Compare commits

...

88 commits

Author SHA1 Message Date
Jérémy Dubois 8d460b039d check_versions: renamed "IS_VERSIONS_CHECK" to "IS_CHECK_VERSIONS" to match function name logic, and do not run check in cron mode 2022-04-14 09:52:32 +02:00
Jérémy Dubois 1281891363 Added check_root_user: make sure that root user does not have a password 2022-04-13 15:57:10 +02:00
Jérémy Dubois 3fcab1eeb3 Many improvements and bump to version 22.03. See CHANGELOG 2022-03-10 16:46:31 +01:00
Jérémy Dubois 11d77659a0 Fixed check_tmoutprofile: syntax error on if/else/fi test 2021-10-07 15:01:48 +02:00
Jérémy Dubois f1c63f827f Fixed check_tmoutprofile and changed version numbering 2021-09-17 17:15:19 +02:00
Jérémy Dubois e0202f28ff Fix IS_PREEMPT remaining 2021-07-23 16:21:32 +02:00
Jérémy Dubois 8a735ca4ca Renamed multiple CARP checks
Renamed check_advskew, check_preempt, check_advbase and their alert to add "carp" in them
2021-07-23 16:01:12 +02:00
Jérémy Dubois af259252be Add check_advskew and boot version 2021-07-16 14:52:49 +02:00
Jérémy Dubois 5bf2959aac Update changelog and boost version number 2020-10-23 18:13:35 +02:00
Jérémy Dubois e21628fea7 Fix check_noatime : do not take into account commented entry in fstab 2020-10-23 17:32:15 +02:00
Jérémy Dubois 04139f3d60 Add check_openvpncronlog and update CHANGELOG
A cron is needed to rotate logs, because a restart of OpenVPN would be needed
with the use of newsyslog to rotate logs
2020-10-22 18:16:52 +02:00
Jérémy Dubois b6f4889ac5 Fix check_raidok : the same device could be displayed multiple times 2020-10-22 14:16:56 +02:00
Jérémy Dubois b49a1fbea5 Fix check_uptodate : properly check that syspatch exists 2020-10-22 12:12:42 +02:00
Jérémy Dubois 682cd3afaa Add check_noatime and fix check_softdep
Add check_noatime - Check that all ffs partitions are mounted with the noatime
option

Fix check_softdep - We now check the number of ffs partitions and we compare it
to the number of softdep options currently there
2020-10-15 10:19:31 +02:00
Jérémy Dubois 7cb6055af5 Fix check_cronpath
Do not check PATH=XXX but only XXX
because XXX can also be in quotes
(PATH="XXX" would not be matched)
2020-10-09 14:09:21 +02:00
Jérémy Dubois 4798873ace Add check_backupuptodate - Check that /home/backup is not older than 2 days 2020-08-04 15:08:21 +02:00
Jérémy Dubois 8eb2c5f9bc Update changelog 2020-07-27 17:01:15 +02:00
Jérémy Dubois 5bad0301d9 Add check_ntp() - Check the ntpd configuration 2020-07-27 16:59:54 +02:00
Jérémy Dubois 57d44cbf91 Removed check_postgresql - Deprecated since we now use an API 2020-07-23 11:00:34 +02:00
Jérémy Dubois 3d86996f5d Fix check_defaultroute - We need to check if the /etc/mygate file exists before comparing it - version 6.7.3 2020-07-23 10:28:34 +02:00
Jérémy Dubois 04994ecebc Add check_defaultroute function and update CHANGELOG file to 6.7.2 2020-07-22 14:27:27 +02:00
Tristan PILAT c688b0d524 Bump to version 6.7.1 2020-07-15 11:31:38 +02:00
Tristan PILAT b58ad51307 Fix check_sudomaint function - ADMIN group does not exist anymore, we now check that the wheel group has NOPASSWD for evomaintenance 2020-07-15 11:21:10 +02:00
Tristan PILAT 5eedf3ad4d Fix check_customsyslog - We have to check whether EvoBSD is present in newsyslog.conf file 2020-07-15 11:19:30 +02:00
Tristan PILAT 239c5896df We want evocheck advbase output to be uniq 2020-07-15 11:08:32 +02:00
Tristan PILAT 8d80e5bfc8 Update CHANGELOG to 6.6.2 2020-04-27 15:45:41 +02:00
Tristan PILAT 4fead89240 Add check_sync function - If a server is a Carp member we check whether the sync.sh script is present or not 2020-04-27 15:38:27 +02:00
Tristan PILAT e0716d3197 Remove check_oldhomedir - This information is irrelevant since we always keep home directories of former sysadmins 2020-04-27 15:35:28 +02:00
Tristan PILAT c436480014 Add check_pfenabled function 2020-04-27 15:30:42 +02:00
Tristan PILAT a5a034e611 Add check_uptodate function 2020-04-27 15:30:00 +02:00
Tristan PILAT 1d47e0f8d8 Rename kerneluptodate function to uptodate 2020-04-27 15:28:59 +02:00
Tristan PILAT 82a9050e00 Now use a version-naming scheme based on OpenBSD's one 2020-04-27 15:27:31 +02:00
Tristan PILAT 0b6ad08b5b Add RAID check 2020-04-22 17:53:26 +02:00
Tristan PILAT b1868829aa It might be useful to have /usr/share/scripts in the crontab PATH 2020-04-21 18:21:03 +02:00
Tristan PILAT cf975ee14b We have no use of Vagrant here 2020-04-21 18:19:33 +02:00
Tristan PILAT f019e82255 Update main contributors of this branch 2020-04-21 18:18:39 +02:00
Tristan PILAT c72a779f6c Let's create a new changelog file for this version of evocheck 2020-04-21 18:17:51 +02:00
Tristan PILAT 68823b7c91 We can't run the OpenBSD version of evocheck in DroneCI 2020-04-21 18:16:53 +02:00
Tristan PILAT 6f5b5d78d8 Create the main function and add calls to all checks 2020-04-21 17:44:37 +02:00
Tristan PILAT e69e08160d We now use functions instead of if statements as in the linux version of the script 2020-04-21 17:41:32 +02:00
Tristan PILAT 425b08552a Merge --version flag to --help. Both are now showing the help message 2020-04-21 17:37:07 +02:00
Tristan PILAT fe76e40b35 Delete show_version since it is now included in show_help function 2020-04-21 17:34:19 +02:00
Tristan PILAT 9164fe2459 Amend show_help function for a more complete 2020-04-21 17:32:48 +02:00
Tristan PILAT 5ee0d20fe9 Add VERSION variable from linux version 2020-04-21 17:30:39 +02:00
Tristan PILAT 82af0db8b2 Delete default configuration values since they are now included in the main function 2020-04-21 16:59:58 +02:00
Tristan PILAT ef2b234d49 Fix a mistake in the description 2020-04-21 16:59:08 +02:00
Tristan PILAT 53015152b3 We now use is_installed function to test whether a package is installed 2019-03-25 17:50:10 +01:00
Tristan PILAT 12ccfa914b Fix is_installed function to work on OpenBSD 2019-03-25 17:49:22 +01:00
Tristan PILAT 477c15df8a Fix the stat command for OpenBSD 2019-03-25 17:10:22 +01:00
Tristan PILAT 1add27c67d We don't have to test whether the system is Debian or OpenBSD anymore 2019-03-25 17:09:49 +01:00
Tristan PILAT 71436c2f44 Amend all the checks to use the new logging function 2019-03-25 17:08:08 +01:00
Tristan PILAT 53c7c42324 Import some functions from the cleanup branch 2019-03-25 17:06:09 +01:00
Tristan PILAT 3a18ec50a7 Since the script is compatible with sh, let's switch to /bin/sh 2019-03-25 17:02:51 +01:00
Tristan PILAT ec7de84aa7 Update default variables 2019-03-22 17:51:56 +01:00
Tristan PILAT 6f55586f6b That check is not required in our use case for OpenBSD 2019-03-22 17:51:06 +01:00
Tristan PILAT f8f0effa94 Check IS_PFCUSTOM is left to be done 2019-03-22 17:36:23 +01:00
Tristan PILAT ba43de597e Check IS_PFENABLED is left to be done 2019-03-22 17:36:01 +01:00
Tristan PILAT 94cbf9e589 Fix IS_SSHPERMITROOTNO for OpenBSD 2019-03-22 17:34:05 +01:00
Tristan PILAT 7eba87917f Add VERBOSE message for the IS_RSYNC check 2019-03-22 17:32:48 +01:00
Tristan PILAT ed93ba9f5d This is not required anymore 2019-03-22 17:32:20 +01:00
Tristan PILAT 3948702561 IS_ALERTBOOT is redundant with IS_REBOOTMAIL 2019-03-22 17:30:42 +01:00
Tristan PILAT 4f1ee5a982 Update the IS_NRPE check 2019-03-22 17:24:45 +01:00
Tristan PILAT e509ea879e inetd is now disabled by default 2019-03-22 17:22:24 +01:00
Tristan PILAT 5d5291f08d Add VERBOSE message for the IS_TTYC0SECURE check 2019-03-22 17:21:43 +01:00
Tristan PILAT e3f0b45724 Let's use the proper tools to check if a package is present 2019-03-22 17:21:08 +01:00
Tristan PILAT 6a9ba37c30 Check IS_OLD_HOME_DIR is left to be done 2019-03-22 17:18:25 +01:00
Tristan PILAT d6ef05803e Update IS_HISTORY check for OpenBSD 2019-03-22 17:17:55 +01:00
Tristan PILAT 950ea6fca6 Check if /etc/.git has the proper rights 2019-03-22 15:00:40 +01:00
Tristan PILAT 8ae3707044 Check IS_BACKUPUPTODATE is left to be done 2019-03-22 14:57:58 +01:00
Tristan PILAT 08edb86da6 Update IS_UPTIME check for OpenBSD 2019-03-22 14:57:18 +01:00
Tristan PILAT e4269d793c Check whether the system should be restarted after an update is left to be done 2019-03-22 14:56:46 +01:00
Tristan PILAT 37f3c1faee Update evobackup installation check for OpenBSD 2019-03-22 14:55:57 +01:00
Tristan PILAT 823a4f9ee0 RAID check with bioctl is left to be done 2019-03-22 14:55:09 +01:00
Tristan PILAT 954eaf5e28 Add VERBOSE message for the IS_TMOUTPROFILE check 2019-03-22 14:53:59 +01:00
Tristan PILAT de487e964c Add VERBOSE message for the IS_TMPNOEXEC check 2019-03-22 14:53:32 +01:00
Tristan PILAT 53cd10f4a8 Remove incompatible or useless checks under OpenBSD 2019-03-22 14:52:25 +01:00
Tristan PILAT 4c43e1b21a Remove Linux/OpenBSD condition test and clean up some useless evocheck tests under OpenBSD 2019-03-20 09:43:50 +01:00
Tristan 4dc94a19b0 Some characters have to be escaped 2019-03-13 14:43:03 +01:00
Tristan 9832da8b03 Check whether the sending of a mail after every reboot is present in the rc.local file 2019-03-13 14:37:49 +01:00
Tristan d52aa4915b Now using 'command -v' instead of 'which' 2019-03-12 17:42:44 +01:00
Tristan 9a52beedbe It's more readable when using that syntax with test 2019-03-12 17:38:41 +01:00
Tristan 6f4f299006 Fix a condition mistake 2019-03-12 17:34:40 +01:00
Tristan f10df11143 Add PREEMPT detection 2019-03-12 17:33:01 +01:00
Tristan 5be38dc4f5 Update OpenBSD IS_PKGMIRROR check 2019-03-11 16:32:58 +01:00
Tristan 2815c211f4 We don't need that part anymore 2019-03-11 16:04:30 +01:00
Tristan 4c83cf1a28 Under OpenBSD, for 'wheel' group activation detection in sudoers file check if /etc/sudoers exists first 2019-03-11 16:03:16 +01:00
Tristan c90de6ec1f Under OpenBSD, fix if statement for hostname.carp file detection 2019-03-11 15:53:04 +01:00
Tristan f379f6210a Under OpenBSD, add advbase value detection 2019-03-11 15:17:23 +01:00
5 changed files with 727 additions and 1184 deletions


@ -1,8 +0,0 @@
kind: pipeline
name: default
steps:
- name: run shellcheck on evocheck.sh
image: vlaborie/shellcheck
commands:
- LC_ALL=C.UTF-8 shellcheck evocheck.sh
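Review bot: deleting this pipeline removes the only automated lint the repository had for evocheck.sh, and the reason given in commit 68823b7c91 (the OpenBSD version cannot run in DroneCI) does not apply to this step, since shellcheck only parses the file and never executes it. Keep the step and tell shellcheck the target dialect, `LC_ALL=C.UTF-8 shellcheck -s sh evocheck.sh`, so that the ksh-only constructs the new script relies on (`let`, `[[ ]]`) are at least reported on every push.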

CHANGELOG

@ -1,76 +1,161 @@
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
## [0.13] - 2018-04-10
## [22.04] - 2022-04-13
### Added
* New checks:
IS_EVOLIX_USER
- Added check_root_user: make sure that root user does not have a password
### Changed
* Fixing IS_DUPLICATE_FS_LEVEL check
* Custom limit for IS_NOTUPGRADED
* IS_SSHALLOWUSERS now check also for AllowGroups
## [0.12] - 2018-03-19
## [22.03] - 2022-03-10
### Added
* New checks:
IS_DUPLICATE_FS_LEVEL
- check_evomaintenanceconf: check existence and rights of evomaintenance conf file
- Added check_nrpeopensmtpd to ensure that opensmtpd is used for mailq nrpe check
- Added check_sshallowusers to ensure that AllowUsers or AllowGroups directive is present in sshd_config
- Added check_evobackup_exclude_mount to ensure that NFS mounts are excluded from backup
- Added check_etcgit to ensure that /etc is a git repository
- Added check_evolinuxsudogroup to ensure that evolinux-sudo is properly configured in sudo if group exist
- Added check_bind9munin to ensure that a plugin for bind is configured when munin is installed
- Added check_evolix_user to ensure that evolix user does not exist
- Added check_versions and its functions (download_versions, get_command, get_version, check_version, add_to_path) to ensure that custom scripts are up to date
### Changed
* Enabling IS_EVOBACKUP by default
* Better output for IS_MYSQLMUNIN
- Overall improvement of evocheck: reordering, splitting version and help options, adding comments, developping some functions so they are more comprehensible
- Improved check_umasksudoers to have a more complete grep
- Updated check_history to reflect the new HISTSIZE value
- Renamed check_tmp1777 and check_root0700 respectively to check_tmp_1777 and check_root_0700
- Improved check_tmp_1777, check_root_0700, check_usrsharescripts in the way the folders rights are checked
## [0.11] - 2018-02-07
### Fixed
- Fixed check_uptime: it didn't work at all, and tried to get uptime in the wrong way
- Fixed check_evomaintenanceusers: sudo is not used for the evomaintenance trap, doas is ; and users were not found the better way
### Removed
- Removed empty check_pfcustom
## [21.10] - 2021-10-07
### Fixed
- Fixed check_tmoutprofile: syntax error on if/else/fi test
## [21.09] - 2021-09-17
### Changed
- Changed version numbering to use year.month and be capable to know the age of the script
### Fixed
- Fixed check_tmoutprofile: Add "if" to check if file exists
## [6.9.1] - 2021-07-23
### Changed
- Renamed check_advskew, check_preempt, check_advbase and their alert to add "carp" in them
## [6.9.0] - 2021-07-16
### Added
* Bunch of new checks:
IS_PRIVKEYWOLRDREADABLE
IS_EVOLINUXSUDOGROUP
IS_USERINADMGROUP
IS_APACHE2EVOLINUXCONF
IS_BACKPORTSCONF
IS_BIND9MUNIN
IS_BIND9LOGROTATE
IS_BROADCOMFIRMWARE
IS_HARDWARERAIDTOOL
IS_LOG2MAILSYSTEMDUNIT
IS_LISTUPGRADE
IS_MARIADBEVOLINUXCONF
IS_MARIADBSYSTEMDUNIT
IS_MYSQLMUNIN
IS_PHPEVOLINUXCONF
IS_SQUIDLOGROTATE
IS_SQUIDEVOLINUXCONF
IS_SQL_BACKUP
IS_POSTGRES_BACKUP
IS_LDAP_BACKUP
IS_REDIS_BACKUP
IS_ELASTIC_BACKUP
IS_MONGO_BACKUP
IS_MOUNT_FSTAB
IS_NETWORK_INTERFACES
- Add check_advskew: convention for CARP interfaces. CARP in master state must have advskew parameter between 1 and 50, CARP in backup state must have advskew parameter between 100 and 150, preventing a configuration error with the same value for master and backup
## [6.8.0] - 2020-10-23
### Fixed
- Fix check_noatime: do not take into account commented entry in fstab
## [6.7.7] - 2020-10-22
### Added
- Add check_openvpncronlog: a cron is needed to rotate logs, because a restart of OpenVPN would be needed with the use of newsyslog to rotate logs
### Fixed
- Fix check_uptodate: properly check that syspatch exists
- Fix check_raidok: the same device could be displayed multiple times
## [6.7.6] - 2020-10-15
### Added
- Add check_noatime - Check that all ffs partitions are mounted with the noatime option
### Fixed
- Fix check_softdep - We now check the number of ffs partitions and we compare it to the number of softdep options currently there
## [6.7.5] - 2020-10-09
### Fixed
- Fix check_cronpath - Do not check PATH=XXX but only XXX because XXX can also be in quotes (PATH="XXX" would not be matched)
## [6.7.4] - 2020-08-04
### Added
- Add check_backupuptodate - Check that /home/backup is not older than 2 days
## [6.7.3] - 2020-07-23
### Added
- Add check_ntp - Check the ntpd configuration
### Fixed
- Fix check_defaultroute - We need to check if the /etc/mygate file exists before comparing it
### Removed
- Removed check_postgresql - Deprecated since we now use an API
## [6.7.2] - 2020-07-22
### Added
- Add check_defaultroute function - Make sure the default route in /etc/mygate file is the same that the one currently used
## [6.7.1] - 2020-07-15
### Fixed
- Fix check_customsyslog - We have to check whether EvoBSD is present in newsyslog.conf file
- Fix check_sudomaint function - ADMIN group does not exist anymore, we now check that the wheel group has NOPASSWD to run the evomaintenance command alias
- Fix check_advbase - We want the evocheck advbase function output to be uniq
## [6.6.2] - 2020-04-27
### Added
- Add check_sync function - If a server is a Carp member we check whether the sync.sh script is present or not
- Add check_pfenabled function - We make sure PF is enabled
- Add check_uptodate function - Use syspatch(8) to check if security updates are available
### Changed
* IS_UPTIME added in --cron mode
* is_pack_web() for Stretch
* IS_DPKGWARNING for Stretch
* IS_MOUNT_FSTAB is disabled if lsblk not available
* IS_MINIFWPERMS for Stretch
* IS_SQUID for Stretch
* IS_LOG2MAILAPACHE for Stretch
* IS_AUTOIF for Stretch
* IS_UPTIME warn if uptime is more thant 2y, was 1y
* IS_NOTUPGRADED warn if last upgrade is older than 90d, was 30d
* IS_TUNE2FS_M5 use python in place of bc for calculation
* IS_EVOMAINTENANCEUSERS for Stretch
* IS_EVOMAINTENANCECONF check also the mode of the file (600)
- Remove check_oldhomedir - This information is irrelevant since we always keep home directories of former sysadmins
- Now use a version-naming scheme based on OpenBSD's one
## [6.6.1] - 2020-04-21
### Changed
- Rewrite if statements to functions
- Add a main function
- New help message
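Review bot: the new "## [22.04] - 2022-04-13" entry lists only check_root_user, yet the compare range also contains 8d460b039d (2022-04-14), which renames the IS_VERSIONS_CHECK alert to IS_CHECK_VERSIONS and stops running check_versions in --cron mode; both are user-visible (operators grep alert names and will notice a check going silent in cron), so add them under 22.04 as Changed items, and move the entry date past that commit or make the commit part of the next release. The rest of the hunk rewrites the 0.11 to 0.13 Debian-era entries into the OpenBSD-only history, which is consistent with the "22.03" note about splitting the script, but the "## [Unreleased]" heading is kept with nothing under it; either drop it or park the 8d460b039d changes there.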


@ -1,4 +1,4 @@
Current project leader: Benoît
Current project leader: Jérémy D and Tristan
- Use English
- Always do a Merge Request
- Always do a Merge Request

Vagrantfile

@ -1,43 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant::DEFAULT_SERVER_URL.replace('https://vagrantcloud.com')
# Load ~/.VagrantFile if exist, permit local config provider
vagrantfile = File.join("#{Dir.home}", '.VagrantFile')
load File.expand_path(vagrantfile) if File.exists?(vagrantfile)
Vagrant.configure('2') do |config|
config.vm.synced_folder "./", "/vagrant", type: "rsync", rsync__exclude: [ '.vagrant', '.git' ]
config.ssh.shell="/bin/sh"
$deps = <<SCRIPT
rm -f /usr/share/scripts/evocheck.sh
ln -s /vagrant/evocheck.sh /usr/share/scripts/evocheck.sh
cat >/etc/evocheck.cf <<EOF
IS_CUSTOMSUDOERS=0
IS_VARTMPFS=0
IS_USRRO=0
IS_TMPNOEXEC=0
IS_SSHALLOWUSERS=0
IS_ALERT5MINIFW=0
IS_MINIFW=0
IS_MINIFWPERMS=0
IS_EVOBACKUP=0
IS_MUNINRUNNING=0
IS_EVOLINUXSUDOGROUP=0
IS_LOG2MAILSYSTEMDUNIT=0
IS_LISTUPGRADE=0
IS_EVOMAINTENANCECONF=0
EOF
SCRIPT
config.vm.define :evocheck do |node|
node.vm.hostname = "evocheck.example.com"
node.vm.box = "evolix/evolinux"
node.vm.provision "deps", type: "shell", :inline => $deps
end
end


@ -1,1086 +1,595 @@
#!/bin/bash
#!/bin/sh
# EvoCheck
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
# Script to verify compliance of an OpenBSD server powered by Evolix
readonly VERSION="22.04"
# base functions
show_version() {
cat <<END
evocheck version ${VERSION}
Copyright 2009-2021 Evolix <info@evolix.fr>,
Romain Dessort <rdessort@evolix.fr>,
Benoit Série <bserie@evolix.fr>,
Gregory Colpart <reg@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Tristan Pilat <tpilat@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>,
Jérémy Dubois <jdubois@evolix.fr>
and others.
evocheck comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
evocheck is a script that verifies Evolix conventions on OpenBSD servers.
Usage: evocheck
or evocheck --cron
or evocheck --quiet
or evocheck --verbose
Options
--cron disable a few checks
-v, --verbose increase verbosity of checks
-q, --quiet nothing is printed on stdout nor stderr
-h, --help print this message and exit
--version print version and exit
END
}
is_installed(){
for pkg in "$@"; do
pkg_info | grep -q $pkg || return 1
done
}
# logging
failed() {
check_name=$1
shift
check_comments=$*
RC=1
if [ "${QUIET}" != 1 ]; then
if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1
else
printf "%s FAILED!\n" "${check_name}" 2>&1
fi
fi
}
# check functions
check_umasksudoers(){
grep -Rq "^Defaults.*umask=0077" /etc/sudoers* || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
}
check_tmpnoexec(){
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option"
}
check_softdep(){
if [ $(grep -c softdep /etc/fstab) -ne $(grep -c ffs /etc/fstab) ]; then
failed "IS_SOFTDEP" "All partitions should have the softdep option"
fi
}
check_noatime(){
if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then
failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
fi
}
check_tmoutprofile(){
if [ -f /etc/skel/.profile ]; then
grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "Add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
else
failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'"
fi
}
check_raidok(){
egrep 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1
RESULT=$?
if [ $RESULT -eq 0 ]; then
raid_device=$(egrep 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }' | tail -1)
raid_status=$(bioctl $raid_device | grep softraid | awk '{ print $3 }')
if [ $raid_status != "Online" ]; then
failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations"
fi
fi
}
check_evobackup(){
if [ -f /etc/daily.local ]; then
grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
else
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
fi
}
check_uptodate(){
if [ $(command -v syspatch) ]; then
if syspatch -c | egrep "." 1> /dev/null 2>&1; then
failed "IS_UPTODATE" "Security update available! Update with syspatch(8)!"
fi
fi
}
check_uptime(){
let "uptime = $(date +"%s") - $(sysctl -n kern.boottime)"
if [ "$uptime" -gt "$(( 2*365*24*60*60 ))" ]; then
failed "IS_UPTIME" "The server has an uptime of more than 2 years, reboot on new kernel advised"
fi
}
check_backupuptodate(){
backup_dir="/home/backup"
if [ -d "${backup_dir}" ]; then
if [ -n "$(ls -A ${backup_dir})" ]; then
for file in ${backup_dir}/*; do
let "limit = $(date +"%s") - 172800"
updated_at=$(stat -f "%m" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
test "${VERBOSE}" = 1 || break;
fi
done
else
failed "IS_BACKUPUPTODATE" "${backup_dir}/ is empty"
fi
else
failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing"
fi
}
check_gitperms() {
GIT_DIR="/etc/.git"
if test -d $GIT_DIR; then
expected="40700"
actual=$(stat -f "%p" $GIT_DIR)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be 700"
fi
}
check_carpadvbase(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
bad_advbase=0
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
if [[ "$advbase" -gt 5 ]]; then
bad_advbase=1
fi
done
if [[ "$bad_advbase" -eq 1 ]]; then
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
fi
fi
}
check_carppreempt(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
if [[ "$preempt" -ne 1 ]]; then
failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
fi
if [ -f /etc/sysctl.conf ]; then
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
else
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
fi
fi
}
check_rebootmail(){
if [ -f /etc/rc.local ]; then
grep -qE '^date \| mail -s "boot/reboot of' /etc/rc.local || failed "IS_REBOOTMAIL" "Make sure the line 'date | mail -s \"boot/reboot of \$hostname' is present in the /etc/rc.local file!"
else
failed "IS_REBOOTMAIL" "Make sure /etc/rc.local exist and 'date | mail -s \"boot/reboot of \$hostname' is present!"
fi
}
check_pfenabled(){
if pfctl -si | grep Disabled 1> /dev/null 2>&1; then
failed "IS_PFENABLED" "PF is disabled! Make sure pf=NO is absent from /etc/rc.conf.local and carefully run pfctl -e"
fi
}
check_wheel(){
if [ -f /etc/sudoers ]; then
grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL" ""
fi
}
check_pkgmirror(){
grep -qE "^https://cdn\.openbsd\.org/pub/OpenBSD" /etc/installurl || failed "IS_PKGMIRROR" "Check whether the right repo is present in the /etc/installurl file"
}
check_history(){
file=/root/.profile
grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=100000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=100000' are present in /root/.profile"
}
check_vim(){
if ! is_installed vim; then
failed "IS_VIM" "vim is not installed! Please add with pkg_add vim"
fi
}
check_ttyc0secure(){
grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE" "First tty should be secured"
}
check_customsyslog(){
grep -q EvoBSD /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" ""
}
check_sudomaint(){
file=/etc/sudoers
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \
&& grep -q "%wheel ALL=NOPASSWD: MAINT" $file \
|| failed "IS_SUDOMAINT" ""
}
check_nrpe(){
if ! is_installed monitoring-plugins || ! is_installed nrpe; then
failed "IS_NRPE" "nrpe and/or monitoring-plugins are not installed! Please add with pkg_add nrpe monitoring-plugins"
fi
}
check_rsync(){
if ! is_installed rsync; then
failed "IS_RSYNC" "rsync is not installed! Please add with pkg_add rsync"
fi
}
check_cronpath(){
grep -q "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/share/scripts" /var/cron/tabs/root || failed "IS_CRONPATH" ""
}
check_tmp_1777(){
actual=$(stat -f "%p" /tmp)
expected="41777"
test "$expected" = "$actual" || failed "IS_TMP_1777" "/tmp must be 1777"
}
check_root_0700(){
actual=$(stat -f "%p" /root)
expected="40700"
test "$expected" = "$actual" || failed "IS_ROOT_0700" "/root must be 700"
}
check_usrsharescripts(){
actual=$(stat -f "%p" /usr/share/scripts)
expected="40700"
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be 700"
}
check_sshpermitrootno() {
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
fi
}
check_evomaintenanceusers(){
users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
for user in $users; do
user_home=$(getent passwd "$user" | cut -d: -f6)
if [ -n "$user_home" ] && [ -d "$user_home" ]; then
if ! grep -qs "^trap.*doas.*evomaintenance.sh" "${user_home}"/.*profile; then
echo "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap"
test "${VERBOSE}" = 1 || break
fi
fi
done
}
check_evomaintenanceconf(){
f=/etc/evomaintenance.cf
if [ -e "$f" ]; then
perms=$(stat -f "%p" $f)
test "$perms" = "100600" || echo "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 100600)"
{ grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \
&& grep "^PGDB" $f | grep -qv "your-db" \
&& grep "^PGTABLE" $f | grep -qv "your-table" \
&& grep "^PGHOST" $f | grep -qv "your-pg-host" \
&& grep "^FROM" $f | grep -qv "jdoe@example.com" \
&& grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
&& grep "^REALM" $f | grep -qv "example.com"
} || echo "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
else
echo "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
fi
}
check_sync(){
if ifconfig carp | grep carp 1> /dev/null 2>&1; then
sync_script=/usr/share/scripts/sync.sh
if [ ! -f $sync_script ]; then
failed "IS_SYNC" "The sync.sh script is absent! As a carp member, a sync.sh script should be present in /usr/share/scripts"
fi
fi
}
check_defaultroute(){
if [ -f /etc/mygate ]; then
file_route=$(cat /etc/mygate)
used_route=$(route -n show -priority 8 | grep default | awk '{print $2}')
if [ "$file_route" != "$used_route" ]; then
failed "IS_DEFAULTROUTE" "The default route in /etc/mygate is different from the one currently used"
fi
else
failed "IS_DEFAULTROUTE" "The file /etc/mygate does not exist. Make sure you have the same default route in this file as the one currently in use."
fi
}
check_ntp(){
if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then
if [ $(wc -l /etc/ntpd.conf | awk '{print $1}') -ne 1 ]; then
failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"."
fi
else
failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"server ntp.evolix.net\"."
fi
}
check_openvpncronlog(){
if /etc/rc.d/openvpn check > /dev/null 2>&1; then
grep -q 'cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo "$(date +\\%F. .\\%R) - logfile turned over via cron" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name "openvpn.log.\*" -mtime .365 -exec rm {} \\+' /var/cron/tabs/root || failed "IS_OPENVPNCRONLOG" "OpenVPN is enabled but there is no log rotation in the root crontab, or the cron is not up to date (OpenVPN log rotation in newsyslog is not used because a restart is needed)."
fi
}
check_carpadvskew(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
ifconfig $carp | grep -q master
master=$?
ifconfig $carp | grep -q backup
backup=$?
advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
if [ "$master" -eq 0 ]; then
if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then
failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
fi
elif [ "$backup" -eq 0 ]; then
if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then
failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
fi
else
failed "IS_CARPADVSKEW" "Interface $carp is neither master nor backup. Check interface state."
fi
done
fi
}
check_nrpeopensmtpd() {
grep -Rq "^command.*check_mailq.pl -M opensmtpd" /etc/nrpe.* || failed "IS_NRPE_OPENSMTPD" "NRPE \"check_mailq\" is not configured for opensmtpd."
}
check_sshallowusers() {
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || failed "IS_SSHALLOWUSERS" "Missing AllowUsers or AllowGroups directive in sshd_config"
}
check_evobackup_exclude_mount() {
excludes_file=$(mktemp)
trap "rm -f ${excludes_file}" 0
for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}")
for mount in ${not_excluded}; do
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
done
done
rm -rf "${excludes_file}"
}
check_etcgit() {
export GIT_DIR="/etc/.git" GIT_WORK_TREE="/etc"
git rev-parse --is-inside-work-tree > /dev/null 2>&1 || failed "IS_ETCGIT" "/etc is not a git repository"
}
check_evolinuxsudogroup() {
if grep -q "^evolinux-sudo:" /etc/group; then
grep -qE "^%evolinux-sudo ALL ?= ?\(ALL\) SETENV: ALL" /etc/sudoers || failed "IS_EVOLINUXSUDOGROUP" "Missing evolinux-sudo directive in sudoers file"
fi
}
check_bind9munin() {
if is_installed isc-bind; then
{ test -L /etc/munin/plugins/bind9 \
&& test -e /etc/munin/plugin-conf.d/bind9;
} || failed "IS_BIND9MUNIN" "missing bind plugin for munin"
fi
}
check_evolix_user() {
grep -q -E "^evolix:" /etc/passwd && failed "IS_EVOLIX_USER" "evolix user should not exist"
}
download_versions() {
local file
file=${1:-}
## The file is supposed to list programs, one per line, each followed by its latest version number
## Examples:
# evoacme 21.06
# evomaintenance 0.6.4
versions_url="https://upgrades.evolix.org/versions-openbsd"
# fetch timeout, in seconds
timeout=10
if command -v curl > /dev/null; then
curl -k --max-time ${timeout} --fail --silent --output "${file}" "${versions_url}"
# "-k" required until OpenBSD 6.8; it disables TLS certificate verification, so on those releases the index is fetched without authenticating the server
elif command -v wget > /dev/null; then
wget --timeout=${timeout} --quiet "${versions_url}" -O "${file}"
elif command -v GET > /dev/null; then
GET -t ${timeout}s "${versions_url}" > "${file}"
else
failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET"
fi
test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${file}"
}
get_command() {
local program
program=${1:-}
case "${program}" in
## Special cases where the program name is different than the command name
evocheck) echo "${0}" ;;
evomaintenance) command -v "evomaintenance.sh" ;;
motd-carp-state) command -v "motd-carp-state.sh" ;;
## General case, where the program name is the same as the command name
*) command -v "${program}" ;;
esac
}
get_version() {
local program
local command
program=${1:-}
command=${2:-}
case "${program}" in
## Special case when `command --version` is not the standard way to get the version
# my_command)
# /path/to/my_command --get-version
# ;;
motd-carp-state)
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
;;
## General case to get the version
*) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
esac
}
check_version() {
local program
local expected_version
program=${1:-}
expected_version=${2:-}
command=$(get_command "${program}")
if [ -n "${command}" ]; then
actual_version=$(get_version "${program}" "${command}")
# printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}"
if [ -z "${actual_version}" ]; then
failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}"
elif [ "${actual_version}" = "${expected_version}" ]; then
: # Version check OK; equality must be tested first, because when both versions are equal "sort -V | head -n 1" would also satisfy the "older" branch below
# printf is used rather than echo, because echo does not portably expand "\n"
elif [ "$(printf '%s\n%s\n' "${actual_version}" "${expected_version}" | sort -V | head -n 1)" = "${actual_version}" ]; then
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}"
elif [ "$(printf '%s\n%s\n' "${actual_version}" "${expected_version}" | sort -V | head -n 1)" = "${expected_version}" ]; then
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index."
fi
fi
}
add_to_path() {
local new_path
new_path=${1:-}
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
}
check_versions() {
versions_file=$(mktemp -p /tmp "evocheck-versions.XXXXXXXX")
trap "rm -f ${versions_file}" 0
download_versions "${versions_file}"
add_to_path "/usr/share/scripts"
grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
local program
local version
program=$(echo "${line}" | cut -d ' ' -f 1)
# -s: a line with no space yields an empty version (and the error below) instead of repeating the program name
version=$(echo "${line}" | cut -s -d ' ' -f 2)
if [ -n "${program}" ]; then
if [ -n "${version}" ]; then
check_version "${program}" "${version}"
else
failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}"
fi
fi
done
rm -f "${versions_file}"
}
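The version comparison that check_version() performs and the index loop of check_versions(), as an added example that is not part of evocheck: the functions take constructed input instead of installed programs, so the logic can be exercised offline. installed_version() is a constructed stand-in for get_version(), and the index written by make_index() is constructed to cover the equal, older, newer and missing-version cases.

```shell
# Added example (not evocheck code): version comparison with sort -V,
# fed with printf instead of echo because echo does not portably expand "\n".

# compare_versions ACTUAL EXPECTED
# prints "ok", "older" or "newer" (ACTUAL relative to EXPECTED)
compare_versions() {
    actual=$1
    expected=$2
    # Equality must be tested first: when both are equal, "sort -V | head -n 1"
    # returns that value and the "older" branch below would match too.
    if [ "$actual" = "$expected" ]; then
        echo ok
        return 0
    fi
    oldest=$(printf '%s\n%s\n' "$actual" "$expected" | sort -V | head -n 1)
    if [ "$oldest" = "$actual" ]; then
        echo older
    else
        echo newer
    fi
}

# installed_version PROGRAM: constructed stand-in for get_version(),
# returning fixed values so the example runs without the real programs.
installed_version() {
    case "$1" in
        evoacme) echo "21.06" ;;
        evomaintenance) echo "0.6.3" ;;
        evocheck) echo "22.04" ;;
        *) echo "" ;;
    esac
}

# audit_index INDEX_FILE: walk an index in the "program version" line format
# (lines starting with '#' are comments) and print one result per program.
audit_index() {
    grep -v '^ *#' < "$1" | while IFS= read -r line; do
        program=$(echo "$line" | cut -d ' ' -f 1)
        # -s: a line without a space gives an empty version, not the program name
        expected=$(echo "$line" | cut -s -d ' ' -f 2)
        [ -n "$program" ] || continue
        if [ -z "$expected" ]; then
            echo "$program missing-expected"
            continue
        fi
        actual=$(installed_version "$program")
        if [ -z "$actual" ]; then
            echo "$program not-installed"
        else
            echo "$program $(compare_versions "$actual" "$expected")"
        fi
    done
}

# make_index: write a constructed index file and print its path
make_index() {
    index=$(mktemp)
    cat > "$index" <<'EOF'
# program latest-version (constructed sample index)
evoacme 21.06
evomaintenance 0.6.4
evocheck 22.03
evoadmin
EOF
    echo "$index"
}
```

compare_versions() is what check_version() does once equality is ruled out; audit_index() mirrors the check_versions() loop, and the "evoadmin" line shows why `cut -s` matters: without it, a line carrying no version would be compared against the program name itself.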
check_root_user() {
if [ "$(grep "^root:" /etc/master.passwd | awk -F":" '{print $2}')" != "*************" ]; then
failed "IS_ROOT_USER" "root user should not have a password; use 'vipw' to replace the root password field with '*************' (exactly 13 asterisks)"
fi
}
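The account-lock test of check_root_user() and the allow-list test of check_sshallowusers(), as an added example that is not part of evocheck: both functions take the file to inspect as a parameter, so they run on the constructed master.passwd and sshd_config samples written by make_samples() (the hash in the sample is a constructed placeholder, not a real bcrypt hash).

```shell
# Added example (not evocheck code): the same tests as check_root_user() and
# check_sshallowusers(), parameterised on the file so they run on sample input.

# root_password_state FILE (master.passwd format)
# prints "locked" only for the 13-asterisk field evocheck expects,
# otherwise a short reason why the account fails the check.
root_password_state() {
    if ! grep -q '^root:' "$1"; then
        echo absent
        return 0
    fi
    field=$(grep '^root:' "$1" | awk -F: '{print $2}')
    case "$field" in
        '*************') echo locked ;;   # exactly 13 asterisks: no password login possible
        '')              echo empty ;;    # empty field: login with no password at all
        '$'*)            echo hashed ;;   # a password hash is set: root can log in with a password
        *)               echo other ;;    # any other marker: not the form evocheck expects
    esac
}

# sshd_allowlist_state FILE (sshd_config format)
# An AllowUsers/AllowGroups directive only counts when it is not commented out.
sshd_allowlist_state() {
    if grep -E -qi '^[[:space:]]*(AllowUsers|AllowGroups)' "$1"; then
        echo restricted
    elif grep -E -qi '(AllowUsers|AllowGroups)' "$1"; then
        echo commented-only
    else
        echo missing
    fi
}

# make_samples: write constructed sample files to a temp dir and print its path
make_samples() {
    dir=$(mktemp -d)
    # locked root account, as evocheck wants it
    printf 'root:*************:0:0:daemon:0:0:Charlie &:/root:/bin/ksh\n' > "$dir/master.passwd.locked"
    # root with a constructed (not real) bcrypt-style hash
    printf 'root:$2b$10$CONSTRUCTEDPLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxx:0:0:daemon:0:0:Charlie &:/root:/bin/ksh\n' > "$dir/master.passwd.hashed"
    # sshd_config where the only AllowUsers line is commented out
    printf '#AllowUsers admin\nPermitRootLogin no\n' > "$dir/sshd_config.commented"
    # sshd_config with an active AllowGroups directive
    printf 'AllowGroups wheel\nPermitRootLogin no\n' > "$dir/sshd_config.restricted"
    echo "$dir"
}
```

The "commented-only" case is the one a plain substring grep misses: a commented directive is no restriction at all, so the match must be anchored to the start of the line.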
main() {
# Default return code : 0 = no error
RC=0
test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec
test "${IS_SOFTDEP:=1}" = 1 && check_softdep
test "${IS_NOATIME:=1}" = 1 && check_noatime
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
test "${IS_RAIDOK:=1}" = 1 && check_raidok
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
test "${IS_UPTODATE:=1}" = 1 && check_uptodate
test "${IS_UPTIME:=1}" = 1 && check_uptime
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_CARPADVBASE:=1}" = 1 && check_carpadvbase
test "${IS_CARPPREEMPT:=1}" = 1 && check_carppreempt
test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
test "${IS_WHEEL:=1}" = 1 && check_wheel
test "${IS_PKGMIRROR:=1}" = 1 && check_pkgmirror
test "${IS_HISTORY:=1}" = 1 && check_history
test "${IS_VIM:=1}" = 1 && check_vim
test "${IS_TTYC0SECURE:=1}" = 1 && check_ttyc0secure
test "${IS_CUSTOMSYSLOG:=1}" = 1 && check_customsyslog
test "${IS_SUDOMAINT:=1}" = 1 && check_sudomaint
test "${IS_NRPE:=1}" = 1 && check_nrpe
test "${IS_RSYNC:=1}" = 1 && check_rsync
test "${IS_CRONPATH:=1}" = 1 && check_cronpath
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts
test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno
test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers
test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf
test "${IS_SYNC:=1}" = 1 && check_sync
test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute
test "${IS_NTP:=1}" = 1 && check_ntp
test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
test "${IS_CARPADVSKEW:=1}" = 1 && check_carpadvskew
test "${IS_NRPE_OPENSMTPD:=1}" = 1 && check_nrpeopensmtpd
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
test "${IS_ROOT_USER:=1}" = 1 && check_root_user
exit ${RC}
}
# Disable LANG*
export LANG=C
export LANGUAGE=C
# Default configuration values
IS_TMP_1777=1
IS_ROOT_0700=1
IS_VARTMPFS=1
IS_USRSHARESCRIPTS=1
IS_SERVEURBASE=1
IS_LOGROTATECONF=1
IS_SYSLOGCONF=1
IS_DEBIANSECURITY=1
IS_APTITUDEONLY=1
IS_APTITUDE=1
IS_APTGETBAK=1
IS_APTICRON=0
IS_USRRO=1
IS_TMPNOEXEC=1
IS_LISTCHANGESCONF=1
IS_DPKGWARNING=1
IS_CUSTOMCRONTAB=1
IS_CUSTOMSUDOERS=1
IS_SSHPERMITROOTNO=1
IS_SSHALLOWUSERS=1
IS_TMOUTPROFILE=1
IS_ALERT5BOOT=1
IS_ALERT5MINIFW=1
IS_MINIFW=1
IS_NRPEPERMS=1
IS_MINIFWPERMS=1
IS_NRPEDISKS=0
IS_NRPEPOSTFIX=1
IS_NRPEPID=1
IS_GRSECPROCS=1
IS_UMASKSUDOERS=1
IS_EVOMAINTENANCEUSERS=1
IS_APACHEMUNIN=1
IS_MYSQLUTILS=1
IS_RAIDSOFT=1
IS_AWSTATSLOGFORMAT=1
IS_MUNINLOGROTATE=1
IS_EVOMAINTENANCECONF=1
#IS_METCHE=1
IS_SQUID=1
IS_MODDEFLATE=1
IS_LOG2MAILRUNNING=1
IS_LOG2MAILAPACHE=1
IS_LOG2MAILMYSQL=1
IS_LOG2MAILSQUID=1
IS_BINDCHROOT=1
IS_REPVOLATILE=1
IS_AUTOIF=1
IS_INTERFACESGW=1
IS_TOOMUCHDEBIANSYSMAINT=1
IS_USERLOGROTATE=1
IS_MODSECURITY=1
IS_APACHECTL=1
IS_APACHESYMLINK=1
IS_APACHEIPINALLOW=1
IS_MUNINAPACHECONF=1
IS_SAMBAPINPRIORITY=1
IS_KERNELUPTODATE=1
IS_UPTIME=1
IS_MUNINRUNNING=1
IS_BACKUPUPTODATE=1
IS_GITPERMS=1
IS_NOTUPGRADED=1
IS_TUNE2FS_M5=1
IS_PRIVKEYWOLRDREADABLE=1
IS_EVOLINUXSUDOGROUP=1
IS_USERINADMGROUP=1
IS_APACHE2EVOLINUXCONF=1
IS_BACKPORTSCONF=1
IS_BIND9MUNIN=1
IS_BIND9LOGROTATE=1
IS_BROADCOMFIRMWARE=1
IS_HARDWARERAIDTOOL=1
IS_LOG2MAILSYSTEMDUNIT=1
IS_LISTUPGRADE=1
IS_MARIADBEVOLINUXCONF=1
IS_MARIADBSYSTEMDUNIT=1
IS_MYSQLMUNIN=1
IS_PHPEVOLINUXCONF=1
IS_SQUIDLOGROTATE=1
IS_SQUIDEVOLINUXCONF=1
IS_SQL_BACKUP=1
IS_POSTGRES_BACKUP=1
IS_LDAP_BACKUP=1
IS_REDIS_BACKUP=1
IS_ELASTIC_BACKUP=1
IS_MONGO_BACKUP=1
IS_MOUNT_FSTAB=1
IS_NETWORK_INTERFACES=1
IS_EVOBACKUP=1
IS_DUPLICATE_FS_LABEL=1
IS_EVOMAINTENANCE_FW=1
IS_EVOLIX_USER=1
IS_EVOACME_CRON=1
IS_EVOACME_LIVELINKS=1
IS_APACHE_CONFENABLED=1
IS_MELTDOWN_SPECTRE=1
IS_OLD_HOME_DIR=1
# Specific to OpenBSD
IS_SOFTDEP=1
IS_WHEEL=1
IS_SUDOADMIN=1
IS_PKGMIRROR=1
IS_HISTORY=1
IS_VIM=1
IS_TTYC0SECURE=1
IS_CUSTOMSYSLOG=1
IS_NOINETD=1
IS_SUDOMAINT=1
IS_POSTGRESQL=1
IS_NRPE=1
IS_NRPEDAEMON=1
IS_ALERTBOOT=1
IS_RSYNC=1
# Verbose function
verbose() {
msg="${1:-$(cat /dev/stdin)}"
[ "${VERBOSE}" -eq 1 ] && [ -n "${msg}" ] && echo "${msg}"
}
# Source configuration file
test -f /etc/evocheck.cf && . /etc/evocheck.cf
VERBOSE="${VERBOSE:-0}"
# If --cron is passed, ignore some checks.
if [ "$1" = "--cron" ]; then
IS_KERNELUPTODATE=0
IS_UPTIME=0
fi
# Functions
is_pack_web(){
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
}
is_pack_samba(){
test -e /usr/share/scripts/add.pl
}
is_installed(){
for pkg in $*; do
dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1
done
}
is_debianversion(){
[ "$(lsb_release -c -s)" = "$1" ] && return 0
}
is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
#-----------------------------------------------------------
# Check whether this is a Debian system and run the appropriate tests.
#-----------------------------------------------------------
if [ -e /etc/debian_version ]; then
if [ "$IS_DPKGWARNING" = 1 ]; then
is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \
grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \
/etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' )
is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \
( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' )
test -e /etc/apt/apt.conf && echo 'IS_DPKGWARNING FAILED!' )
is_debianversion stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || echo 'IS_DPKGWARNING FAILED!')
fi
if [ "$IS_UMASKSUDOERS" = 1 ]; then
is_debianversion squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || echo 'IS_UMASKSUDOERS FAILED!' )
fi
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" needs to be set if the MTA is Postfix)
if [ "$IS_NRPEPOSTFIX" = 1 ]; then
is_debianversion squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPOSTFIX FAILED!' )
is_debianversion squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || echo 'IS_NRPEPOSTFIX FAILED!' ) )
fi
# Check if mod-security config file is present
if [ "$IS_MODSECURITY" = 1 ]; then
is_debianversion squeeze && is_installed libapache-mod-security && \
(test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!')
is_debianversion wheezy && is_installed libapache2-modsecurity && \
(test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!')
fi
if [ "$IS_CUSTOMSUDOERS" = 1 ]; then
grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!'
fi
if [ "$IS_VARTMPFS" = 1 ]; then
df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!'
fi
if [ "$IS_SERVEURBASE" = 1 ]; then
is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!'
fi
if [ "$IS_LOGROTATECONF" = 1 ]; then
test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!'
fi
if [ "$IS_SYSLOGCONF" = 1 ]; then
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!'
fi
if [ "$IS_DEBIANSECURITY" = 1 ]; then
grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!'
fi
if [ "$IS_APTITUDEONLY" = 1 ]; then
is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
fi
if [ "$IS_APTITUDE" = 1 ]; then
is_debianversion jessie && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!'
is_debianversion stretch && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!'
fi
if [ "$IS_APTGETBAK" = 1 ]; then
is_debianversion jessie && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!'
is_debianversion stretch && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!'
fi
if [ "$IS_APTICRON" = 1 ]; then
status="OK"
test -e /etc/cron.d/apticron || status="fail"
test -e /etc/cron.daily/apticron && status="fail"
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!'
fi
if [ "$IS_USRRO" = 1 ]; then
grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!'
fi
if [ "$IS_TMPNOEXEC" = 1 ]; then
mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!'
fi
if [ "$IS_MOUNT_FSTAB" = 1 ]; then
# Test if lsblk is available; if not, skip this test
if test -x "$(command -v lsblk)"; then
for mountPoint in $(lsblk -o MOUNTPOINT -l -n | grep '/'); do
grep -Eq "$mountPoint\W" /etc/fstab || echo 'IS_MOUNT_FSTAB FAILED!'
done
fi
fi
if [ "$IS_LISTCHANGESCONF" = 1 ]; then
if is_debianversion stretch; then
if is_installed apt-listchanges; then
echo 'IS_LISTCHANGESCONF FAILED!'
verbose "apt-listchanges must not be installed on Stretch"
fi
else
if [ -e "/etc/apt/listchanges.conf" ]; then
lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf)
if [ $lines != 2 ]; then
echo 'IS_LISTCHANGESCONF FAILED!'
verbose "apt-listchanges config is incorrect"
fi
else
echo 'IS_LISTCHANGESCONF FAILED!'
verbose "apt-listchanges config is missing"
fi
fi
fi
if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!'
fi
if [ "$IS_SSHALLOWUSERS" = 1 ]; then
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!'
fi
if [ "$IS_DISKPERF" = 1 ]; then
test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!'
fi
if [ "$IS_TMOUTPROFILE" = 1 ]; then
grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!'
fi
if [ "$IS_ALERT5BOOT" = 1 ]; then
grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!'
fi
if [ "$IS_ALERT5MINIFW" = 1 ]; then
grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!'
fi
if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!'
fi
if [ "$IS_NRPEPERMS" = 1 ]; then
test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!'
fi
if [ "$IS_MINIFWPERMS" = 1 ]; then
ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
fi
if [ "$IS_NRPEDISKS" = 1 ]; then
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
[ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
fi
if [ "$IS_NRPEPID" = 1 ]; then
is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!')
fi
if [ "$IS_GRSECPROCS" = 1 ]; then
uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' )
fi
if [ "$IS_APACHEMUNIN" = 1 ]; then
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) )
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' ) )
fi
# Check mytop + Munin if MySQL is installed
if [ "$IS_MYSQLUTILS" = 1 ]; then
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
if is_installed mysql-server; then
# You can configure MYSQL_ADMIN in evocheck.cf
if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then
echo 'IS_MYSQLUTILS FAILED!'
verbose 'mysqladmin missing in /root/.my.cnf'
fi
if ! test -x /usr/bin/mytop; then
if ! test -x /usr/local/bin/mytop; then
echo 'IS_MYSQLUTILS FAILED!'
verbose 'mytop binary missing'
fi
fi
if ! grep -qs debian-sys-maint /root/.mytop; then
echo 'IS_MYSQLUTILS FAILED!'
verbose 'debian-sys-maint missing in /root/.mytop'
fi
fi
fi
# Check the software RAID (mdadm) configuration
if [ "$IS_RAIDSOFT" = 1 ]; then
test -e /proc/mdstat && grep -q md /proc/mdstat && \
( grep -q "^AUTOCHECK=true" /etc/default/mdadm \
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!')
fi
# Check the AWStats LogFormat
if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then
is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' )
fi
# Check that the logrotate config for Munin is present
if [ "$IS_MUNINLOGROTATE" = 1 ]; then
( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!'
fi
# Check that metche is present
#if [ "$IS_METCHE" = 1 ]; then
# is_installed metche || echo 'IS_METCHE FAILED!'
#fi
# Check that Squid is enabled in the case of a mail pack
if [ "$IS_SQUID" = 1 ]; then
squidconffile=/etc/squid*/squid.conf
is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
is_pack_web && ( is_installed squid || is_installed squid3 \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
fi
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
if [ -f "$MINIFW_FILE" ]; then
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
if [ "$rulesNumber" -lt 2 ]; then
echo 'IS_EVOMAINTENANCE_FW FAILED!'
fi
fi
fi
# Check the configuration and activation of mod-deflate
if [ "$IS_MODDEFLATE" = 1 ]; then
f=/etc/apache2/mods-enabled/deflate.conf
is_installed apache2.2 && (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!')
fi
# Check the log2mail configuration
if [ "$IS_LOG2MAILRUNNING" = 1 ]; then
is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING FAILED!')
fi
if [ "$IS_LOG2MAILAPACHE" = 1 ]; then
if is_debianversion stretch; then
conf=/etc/log2mail/config/apache
else
conf=/etc/log2mail/config/default
fi
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null || echo 'IS_LOG2MAILAPACHE FAILED!' )
fi
if [ "$IS_LOG2MAILMYSQL" = 1 ]; then
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null || echo 'IS_LOG2MAILMYSQL FAILED!' )
fi
if [ "$IS_LOG2MAILSQUID" = 1 ]; then
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \
/etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' )
fi
# Check whether bind is chrooted
if [ "$IS_BINDCHROOT" = 1 ]; then
if is_installed bind9 && netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
if [ "$(md5sum /usr/sbin/named |cut -f 1 -d ' ')" != "$(md5sum /var/chroot-bind/usr/sbin/named |cut -f 1 -d ' ')" ]; then
echo 'IS_BINDCHROOT FAILED!'
fi
else
echo 'IS_BINDCHROOT FAILED!'
fi
fi
fi
# Check that the volatile repository is present
if [ "$IS_REPVOLATILE" = 1 ]; then
test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
fi
# /etc/network/interfaces should be present, we don't manage systemd-network yet
if [ "$IS_NETWORK_INTERFACES" = 1 ]; then
if ! test -f /etc/network/interfaces; then
echo "IS_NETWORK_INTERFACES FAILED!"
IS_AUTOIF=0
IS_INTERFACESGW=0
fi
fi
# Verify that all interfaces are set to auto
if [ "$IS_AUTOIF" = 1 ]; then
is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
done
is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
done
fi
# Network conf verification
if [ "$IS_INTERFACESGW" = 1 ]; then
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!'
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!'
fi
# Check that evobackup is set up
if [ "$IS_EVOBACKUP" = 1 ]; then
ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
fi
# Check that userlogrotate is present
if [ "$IS_USERLOGROTATE" = 1 ]; then
is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!')
fi
# Check the syntax of the Apache configuration
if [ "$IS_APACHECTL" = 1 ]; then
is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!')
fi
# Check if there are regular files in Apache sites-enabled.
if [ "$IS_APACHESYMLINK" = 1 ]; then
is_installed apache2.2-common && \
(stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && echo 'IS_APACHESYMLINK FAILED!')
fi
# Check if there are real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
if [ "$IS_APACHEIPINALLOW" = 1 ]; then
# Note: Replace "exit 1" by "print" in Perl code to debug it.
is_installed apache2.2-common && \
(grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ |grep -iv "from all" |grep -iv "env=" |perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || echo 'IS_APACHEIPINALLOW FAILED!')
fi
# Check if default Apache configuration file for munin is absent (or empty or commented).
if [ "$IS_MUNINAPACHECONF" = 1 ]; then
if is_debianversion squeeze || is_debianversion wheezy; then
muninconf="/etc/apache2/conf.d/munin"
else
muninconf="/etc/apache2/conf-available/munin.conf"
fi
is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!')
fi
# Check the samba package pin priority if backports are used
if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then
is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' )
fi
# Check whether the system must reboot after a kernel update.
if [ "$IS_KERNELUPTODATE" = 1 ]; then
if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
echo 'IS_KERNELUPTODATE FAILED!'
fi
fi
# Check if the server is running for more than a year.
if [ "$IS_UPTIME" = 1 ]; then
if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
echo 'IS_UPTIME FAILED!'
fi
fi
# Check if munin-node running and RRD files are up to date.
if [ "$IS_MUNINRUNNING" = 1 ]; then
pgrep munin-node >/dev/null || echo 'IS_MUNINRUNNING FAILED!'
[ "$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ] && echo 'IS_MUNINRUNNING FAILED!'
grep -q "^graph_strategy cron" /etc/munin/munin.conf && ([ "$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ]) && echo 'IS_MUNINRUNNING FAILED!'
fi
# Check if files in /home/backup/ are up-to-date
if [ "$IS_BACKUPUPTODATE" = 1 ]; then
[ -d /home/backup/ ] && for file in /home/backup/*; do
if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
echo 'IS_BACKUPUPTODATE FAILED!'
break;
fi
done
fi
# Check if /etc/.git/ has read/write permissions for root only.
if [ "$IS_GITPERMS" = 1 ]; then
test -d /etc/.git && [ "$(stat -c "%a" /etc/.git/)" = "700" ] || echo 'IS_GITPERMS FAILED!'
fi
# Check if no package has been upgraded since $limit.
if [ "$IS_NOTUPGRADED" = 1 ]; then
last_upgrade=0
upgraded=false
for log in /var/log/dpkg.log*; do
zgrep -qsm1 upgrade "$log"
if [ $? -eq 0 ]; then
# There is at least one upgrade
upgraded=true
break
fi
done
if $upgraded; then
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
fi
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
# Manual upgrade process
limit=$(date +%s -d "now - 180 days")
else
# Regular process
limit=$(date +%s -d "now - 90 days")
fi
install_date=0
if [ -d /var/log/installer ]; then
install_date=$(stat -c %Z /var/log/installer)
fi
# Check install_date if the system never received an upgrade
if [ $last_upgrade -eq 0 ]; then
[ $install_date -lt $limit ] && echo 'IS_NOTUPGRADED FAILED!'
else
[ $last_upgrade -lt $limit ] && echo 'IS_NOTUPGRADED FAILED!'
fi
fi
# Check if reserved blocks for root are at least 5% on every mounted partition.
if [ "$IS_TUNE2FS_M5" = 1 ]; then
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
for part in $parts; do
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
# If buggy partition, skip it.
if [ -z $blockCount ]; then
continue
fi
reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+")
percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))")
if [ "$percentage" -lt 5 ]; then
echo 'IS_TUNE2FS_M5 FAILED!'
verbose "Partition $part has less than 5% reserved blocks!"
fi
done
fi
if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then
if is_debianversion stretch; then
(grep -q ^evolinux-sudo: /etc/group \
&& grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || echo 'IS_EVOLINUXSUDOGROUP FAILED!'
fi
fi
if [ "$IS_USERINADMGROUP" = 1 ]; then
if is_debianversion stretch; then
for user in $(grep ^evolinux-sudo: /etc/group |awk -F: '{print $4}' |tr ',' ' '); do
groups $user |grep -q adm || echo 'IS_USERINADMGROUP FAILED!'
done
fi
fi
if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then
if (test -d /etc/apache2 && is_debianversion stretch); then
(test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
&& test -f /etc/apache2/ipaddr_whitelist.conf) || echo 'IS_APACHE2EVOLINUXCONF FAILED!'
fi
fi
if [ "$IS_BACKPORTSCONF" = 1 ]; then
if is_debianversion stretch; then
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& echo 'IS_BACKPORTSCONF FAILED!'
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| echo 'IS_BACKPORTSCONF FAILED!'
fi
fi
fi
if [ "$IS_BIND9MUNIN" = 1 ]; then
if is_debianversion stretch && is_installed bind9; then
(test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) || echo 'IS_BIND9MUNIN FAILED!'
fi
fi
if [ "$IS_BIND9LOGROTATE" = 1 ]; then
if is_debianversion stretch && is_installed bind9; then
test -e /etc/logrotate.d/bind9 || echo 'IS_BIND9LOGROTATE FAILED!'
fi
fi
if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then
if lspci | grep -q 'NetXtreme II'; then
(is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) || echo 'IS_BROADCOMFIRMWARE FAILED!'
fi
fi
if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then
lspci |grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) || echo 'IS_HARDWARERAIDTOOL FAILED!')
lspci |grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status || echo 'IS_HARDWARERAIDTOOL FAILED!')
fi
if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then
if is_debianversion stretch; then
(systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) || echo 'IS_LOG2MAILSYSTEMDUNIT FAILED!'
fi
fi
if [ "$IS_LISTUPGRADE" = 1 ]; then
(test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) || echo 'IS_LISTUPGRADE FAILED!'
fi
if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
(test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) || echo 'IS_MARIADBEVOLINUXCONF FAILED!'
fi
fi
if [ "$IS_SQL_BACKUP" = 1 ]; then
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
# You could change the default path in /etc/evocheck.cf
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
test -f "$SQL_BACKUP_PATH" || echo 'IS_SQL_BACKUP FAILED!'
fi
fi
if [ "$IS_POSTGRES_BACKUP" = 1 ]; then
if is_installed "postgresql-9*"; then
# If you use something like barman, you should deactivate this check
# You could change the default path in /etc/evocheck.cf
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
test -f "$POSTGRES_BACKUP_PATH" || echo 'IS_POSTGRES_BACKUP FAILED!'
fi
fi
if [ "$IS_MONGO_BACKUP" = 1 ]; then
if is_installed "mongodb-org-server"; then
# You could change the default path in /etc/evocheck.cf
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
if [ -d "$MONGO_BACKUP_PATH" ]; then
for file in ${MONGO_BACKUP_PATH}/*/*.{json,bson}; do
# Skip indexes file.
if ! [[ "$file" =~ indexes ]]; then
if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
echo 'IS_MONGO_BACKUP FAILED!'
break
fi
fi
done
else
echo 'IS_MONGO_BACKUP FAILED!'
fi
fi
fi
if [ "$IS_LDAP_BACKUP" = 1 ]; then
if is_installed slapd; then
# You could change the default path in /etc/evocheck.cf
LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
test -f "$LDAP_BACKUP_PATH" || echo 'IS_LDAP_BACKUP FAILED!'
fi
fi
if [ "$IS_REDIS_BACKUP" = 1 ]; then
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
test -f "$REDIS_BACKUP_PATH" || echo 'IS_REDIS_BACKUP FAILED!'
fi
fi
if [ "$IS_ELASTIC_BACKUP" = 1 ]; then
if is_installed elasticsearch; then
# You could change the default path in /etc/evocheck.cf
ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"}
test -d "$ELASTIC_BACKUP_PATH" || echo 'IS_ELASTIC_BACKUP FAILED!'
fi
fi
if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
(systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) || echo 'IS_MARIADBSYSTEMDUNIT FAILED!'
fi
fi
if [ "$IS_MYSQLMUNIN" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
for file in mysql_bytes mysql_queries mysql_slowqueries \
mysql_threads mysql_connections mysql_files_tables \
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
mysql_sorts mysql_tmp_tables; do
if [[ ! -L /etc/munin/plugins/$file ]]; then
echo 'IS_MYSQLMUNIN FAILED!'
break
fi
done
fi
fi
if [ "$IS_MYSQLNRPE" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
(test -f ~nagios/.my.cnf \
&& [ $(stat -c %U ~nagios/.my.cnf) = "nagios" ] \
&& [ $(stat -c %a ~nagios/.my.cnf) = "600" ] \
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") || echo 'IS_MYSQLNRPE FAILED!'
fi
fi
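Review bot: the last `&&` branch, `grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf"`, has no file operand, so it reads standard input instead of an NRPE configuration file: from cron with stdin closed the check always fails, and run interactively it blocks waiting for input. Pass the intended nrpe config file path as the final argument.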
if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed php; then
(test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) || echo 'IS_PHPEVOLINUXCONF FAILED!'
fi
fi
if [ "$IS_SQUIDLOGROTATE" = 1 ]; then
if is_debianversion stretch && is_installed squid; then
grep -q monthly /etc/logrotate.d/squid || echo 'IS_SQUIDLOGROTATE FAILED!'
fi
fi
if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed squid; then
(grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
&& test -f /etc/squid/evolinux-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-custom.conf \
&& test -f /etc/squid/evolinux-acl.conf \
&& test -f /etc/squid/evolinux-httpaccess.conf \
&& test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
fi
fi
if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
# Do it only if thereis blkid binary
if [ -x "$(which blkid)" ]; then
tmpFile=$(mktemp -p /tmp)
parts=$(blkid | grep -ve raid_member -e EFI_SYSPART \
| grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do
echo "$part" >> "$tmpFile"
done
tmpOutput=$(sort < "$tmpFile" | uniq -d)
# If there is no duplicate, uniq will have no output
# So, if $tmpOutput is not null, there is a duplicate
if [ -n "$tmpOutput" ]; then
echo 'IS_DUPLICATE_FS_LABEL FAILED!'
if [ "$VERBOSE" = 1 ]; then
echo "Duplicate labels:"
echo -e "$tmpOutput\n"
fi
fi
rm $tmpFile
fi
fi
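Review bot: `for part in $parts` word-splits labels that contain spaces, so a label such as `Data disk` becomes two entries and a second label starting with `Data` is reported as a duplicate. Iterate line by line (`while IFS= read -r part`) instead; the temporary file is then unnecessary, since `$parts` can be piped straight into `sort | uniq -d`.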
if [ "$IS_EVOLIX_USER" = 1 ]; then
grep -q "evolix:" /etc/passwd && echo 'IS_EVOLIX_USER FAILED!'
fi
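Review bot: `grep -q "evolix:" /etc/passwd` is not anchored, so it also matches any account whose name ends in `evolix` (for example `devolix:`) or a GECOS field containing that string; use `^evolix:` so that only the `evolix` login triggers the failure.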
if [ "$IS_EVOACME_CRON" = 1 ]; then
if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted
test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!'
# evoacme cron file should be present
test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!'
fi
fi
if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
if [ -x "$(which evoacme)" ]; then
# Sometimes evoacme is installed but no certificates has been generated
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
if [ $numberOfLinks -gt 0 ]; then
for live in /etc/letsencrypt/*/live; do
actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11)
actualCertDate=$(cut -d'/' -f5 <<< $actualLink)
liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9)
certDir=${liveDir%%/live}
lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1)
lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir)
if [[ "$actualCertDate" != "$lastCertDate" ]]; then
echo 'IS_EVOACME_LIVELINKS FAILED!'
break
fi
done
fi
fi
fi
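Review bot: the symlink target and the link path are recovered by column-cutting `ls -lhad` output (`cut -d' ' -f 11` and `-f 9`), which breaks as soon as an owner, group or size column changes width or a path contains a space. `readlink "$live"` returns the target directly and `$live` is already the link path, so both `ls` pipelines can go; `$live` and `${certDir}` should also be quoted in the `cut` and `stat` calls.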
if [ "$IS_APACHE_CONFENABLED" = 1 ]; then
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
# must be replaced by conf-available/ and config files symlinked
# to conf-enabled/
if is_debianversion jessie || is_debianversion stretch; then
if [ -f /etc/apache2/apache2.conf ]; then
test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!'
grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
echo 'IS_APACHE_CONFENABLED FAILED!'
fi
fi
fi
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
# For Stretch, detection is easy as the kernel use
# /sys/devices/system/cpu/vulnerabilities/
if is_debianversion stretch; then
for vuln in meltdown spectre_v1 spectre_v2; do
test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
done
# For Jessie this is quite complicated to verify and we need to use kernel config file
elif is_debianversion jessie; then
if grep -q BOOT_IMAGE= /proc/cmdline; then
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
kernelVer=${kernelPath##*/vmlinuz-}
kernelConfig="config-${kernelVer}"
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
if [ -f /boot/$kernelConfig ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
fi
fi
fi
fi
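Review bot: on Stretch the check only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, which any kernel new enough to expose that directory satisfies even when the file reads `Vulnerable`; read the file and fail when its content starts with `Vulnerable` so the result reflects mitigation status rather than kernel version. In the Jessie branch a missing `/boot/$kernelConfig` is silently treated as a pass; at least emit a `VERBOSE` message there so the operator knows the check was skipped.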
if [ "$IS_OLD_HOME_DIR" = 1 ]; then
for dir in /home/*; do
statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \
| grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \
| grep UNKNOWN)
# There is at least one dir matching
if [[ -n "$statResult" ]]; then
echo 'IS_OLD_HOME_DIR FAILED!'
if [[ "$VERBOSE" == 1 ]]; then
echo "$statResult"
else
break
fi
fi
done
fi
fi
if [ `uname -s` == "OpenBSD" ]; then
if [ "$IS_SOFTDEP" = 1 ]; then
grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!'
fi
if [ "$IS_WHEEL" = 1 ]; then
grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!'
fi
if [ "$IS_SUDOADMIN" = 1 ]; then
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!'
fi
if [ "$IS_PKGMIRROR" = 1 ]; then
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!'
fi
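Review bot: the `PKG_PATH` regex hard-codes `http://ftp.fr.openbsd.org`, so a host legitimately pointed at an https mirror or another regional mirror fails the check. If enforcing this exact mirror is intended, a comment saying so would help; otherwise allow `https?://` since package integrity on OpenBSD rests on signify signatures, not on the transport.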
if [ "$IS_HISTORY" = 1 ]; then
f=/root/.profile
grep -q "^HISTFILE=\$HOME/.histfile" $f \
&& grep -q "^export HISTFILE" $f \
&& grep -q "^HISTSIZE=1000" $f \
&& grep -q "^export HISTSIZE" $f \
|| echo 'IS_HISTORY FAILED!'
fi
if [ "$IS_VIM" = 1 ]; then
which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!'
fi
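Review bot: `which vim 2>1 >> /dev/null` redirects stderr to a file literally named `1` in the current directory (created on every run) rather than to stdout; it should read `which vim >/dev/null 2>&1`.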
if [ "$IS_TTYC0SECURE" = 1 ]; then
grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!'
fi
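Review bot: `grep -Eqv "^ttyC0.*secure$" /etc/ttys` succeeds whenever at least one line does not match, which is true of every `/etc/ttys`, so `IS_TTYC0SECURE FAILED!` can never be printed and a console marked `secure` goes undetected. The intent (ttyC0 not `secure`, so single-user mode still asks for the root password) is `grep -Eq "^ttyC0.*secure$" /etc/ttys && echo 'IS_TTYC0SECURE FAILED!'`.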
if [ "$IS_CUSTOMSYSLOG" = 1 ]; then
grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!'
fi
if [ "$IS_NOINETD" = 1 ]; then
grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!'
fi
if [ "$IS_SUDOMAINT" = 1 ]; then
f=/etc/sudoers
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \
|| echo 'IS_SUDOMAINT FAILED!'
fi
if [ "$IS_POSTGRESQL" = 1 ]; then
pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!'
fi
if [ "$IS_NRPE" = 1 ]; then
( pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!'
fi
# if [ "$IS_NRPEDISKS" = 1 ]; then
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
# fi
# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
#
# if [ "$IS_NRPEPOSTFIX" = 1 ]; then
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' )
# fi
if [ "$IS_NRPEDAEMON" = 1 ]; then
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!'
fi
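Review bot: the failure message reads `IS_NREPEDAEMON FAILED!` while the variable is `IS_NRPEDAEMON`; anything that greps the output for check names will miss it, so fix the typo.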
if [ "$IS_ALERTBOOT" = 1 ]; then
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!'
fi
if [ "$IS_RSYNC" = 1 ]; then
pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!'
fi
if [ "$IS_CRONPATH" = 1 ]; then
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!'
fi
#TODO
# - Check en profondeur de postfix
# - NRPEDISK et NRPEPOSTFIX
fi
if [ "$IS_TMP_1777" = 1 ]; then
ls -ld /tmp | grep -q drwxrwxrwt || echo 'IS_TMP_1777 FAILED!'
fi
if [ "$IS_ROOT_0700" = 1 ]; then
ls -ld /root | grep -q drwx------ || echo 'IS_ROOT_0700 FAILED!'
fi
if [ "$IS_USRSHARESCRIPTS" = 1 ]; then
ls -ld /usr/share/scripts | grep -q drwx------ || echo 'IS_USRSHARESCRIPTS FAILED!'
fi
if [ "$IS_SSHPERMITROOTNO" = 1 ]; then
is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
fi
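Review bot: `grep -E -qi "PermitRoot.*no"` also matches the commented default line `#PermitRootLogin no` and any other line containing both strings, so a server that still permits root login can pass; anchor on an uncommented directive, e.g. `^\s*PermitRootLogin\s+no`. The stretch branch only enforces the value when the directive is present, which is acceptable only because the OpenSSH default there is `prohibit-password`; a comment stating that assumption would help the next reader.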
if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
# Can be changed in evocheck.cf
homeDir=${homeDir:-/home}
if ! is_debianversion stretch; then
if [ -f /etc/sudoers.d/evolinux ]; then
sudoers="/etc/sudoers.d/evolinux"
else
sudoers="/etc/sudoers"
fi
for i in $( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep ^sudo /etc/group |cut -d: -f 4) | tr "," "\n" |sort -u); do
grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile
if [ $? != 0 ]; then
echo 'IS_EVOMAINTENANCEUSERS FAILED!'
if [ "$VERBOSE" = 1 ]; then
echo "$i doesn't have evomaintenance trap!"
else
break
fi
fi
done
else
for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do
grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/$i/.*profile
if [ $? != 0 ]; then
echo 'IS_EVOMAINTENANCEUSERS FAILED!'
if [ "$VERBOSE" = 1 ]; then
echo "$i doesn't have evomaintenance trap!"
else
break
fi
fi
done
fi
fi
# Verification de la configuration d'evomaintenance
if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then
f=/etc/evomaintenance.cf
( test -e $f \
&& test $(stat -c "%a" $f) = "600" \
&& grep "^export PGPASSWORD" $f |grep -qv "your-passwd" \
&& grep "^PGDB" $f |grep -qv "your-db" \
&& grep "^PGTABLE" $f |grep -qv "your-table" \
&& grep "^PGHOST" $f |grep -qv "your-pg-host" \
&& grep "^FROM" $f |grep -qv "jdoe@example.com" \
&& grep "^FULLFROM" $f |grep -qv "John Doe <jdoe@example.com>" \
&& grep "^URGENCYFROM" $f |grep -qv "mama.doe@example.com" \
&& grep "^URGENCYTEL" $f |grep -qv "06.00.00.00.00" \
&& grep "^REALM" $f |grep -qv "example.com" ) || echo 'IS_EVOMAINTENANCECONF FAILED!'
fi
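Review bot: the check verifies mode `600` on `/etc/evomaintenance.cf` but not its owner, so a copy owned by an unprivileged account with mode 600 passes even though the file carries `PGPASSWORD`; add `test $(stat -c %U $f) = root` beside the mode test, the way `IS_MYSQLNRPE` checks the owner of `~nagios/.my.cnf`.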
if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
for f in /etc/ssl/private/*; do
perms=$(stat -L -c "%a" $f)
if [ ${perms: -1} != "0" ]; then
echo 'IS_PRIVKEYWOLRDREADABLE FAILED!'
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case $1 in
-h|-\?|--help)
show_help
exit 0
;;
--version)
show_version
exit 0
;;
--cron)
IS_KERNELUPTODATE=0
IS_UPTIME=0
IS_CHECK_VERSIONS=0
;;
-v|--verbose)
VERBOSE=1
;;
-q|--quiet)
QUIET=1
VERBOSE=0
;;
--)
# End of all options.
shift
break
fi
done
fi
;;
-?*|[[:alnum:]]*)
# ignore unknown options
printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
main ${ARGS}
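Review bot: the `IS_PRIVKEYWOLRDREADABLE` block opens a `for` loop and an `if` that are never closed before `# Parse options`, while a stray `fi`/`done`/`fi` sits inside the `--)` case after `break` with a second `;;` following it; as rendered this is not valid shell, so the two regions appear run together and the key check's closing `fi`/`done`/`fi` need to sit before the parser. In the check itself `${perms: -1} != "0"` tests only the `other` permission digit, which matches the world-readable property the name describes, but `$f` is unquoted in `stat -L -c "%a" $f`, and `main ${ARGS}` expands unquoted, so arguments containing whitespace will be split before they reach `main`.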