failures with usedns = no ;-)
+ output_yes = (
+ ('93.184.216.34', 2, 1124013539.0,
+- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
+- u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
++ 'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
+ ),
+ ('2606:2800:220:1:248:1893:25c8:1946', 1, 1124013299.0,
+- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
+ ),
+ )
+
+ output_no = (
+ ('93.184.216.34', 1, 1124013539.0,
+- [u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
++ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
+ )
+ )
+
+@@ -1807,9 +1807,9 @@ class DNSUtilsTests(unittest.TestCase):
+ self.assertTrue(c.get('a') is None)
+ self.assertEqual(c.get('a', 'test'), 'test')
+ # exact 5 elements :
+- for i in xrange(5):
++ for i in range(5):
+ c.set(i, i)
+- for i in xrange(5):
++ for i in range(5):
+ self.assertEqual(c.get(i), i)
+ # remove unavailable key:
+ c.unset('a'); c.unset('a')
+@@ -1817,30 +1817,30 @@ class DNSUtilsTests(unittest.TestCase):
+ def testCacheMaxSize(self):
+ c = Utils.Cache(maxCount=5, maxTime=60)
+ # exact 5 elements :
+- for i in xrange(5):
++ for i in range(5):
+ c.set(i, i)
+- self.assertEqual([c.get(i) for i in xrange(5)], [i for i in xrange(5)])
+- self.assertNotIn(-1, (c.get(i, -1) for i in xrange(5)))
++ self.assertEqual([c.get(i) for i in range(5)], [i for i in range(5)])
++ self.assertNotIn(-1, (c.get(i, -1) for i in range(5)))
+ # add one - too many:
+ c.set(10, i)
+ # one element should be removed :
+- self.assertIn(-1, (c.get(i, -1) for i in xrange(5)))
++ self.assertIn(-1, (c.get(i, -1) for i in range(5)))
+ # test max size (not expired):
+- for i in xrange(10):
++ for i in range(10):
+ c.set(i, 1)
+ self.assertEqual(len(c), 5)
+
+ def testCacheMaxTime(self):
+ # test max time (expired, timeout reached) :
+ c = Utils.Cache(maxCount=5, maxTime=0.0005)
+- for i in xrange(10):
++ for i in range(10):
+ c.set(i, 1)
+ st = time.time()
+ self.assertTrue(Utils.wait_for(lambda: time.time() >= st + 0.0005, 1))
+ # we have still 5 elements (or fewer if too slow test mashine):
+ self.assertTrue(len(c) <= 5)
+ # but all that are expiered also:
+- for i in xrange(10):
++ for i in range(10):
+ self.assertTrue(c.get(i) is None)
+ # here the whole cache should be empty:
+ self.assertEqual(len(c), 0)
+@@ -1861,7 +1861,7 @@ class DNSUtilsTests(unittest.TestCase):
+ c = count
+ while c:
+ c -= 1
+- s = xrange(0, 256, 1) if forw else xrange(255, -1, -1)
++ s = range(0, 256, 1) if forw else range(255, -1, -1)
+ if random: shuffle([i for i in s])
+ for i in s:
+ IPAddr('192.0.2.'+str(i), IPAddr.FAM_IPv4)
+@@ -1983,15 +1983,15 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+
+ def testAddr2bin(self):
+ res = IPAddr('10.0.0.0')
+- self.assertEqual(res.addr, 167772160L)
++ self.assertEqual(res.addr, 167772160)
+ res = IPAddr('10.0.0.0', cidr=None)
+- self.assertEqual(res.addr, 167772160L)
+- res = IPAddr('10.0.0.0', cidr=32L)
+- self.assertEqual(res.addr, 167772160L)
+- res = IPAddr('10.0.0.1', cidr=32L)
+- self.assertEqual(res.addr, 167772161L)
+- res = IPAddr('10.0.0.1', cidr=31L)
+- self.assertEqual(res.addr, 167772160L)
++ self.assertEqual(res.addr, 167772160)
++ res = IPAddr('10.0.0.0', cidr=32)
++ self.assertEqual(res.addr, 167772160)
++ res = IPAddr('10.0.0.1', cidr=32)
++ self.assertEqual(res.addr, 167772161)
++ res = IPAddr('10.0.0.1', cidr=31)
++ self.assertEqual(res.addr, 167772160)
+
+ self.assertEqual(IPAddr('10.0.0.0').hexdump, '0a000000')
+ self.assertEqual(IPAddr('1::2').hexdump, '00010000000000000000000000000002')
+@@ -2067,9 +2067,9 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ '93.184.216.34': 'ip4-test',
+ '2606:2800:220:1:248:1893:25c8:1946': 'ip6-test'
+ }
+- d2 = dict([(IPAddr(k), v) for k, v in d.iteritems()])
+- self.assertTrue(isinstance(d.keys()[0], basestring))
+- self.assertTrue(isinstance(d2.keys()[0], IPAddr))
++ d2 = dict([(IPAddr(k), v) for k, v in d.items()])
++ self.assertTrue(isinstance(list(d.keys())[0], str))
++ self.assertTrue(isinstance(list(d2.keys())[0], IPAddr))
