From 3979b71831e438c34ca6c695d8d6f7debc77d085 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 09:17:43 +0100 Subject: [PATCH] Check for files before going further Some non conventional servers might have important files or programs missing. --- evocheck.sh | 81 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 26 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 379d3fc..09ae844 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -306,11 +306,14 @@ if is_debian; then is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall if [ "$IS_LSBRELEASE" = 1 ]; then - test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" - ## only the major version matters - lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) - rhs=$(cut -d "." -f 1 < /etc/debian_version) - test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" + if [ -x "${LSB_RELEASE_BIN}" ]; then + ## only the major version matters + lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) + rhs=$(cut -d "." -f 1 < /etc/debian_version) + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" + else + failed "IS_LSBRELEASE" "lsb_release is missing or not executable" + fi fi if [ "$IS_DPKGWARNING" = 1 ]; then @@ -470,16 +473,24 @@ if is_debian; then fi if [ "$IS_TMOUTPROFILE" = 1 ]; then - grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" + grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" fi if [ "$IS_ALERT5BOOT" = 1 ]; then - grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + else + failed "IS_ALERT5BOOT" "alert5 init script is missing" + fi fi if [ "$IS_ALERT5MINIFW" = 1 ]; then - grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ - || failed "IS_ALERT5MINIFW" + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + else + failed "IS_ALERT5MINIFW" "alert5 init script is missing" + fi fi if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then @@ -488,7 +499,7 @@ if is_debian; then fi if [ "$IS_NRPEPERMS" = 1 ]; then - if test -d /etc/nagios; then + if [ -d /etc/nagios ]; then actual=$(stat --format "%A" /etc/nagios) expected="drwxr-x---" test "$expected" = "$actual" || failed "IS_NRPEPERMS" @@ -496,9 +507,11 @@ if is_debian; then fi if [ "$IS_MINIFWPERMS" = 1 ]; then - actual=$(stat --format "%A" $MINIFW_FILE) - expected="-rw-------" - test "$expected" = "$actual" || failed "IS_MINIFWPERMS" + if [ -f "$MINIFW_FILE" ]; then + actual=$(stat --format "%A" $MINIFW_FILE) + expected="-rw-------" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" + fi fi if [ "$IS_NRPEDISKS" = 1 ]; then @@ -808,14 +821,27 @@ if is_debian; then # Check if munin-node running and RRD files are up to date. if [ "$IS_MUNINRUNNING" = 1 ]; then - pgrep munin-node >/dev/null || failed "IS_MUNINRUNNING" + if ! pgrep munin-node >/dev/null; then + failed "IS_MUNINRUNNING" "Munin is not running" + elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then + limit=$(date +"%s" -d "now - 10 minutes") - limit=$(date +"%s" -d "now - 10 minutes") - updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) - [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" + if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then + updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) + [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)" + fi - updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) - grep -q "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" + if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then + updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) + grep -q "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)" + fi + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)" + fi fi # Check if files in /home/backup/ are up-to-date @@ -1403,13 +1429,16 @@ if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then - for f in /etc/ssl/private/*; do - perms=$(stat -L -c "%a" "$f") - if [ "${perms: -1}" != 0 ]; then - failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" - test "${VERBOSE}" = 1 || break - fi - done + # a simple globbing fails if directory is empty + if [ -n "$(ls -A /etc/ssl/private/)" ]; then + for f in /etc/ssl/private/*; do + perms=$(stat -L -c "%a" "$f") + if [ "${perms: -1}" != 0 ]; then + failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" + test "${VERBOSE}" = 1 || break + fi + done + fi fi exit ${RC}