Merge branch 'master' into debian
commit
a5eac93bbd
64
CHANGELOG
Normal file
64
CHANGELOG
Normal file
|
@ -0,0 +1,64 @@
|
|||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
||||
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
## [0.12] - 2018-03-19
|
||||
|
||||
### Added
|
||||
|
||||
* New checks:
|
||||
IS_DUPLICATE_FS_LEVEL
|
||||
IS_EVOMAINTENANCE_FW
|
||||
|
||||
### Changed
|
||||
|
||||
* Enabling IS_EVOBACKUP by default
|
||||
* Better output for IS_MYSQLMUNIN
|
||||
|
||||
## [0.11] - 2018-02-07
|
||||
|
||||
### Added
|
||||
|
||||
* Bunch of new checks:
|
||||
IS_PRIVKEYWOLRDREADABLE
|
||||
IS_EVOLINUXSUDOGROUP
|
||||
IS_USERINADMGROUP
|
||||
IS_APACHE2EVOLINUXCONF
|
||||
IS_BACKPORTSCONF
|
||||
IS_BIND9MUNIN
|
||||
IS_BIND9LOGROTATE
|
||||
IS_BROADCOMFIRMWARE
|
||||
IS_HARDWARERAIDTOOL
|
||||
IS_LOG2MAILSYSTEMDUNIT
|
||||
IS_LISTUPGRADE
|
||||
IS_MARIADBEVOLINUXCONF
|
||||
IS_MARIADBSYSTEMDUNIT
|
||||
IS_MYSQLMUNIN
|
||||
IS_PHPEVOLINUXCONF
|
||||
IS_SQUIDLOGROTATE
|
||||
IS_SQUIDEVOLINUXCONF
|
||||
IS_SQL_BACKUP
|
||||
IS_POSTGRES_BACKUP
|
||||
IS_LDAP_BACKUP
|
||||
IS_REDIS_BACKUP
|
||||
IS_ELASTIC_BACKUP
|
||||
IS_MONGO_BACKUP
|
||||
IS_MOUNT_FSTAB
|
||||
IS_NETWORK_INTERFACES
|
||||
|
||||
### Changed
|
||||
|
||||
* IS_UPTIME added in --cron mode
|
||||
* is_pack_web() for Stretch
|
||||
* IS_DPKGWARNING for Stretch
|
||||
* IS_MOUNT_FSTAB is disabled if lsblk not available
|
||||
* IS_MINIFWPERMS for Stretch
|
||||
* IS_SQUID for Stretch
|
||||
* IS_LOG2MAILAPACHE for Stretch
|
||||
* IS_AUTOIF for Stretch
|
||||
* IS_UPTIME warn if uptime is more thant 2y, was 1y
|
||||
* IS_NOTUPGRADED warn if last upgrade is older than 90d, was 30d
|
||||
* IS_TUNE2FS_M5 use python in place of bc for calculation
|
||||
* IS_EVOMAINTENANCEUSERS for Stretch
|
||||
* IS_EVOMAINTENANCECONF check also the mode of the file (600)
|
|
@ -13,12 +13,12 @@ Checkout the branch debian, merge the master branch.
|
|||
git checkout debian
|
||||
git merge master --no-ff
|
||||
dch -v <VERSION>-1
|
||||
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-ignore-new
|
||||
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new
|
||||
```
|
||||
|
||||
If the build is OK, you can now build the final package.
|
||||
|
||||
```
|
||||
dch -D stretch -r
|
||||
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-tag --git-sign --git-keyid=<KEY>
|
||||
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid=<KEY>
|
||||
```
|
||||
|
|
73
evocheck.sh
73
evocheck.sh
|
@ -98,6 +98,9 @@ IS_ELASTIC_BACKUP=1
|
|||
IS_MONGO_BACKUP=1
|
||||
IS_MOUNT_FSTAB=1
|
||||
IS_NETWORK_INTERFACES=1
|
||||
IS_EVOBACKUP=1
|
||||
IS_DUPLICATE_FS_LABEL=1
|
||||
IS_EVOMAINTENANCE_FW=1
|
||||
|
||||
#Proper to OpenBSD
|
||||
IS_SOFTDEP=1
|
||||
|
@ -144,6 +147,11 @@ is_debianversion(){
|
|||
[ $(lsb_release -c -s) = $1 ] && return 0
|
||||
}
|
||||
|
||||
is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
|
||||
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
|
||||
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
|
||||
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
|
||||
|
||||
#-----------------------------------------------------------
|
||||
#Vérifie si c'est une debian et fait les tests appropriés.
|
||||
#-----------------------------------------------------------
|
||||
|
@ -283,10 +291,7 @@ if [ -e /etc/debian_version ]; then
|
|||
fi
|
||||
|
||||
if [ "$IS_MINIFWPERMS" = 1 ]; then
|
||||
is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
||||
is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
||||
is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
||||
is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
||||
ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_NRPEDISKS" = 1 ]; then
|
||||
|
@ -339,17 +344,23 @@ if [ -e /etc/debian_version ]; then
|
|||
# Verification de l'activation de Squid dans le cas d'un pack mail
|
||||
if [ "$IS_SQUID" = 1 ]; then
|
||||
squidconffile=/etc/squid*/squid.conf
|
||||
is_debianversion squeeze && f=/etc/firewall.rc
|
||||
is_debianversion wheezy && f=/etc/firewall.rc
|
||||
is_debianversion jessie && f=/etc/default/minifirewall
|
||||
is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf
|
||||
is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
|
||||
is_pack_web && ( is_installed squid || is_installed squid3 \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' )
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
|
||||
fi
|
||||
|
||||
|
||||
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
|
||||
if [ -f "$MINIFW_FILE" ]; then
|
||||
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
|
||||
if [ "$rulesNumber" -lt 4 ]; then
|
||||
echo 'IS_EVOMAINTENANCE_FW FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verification de la conf et de l'activation de mod-deflate
|
||||
if [ "$IS_MODDEFLATE" = 1 ]; then
|
||||
f=/etc/apache2/mods-enabled/deflate.conf
|
||||
|
@ -426,7 +437,7 @@ if [ -e /etc/debian_version ]; then
|
|||
|
||||
# Verification de la mise en place d'evobackup
|
||||
if [ "$IS_EVOBACKUP" = 1 ]; then
|
||||
ls /etc/cron* |grep -q "zz.backup$" || echo 'IS_EVOBACKUP FAILED!'
|
||||
ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
|
||||
fi
|
||||
|
||||
# Verification de la presence du userlogrotate
|
||||
|
@ -564,7 +575,7 @@ if [ -e /etc/debian_version ]; then
|
|||
if [ "$IS_BACKPORTSCONF" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
|
||||
grep -q backports /etc/apt/sources.list.d/*.list && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
|
||||
grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -676,8 +687,17 @@ if [ -e /etc/debian_version ]; then
|
|||
|
||||
if [ "$IS_MYSQLMUNIN" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed mariadb-server; then
|
||||
for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do
|
||||
test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!'
|
||||
for file in mysql_bytes mysql_queries mysql_slowqueries \
|
||||
mysql_threads mysql_connections mysql_files_tables \
|
||||
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
|
||||
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
|
||||
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
|
||||
mysql_sorts mysql_tmp_tables; do
|
||||
|
||||
if [[ ! -L /etc/munin/plugins/$file ]]; then
|
||||
echo 'IS_MYSQLMUNIN FAILED!'
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
@ -715,6 +735,25 @@ if [ -e /etc/debian_version ]; then
|
|||
&& test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
|
||||
# Only on systems which have lsblk
|
||||
if [ -x "$(which lsblk)" ]; then
|
||||
tmpFile=$(mktemp -p /tmp)
|
||||
for part in $(lsblk -n -o LABEL); do
|
||||
echo "$part" >> "$tmpFile"
|
||||
done
|
||||
tmpOutput=$(sort < "$tmpFile" | uniq -d)
|
||||
# If there is no duplicate, uniq will have no output
|
||||
# So, if $tmpOutput is not null, there is a duplicate
|
||||
if [ -n "$tmpOutput" ]; then
|
||||
echo 'IS_DUPLICATE_FS_LABEL FAILED!'
|
||||
# For debug, you may echo the contents of $tmpOutput
|
||||
# echo $tmpOutput
|
||||
fi
|
||||
rm $tmpFile
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
|
|
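Review bot: `MINIFW_FILE` is assigned only for squeeze, wheezy, jessie and stretch, so on any other release (unless it is set somewhere outside these hunks) the rewritten IS_MINIFWPERMS line runs `ls -l ""` and prints `IS_MINIFWPERMS FAILED!`, where the old per-release lines printed nothing. The IS_SQUID greps expand `$MINIFW_FILE` unquoted, so an empty value leaves grep with no file operand and it reads standard input instead of failing. I would quote it as `"$MINIFW_FILE"` in those four greps and write the permission check as `[ -n "$MINIFW_FILE" ] && { ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'; }`, matching the `[ -f "$MINIFW_FILE" ]` guard the new IS_EVOMAINTENANCE_FW block already has. The four assignments also sit above the `if [ -e /etc/debian_version ]` block, which starts and ends outside the hunks, so they appear to call `lsb_release` on non-Debian hosts as well.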