+ self.assertEqual(d.get(ip4[2], ''), 'ip4-test')
+ self.assertEqual(d.get(ip6[2], ''), 'ip6-test')
+ self.assertEqual(d2.get(str(ip4[2]), ''), 'ip4-test')
+diff --git a/fail2ban/tests/misctestcase.py b/fail2ban/tests/misctestcase.py
+index 9b986f53..94f7a8de 100644
+--- a/fail2ban/tests/misctestcase.py
++++ b/fail2ban/tests/misctestcase.py
+@@ -29,9 +29,9 @@ import tempfile
+ import shutil
+ import fnmatch
+ from glob import glob
+-from StringIO import StringIO
++from io import StringIO
+
+-from utils import LogCaptureTestCase, logSys as DefLogSys
++from .utils import LogCaptureTestCase, logSys as DefLogSys
+
+ from ..helpers import formatExceptionInfo, mbasename, TraceBack, FormatterWithTraceBack, getLogger, \
+ splitwords, uni_decode, uni_string
+@@ -67,7 +67,7 @@ class HelpersTest(unittest.TestCase):
+ self.assertEqual(splitwords(' 1\n 2'), ['1', '2'])
+ self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3'])
+ # string as unicode:
+- self.assertEqual(splitwords(u' 1\n 2, 3'), ['1', '2', '3'])
++ self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3'])
+
+
+ if sys.version_info >= (2,7):
+@@ -197,11 +197,11 @@ class TestsUtilsTest(LogCaptureTestCase):
+
+ def testUniConverters(self):
+ self.assertRaises(Exception, uni_decode,
+- (b'test' if sys.version_info >= (3,) else u'test'), 'f2b-test::non-existing-encoding')
+- uni_decode((b'test\xcf' if sys.version_info >= (3,) else u'test\xcf'))
++ (b'test' if sys.version_info >= (3,) else 'test'), 'f2b-test::non-existing-encoding')
++ uni_decode((b'test\xcf' if sys.version_info >= (3,) else 'test\xcf'))
+ uni_string(b'test\xcf')
+ uni_string('test\xcf')
+- uni_string(u'test\xcf')
++ uni_string('test\xcf')
+
+ def testSafeLogging(self):
+ # logging should be exception-safe, to avoid possible errors (concat, str. conversion, representation failures, etc)
+@@ -213,7 +213,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ if self.err:
+ raise Exception('no represenation for test!')
+ else:
+- return u'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
++ return 'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
+ test = Test()
+ logSys.log(logging.NOTICE, "test 1a: %r", test)
+ self.assertLogged("Traceback", "no represenation for test!")
+@@ -261,7 +261,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ func_raise()
+
+ try:
+- print deep_function(3)
++ print(deep_function(3))
+ except ValueError:
+ s = tb()
+
+@@ -278,7 +278,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ self.assertIn(':', s)
+
+ def _testAssertionErrorRE(self, regexp, fun, *args, **kwargs):
+- self.assertRaisesRegexp(AssertionError, regexp, fun, *args, **kwargs)
++ self.assertRaisesRegex(AssertionError, regexp, fun, *args, **kwargs)
+
+ def testExtendedAssertRaisesRE(self):
+ ## test _testAssertionErrorRE several fail cases:
+@@ -316,13 +316,13 @@ class TestsUtilsTest(LogCaptureTestCase):
+ self._testAssertionErrorRE(r"'a' unexpectedly found in 'cba'",
+ self.assertNotIn, 'a', 'cba')
+ self._testAssertionErrorRE(r"1 unexpectedly found in \[0, 1, 2\]",
+- self.assertNotIn, 1, xrange(3))
++ self.assertNotIn, 1, range(3))
+ self._testAssertionErrorRE(r"'A' unexpectedly found in \['C', 'A'\]",
+ self.assertNotIn, 'A', (c.upper() for c in 'cba' if c != 'b'))
+ self._testAssertionErrorRE(r"'a' was not found in 'xyz'",
+ self.assertIn, 'a', 'xyz')
+ self._testAssertionErrorRE(r"5 was not found in \[0, 1, 2\]",
+- self.assertIn, 5, xrange(3))
++ self.assertIn, 5, range(3))
+ self._testAssertionErrorRE(r"'A' was not found in \['C', 'B'\]",
+ self.assertIn, 'A', (c.upper() for c in 'cba' if c != 'a'))
+ ## assertLogged, assertNotLogged positive case:
+diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py
+index 8e944454..ed520286 100644
+--- a/fail2ban/tests/observertestcase.py
++++ b/fail2ban/tests/observertestcase.py
+@@ -69,7 +69,7 @@ class BanTimeIncr(LogCaptureTestCase):
+ a.setBanTimeExtra('multipliers', multipliers)
+ # test algorithm and max time 24 hours :
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
+ )
+ # with extra large max time (30 days):
