Merge branch 'master' into debian
commit
a5eac93bbd
64
CHANGELOG
Normal file
64
CHANGELOG
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
||||||
|
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
||||||
|
|
||||||
|
## [Unreleased]
|
||||||
|
|
||||||
|
## [0.12] - 2018-03-19
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* New checks:
|
||||||
|
IS_DUPLICATE_FS_LEVEL
|
||||||
|
IS_EVOMAINTENANCE_FW
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* Enabling IS_EVOBACKUP by default
|
||||||
|
* Better output for IS_MYSQLMUNIN
|
||||||
|
|
||||||
|
## [0.11] - 2018-02-07
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* Bunch of new checks:
|
||||||
|
IS_PRIVKEYWOLRDREADABLE
|
||||||
|
IS_EVOLINUXSUDOGROUP
|
||||||
|
IS_USERINADMGROUP
|
||||||
|
IS_APACHE2EVOLINUXCONF
|
||||||
|
IS_BACKPORTSCONF
|
||||||
|
IS_BIND9MUNIN
|
||||||
|
IS_BIND9LOGROTATE
|
||||||
|
IS_BROADCOMFIRMWARE
|
||||||
|
IS_HARDWARERAIDTOOL
|
||||||
|
IS_LOG2MAILSYSTEMDUNIT
|
||||||
|
IS_LISTUPGRADE
|
||||||
|
IS_MARIADBEVOLINUXCONF
|
||||||
|
IS_MARIADBSYSTEMDUNIT
|
||||||
|
IS_MYSQLMUNIN
|
||||||
|
IS_PHPEVOLINUXCONF
|
||||||
|
IS_SQUIDLOGROTATE
|
||||||
|
IS_SQUIDEVOLINUXCONF
|
||||||
|
IS_SQL_BACKUP
|
||||||
|
IS_POSTGRES_BACKUP
|
||||||
|
IS_LDAP_BACKUP
|
||||||
|
IS_REDIS_BACKUP
|
||||||
|
IS_ELASTIC_BACKUP
|
||||||
|
IS_MONGO_BACKUP
|
||||||
|
IS_MOUNT_FSTAB
|
||||||
|
IS_NETWORK_INTERFACES
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* IS_UPTIME added in --cron mode
|
||||||
|
* is_pack_web() for Stretch
|
||||||
|
* IS_DPKGWARNING for Stretch
|
||||||
|
* IS_MOUNT_FSTAB is disabled if lsblk not available
|
||||||
|
* IS_MINIFWPERMS for Stretch
|
||||||
|
* IS_SQUID for Stretch
|
||||||
|
* IS_LOG2MAILAPACHE for Stretch
|
||||||
|
* IS_AUTOIF for Stretch
|
||||||
|
* IS_UPTIME warn if uptime is more thant 2y, was 1y
|
||||||
|
* IS_NOTUPGRADED warn if last upgrade is older than 90d, was 30d
|
||||||
|
* IS_TUNE2FS_M5 use python in place of bc for calculation
|
||||||
|
* IS_EVOMAINTENANCEUSERS for Stretch
|
||||||
|
* IS_EVOMAINTENANCECONF check also the mode of the file (600)
|
|
@ -13,12 +13,12 @@ Checkout the branch debian, merge the master branch.
|
||||||
git checkout debian
|
git checkout debian
|
||||||
git merge master --no-ff
|
git merge master --no-ff
|
||||||
dch -v <VERSION>-1
|
dch -v <VERSION>-1
|
||||||
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-ignore-new
|
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new
|
||||||
```
|
```
|
||||||
|
|
||||||
If the build is OK, you can now build the final package.
|
If the build is OK, you can now build the final package.
|
||||||
|
|
||||||
```
|
```
|
||||||
dch -D stretch -r
|
dch -D stretch -r
|
||||||
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-tag --git-sign --git-keyid=<KEY>
|
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid=<KEY>
|
||||||
```
|
```
|
||||||
|
|
73
evocheck.sh
73
evocheck.sh
|
@ -98,6 +98,9 @@ IS_ELASTIC_BACKUP=1
|
||||||
IS_MONGO_BACKUP=1
|
IS_MONGO_BACKUP=1
|
||||||
IS_MOUNT_FSTAB=1
|
IS_MOUNT_FSTAB=1
|
||||||
IS_NETWORK_INTERFACES=1
|
IS_NETWORK_INTERFACES=1
|
||||||
|
IS_EVOBACKUP=1
|
||||||
|
IS_DUPLICATE_FS_LABEL=1
|
||||||
|
IS_EVOMAINTENANCE_FW=1
|
||||||
|
|
||||||
#Proper to OpenBSD
|
#Proper to OpenBSD
|
||||||
IS_SOFTDEP=1
|
IS_SOFTDEP=1
|
||||||
|
@ -144,6 +147,11 @@ is_debianversion(){
|
||||||
[ $(lsb_release -c -s) = $1 ] && return 0
|
[ $(lsb_release -c -s) = $1 ] && return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
|
||||||
|
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
|
||||||
|
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
|
||||||
|
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
|
||||||
|
|
||||||
#-----------------------------------------------------------
|
#-----------------------------------------------------------
|
||||||
#Vérifie si c'est une debian et fait les tests appropriés.
|
#Vérifie si c'est une debian et fait les tests appropriés.
|
||||||
#-----------------------------------------------------------
|
#-----------------------------------------------------------
|
||||||
|
@ -283,10 +291,7 @@ if [ -e /etc/debian_version ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$IS_MINIFWPERMS" = 1 ]; then
|
if [ "$IS_MINIFWPERMS" = 1 ]; then
|
||||||
is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
|
||||||
is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
|
||||||
is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
|
||||||
is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$IS_NRPEDISKS" = 1 ]; then
|
if [ "$IS_NRPEDISKS" = 1 ]; then
|
||||||
|
@ -339,17 +344,23 @@ if [ -e /etc/debian_version ]; then
|
||||||
# Verification de l'activation de Squid dans le cas d'un pack mail
|
# Verification de l'activation de Squid dans le cas d'un pack mail
|
||||||
if [ "$IS_SQUID" = 1 ]; then
|
if [ "$IS_SQUID" = 1 ]; then
|
||||||
squidconffile=/etc/squid*/squid.conf
|
squidconffile=/etc/squid*/squid.conf
|
||||||
is_debianversion squeeze && f=/etc/firewall.rc
|
is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
|
||||||
is_debianversion wheezy && f=/etc/firewall.rc
|
|
||||||
is_debianversion jessie && f=/etc/default/minifirewall
|
|
||||||
is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf
|
|
||||||
is_pack_web && ( is_installed squid || is_installed squid3 \
|
is_pack_web && ( is_installed squid || is_installed squid3 \
|
||||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \
|
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
|
||||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \
|
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
|
||||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \
|
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
|
||||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' )
|
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
|
||||||
|
if [ -f "$MINIFW_FILE" ]; then
|
||||||
|
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
|
||||||
|
if [ "$rulesNumber" -lt 4 ]; then
|
||||||
|
echo 'IS_EVOMAINTENANCE_FW FAILED!'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Verification de la conf et de l'activation de mod-deflate
|
# Verification de la conf et de l'activation de mod-deflate
|
||||||
if [ "$IS_MODDEFLATE" = 1 ]; then
|
if [ "$IS_MODDEFLATE" = 1 ]; then
|
||||||
f=/etc/apache2/mods-enabled/deflate.conf
|
f=/etc/apache2/mods-enabled/deflate.conf
|
||||||
|
@ -426,7 +437,7 @@ if [ -e /etc/debian_version ]; then
|
||||||
|
|
||||||
# Verification de la mise en place d'evobackup
|
# Verification de la mise en place d'evobackup
|
||||||
if [ "$IS_EVOBACKUP" = 1 ]; then
|
if [ "$IS_EVOBACKUP" = 1 ]; then
|
||||||
ls /etc/cron* |grep -q "zz.backup$" || echo 'IS_EVOBACKUP FAILED!'
|
ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Verification de la presence du userlogrotate
|
# Verification de la presence du userlogrotate
|
||||||
|
@ -564,7 +575,7 @@ if [ -e /etc/debian_version ]; then
|
||||||
if [ "$IS_BACKPORTSCONF" = 1 ]; then
|
if [ "$IS_BACKPORTSCONF" = 1 ]; then
|
||||||
if is_debianversion stretch; then
|
if is_debianversion stretch; then
|
||||||
grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
|
grep -q backports /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
|
||||||
grep -q backports /etc/apt/sources.list.d/*.list && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
|
grep -q backports /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -q backports /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -676,8 +687,17 @@ if [ -e /etc/debian_version ]; then
|
||||||
|
|
||||||
if [ "$IS_MYSQLMUNIN" = 1 ]; then
|
if [ "$IS_MYSQLMUNIN" = 1 ]; then
|
||||||
if is_debianversion stretch && is_installed mariadb-server; then
|
if is_debianversion stretch && is_installed mariadb-server; then
|
||||||
for file in mysql_bytes mysql_queries mysql_slowqueries mysql_threads mysql_connections mysql_files_tables mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores mysql_myisam_indexes mysql_qcache mysql_qcache_mem mysql_sorts mysql_tmp_tables; do
|
for file in mysql_bytes mysql_queries mysql_slowqueries \
|
||||||
test -L /etc/munin/plugins/$file || echo 'IS_MYSQLMUNIN FAILED!'
|
mysql_threads mysql_connections mysql_files_tables \
|
||||||
|
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
|
||||||
|
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
|
||||||
|
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
|
||||||
|
mysql_sorts mysql_tmp_tables; do
|
||||||
|
|
||||||
|
if [[ ! -L /etc/munin/plugins/$file ]]; then
|
||||||
|
echo 'IS_MYSQLMUNIN FAILED!'
|
||||||
|
break
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -715,6 +735,25 @@ if [ -e /etc/debian_version ]; then
|
||||||
&& test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
|
&& test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
|
||||||
|
# Only on systems which have lsblk
|
||||||
|
if [ -x "$(which lsblk)" ]; then
|
||||||
|
tmpFile=$(mktemp -p /tmp)
|
||||||
|
for part in $(lsblk -n -o LABEL); do
|
||||||
|
echo "$part" >> "$tmpFile"
|
||||||
|
done
|
||||||
|
tmpOutput=$(sort < "$tmpFile" | uniq -d)
|
||||||
|
# If there is no duplicate, uniq will have no output
|
||||||
|
# So, if $tmpOutput is not null, there is a duplicate
|
||||||
|
if [ -n "$tmpOutput" ]; then
|
||||||
|
echo 'IS_DUPLICATE_FS_LABEL FAILED!'
|
||||||
|
# For debug, you may echo the contents of $tmpOutput
|
||||||
|
# echo $tmpOutput
|
||||||
|
fi
|
||||||
|
rm $tmpFile
|
||||||
|
fi
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
|
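Review bot: The `grep -c` pattern in the new IS_EVOMAINTENANCE_FW block is unanchored, so a rule that has been commented out in `$MINIFW_FILE` still counts toward the four expected lines and the check passes with the rules disabled. The IS_SQUID greps in this file already skip comments with `^[^#]*`, and the same prefix fits here: `rulesNumber=$(grep -c "^[^#]*/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")`. Separately, `MINIFW_FILE` is assigned only for squeeze, wheezy, jessie and stretch, so on any other release the rewritten IS_MINIFWPERMS line runs `ls -l ""` and prints FAILED where the old per-release lines stayed silent. A guard such as `[ -n "$MINIFW_FILE" ] && ( ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )` would keep the earlier behaviour. Both checks sit inside the `if [ -e /etc/debian_version ]` block, which opens and closes outside the visible hunks.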