diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..315d0e2 --- /dev/null +++ b/CHANGELOG @@ -0,0 +1,64 @@ +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +## [0.12] - 2018-03-19 + +### Added + +* New checks: + IS_DUPLICATE_FS_LEVEL + IS_EVOMAINTENANCE_FW + +### Changed + +* Enabling IS_EVOBACKUP by default +* Better output for IS_MYSQLMUNIN + +## [0.11] - 2018-02-07 + +### Added + + * Bunch of new checks: + IS_PRIVKEYWOLRDREADABLE + IS_EVOLINUXSUDOGROUP + IS_USERINADMGROUP + IS_APACHE2EVOLINUXCONF + IS_BACKPORTSCONF + IS_BIND9MUNIN + IS_BIND9LOGROTATE + IS_BROADCOMFIRMWARE + IS_HARDWARERAIDTOOL + IS_LOG2MAILSYSTEMDUNIT + IS_LISTUPGRADE + IS_MARIADBEVOLINUXCONF + IS_MARIADBSYSTEMDUNIT + IS_MYSQLMUNIN + IS_PHPEVOLINUXCONF + IS_SQUIDLOGROTATE + IS_SQUIDEVOLINUXCONF + IS_SQL_BACKUP + IS_POSTGRES_BACKUP + IS_LDAP_BACKUP + IS_REDIS_BACKUP + IS_ELASTIC_BACKUP + IS_MONGO_BACKUP + IS_MOUNT_FSTAB + IS_NETWORK_INTERFACES + +### Changed + + * IS_UPTIME added in --cron mode + * is_pack_web() for Stretch + * IS_DPKGWARNING for Stretch + * IS_MOUNT_FSTAB is disabled if lsblk not available + * IS_MINIFWPERMS for Stretch + * IS_SQUID for Stretch + * IS_LOG2MAILAPACHE for Stretch + * IS_AUTOIF for Stretch + * IS_UPTIME warn if uptime is more thant 2y, was 1y + * IS_NOTUPGRADED warn if last upgrade is older than 90d, was 30d + * IS_TUNE2FS_M5 use python in place of bc for calculation + * IS_EVOMAINTENANCEUSERS for Stretch + * IS_EVOMAINTENANCECONF check also the mode of the file (600) diff --git a/README.md b/README.md index 033c736..a17f01e 100644 --- a/README.md +++ b/README.md 
@@ -13,12 +13,12 @@ Checkout the branch debian, merge the master branch. git checkout debian git merge master --no-ff dch -v -1 -gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-ignore-new +gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new ``` If the build is OK, you can now build the final package. ``` dch -D stretch -r -gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-tag --git-sign --git-keyid= +gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid= ```
diff --git a/evocheck.sh b/evocheck.sh
index c8e3da1..fd170ed 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -98,6 +98,9 @@ IS_ELASTIC_BACKUP=1
 IS_MONGO_BACKUP=1
 IS_MOUNT_FSTAB=1
 IS_NETWORK_INTERFACES=1
+IS_EVOBACKUP=1
+IS_DUPLICATE_FS_LABEL=1
+IS_EVOMAINTENANCE_FW=1
 
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -144,6 +147,11 @@ is_debianversion(){
 [ $(lsb_release -c -s) = $1 ] && return 0
 }
 
+is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
+is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
+is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
+is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
+
 #-----------------------------------------------------------
 #Vérifie si c'est une debian et fait les tests appropriés.
 #-----------------------------------------------------------
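Review bot: MINIFW_FILE is left unset on any release the four new `is_debianversion … && MINIFW_FILE=…` lines do not name (a later Debian, or a host where `lsb_release` prints nothing and the unquoted `[ $(lsb_release -c -s) = $1 ]` test in the context line errors out), and the checks that consume it further down this diff then run `ls -l ""` and an unquoted `grep … $MINIFW_FILE` against stdin, reporting failures for the wrong reason. Since Jessie and Stretch already resolve to the same path, a default placed before the chain keeps unlisted releases on it: `MINIFW_FILE=/etc/default/minifirewall`. Calling `lsb_release` four times in a row could also collapse into a single `case "$(lsb_release -c -s)" in squeeze|wheezy) MINIFW_FILE=/etc/firewall.rc ;; jessie|stretch) MINIFW_FILE=/etc/default/minifirewall ;; esac`, which evaluates it once. Whether every later release keeps `/etc/default/minifirewall` is an assumption to confirm against the minifirewall package before relying on the default.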
@@ -283,10 +291,7 @@ if [ -e /etc/debian_version ]; then
 fi
 
 if [ "$IS_MINIFWPERMS" = 1 ]; then
- is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
- is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
- is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
- is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
+ ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
 fi
 
 if [ "$IS_NRPEDISKS" = 1 ]; then
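Review bot: The new `ls -l "$MINIFW_FILE" | grep -q -- -rw-------` line only inspects the mode column, so a firewall script that is 0600 but owned by an unprivileged account still passes, and when MINIFW_FILE is unset (the assignment chain added earlier in this diff covers only four releases) `ls -l ""` prints an error and the check fails for the wrong reason. Querying owner and mode directly avoids parsing ls output and covers both cases: `[ "$(stat -c '%U:%a' "$MINIFW_FILE" 2>/dev/null)" = "root:600" ] || echo 'IS_MINIFWPERMS FAILED!'`. `stat -c` is GNU-specific, which is acceptable inside this Debian-only branch; the enclosing `if [ -e /etc/debian_version ]` block starts outside the hunk. Requiring root ownership is my reading of the intent, so confirm the file is not meant to belong to another account before adopting the owner half of the test.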
@@ -339,17 +344,23 @@ if [ -e /etc/debian_version ]; then
 # Verification de l'activation de Squid dans le cas d'un pack mail
 if [ "$IS_SQUID" = 1 ]; then
 squidconffile=/etc/squid*/squid.conf
- is_debianversion squeeze && f=/etc/firewall.rc
- is_debianversion wheezy && f=/etc/firewall.rc
- is_debianversion jessie && f=/etc/default/minifirewall
- is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf
+ is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
 is_pack_web && ( is_installed squid || is_installed squid3 \
- && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \
- && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \
- && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \
- && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' )
+ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
+ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
+ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
+ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
 fi
-
+ if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
+ if [ -f "$MINIFW_FILE" ]; then
+ rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
+ if [ "$rulesNumber" -lt 4 ]; then
+ echo 'IS_EVOMAINTENANCE_FW FAILED!'
+ fi
+ fi
+ fi
+
 # Verification de la conf et de l'activation de mod-deflate
 if [ "$IS_MODDEFLATE" = 1 ]; then
 f=/etc/apache2/mods-enabled/deflate.conf
@@ -426,7 +437,7 @@ if [ -e /etc/debian_version ]; then
 
 # Verification de la mise en place d'evobackup
 if [ "$IS_EVOBACKUP" = 1 ]; then
- ls /etc/cron* |grep -q "zz.backup$" || echo 'IS_EVOBACKUP FAILED!'
+ ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
 fi
 
 # Verification de la presence du userlogrotate
@@ -564,7 +575,7 @@ if [ -e /etc/debian_version ]; then
 if [ "$IS_BACKPORTSCONF" = 1 ]; then
 if is_debianversion stretch; then
 grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
- grep -q backports /etc/apt/sources.list.d/*.list && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
+ grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
 fi
 fi
 
@@ -676,8 +687,17 @@ if [ -e /etc/debian_version ]; then
 
 if [ "$IS_MYSQLMUNIN" = 1 ]; then
 if is_debianversion stretch && is_installed mariadb-server; then
- for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do
- test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!'
+ for file in mysql_bytes mysql_queries mysql_slowqueries \
+ mysql_threads mysql_connections mysql_files_tables \
+ mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
+ mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
+ mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
+ mysql_sorts mysql_tmp_tables; do
+
+ if [[ ! -L /etc/munin/plugins/$file ]]; then
+ echo 'IS_MYSQLMUNIN FAILED!'
+ break
+ fi
 done
 fi
 fi
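Review bot: The new IS_EVOMAINTENANCE_FW count has no comment guard, so a rule that was commented out in the firewall file still adds to `rulesNumber` and a host with four disabled rules passes; the IS_SQUID greps rewritten just above in this hunk already use the `^[^#]*` prefix for exactly this, and the new line should match them: `rulesNumber=$(grep -c "^[^#]*/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")`. Those four rewritten IS_SQUID greps also pass `$MINIFW_FILE` unquoted; the variable is only assigned for four releases earlier in this diff, and an empty value makes grep read stdin instead of failing on a missing file, so quote it as `"$MINIFW_FILE"` or reuse the `[ -f "$MINIFW_FILE" ]` guard the new check has. The `-lt 4` threshold deserves a one-line comment naming what the four expected rules are, e.g. `# one ESTABLISHED,RELATED return rule per evomaintenance host is expected`, which I am inferring from the pattern, so adjust the wording. The enclosing `if [ -e /etc/debian_version ]` block starts before this hunk.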
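Review bot: The new pattern `grep -q "evobackup"` drops the `$` anchor the old `zz.backup$` had, so any entry in any `/etc/cron*` directory containing that substring satisfies the check, including leftovers such as `evobackup.dpkg-old` or `evobackup.disabled` in /etc/cron.d, which Debian's cron skips because of the dot in the name. Keeping the end anchor rejects those while still matching the real job file: `ls /etc/cron* |grep -q "evobackup$" || echo 'IS_EVOBACKUP FAILED!'`. If the job is always installed under one known path, a direct `test -f /etc/cron.d/evobackup` would be clearer than parsing ls output, but the expected location cannot be told from this hunk.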
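Review bot: The changed line still uses a bare `grep -q backports`, so a commented-out `# deb … stretch-backports …` entry in a `.list` file is enough to demand a pinning file, and the context line above it behaves the same way for /etc/apt/sources.list; the IS_SQUID greps elsewhere in this diff skip comments with a `^[^#]*` prefix, which fits here too: `grep -qE "^[^#]*backports" /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')`. The added `2>/dev/null` only hides the error for a directory with no `.list` files, which is fine, but the inner `grep … /etc/apt/preferences.d/*` has no such guard and prints a stray error ahead of the FAILED line when that directory is empty, so it deserves the same redirection for clean output. The enclosing `if [ -e /etc/debian_version ]` block starts before this hunk.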
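Review bot: The new `if [[ ! -L /etc/munin/plugins/$file ]]` test only asks whether a symlink exists, so a dangling link left behind after a plugin was removed still counts as configured, and it switches to the bash-only `[[` while every other test visible in these hunks uses POSIX `[` (if the script is ever run under /bin/sh this line is a syntax error; the shebang is not in view). Checking that the link also resolves keeps the original meaning and closes that gap: `if [ ! -L "/etc/munin/plugins/$file" ] || [ ! -e "/etc/munin/plugins/$file" ]; then`. The `break` after the first failure is a real improvement over printing FAILED up to seventeen times, and a short comment such as `# one FAILED line is enough; stop at the first missing plugin` would make that intent explicit. The `if [ "$IS_MYSQLMUNIN" = 1 ]` block is fully inside the hunk, but the outer `if [ -e /etc/debian_version ]` starts before it.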
@@ -715,6 +735,25 @@ if [ -e /etc/debian_version ]; then
 && test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
 fi
 fi
+
+ if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
+ # Only on systems which have lsblk
+ if [ -x "$(which lsblk)" ]; then
+ tmpFile=$(mktemp -p /tmp)
+ for part in $(lsblk -n -o LABEL); do
+ echo "$part" >> "$tmpFile"
+ done
+ tmpOutput=$(sort < "$tmpFile" | uniq -d)
+ # If there is no duplicate, uniq will have no output
+ # So, if $tmpOutput is not null, there is a duplicate
+ if [ -n "$tmpOutput" ]; then
+ echo 'IS_DUPLICATE_FS_LABEL FAILED!'
+ # For debug, you may echo the contents of $tmpOutput
+ # echo $tmpOutput
+ fi
+ rm $tmpFile
+ fi
+ fi
 fi