+@@ -81,38 +81,38 @@ class BanTimeIncr(LogCaptureTestCase):
+ if multcnt < 11:
+ arr = arr[0:multcnt-1] + ([arr[multcnt-2]] * (11-multcnt))
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ arr
+ )
+ a.setBanTimeExtra('maxtime', '1d')
+ # change factor :
+ a.setBanTimeExtra('factor', '2');
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400, 86400]
+ )
+ # factor is float :
+ a.setBanTimeExtra('factor', '1.33');
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1596, 3192, 6384, 12768, 25536, 51072, 86400, 86400, 86400, 86400]
+ )
+ a.setBanTimeExtra('factor', None);
+ # change max time :
+ a.setBanTimeExtra('maxtime', '12h')
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ ## test randomization - not possibe all 10 times we have random = 0:
+ a.setBanTimeExtra('rndtime', '5m')
+ self.assertTrue(
+- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
+ )
+ a.setBanTimeExtra('rndtime', None)
+ self.assertFalse(
+- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
+ )
+ # restore default:
+ a.setBanTimeExtra('multipliers', None)
+@@ -124,7 +124,7 @@ class BanTimeIncr(LogCaptureTestCase):
+ # this multipliers has the same values as default formula, we test stop growing after count 9:
+ self.testDefault('1 2 4 8 16 32 64 128 256')
+ # this multipliers has exactly the same values as default formula, test endless growing (stops by count 31 only):
+- self.testDefault(' '.join([str(1<<i) for i in xrange(31)]))
++ self.testDefault(' '.join([str(1<<i) for i in range(31)]))
+
+ def testFormula(self):
+ a = self.__jail;
+@@ -136,38 +136,38 @@ class BanTimeIncr(LogCaptureTestCase):
+ a.setBanTimeExtra('multipliers', None)
+ # test algorithm and max time 24 hours :
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
+ )
+ # with extra large max time (30 days):
+ a.setBanTimeExtra('maxtime', '30d')
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 153601, 307203, 614407]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ # change factor :
+ a.setBanTimeExtra('factor', '1');
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1630, 4433, 12051, 32758, 86400, 86400, 86400, 86400, 86400, 86400]
+ )
+ a.setBanTimeExtra('factor', '2.0 / 2.885385')
+ # change max time :
+ a.setBanTimeExtra('maxtime', '12h')
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ ## test randomization - not possibe all 10 times we have random = 0:
+ a.setBanTimeExtra('rndtime', '5m')
+ self.assertTrue(
+- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
+ )
+ a.setBanTimeExtra('rndtime', None)
+ self.assertFalse(
+- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
+ )
+ # restore default:
+ a.setBanTimeExtra('factor', None);
+@@ -230,7 +230,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ ticket = FailTicket(ip, stime, [])
+ # test ticket not yet found
+ self.assertEqual(
+- [self.incrBanTime(ticket, 10) for i in xrange(3)],
++ [self.incrBanTime(ticket, 10) for i in range(3)],
+ [10, 10, 10]
+ )
+ # add a ticket banned
+@@ -285,7 +285,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ )
+ # increase ban multiple times:
+ lastBanTime = 20
+- for i in xrange(10):
++ for i in range(10):
+ ticket.setTime(stime + lastBanTime + 5)
+ banTime = self.incrBanTime(ticket, 10)
+ self.assertEqual(banTime, lastBanTime * 2)
+@@ -481,7 +481,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ ticket = FailTicket(ip, stime-120, [])
+ failManager = FailManager()
+ failManager.setMaxRetry(3)
+- for i in xrange(3):
++ for i in range(3):
+ failManager.addFailure(ticket)
+ obs.add('failureFound', failManager, jail, ticket)
+ obs.wait_empty(5)
+diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py
+index 0bbd05f5..479b564a 100644
+--- a/fail2ban/tests/samplestestcase.py
++++ b/fail2ban/tests/samplestestcase.py
+@@ -138,7 +138,7 @@ class FilterSamplesRegex(unittest.TestCase):
+
+ @staticmethod
+ def _filterOptions(opts):
+- return dict((k, v) for k, v in opts.iteritems() if not k.startswith('test.'))
++ return dict((k, v) for k, v in opts.items() if not k.startswith('test.'))
