From a432972104bceaeba0f13a66d18b92c2fb8d2582 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Wed, 7 Feb 2018 22:48:21 +0100 Subject: [PATCH 01/14] Added --git-export-dir=/tmp/build-area for build instructions --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 033c736..a17f01e 100644 --- a/README.md +++ b/README.md @@ -13,12 +13,12 @@ Checkout the branch debian, merge the master branch. git checkout debian git merge master --no-ff dch -v -1 -gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-ignore-new +gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new ``` If the build is OK, you can now build the final package. ``` dch -D stretch -r -gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-tag --git-sign --git-keyid= +gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid= ``` From 5e761eef62fb8c667608109da2222f9ee5f2f0c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Mon, 19 Feb 2018 14:29:03 +0100 Subject: [PATCH 02/14] Add changelog --- CHANGELOG | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 CHANGELOG diff --git a/CHANGELOG b/CHANGELOG new file mode 100644 index 0000000..e0e759a --- /dev/null +++ b/CHANGELOG 
@@ -0,0 +1,51 @@ +The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) +and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). + +## [Unreleased] + +## [0.11] - 2018-02-07 + +### Added + + * Bunch of new checks: + IS_PRIVKEYWOLRDREADABLE + IS_EVOLINUXSUDOGROUP + IS_USERINADMGROUP + IS_APACHE2EVOLINUXCONF + IS_BACKPORTSCONF + IS_BIND9MUNIN + IS_BIND9LOGROTATE + IS_BROADCOMFIRMWARE + IS_HARDWARERAIDTOOL + IS_LOG2MAILSYSTEMDUNIT + IS_LISTUPGRADE + IS_MARIADBEVOLINUXCONF + IS_MARIADBSYSTEMDUNIT + IS_MYSQLMUNIN + IS_PHPEVOLINUXCONF + IS_SQUIDLOGROTATE + IS_SQUIDEVOLINUXCONF + IS_SQL_BACKUP + IS_POSTGRES_BACKUP + IS_LDAP_BACKUP + IS_REDIS_BACKUP + IS_ELASTIC_BACKUP + IS_MONGO_BACKUP + IS_MOUNT_FSTAB + IS_NETWORK_INTERFACES + +### Changed + + * IS_UPTIME added in --cron mode + * is_pack_web() for Stretch + * IS_DPKGWARNING for Stretch + * IS_MOUNT_FSTAB is disabled if lsblk not available + * IS_MINIFWPERMS for Stretch + * IS_SQUID for Stretch + * IS_LOG2MAILAPACHE for Stretch + * IS_AUTOIF for Stretch + * IS_UPTIME warn if uptime is more thant 2y, was 1y + * IS_NOTUPGRADED warn if last upgrade is older than 90d, was 30d + * IS_TUNE2FS_M5 use python in place of bc for calculation + * IS_EVOMAINTENANCEUSERS for Stretch + * IS_EVOMAINTENANCECONF check also the mode of the file (600) From 7d7e289817aaf2dbc572afe4beae16847b28021a Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Mon, 19 Feb 2018 22:23:53 +0100 Subject: [PATCH 03/14] suppress stderr output in any case --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index c8e3da1..91da52b 100755 --- a/evocheck.sh +++ b/evocheck.sh 
@@ -564,7 +564,7 @@ if [ -e /etc/debian_version ]; then
 if [ "$IS_BACKPORTSCONF" = 1 ]; then
 if is_debianversion stretch; then
 grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
-grep -q backports /etc/apt/sources.list.d/*.list && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
+grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
 fi
 fi

From 0d68452dcc603ef2d2bdab993ff1055dff381761 Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Mon, 19 Feb 2018 23:26:53 +0100
Subject: [PATCH 04/14] avoid too much FAILED for IS_MYSQLMUNIN

---
 evocheck.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/evocheck.sh b/evocheck.sh
index 91da52b..756b267 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -678,6 +678,7 @@ if [ -e /etc/debian_version ]; then
 if is_debianversion stretch && is_installed mariadb-server; then
 for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do
 test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!'
+test -L /etc/munin/plugins/$file || break
 done
 fi
 fi

From 39ac9e8d241e8f58717917e432f4af9660469581 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Thu, 22 Feb 2018 10:21:12 +0100
Subject: [PATCH 05/14] IS_MYSQLMUNIN: Break lines and add a break

---
 evocheck.sh | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 756b267..f6ad04b 100755
--- a/evocheck.sh
+++ b/evocheck.sh
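Review bot: The new `2>/dev/null` silences only the first grep on that line; `grep -q backports /etc/apt/preferences.d/*` still prints an error when that directory is empty and the glob is passed literally, and all three greps in this check match commented-out lines too, so a `#deb ... stretch-backports` entry or a commented pin changes the verdict. The IS_SQUID check elsewhere in this file anchors its patterns with `^[^#]*`; doing the same here, `grep -q '^[^#]*backports' /etc/apt/sources.list`, `grep -qs '^[^#]*backports' /etc/apt/sources.list.d/*.list` and `grep -qs '^[^#]*backports' /etc/apt/preferences.d/*` (GNU grep `-s` suppresses missing-file errors), keeps the test on active configuration only. The enclosing `if [ -e /etc/debian_version ]` block starts and ends outside the hunk.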
@@ -676,9 +676,19 @@ if [ -e /etc/debian_version ]; then if [ "$IS_MYSQLMUNIN" = 1 ]; then if is_debianversion stretch && is_installed mariadb-server; then - for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do - test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!' - test -L /etc/munin/plugins/$file || break + for file in mysql_bytes mysql_queries mysql_slowqueries \ + mysql_threads mysql_connections mysql_files_tables \ + mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ + mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ + mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ + mysql_sorts mysql_tmp_tables; do + + failed=false + if [[ ! -L /etc/munin/plugins/$file ]]; then + echo 'IS_MYSQLMUNIN FAILED!' + failed=true + fi + ($failed) && break done fi fi From 7d1082d5857767ed53c7a172e4d42ee9d5191a9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 23 Feb 2018 11:13:01 +0100 Subject: [PATCH 06/14] Well... Don't need for failed variable after all. --- evocheck.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index f6ad04b..6ee42f7 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -683,12 +683,10 @@ if [ -e /etc/debian_version ]; then mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ mysql_sorts mysql_tmp_tables; do - failed=false if [[ ! -L /etc/munin/plugins/$file ]]; then echo 'IS_MYSQLMUNIN FAILED!' - failed=true + break fi - ($failed) && break done fi fi From 0dec7c654520cff2acc36b9f80a4175ce0024c04 Mon Sep 17 00:00:00 2001 
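Review bot: `[[ ! -L /etc/munin/plugins/$file ]]` is a bash-only test, while the removed `test -L` line and the `[ "$IS_MYSQLMUNIN" = 1 ]` guard shown in the previous patch use POSIX `[`/`test`; the shebang is outside the hunk, so if evocheck.sh is ever run under `/bin/sh` this line is a syntax error. `if [ ! -L "/etc/munin/plugins/$file" ]; then` keeps the new early `break` and the file's existing style. A one-line comment above the `break`, `# one FAILED line is enough: stop at the first missing plugin`, would record why the loop no longer reports every missing symlink. The `for` loop header and the enclosing `if` start outside the hunk.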
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Fri, 9 Mar 2018 15:22:08 +0100
Subject: [PATCH 07/14] Fix #21. IS_EVOBACKUP was disabled and using bad grep pattern

---
 evocheck.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/evocheck.sh b/evocheck.sh
index 6ee42f7..24f919d 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -98,6 +98,7 @@ IS_ELASTIC_BACKUP=1
 IS_MONGO_BACKUP=1
 IS_MOUNT_FSTAB=1
 IS_NETWORK_INTERFACES=1
+IS_EVOBACKUP=1
 
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -426,7 +427,7 @@ if [ -e /etc/debian_version ]; then
 
 # Verification de la mise en place d'evobackup
 if [ "$IS_EVOBACKUP" = 1 ]; then
-ls /etc/cron* |grep -q "zz.backup$" || echo 'IS_EVOBACKUP FAILED!'
+ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
 fi
 
 # Verification de la presence du userlogrotate

From 36822bf383f4e8ff1d3fb9116f8401dd7f0465b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Fri, 9 Mar 2018 18:05:09 +0100
Subject: [PATCH 08/14] WIP #19: Detect duplicate LABEL entries

---
 evocheck.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/evocheck.sh b/evocheck.sh
index 24f919d..b34d42f 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -99,6 +99,7 @@ IS_MONGO_BACKUP=1
 IS_MOUNT_FSTAB=1
 IS_NETWORK_INTERFACES=1
 IS_EVOBACKUP=1
+IS_DUPLICATE_FS_LABEL=1
 
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -725,6 +726,17 @@ if [ -e /etc/debian_version ]; then
 && test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
 fi
 fi
+
+if [ "IS_DUPLICATE_FS_LABEL" = 1 ]; then
+# Only on systems that have lsblk
+if [ -x "$(which lsblk)" ]; then
+tmpFile=$(mktemp -p /tmp)
+for part in $(lsblk -n -o LABEL); do
+echo $part >> $tmpFile
+done
+sort < $tmpFile | uniq -d
+fi
+fi
 fi

From d0975f771974ff637f8b4ec617b1fa4128c4f6fd Mon Sep 17 00:00:00 2001
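Review bot: `ls /etc/cron* |grep -q "evobackup"` matches any name containing the string, so a disabled or leftover copy such as `zz-evobackup.disabled` or `evobackup.dpkg-old` — which Debian's cron skips in `/etc/cron.d` because of the dot — satisfies a check meant to confirm that backups are actually scheduled. Anchoring the pattern on a whole line, e.g. `ls /etc/cron* 2>/dev/null | grep -qE '^(zz[-_])?evobackup$'`, limits the match to a name cron would run; the exact file name evobackup installs is not visible here, so adjust the alternatives to it. The `2>/dev/null` also stops a missing `/etc/cron.*` directory from printing an error on every cron run. The enclosing `if [ -e /etc/debian_version ]` block starts and ends outside the hunk.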
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Thu, 15 Mar 2018 16:13:20 +0100
Subject: [PATCH 09/14] First implementatio for IS_EVOMAINTENANCE_FW

We check if there is at least the 4 evomaintenance rules.
---
 evocheck.sh | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/evocheck.sh b/evocheck.sh
index 24f919d..5e0659d 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -99,6 +99,7 @@ IS_MONGO_BACKUP=1
 IS_MOUNT_FSTAB=1
 IS_NETWORK_INTERFACES=1
 IS_EVOBACKUP=1
+IS_EVOMAINTENANCE_FW=1
 
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -350,7 +351,20 @@ if [ -e /etc/debian_version ]; then
 && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \
 && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' )
 fi
-
+
+if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
+is_debianversion squeeze && f=/etc/firewall.rc
+is_debianversion wheezy && f=/etc/firewall.rc
+is_debianversion jessie && f=/etc/default/minifirewall
+is_debianversion stretch && f=/etc/default/minifirewall
+if [ -f "$f" ]; then
+rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$f")
+if [ "$rulesNumber" -lt 4 ]; then
+echo 'IS_EVOMAINTENANCE_FW FAILED!'
+fi
+fi
+fi
+
 # Verification de la conf et de l'activation de mod-deflate
 if [ "$IS_MODDEFLATE" = 1 ]; then
 f=/etc/apache2/mods-enabled/deflate.conf

From 75fbba7644a232cbe02ce2b214b704f42fd34a0e Mon Sep 17 00:00:00 2001
From: Daniel Jakots
Date: Thu, 15 Mar 2018 11:29:15 -0400
Subject: [PATCH 10/14] Set at the beginning $MINIFW_FILE and use it

---
 evocheck.sh | 29 ++++++++++++----------------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 5e0659d..0ba252b 100755
--- a/evocheck.sh
+++ b/evocheck.sh
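Review bot: `grep -c` counts commented-out rules as well, so four `#/sbin/iptables ... --sport 5432 ...` lines left in the firewall file satisfy a check whose purpose is to confirm the evomaintenance rules are active; the IS_SQUID check just above anchors with `^[^#]*`, and prefixing this pattern the same way, `grep -c "^[^#]*/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$f"`, keeps parity. The `-s .*` wildcard accepts any source address, so a rule for an unrelated host also counts towards the four; if the expected evomaintenance sources are fixed, matching them explicitly would make the threshold meaningful. The literal 4 has no explanation in the hunk; `# one ESTABLISHED rule per evomaintenance server, 4 expected` above the comparison would help the next reader. The enclosing Debian block starts and ends outside the hunk.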
@@ -150,6 +150,11 @@ is_debianversion(){
 #Vérifie si c'est une debian et fait les tests appropriés.
 #-----------------------------------------------------------
 
+is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
+is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
+is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
+is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
+
 if [ -e /etc/debian_version ]; then
 
 if [ "$IS_DPKGWARNING" = 1 ]; then
@@ -285,10 +290,7 @@ if [ -e /etc/debian_version ]; then
 fi
 
 if [ "$IS_MINIFWPERMS" = 1 ]; then
-is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
-is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
-is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
-is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
+ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
 fi
 
 if [ "$IS_NRPEDISKS" = 1 ]; then
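Review bot: The four `is_debianversion` calls now run at file scope, before the `if [ -e /etc/debian_version ]` guard that closes this hunk, so on a non-Debian host (the variable list carries a `#Proper to OpenBSD` section) `lsb_release` is invoked unconditionally and, where it is absent, prints an error while `MINIFW_FILE` stays unset; the removed per-release lines only ran inside the Debian block. Guarding each line, `[ -e /etc/debian_version ] && is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc` and likewise for the other three, or moving the four lines inside the Debian `if`, restores the previous behaviour. `is_debianversion` itself starts outside the hunk.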
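Review bot: `ls -l "$MINIFW_FILE" | grep -q -- -rw-------` inspects only the mode column, so a firewall file that is 0600 but owned by an unprivileged user passes (presumably it should be root-owned), and on a release none of the `MINIFW_FILE` assignments covers the variable is empty and `ls -l ""` now fails with an error where the removed per-release lines ran no check at all. `[ "$(stat -c '%U:%a' "$MINIFW_FILE" 2>/dev/null)" = root:600 ] || echo 'IS_MINIFWPERMS FAILED!'` checks owner and mode without parsing `ls`; prefix it with `[ -f "$MINIFW_FILE" ] &&` if an unknown release should stay silent as before. The enclosing Debian block starts and ends outside the hunk.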
@@ -341,24 +343,17 @@ if [ -e /etc/debian_version ]; then # Verification de l'activation de Squid dans le cas d'un pack mail if [ "$IS_SQUID" = 1 ]; then squidconffile=/etc/squid*/squid.conf - is_debianversion squeeze && f=/etc/firewall.rc - is_debianversion wheezy && f=/etc/firewall.rc - is_debianversion jessie && f=/etc/default/minifirewall - is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf + is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf is_pack_web && ( is_installed squid || is_installed squid3 \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' ) + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' 
) fi if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then - is_debianversion squeeze && f=/etc/firewall.rc - is_debianversion wheezy && f=/etc/firewall.rc - is_debianversion jessie && f=/etc/default/minifirewall - is_debianversion stretch && f=/etc/default/minifirewall if [ -f "$f" ]; then - rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$f") + rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") if [ "$rulesNumber" -lt 4 ]; then echo 'IS_EVOMAINTENANCE_FW FAILED!' fi From e5594f3f1b84633ef573e805d9a6564398473c65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Thu, 15 Mar 2018 17:51:12 +0100 Subject: [PATCH 11/14] IS_EVOMAINTENANCE_FW: Fix wrong variable --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 0ba252b..5480464 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -352,7 +352,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then - if [ -f "$f" ]; then + if [ -f "$MINIFW_FILE" ]; then rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") if [ "$rulesNumber" -lt 4 ]; then echo 'IS_EVOMAINTENANCE_FW FAILED!' From 8963a85269070c64da9b6d2d2477f941aa54c64d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Thu, 15 Mar 2018 17:53:58 +0100 Subject: [PATCH 12/14] Move the detection of minifirewall config --- evocheck.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 5480464..466ec7a 100755 --- a/evocheck.sh +++ b/evocheck.sh 
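Review bot: `$MINIFW_FILE` is unquoted in the four IS_SQUID greps, so on a release none of the `MINIFW_FILE` assignments matched it expands to nothing and `grep -qE pattern` reads standard input instead of a file — the check hangs on a terminal and, under cron with stdin at `/dev/null`, reports a spurious `IS_SQUID FAILED!`. Quoting it as `"$MINIFW_FILE"` turns that into an explicit grep error, and guarding the chain with `[ -f "$MINIFW_FILE" ]` as the IS_EVOMAINTENANCE_FW branch below does would be consistent. That branch still tests `[ -f "$f" ]` while grepping `"$MINIFW_FILE"`, a leftover of the removed lines that the next patch in the series corrects. The enclosing Debian block starts and ends outside the hunk.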
@@ -146,15 +146,15 @@ is_debianversion(){
 [ $(lsb_release -c -s) = $1 ] && return 0
 }
 
-#-----------------------------------------------------------
-#Vérifie si c'est une debian et fait les tests appropriés.
-#-----------------------------------------------------------
-
 is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
 is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
 is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
 is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
 
+#-----------------------------------------------------------
+#Vérifie si c'est une debian et fait les tests appropriés.
+#-----------------------------------------------------------
+
 if [ -e /etc/debian_version ]; then
 
 if [ "$IS_DPKGWARNING" = 1 ]; then

From 12d520548534d34049021b2dec4d22f85cc2fb3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Mon, 19 Mar 2018 14:51:18 +0100
Subject: [PATCH 13/14] Added the test to found duplicate

---
 evocheck.sh | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index b34d42f..3f65521 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -727,14 +727,22 @@ if [ -e /etc/debian_version ]; then
 fi
 fi
 
-if [ "IS_DUPLICATE_FS_LABEL" = 1 ]; then
-# Only on systems that have lsblk
+if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
+# Only on systems which have lsblk
 if [ -x "$(which lsblk)" ]; then
 tmpFile=$(mktemp -p /tmp)
 for part in $(lsblk -n -o LABEL); do
-echo $part >> $tmpFile
+echo "$part" >> "$tmpFile"
 done
-sort < $tmpFile | uniq -d
+tmpOutput=$(sort < "$tmpFile" | uniq -d)
+# If there is no duplicate, uniq will have no output
+# So, if $tmpOutput is not null, there is a duplicate
+if [ -n "$tmpOutput" ]; then
+echo 'IS_DUPLICATE_FS_LABEL FAILED!'
+# For debug, you may echo the contents of $tmpOutput
+# echo $tmpOutput
+fi
+rm $tmpFile
 fi
 fi
 fi

From 31f45cbd6e7d0726e8e42aefe7800b4bd8a965b8 Mon Sep 17 00:00:00 2001
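Review bot: `for part in $(lsblk -n -o LABEL)` word-splits the output, so a label containing a space is written as two lines and two labels that share a word (`Data 1` and `Data 2`) are reported as duplicates; the temp file exists only to feed `sort`. A single pipeline that drops the blank lines `lsblk` prints for unlabelled devices — which the word-splitting was silently removing — replaces the loop, the file and the unquoted `rm $tmpFile`: `tmpOutput=$(lsblk -n -o LABEL | sed '/^[[:space:]]*$/d' | sort | uniq -d)`. That also removes the `mktemp` file that is leaked whenever the script is interrupted before the `rm`. `command -v lsblk >/dev/null 2>&1` is the portable form of the `which` test. The enclosing Debian block starts outside the hunk.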
From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Mon, 19 Mar 2018 16:28:06 +0100 Subject: [PATCH 14/14] 0.12 release --- CHANGELOG | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index e0e759a..315d0e2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -3,6 +3,19 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ## [Unreleased] +## [0.12] - 2018-03-19 + +### Added + +* New checks: + IS_DUPLICATE_FS_LEVEL + IS_EVOMAINTENANCE_FW + +### Changed + +* Enabling IS_EVOBACKUP by default +* Better output for IS_MYSQLMUNIN + ## [0.11] - 2018-02-07 ### Added