+
+ def testSampleRegexsFactory(name, basedir):
+ def testFilter(self):
+@@ -249,10 +249,10 @@ def testSampleRegexsFactory(name, basedir):
+ self.assertTrue(faildata.get('match', False),
+ "Line matched when shouldn't have")
+ self.assertEqual(len(ret), 1,
+- "Multiple regexs matched %r" % (map(lambda x: x[0], ret)))
++ "Multiple regexs matched %r" % ([x[0] for x in ret]))
+
+ # Verify match captures (at least fid/host) and timestamp as expected
+- for k, v in faildata.iteritems():
++ for k, v in faildata.items():
+ if k not in ("time", "match", "desc", "filter"):
+ fv = fail.get(k, None)
+ if fv is None:
+@@ -294,7 +294,7 @@ def testSampleRegexsFactory(name, basedir):
+ '\n'.join(pprint.pformat(fail).splitlines())))
+
+ # check missing samples for regex using each filter-options combination:
+- for fltName, flt in self._filters.iteritems():
++ for fltName, flt in self._filters.items():
+ flt, regexsUsedIdx = flt
+ regexList = flt.getFailRegex()
+ for failRegexIndex, failRegex in enumerate(regexList):
+diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
+index 55e72455..7925ab1e 100644
+--- a/fail2ban/tests/servertestcase.py
++++ b/fail2ban/tests/servertestcase.py
+@@ -124,14 +124,14 @@ class TransmitterBase(LogCaptureTestCase):
+ self.transm.proceed(["get", jail, cmd]), (0, []))
+ for n, value in enumerate(values):
+ ret = self.transm.proceed(["set", jail, cmdAdd, value])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
+ ret = self.transm.proceed(["get", jail, cmd])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
+ for n, value in enumerate(values):
+ ret = self.transm.proceed(["set", jail, cmdDel, value])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
+ ret = self.transm.proceed(["get", jail, cmd])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
+
+ def jailAddDelRegexTest(self, cmd, inValues, outValues, jail):
+ cmdAdd = "add" + cmd
+@@ -930,7 +930,7 @@ class TransmitterLogging(TransmitterBase):
+
+ def testLogTarget(self):
+ logTargets = []
+- for _ in xrange(3):
++ for _ in range(3):
+ tmpFile = tempfile.mkstemp("fail2ban", "transmitter")
+ logTargets.append(tmpFile[1])
+ os.close(tmpFile[0])
+@@ -1003,26 +1003,26 @@ class TransmitterLogging(TransmitterBase):
+ self.assertEqual(self.transm.proceed(["flushlogs"]), (0, "rolled over"))
+ l.warning("After flushlogs")
+ with open(fn2,'r') as f:
+- line1 = f.next()
++ line1 = next(f)
+ if line1.find('Changed logging target to') >= 0:
+- line1 = f.next()
++ line1 = next(f)
+ self.assertTrue(line1.endswith("Before file moved\n"))
+- line2 = f.next()
++ line2 = next(f)
+ self.assertTrue(line2.endswith("After file moved\n"))
+ try:
+- n = f.next()
++ n = next(f)
+ if n.find("Command: ['flushlogs']") >=0:
+- self.assertRaises(StopIteration, f.next)
++ self.assertRaises(StopIteration, f.__next__)
+ else:
+ self.fail("Exception StopIteration or Command: ['flushlogs'] expected. Got: %s" % n)
+ except StopIteration:
+ pass # on higher debugging levels this is expected
+ with open(fn,'r') as f:
+- line1 = f.next()
++ line1 = next(f)
+ if line1.find('rollover performed on') >= 0:
+- line1 = f.next()
++ line1 = next(f)
+ self.assertTrue(line1.endswith("After flushlogs\n"))
+- self.assertRaises(StopIteration, f.next)
++ self.assertRaises(StopIteration, f.__next__)
+ f.close()
+ finally:
+ os.remove(fn2)
+@@ -1185,7 +1185,7 @@ class LoggingTests(LogCaptureTestCase):
+ os.remove(f)
+
+
+-from clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
++from .clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
+
+ class ServerConfigReaderTests(LogCaptureTestCase):
+
+diff --git a/fail2ban/tests/sockettestcase.py b/fail2ban/tests/sockettestcase.py
+index 69bf8d8b..60f49e57 100644
+--- a/fail2ban/tests/sockettestcase.py
++++ b/fail2ban/tests/sockettestcase.py
+@@ -153,7 +153,7 @@ class Socket(LogCaptureTestCase):
+ org_handler = RequestHandler.found_terminator
+ try:
+ RequestHandler.found_terminator = lambda self: self.close()
+- self.assertRaisesRegexp(RuntimeError, r"socket connection broken",
++ self.assertRaisesRegex(RuntimeError, r"socket connection broken",
+ lambda: client.send(testMessage, timeout=unittest.F2B.maxWaitTime(10)))
+ finally:
+ RequestHandler.found_terminator = org_handler
+diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
+index fcfddba7..cb234e0d 100644
+--- a/fail2ban/tests/utils.py
++++ b/fail2ban/tests/utils.py
+@@ -35,7 +35,7 @@ import time
+ import threading
+ import unittest
+
+-from cStringIO import StringIO
++from io import StringIO
+ from functools import wraps
+
+ from ..helpers import getLogger, str2LogLevel, getVerbosityFormat, uni_decode
+@@ -174,8 +174,8 @@ def initProcess(opts):
+
+ # Let know the version
+ if opts.verbosity != 0:
+- print("Fail2ban %s test suite. Python %s. Please wait..." \
+- % (version, str(sys.version).replace('\n', '')))
++ print(("Fail2ban %s test suite. Python %s. Please wait..." \
++ % (version, str(sys.version).replace('\n', ''))))
+
+ return opts;
+
+@@ -322,7 +322,7 @@ def initTests(opts):
+ c = DNSUtils.CACHE_ipToName
+ # increase max count and max time (too many entries, long time testing):
+ c.setOptions(maxCount=10000, maxTime=5*60)
+- for i in xrange(256):
++ for i in range(256):
+ c.set('192.0.2.%s' % i, None)
+ c.set('198.51.100.%s' % i, None)
+ c.set('203.0.113.%s' % i, None)
+@@ -541,8 +541,8 @@ def gatherTests(regexps=None, opts=None):
+ import difflib, pprint
+ if not hasattr(unittest.TestCase, 'assertDictEqual'):
+ def assertDictEqual(self, d1, d2, msg=None):
+- self.assert_(isinstance(d1, dict), 'First argument is not a dictionary')
+- self.assert_(isinstance(d2, dict), 'Second argument is not a dictionary')
++ self.assertTrue(isinstance(d1, dict), 'First argument is not a dictionary')
++ self.assertTrue(isinstance(d2, dict), 'Second argument is not a dictionary')
+ if d1 != d2:
+ standardMsg = '%r != %r' % (d1, d2)
+ diff = ('\n' + '\n'.join(difflib.ndiff(
+@@ -560,7 +560,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
+ # used to recognize having element as nested dict, list or tuple:
+ def _is_nested(v):
+ if isinstance(v, dict):
+- return any(isinstance(v, (dict, list, tuple)) for v in v.itervalues())
++ return any(isinstance(v, (dict, list, tuple)) for v in v.values())
+ return any(isinstance(v, (dict, list, tuple)) for v in v)
+ # level comparison routine:
+ def _assertSortedEqual(a, b, level, nestedOnly, key):
+@@ -573,7 +573,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
+ return
+ raise ValueError('%r != %r' % (a, b))
+ if isinstance(a, dict) and isinstance(b, dict): # compare dict's:
+- for k, v1 in a.iteritems():
++ for k, v1 in a.items():
+ v2 = b[k]
+ if isinstance(v1, (dict, list, tuple)) and isinstance(v2, (dict, list, tuple)):
+ _assertSortedEqual(v1, v2, level-1 if level != 0 else 0, nestedOnly, key)
+@@ -608,14 +608,14 @@ if not hasattr(unittest.TestCase, 'assertRaisesRegexp'):
+ self.fail('\"%s\" does not match \"%s\"' % (regexp, e))
+ else:
+ self.fail('%s not raised' % getattr(exccls, '__name__'))
+- unittest.TestCase.assertRaisesRegexp = assertRaisesRegexp
++ unittest.TestCase.assertRaisesRegex = assertRaisesRegexp
+
+ # always custom following methods, because we use atm better version of both (support generators)
+ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
+ def assertIn(self, a, b, msg=None):
+ bb = b
+ wrap = False
+- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
++ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
+ b, bb = itertools.tee(b)
+ wrap = True
+ if a not in b:
+@@ -626,7 +626,7 @@ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
+ def assertNotIn(self, a, b, msg=None):
+ bb = b
+ wrap = False
+- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
++ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
+ b, bb = itertools.tee(b)
+ wrap = True
+ if a in b:
+diff --git a/setup.py b/setup.py
+deleted file mode 100755
+index ce1eedf6..00000000
+--- a/setup.py
++++ /dev/null
+@@ -1,326 +0,0 @@
+-#!/usr/bin/env python
+-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+-# vi: set ft=python sts=4 ts=4 sw=4 noet :
+-
+-# This file is part of Fail2Ban.
+-#
+-# Fail2Ban is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 2 of the License, or
+-# (at your option) any later version.
+-#
+-# Fail2Ban is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with Fail2Ban; if not, write to the Free Software
+-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+-
+-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
+-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
+-__license__ = "GPL"
+-
+-import platform
+-
+-try:
+- import setuptools
+- from setuptools import setup
+- from setuptools.command.install import install
+- from setuptools.command.install_scripts import install_scripts
+-except ImportError:
+- setuptools = None
+- from distutils.core import setup
+-
+-# all versions
+-from distutils.command.build_py import build_py
+-from distutils.command.build_scripts import build_scripts
+-if setuptools is None:
+- from distutils.command.install import install
+- from distutils.command.install_scripts import install_scripts
+-try:
+- # python 3.x
+- from distutils.command.build_py import build_py_2to3
+- from distutils.command.build_scripts import build_scripts_2to3
+- _2to3 = True
+-except ImportError:
+- # python 2.x
+- _2to3 = False
+-
+-import os
+-from os.path import isfile, join, isdir, realpath
+-import re
+-import sys
+-import warnings
+-from glob import glob
+-
+-from fail2ban.setup import updatePyExec
+-
+-
+-source_dir = os.path.realpath(os.path.dirname(
+- # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+- sys.argv[0] if os.path.basename(sys.argv[0]) == 'setup.py' else __file__
+-))
+-
+-# Wrapper to install python binding (to current python version):
+-class install_scripts_f2b(install_scripts):
+-
+- def get_outputs(self):
+- outputs = install_scripts.get_outputs(self)
+- # setup.py --dry-run install:
+- dry_run = not outputs
+- self.update_scripts(dry_run)
+- if dry_run:
+- #bindir = self.install_dir
+- bindir = self.build_dir
+- print('creating fail2ban-python binding -> %s (dry-run, real path can be different)' % (bindir,))
+- print('Copying content of %s to %s' % (self.build_dir, self.install_dir));
+- return outputs
+- fn = None
+- for fn in outputs:
+- if os.path.basename(fn) == 'fail2ban-server':
+- break
+- bindir = os.path.dirname(fn)
+- print('creating fail2ban-python binding -> %s' % (bindir,))
+- updatePyExec(bindir)
+- return outputs
+-
+- def update_scripts(self, dry_run=False):
+- buildroot = os.path.dirname(self.build_dir)
+- install_dir = self.install_dir
+- try:
+- # remove root-base from install scripts path:
+- root = self.distribution.command_options['install']['root'][1]
+- if install_dir.startswith(root):
+- install_dir = install_dir[len(root):]
+- except: # pragma: no cover
+- print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
+- print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
+- with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
+- lines = fn.readlines()
+- fn = None
+- if not dry_run:
+- fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
+- try:
+- for ln in lines:
+- ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
+- if dry_run:
+- sys.stdout.write(' | ' + ln)
+- continue
+- fn.write(ln)
+- finally:
+- if fn: fn.close()
+- if dry_run:
+- print(' `')
+-
+-
+-# Wrapper to specify fail2ban own options:
+-class install_command_f2b(install):
+- user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+- ('without-tests', None, 'without tests files installation'),
+- ]
+- def initialize_options(self):
+- self.disable_2to3 = None
+- self.without_tests = None
+- install.initialize_options(self)
+- def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+- if self.without_tests:
+- self.distribution.scripts.remove('bin/fail2ban-testcases')
+-
+- self.distribution.packages.remove('fail2ban.tests')
+- self.distribution.packages.remove('fail2ban.tests.action_d')
+-
+- del self.distribution.package_data['fail2ban.tests']
+- install.finalize_options(self)
+- def run(self):
+- install.run(self)
+-
+-
+-# Update fail2ban-python env to current python version (where f2b-modules located/installed)
+-updatePyExec(os.path.join(source_dir, 'bin'))
+-
+-if setuptools and "test" in sys.argv:
+- import logging
+- logSys = logging.getLogger("fail2ban")
+- hdlr = logging.StreamHandler(sys.stdout)
+- fmt = logging.Formatter("%(asctime)-15s %(message)s")
+- hdlr.setFormatter(fmt)
+- logSys.addHandler(hdlr)
+- if set(["-q", "--quiet"]) & set(sys.argv):
+- logSys.setLevel(logging.CRITICAL)
+- warnings.simplefilter("ignore")
+- sys.warnoptions.append("ignore")
+- elif set(["-v", "--verbose"]) & set(sys.argv):
+- logSys.setLevel(logging.DEBUG)
+- else:
+- logSys.setLevel(logging.INFO)
+-elif "test" in sys.argv:
+- print("python distribute required to execute fail2ban tests")
+- print("")
+-
+-longdesc = '''
+-Fail2Ban scans log files like /var/log/pwdfail or
+-/var/log/apache/error_log and bans IP that makes
+-too many password failures. It updates firewall rules
+-to reject the IP address or executes user defined
+-commands.'''
+-
+-if setuptools:
+- setup_extra = {
+- 'test_suite': "fail2ban.tests.utils.gatherTests",
+- 'use_2to3': True,
+- }
+-else:
+- setup_extra = {}
+-
+-data_files_extra = []
+-if os.path.exists('/var/run'):
+- # if we are on the system with /var/run -- we are to use it for having fail2ban/
+- # directory there for socket file etc.
+- # realpath is used to possibly resolve /var/run -> /run symlink
+- data_files_extra += [(realpath('/var/run/fail2ban'), '')]
+-
+-# Installing documentation files only under Linux or other GNU/ systems
+-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
+-# installation there (see e.g. #1233)
+-platform_system = platform.system().lower()
+-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
+-if platform_system in ('solaris', 'sunos'):
+- doc_files.append('README.Solaris')
+-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
+- data_files_extra.append(
+- ('/usr/share/doc/fail2ban', doc_files)
+- )
+-
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+-
+-setup(
+- name = "fail2ban",
+- version = version,
+- description = "Ban IPs that make too many password failures",
+- long_description = longdesc,
+- author = "Cyril Jaquier & Fail2Ban Contributors",
+- author_email = "cyril.jaquier@fail2ban.org",
+- url = "http://www.fail2ban.org",
+- license = "GPL",
+- platforms = "Posix",
+- cmdclass = {
+- 'build_py': build_py, 'build_scripts': build_scripts,
+- 'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+- },
+- scripts = [
+- 'bin/fail2ban-client',
+- 'bin/fail2ban-server',
+- 'bin/fail2ban-regex',
+- 'bin/fail2ban-testcases',
+- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
+- ],
+- packages = [
+- 'fail2ban',
+- 'fail2ban.client',
+- 'fail2ban.server',
+- 'fail2ban.tests',
+- 'fail2ban.tests.action_d',
+- ],
+- package_data = {
+- 'fail2ban.tests':
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/files')
+- for f in w[2]] +
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/config')
+- for f in w[2]] +
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/action_d')
+- for f in w[2]]
+- },
+- data_files = [
+- ('/etc/fail2ban',
+- glob("config/*.conf")
+- ),
+- ('/etc/fail2ban/filter.d',
+- glob("config/filter.d/*.conf")
+- ),
+- ('/etc/fail2ban/filter.d/ignorecommands',
+- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
+- ),
+- ('/etc/fail2ban/action.d',
+- glob("config/action.d/*.conf") +
+- glob("config/action.d/*.py")
+- ),
+- ('/etc/fail2ban/fail2ban.d',
+- ''
+- ),
+- ('/etc/fail2ban/jail.d',
+- ''
+- ),
+- ('/var/lib/fail2ban',
+- ''
+- ),
+- ] + data_files_extra,
+- **setup_extra
+-)
+-
+-# Do some checks after installation
+-# Search for obsolete files.
+-obsoleteFiles = []
+-elements = {
+- "/etc/":
+- [
+- "fail2ban.conf"
+- ],
+- "/usr/bin/":
+- [
+- "fail2ban.py"
+- ],
+- "/usr/lib/fail2ban/":
+- [
+- "version.py",
+- "protocol.py"
+- ]
+-}
+-
+-for directory in elements:
+- for f in elements[directory]:
+- path = join(directory, f)
+- if isfile(path):
+- obsoleteFiles.append(path)
+-
+-if obsoleteFiles:
+- print("")
+- print("Obsolete files from previous Fail2Ban versions were found on "
+- "your system.")
+- print("Please delete them:")
+- print("")
+- for f in obsoleteFiles:
+- print("\t" + f)
+- print("")
+-
+-if isdir("/usr/lib/fail2ban"):
+- print("")
+- print("Fail2ban is not installed under /usr/lib anymore. The new "
+- "location is under /usr/share. Please remove the directory "
+- "/usr/lib/fail2ban and everything under this directory.")
+- print("")
+-
+-# Update config file
+-if sys.argv[1] == "install":
+- print("")
+- print("Please do not forget to update your configuration files.")
+- print("They are in \"/etc/fail2ban/\".")
+- print("")
+- print("You can also install systemd service-unit file from \"build/fail2ban.service\"")
+- print("resp. corresponding init script from \"files/*-initd\".")
+- print("")
+--
+2.17.1
+
diff --git a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py b/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
index a5d4ed6..e231949 100755
--- a/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
+++ b/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
@@ -1,4 +1,3 @@
-#!/usr/bin/env python
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
index 53f94ff..e737f50 100644
--- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
+++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
@@ -9,13 +9,12 @@
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-SRCREV ="aa565eb80ec6043317e8430cabcaf9c3f4e61578"
-SRC_URI = " \
- git://github.com/fail2ban/fail2ban.git;branch=0.11 \
- file://initd \
+SRCREV ="3befbb177017957869425c81a560edb8e27db75a"
+SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
+ file://initd \
file://fail2ban_setup.py \
file://run-ptest \
- file://0001-To-fix-build-error-of-xrang.patch \
+ file://0001-python3-fail2ban-2-3-conversion.patch \
"
inherit update-rc.d ptest setuptools3
@@ -27,16 +26,16 @@
}
do_install_append () {
- install -d ${D}/${sysconfdir}/fail2ban
- install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
- chown -R root:root ${D}/${bindir}
+ install -d ${D}/${sysconfdir}/fail2ban
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+ chown -R root:root ${D}/${bindir}
}
do_install_ptest_append () {
- install -d ${D}${PTEST_PATH}
- sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
- install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
+ install -d ${D}${PTEST_PATH}
+ sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+ install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
}
FILES_${PN} += "/run"
@@ -47,5 +46,6 @@
INSANE_SKIP_${PN}_append = "already-stripped"
-RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify"
+RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
+RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json"
RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
similarity index 68%
rename from meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb
rename to meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
index 98f895c..f9ca092 100644
--- a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.07.bb
+++ b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
@@ -4,7 +4,7 @@
LICENSE = "Apache-2.0"
SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
-SRCREV = "c9280f43610ce896f91eafd0f740a4eb4dcecedd"
+SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
DEPENDS = "libpam"
@@ -14,7 +14,10 @@
REQUIRED_DISTRO_FEATURES = "pam"
+# Use the same dir location as PAM
+EXTRA_OECONF = "--libdir=${base_libdir}"
+
PACKAGES += "pam-google-authenticator"
-FILES_pam-google-authenticator = "${libdir}/security/pam_google_authenticator.so"
+FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
RDEPNEDS_pam-google-authenticator = "libpam"
diff --git a/meta-security/recipes-security/images/security-client-image.bb b/meta-security/recipes-security/images/security-client-image.bb
index 1a92479..f4ebc69 100644
--- a/meta-security/recipes-security/images/security-client-image.bb
+++ b/meta-security/recipes-security/images/security-client-image.bb
@@ -5,8 +5,7 @@
packagegroup-core-boot \
os-release \
samhain-client \
- ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \
- ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
IMAGE_LINGUAS ?= " "
diff --git a/meta-security/recipes-security/images/security-server-image.bb b/meta-security/recipes-security/images/security-server-image.bb
index 502b5c1..4927e0e 100644
--- a/meta-security/recipes-security/images/security-server-image.bb
+++ b/meta-security/recipes-security/images/security-server-image.bb
@@ -6,8 +6,7 @@
packagegroup-base \
packagegroup-core-boot \
samhain-server \
- os-release \
- ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+ os-release "
IMAGE_LINGUAS ?= " "
diff --git a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
deleted file mode 100644
index a53433f..0000000
--- a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 1ecdddb2a5b61cf527d1f238f88a9d129239f87a Mon Sep 17 00:00:00 2001
-From: Paul Moore <paul@paul-moore.com>
-Date: Tue, 5 Nov 2019 15:11:11 -0500
-Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
-
-We recently changed how libseccomp handles syscall numbers that are
-not defined natively, but we missed test #15.
-
-Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
-Signed-off-by: Paul Moore <paul@paul-moore.com>
-
-Upstream-Status: Backport
-[https://github.com/seccomp/libseccomp/commit/1ecdddb2a5b61cf527d1f238f88a9d129239f87a]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- tests/15-basic-resolver.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
-index 6badef1..0c1eefe 100644
---- a/tests/15-basic-resolver.c
-+++ b/tests/15-basic-resolver.c
-@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
- unsigned int arch;
- char *name = NULL;
-
-- if (seccomp_syscall_resolve_name("open") != __NR_open)
-+ if (seccomp_syscall_resolve_name("open") != __SNR_open)
- goto fail;
-- if (seccomp_syscall_resolve_name("read") != __NR_read)
-+ if (seccomp_syscall_resolve_name("read") != __SNR_read)
- goto fail;
- if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
- goto fail;
-
- rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
-- if (rc != __NR_openat)
-+ if (rc != __SNR_openat)
- goto fail;
-
- while ((arch = arch_list[iter++]) != -1) {
---
-2.17.1
-
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
similarity index 90%
rename from meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
rename to meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
index 07db82a..9ca41e6 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
@@ -4,10 +4,9 @@
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "1b6cfd1fc0b7499a28c24299a93a80bd18619563"
+SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427"
SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
- file://0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch \
file://run-ptest \
"
diff --git a/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch b/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
new file mode 100644
index 0000000..e350baf
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
@@ -0,0 +1,25 @@
+When calculate value of ldblibdir, it checks whether the directory of
+$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
+suitable for cross compile. Fix it that only re-assign ldblibdir when its value
+is empty.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/external/libldb.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
+index c400add..5e5f06d 100644
+--- a/src/external/libldb.m4
++++ b/src/external/libldb.m4
+@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
+ ldblibdir=$with_ldb_lib_dir
+ else
+ ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
+- if ! test -d $ldblibdir; then
++ if test -z $ldblibdir; then
+ ldblibdir="${libdir}/ldb"
+ fi
+ fi
diff --git a/meta-security/recipes-security/sssd/files/volatiles.99_sssd b/meta-security/recipes-security/sssd/files/volatiles.99_sssd
new file mode 100644
index 0000000..2a82413
--- /dev/null
+++ b/meta-security/recipes-security/sssd/files/volatiles.99_sssd
@@ -0,0 +1 @@
+d root root 0750 /var/log/sssd none
diff --git a/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
index 089a99e..7ea1586 100644
--- a/meta-security/recipes-security/sssd/sssd_1.16.4.bb
+++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb
@@ -8,13 +8,21 @@
DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
-SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
- file://sssd.conf "
+# If no crypto has been selected, default to DEPEND on nss, since that's what
+# sssd will pick if no active choice is made during configure
+DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
+ bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
+
+SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
+ file://sssd.conf \
+ file://volatiles.99_sssd \
+ file://fix-ldblibdir.patch \
+ "
SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
-inherit autotools pkgconfig gettext python-dir features_check
+inherit autotools pkgconfig gettext python3-dir features_check systemd
REQUIRED_DISTRO_FEATURES = "pam"
@@ -22,29 +30,37 @@
SSSD_GID ?= "root"
CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
- ac_cv_path_NSUPDATE=${bindir} \
- ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+ ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
"
-PACKAGECONFIG ?="nss nscd"
+PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
+PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
+PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson"
+PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
+PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
-PACKAGECONFIG[python2] = "--with-python2-bindings, --without-python2-bindings"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
-PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir="
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl"
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
-EXTRA_OECONF += "--disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --without-ipa-getkeytab"
+EXTRA_OECONF += " \
+ --disable-cifs-idmap-plugin \
+ --without-nfsv4-idmapd-plugin \
+ --without-ipa-getkeytab \
+ --without-python2-bindings \
+ --enable-pammoddir=${base_libdir}/security \
+ --without-python2-bindings \
+"
do_configure_prepend() {
mkdir -p ${AUTOTOOLS_AUXDIR}/build
@@ -59,6 +75,12 @@
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
install -d ${D}/${sysconfdir}/${BPN}
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+ install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+ fi
# Remove /var/run as it is created on startup
rm -rf ${D}${localstatedir}/run
@@ -76,10 +98,24 @@
INITSCRIPT_NAME = "sssd"
INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
+SYSTEMD_SERVICE_${PN} = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+ sssd-nss.service \
+ sssd-nss.socket \
+ sssd-pam-priv.socket \
+ sssd-pam.service \
+ sssd-pam.socket \
+ sssd-secrets.service \
+ sssd-secrets.socket \
+ sssd.service \
+"
SYSTEMD_AUTO_ENABLE = "disable"
-FILES_${PN} += "${libdir} ${datadir} /run ${libdir}/*.so* "
+FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
# The package contains symlinks that trip up insane