88 commits
Author | SHA1 | Date | |
---|---|---|---|
Jérémy Dubois | 8d460b039d | ||
Jérémy Dubois | 1281891363 | ||
Jérémy Dubois | 3fcab1eeb3 | ||
Jérémy Dubois | 11d77659a0 | ||
Jérémy Dubois | f1c63f827f | ||
Jérémy Dubois | e0202f28ff | ||
Jérémy Dubois | 8a735ca4ca | ||
Jérémy Dubois | af259252be | ||
Jérémy Dubois | 5bf2959aac | ||
Jérémy Dubois | e21628fea7 | ||
Jérémy Dubois | 04139f3d60 | ||
Jérémy Dubois | b6f4889ac5 | ||
Jérémy Dubois | b49a1fbea5 | ||
Jérémy Dubois | 682cd3afaa | ||
Jérémy Dubois | 7cb6055af5 | ||
Jérémy Dubois | 4798873ace | ||
Jérémy Dubois | 8eb2c5f9bc | ||
Jérémy Dubois | 5bad0301d9 | ||
Jérémy Dubois | 57d44cbf91 | ||
Jérémy Dubois | 3d86996f5d | ||
Jérémy Dubois | 04994ecebc | ||
c688b0d524 | |||
b58ad51307 | |||
5eedf3ad4d | |||
239c5896df | |||
8d80e5bfc8 | |||
4fead89240 | |||
e0716d3197 | |||
c436480014 | |||
a5a034e611 | |||
1d47e0f8d8 | |||
82a9050e00 | |||
0b6ad08b5b | |||
b1868829aa | |||
cf975ee14b | |||
f019e82255 | |||
c72a779f6c | |||
68823b7c91 | |||
6f5b5d78d8 | |||
e69e08160d | |||
425b08552a | |||
fe76e40b35 | |||
9164fe2459 | |||
5ee0d20fe9 | |||
82af0db8b2 | |||
ef2b234d49 | |||
53015152b3 | |||
12ccfa914b | |||
477c15df8a | |||
1add27c67d | |||
71436c2f44 | |||
53c7c42324 | |||
3a18ec50a7 | |||
ec7de84aa7 | |||
6f55586f6b | |||
f8f0effa94 | |||
ba43de597e | |||
94cbf9e589 | |||
7eba87917f | |||
ed93ba9f5d | |||
3948702561 | |||
4f1ee5a982 | |||
e509ea879e | |||
5d5291f08d | |||
e3f0b45724 | |||
6a9ba37c30 | |||
d6ef05803e | |||
950ea6fca6 | |||
8ae3707044 | |||
08edb86da6 | |||
e4269d793c | |||
37f3c1faee | |||
823a4f9ee0 | |||
954eaf5e28 | |||
de487e964c | |||
53cd10f4a8 | |||
4c43e1b21a | |||
4dc94a19b0 | |||
9832da8b03 | |||
d52aa4915b | |||
9a52beedbe | |||
6f4f299006 | |||
f10df11143 | |||
5be38dc4f5 | |||
2815c211f4 | |||
4c83cf1a28 | |||
c90de6ec1f | |||
f379f6210a |
|
@ -1,8 +0,0 @@
|
|||
kind: pipeline
|
||||
name: default
|
||||
|
||||
steps:
|
||||
- name: run shellcheck on evocheck.sh
|
||||
image: vlaborie/shellcheck
|
||||
commands:
|
||||
- LC_ALL=C.UTF-8 shellcheck evocheck.sh
|
197
CHANGELOG
197
CHANGELOG
|
@ -1,76 +1,161 @@
|
|||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
||||
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
||||
# Changelog
|
||||
|
||||
All notable changes to this project will be documented in this file.
|
||||
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
## [0.13] - 2018-04-10
|
||||
## [22.04] - 2022-04-13
|
||||
|
||||
### Added
|
||||
|
||||
* New checks:
|
||||
IS_EVOLIX_USER
|
||||
- Added check_root_user: make sure that root user does not have a password
|
||||
|
||||
### Changed
|
||||
|
||||
* Fixing IS_DUPLICATE_FS_LEVEL check
|
||||
* Custom limit for IS_NOTUPGRADED
|
||||
* IS_SSHALLOWUSERS now check also for AllowGroups
|
||||
|
||||
## [0.12] - 2018-03-19
|
||||
## [22.03] - 2022-03-10
|
||||
|
||||
### Added
|
||||
|
||||
* New checks:
|
||||
IS_DUPLICATE_FS_LEVEL
|
||||
- check_evomaintenanceconf: check existence and rights of evomaintenance conf file
|
||||
- Added check_nrpeopensmtpd to ensure that opensmtpd is used for mailq nrpe check
|
||||
- Added check_sshallowusers to ensure that AllowUsers or AllowGroups directive is present in sshd_config
|
||||
- Added check_evobackup_exclude_mount to ensure that NFS mounts are excluded from backup
|
||||
- Added check_etcgit to ensure that /etc is a git repository
|
||||
- Added check_evolinuxsudogroup to ensure that evolinux-sudo is properly configured in sudo if group exist
|
||||
- Added check_bind9munin to ensure that a plugin for bind is configured when munin is installed
|
||||
- Added check_evolix_user to ensure that evolix user does not exist
|
||||
- Added check_versions and its functions (download_versions, get_command, get_version, check_version, add_to_path) to ensure that custom scripts are up to date
|
||||
|
||||
### Changed
|
||||
|
||||
* Enabling IS_EVOBACKUP by default
|
||||
* Better output for IS_MYSQLMUNIN
|
||||
- Overall improvement of evocheck: reordering, splitting version and help options, adding comments, developping some functions so they are more comprehensible
|
||||
- Improved check_umasksudoers to have a more complete grep
|
||||
- Updated check_history to reflect the new HISTSIZE value
|
||||
- Renamed check_tmp1777 and check_root0700 respectively to check_tmp_1777 and check_root_0700
|
||||
- Improved check_tmp_1777, check_root_0700, check_usrsharescripts in the way the folders rights are checked
|
||||
|
||||
## [0.11] - 2018-02-07
|
||||
### Fixed
|
||||
|
||||
- Fixed check_uptime: it didn't work at all, and tried to get uptime in the wrong way
|
||||
- Fixed check_evomaintenanceusers: sudo is not used for the evomaintenance trap, doas is ; and users were not found the better way
|
||||
|
||||
### Removed
|
||||
|
||||
- Removed empty check_pfcustom
|
||||
|
||||
## [21.10] - 2021-10-07
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fixed check_tmoutprofile: syntax error on if/else/fi test
|
||||
|
||||
## [21.09] - 2021-09-17
|
||||
|
||||
### Changed
|
||||
|
||||
- Changed version numbering to use year.month and be capable to know the age of the script
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fixed check_tmoutprofile: Add "if" to check if file exists
|
||||
|
||||
## [6.9.1] - 2021-07-23
|
||||
|
||||
### Changed
|
||||
|
||||
- Renamed check_advskew, check_preempt, check_advbase and their alert to add "carp" in them
|
||||
|
||||
## [6.9.0] - 2021-07-16
|
||||
|
||||
### Added
|
||||
|
||||
* Bunch of new checks:
|
||||
IS_PRIVKEYWOLRDREADABLE
|
||||
IS_EVOLINUXSUDOGROUP
|
||||
IS_USERINADMGROUP
|
||||
IS_APACHE2EVOLINUXCONF
|
||||
IS_BACKPORTSCONF
|
||||
IS_BIND9MUNIN
|
||||
IS_BIND9LOGROTATE
|
||||
IS_BROADCOMFIRMWARE
|
||||
IS_HARDWARERAIDTOOL
|
||||
IS_LOG2MAILSYSTEMDUNIT
|
||||
IS_LISTUPGRADE
|
||||
IS_MARIADBEVOLINUXCONF
|
||||
IS_MARIADBSYSTEMDUNIT
|
||||
IS_MYSQLMUNIN
|
||||
IS_PHPEVOLINUXCONF
|
||||
IS_SQUIDLOGROTATE
|
||||
IS_SQUIDEVOLINUXCONF
|
||||
IS_SQL_BACKUP
|
||||
IS_POSTGRES_BACKUP
|
||||
IS_LDAP_BACKUP
|
||||
IS_REDIS_BACKUP
|
||||
IS_ELASTIC_BACKUP
|
||||
IS_MONGO_BACKUP
|
||||
IS_MOUNT_FSTAB
|
||||
IS_NETWORK_INTERFACES
|
||||
- Add check_advskew: convention for CARP interfaces. CARP in master state must have advskew parameter between 1 and 50, CARP in backup state must have advskew parameter between 100 and 150, preventing a configuration error with the same value for master and backup
|
||||
|
||||
## [6.8.0] - 2020-10-23
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix check_noatime: do not take into account commented entry in fstab
|
||||
|
||||
## [6.7.7] - 2020-10-22
|
||||
|
||||
### Added
|
||||
|
||||
- Add check_openvpncronlog: a cron is needed to rotate logs, because a restart of OpenVPN would be needed with the use of newsyslog to rotate logs
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix check_uptodate: properly check that syspatch exists
|
||||
- Fix check_raidok: the same device could be displayed multiple times
|
||||
|
||||
## [6.7.6] - 2020-10-15
|
||||
|
||||
### Added
|
||||
|
||||
- Add check_noatime - Check that all ffs partitions are mounted with the noatime option
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix check_softdep - We now check the number of ffs partitions and we compare it to the number of softdep options currently there
|
||||
|
||||
## [6.7.5] - 2020-10-09
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix check_cronpath - Do not check PATH=XXX but only XXX because XXX can also be in quotes (PATH="XXX" would not be matched)
|
||||
|
||||
## [6.7.4] - 2020-08-04
|
||||
|
||||
### Added
|
||||
|
||||
- Add check_backupuptodate - Check that /home/backup is not older than 2 days
|
||||
|
||||
## [6.7.3] - 2020-07-23
|
||||
|
||||
### Added
|
||||
|
||||
- Add check_ntp - Check the ntpd configuration
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix check_defaultroute - We need to check if the /etc/mygate file exists before comparing it
|
||||
|
||||
### Removed
|
||||
|
||||
- Removed check_postgresql - Deprecated since we now use an API
|
||||
|
||||
## [6.7.2] - 2020-07-22
|
||||
|
||||
### Added
|
||||
|
||||
- Add check_defaultroute function - Make sure the default route in /etc/mygate file is the same that the one currently used
|
||||
|
||||
## [6.7.1] - 2020-07-15
|
||||
|
||||
### Fixed
|
||||
|
||||
- Fix check_customsyslog - We have to check whether EvoBSD is present in newsyslog.conf file
|
||||
- Fix check_sudomaint function - ADMIN group does not exist anymore, we now check that the wheel group has NOPASSWD to run the evomaintenance command alias
|
||||
- Fix check_advbase - We want the evocheck advbase function output to be uniq
|
||||
|
||||
## [6.6.2] - 2020-04-27
|
||||
|
||||
### Added
|
||||
|
||||
- Add check_sync function - If a server is a Carp member we check whether the sync.sh script is present or not
|
||||
- Add check_pfenabled function - We make sure PF is enabled
|
||||
- Add check_uptodate function - Use syspatch(8) to check if security updates are available
|
||||
|
||||
### Changed
|
||||
|
||||
* IS_UPTIME added in --cron mode
|
||||
* is_pack_web() for Stretch
|
||||
* IS_DPKGWARNING for Stretch
|
||||
* IS_MOUNT_FSTAB is disabled if lsblk not available
|
||||
* IS_MINIFWPERMS for Stretch
|
||||
* IS_SQUID for Stretch
|
||||
* IS_LOG2MAILAPACHE for Stretch
|
||||
* IS_AUTOIF for Stretch
|
||||
* IS_UPTIME warn if uptime is more thant 2y, was 1y
|
||||
* IS_NOTUPGRADED warn if last upgrade is older than 90d, was 30d
|
||||
* IS_TUNE2FS_M5 use python in place of bc for calculation
|
||||
* IS_EVOMAINTENANCEUSERS for Stretch
|
||||
* IS_EVOMAINTENANCECONF check also the mode of the file (600)
|
||||
- Remove check_oldhomedir - This information is irrelevant since we always keep home directories of former sysadmins
|
||||
- Now use a version-naming scheme based on OpenBSD's one
|
||||
|
||||
## [6.6.1] - 2020-04-21
|
||||
|
||||
### Changed
|
||||
|
||||
- Rewrite if statements to functions
|
||||
- Add a main function
|
||||
- New help message
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
Current project leader: Benoît
|
||||
Current project leader: Jérémy D and Tristan
|
||||
|
||||
- Use English
|
||||
- Always do a Merge Request
|
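--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,43 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant::DEFAULT_SERVER_URL.replace('https://vagrantcloud.com')
-
-# Load ~/.VagrantFile if exist, permit local config provider
-vagrantfile = File.join("#{Dir.home}", '.VagrantFile')
-load File.expand_path(vagrantfile) if File.exists?(vagrantfile)
-
-Vagrant.configure('2') do |config|
-config.vm.synced_folder "./", "/vagrant", type: "rsync", rsync__exclude: [ '.vagrant', '.git' ]
-config.ssh.shell="/bin/sh"
-
-$deps = <<SCRIPT
-rm -f /usr/share/scripts/evocheck.sh
-ln -s /vagrant/evocheck.sh /usr/share/scripts/evocheck.sh
-cat >/etc/evocheck.cf <<EOF
-IS_CUSTOMSUDOERS=0
-IS_VARTMPFS=0
-IS_USRRO=0
-IS_TMPNOEXEC=0
-IS_SSHALLOWUSERS=0
-IS_ALERT5MINIFW=0
-IS_MINIFW=0
-IS_MINIFWPERMS=0
-IS_EVOBACKUP=0
-IS_MUNINRUNNING=0
-IS_EVOLINUXSUDOGROUP=0
-IS_LOG2MAILSYSTEMDUNIT=0
-IS_LISTUPGRADE=0
-IS_EVOMAINTENANCECONF=0
-EOF
-SCRIPT
-
-config.vm.define :evocheck do |node|
-node.vm.hostname = "evocheck.example.com"
-node.vm.box = "evolix/evolinux"
-
-node.vm.provision "deps", type: "shell", :inline => $deps
-
-end
-
-end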
1589
evocheck.sh
1589
evocheck.sh
|
@ -1,1070 +1,275 @@
|
|||
#!/bin/bash
|
||||
#!/bin/sh
|
||||
|
||||
# EvoCheck
|
||||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
# Script to verify compliance of an OpenBSD server powered by Evolix
|
||||
|
||||
# Disable LANG*
|
||||
export LANG=C
|
||||
export LANGUAGE=C
|
||||
readonly VERSION="22.04"
|
||||
|
||||
# Default configuration values
|
||||
IS_TMP_1777=1
|
||||
IS_ROOT_0700=1
|
||||
IS_VARTMPFS=1
|
||||
IS_USRSHARESCRIPTS=1
|
||||
IS_SERVEURBASE=1
|
||||
IS_LOGROTATECONF=1
|
||||
IS_SYSLOGCONF=1
|
||||
IS_DEBIANSECURITY=1
|
||||
IS_APTITUDEONLY=1
|
||||
IS_APTITUDE=1
|
||||
IS_APTGETBAK=1
|
||||
IS_APTICRON=0
|
||||
IS_USRRO=1
|
||||
IS_TMPNOEXEC=1
|
||||
IS_LISTCHANGESCONF=1
|
||||
IS_DPKGWARNING=1
|
||||
IS_CUSTOMCRONTAB=1
|
||||
IS_CUSTOMSUDOERS=1
|
||||
IS_SSHPERMITROOTNO=1
|
||||
IS_SSHALLOWUSERS=1
|
||||
IS_TMOUTPROFILE=1
|
||||
IS_ALERT5BOOT=1
|
||||
IS_ALERT5MINIFW=1
|
||||
IS_MINIFW=1
|
||||
IS_NRPEPERMS=1
|
||||
IS_MINIFWPERMS=1
|
||||
IS_NRPEDISKS=0
|
||||
IS_NRPEPOSTFIX=1
|
||||
IS_NRPEPID=1
|
||||
IS_GRSECPROCS=1
|
||||
IS_UMASKSUDOERS=1
|
||||
IS_EVOMAINTENANCEUSERS=1
|
||||
IS_APACHEMUNIN=1
|
||||
IS_MYSQLUTILS=1
|
||||
IS_RAIDSOFT=1
|
||||
IS_AWSTATSLOGFORMAT=1
|
||||
IS_MUNINLOGROTATE=1
|
||||
IS_EVOMAINTENANCECONF=1
|
||||
#IS_METCHE=1
|
||||
IS_SQUID=1
|
||||
IS_MODDEFLATE=1
|
||||
IS_LOG2MAILRUNNING=1
|
||||
IS_LOG2MAILAPACHE=1
|
||||
IS_LOG2MAILMYSQL=1
|
||||
IS_LOG2MAILSQUID=1
|
||||
IS_BINDCHROOT=1
|
||||
IS_REPVOLATILE=1
|
||||
IS_AUTOIF=1
|
||||
IS_INTERFACESGW=1
|
||||
IS_TOOMUCHDEBIANSYSMAINT=1
|
||||
IS_USERLOGROTATE=1
|
||||
IS_MODSECURITY=1
|
||||
IS_APACHECTL=1
|
||||
IS_APACHESYMLINK=1
|
||||
IS_APACHEIPINALLOW=1
|
||||
IS_MUNINAPACHECONF=1
|
||||
IS_SAMBAPINPRIORITY=1
|
||||
IS_KERNELUPTODATE=1
|
||||
IS_UPTIME=1
|
||||
IS_MUNINRUNNING=1
|
||||
IS_BACKUPUPTODATE=1
|
||||
IS_GITPERMS=1
|
||||
IS_NOTUPGRADED=1
|
||||
IS_TUNE2FS_M5=1
|
||||
IS_PRIVKEYWOLRDREADABLE=1
|
||||
IS_EVOLINUXSUDOGROUP=1
|
||||
IS_USERINADMGROUP=1
|
||||
IS_APACHE2EVOLINUXCONF=1
|
||||
IS_BACKPORTSCONF=1
|
||||
IS_BIND9MUNIN=1
|
||||
IS_BIND9LOGROTATE=1
|
||||
IS_BROADCOMFIRMWARE=1
|
||||
IS_HARDWARERAIDTOOL=1
|
||||
IS_LOG2MAILSYSTEMDUNIT=1
|
||||
IS_LISTUPGRADE=1
|
||||
IS_MARIADBEVOLINUXCONF=1
|
||||
IS_MARIADBSYSTEMDUNIT=1
|
||||
IS_MYSQLMUNIN=1
|
||||
IS_PHPEVOLINUXCONF=1
|
||||
IS_SQUIDLOGROTATE=1
|
||||
IS_SQUIDEVOLINUXCONF=1
|
||||
IS_SQL_BACKUP=1
|
||||
IS_POSTGRES_BACKUP=1
|
||||
IS_LDAP_BACKUP=1
|
||||
IS_REDIS_BACKUP=1
|
||||
IS_ELASTIC_BACKUP=1
|
||||
IS_MONGO_BACKUP=1
|
||||
IS_MOUNT_FSTAB=1
|
||||
IS_NETWORK_INTERFACES=1
|
||||
IS_EVOBACKUP=1
|
||||
IS_DUPLICATE_FS_LABEL=1
|
||||
IS_EVOMAINTENANCE_FW=1
|
||||
IS_EVOLIX_USER=1
|
||||
IS_EVOACME_CRON=1
|
||||
IS_EVOACME_LIVELINKS=1
|
||||
IS_APACHE_CONFENABLED=1
|
||||
IS_MELTDOWN_SPECTRE=1
|
||||
IS_OLD_HOME_DIR=1
|
||||
# base functions
|
||||
|
||||
#Proper to OpenBSD
|
||||
IS_SOFTDEP=1
|
||||
IS_WHEEL=1
|
||||
IS_SUDOADMIN=1
|
||||
IS_PKGMIRROR=1
|
||||
IS_HISTORY=1
|
||||
IS_VIM=1
|
||||
IS_TTYC0SECURE=1
|
||||
IS_CUSTOMSYSLOG=1
|
||||
IS_NOINETD=1
|
||||
IS_SUDOMAINT=1
|
||||
IS_POSTGRESQL=1
|
||||
IS_NRPE=1
|
||||
IS_NRPEDAEMON=1
|
||||
IS_ALERTBOOT=1
|
||||
IS_RSYNC=1
|
||||
show_version() {
|
||||
cat <<END
|
||||
evocheck version ${VERSION}
|
||||
|
||||
# Verbose function
|
||||
verbose() {
|
||||
msg="${1:-$(cat /dev/stdin)}"
|
||||
[ "${VERBOSE}" -eq 1 ] && [ -n "${msg}" ] && echo "${msg}"
|
||||
Copyright 2009-2021 Evolix <info@evolix.fr>,
|
||||
Romain Dessort <rdessort@evolix.fr>,
|
||||
Benoit Série <bserie@evolix.fr>,
|
||||
Gregory Colpart <reg@evolix.fr>,
|
||||
Jérémy Lecour <jlecour@evolix.fr>,
|
||||
Tristan Pilat <tpilat@evolix.fr>,
|
||||
Victor Laborie <vlaborie@evolix.fr>,
|
||||
Jérémy Dubois <jdubois@evolix.fr>
|
||||
and others.
|
||||
|
||||
evocheck comes with ABSOLUTELY NO WARRANTY. This is free software,
|
||||
and you are welcome to redistribute it under certain conditions.
|
||||
See the GNU General Public License v3.0 for details.
|
||||
END
|
||||
}
|
||||
show_help() {
|
||||
cat <<END
|
||||
evocheck is a script that verifies Evolix conventions on OpenBSD servers.
|
||||
|
||||
# Source configuration file
|
||||
test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
||||
Usage: evocheck
|
||||
or evocheck --cron
|
||||
or evocheck --quiet
|
||||
or evocheck --verbose
|
||||
|
||||
VERBOSE="${VERBOSE:-0}"
|
||||
|
||||
# If --cron is passed, ignore some checks.
|
||||
if [ "$1" = "--cron" ]; then
|
||||
IS_KERNELUPTODATE=0
|
||||
IS_UPTIME=0
|
||||
fi
|
||||
|
||||
# Functions
|
||||
is_pack_web(){
|
||||
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
|
||||
Options
|
||||
--cron disable a few checks
|
||||
-v, --verbose increase verbosity of checks
|
||||
-q, --quiet nothing is printed on stdout nor stderr
|
||||
-h, --help print this message and exit
|
||||
--version print version and exit
|
||||
END
|
||||
}
|
||||
|
||||
is_pack_samba(){
|
||||
test -e /usr/share/scripts/add.pl
|
||||
}
|
||||
|
||||
is_installed(){
|
||||
for pkg in $*; do
|
||||
dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1
|
||||
for pkg in "$@"; do
|
||||
pkg_info | grep -q $pkg || return 1
|
||||
done
|
||||
}
|
||||
|
||||
is_debianversion(){
|
||||
[ $(lsb_release -c -s) = $1 ] && return 0
|
||||
# logging
|
||||
|
||||
failed() {
|
||||
check_name=$1
|
||||
shift
|
||||
check_comments=$*
|
||||
|
||||
RC=1
|
||||
if [ "${QUIET}" != 1 ]; then
|
||||
if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
|
||||
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1
|
||||
else
|
||||
printf "%s FAILED!\n" "${check_name}" 2>&1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
|
||||
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
|
||||
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
|
||||
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
|
||||
# check functions
|
||||
|
||||
#-----------------------------------------------------------
|
||||
#Vérifie si c'est une debian et fait les tests appropriés.
|
||||
#-----------------------------------------------------------
|
||||
|
||||
if [ -e /etc/debian_version ]; then
|
||||
|
||||
if [ "$IS_DPKGWARNING" = 1 ]; then
|
||||
is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \
|
||||
grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \
|
||||
/etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' )
|
||||
is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \
|
||||
( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' )
|
||||
test -e /etc/apt/apt.conf && echo 'IS_DPKGWARNING FAILED!' )
|
||||
is_debianversion stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || echo 'IS_DPKGWARNING FAILED!')
|
||||
check_umasksudoers(){
|
||||
grep -Rq "^Defaults.*umask=0077" /etc/sudoers* || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
|
||||
}
|
||||
check_tmpnoexec(){
|
||||
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option"
|
||||
}
|
||||
check_softdep(){
|
||||
if [ $(grep -c softdep /etc/fstab) -ne $(grep -c ffs /etc/fstab) ]; then
|
||||
failed "IS_SOFTDEP" "All partitions should have the softdep option"
|
||||
fi
|
||||
|
||||
if [ "$IS_UMASKSUDOERS" = 1 ]; then
|
||||
is_debianversion squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || echo 'IS_UMASKSUDOERS FAILED!' )
|
||||
fi
|
||||
|
||||
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
|
||||
if [ "$IS_NRPEPOSTFIX" = 1 ]; then
|
||||
is_debianversion squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPOSTFIX FAILED!' )
|
||||
is_debianversion squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || echo 'IS_NRPEPOSTFIX FAILED!' ) )
|
||||
fi
|
||||
|
||||
# Check if mod-security config file is present
|
||||
if [ "$IS_MODSECURITY" = 1 ]; then
|
||||
is_debianversion squeeze && is_installed libapache-mod-security && \
|
||||
(test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!')
|
||||
is_debianversion wheezy && is_installed libapache2-modsecurity && \
|
||||
(test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!')
|
||||
fi
|
||||
|
||||
if [ "$IS_CUSTOMSUDOERS" = 1 ]; then
|
||||
grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_VARTMPFS" = 1 ]; then
|
||||
df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_SERVEURBASE" = 1 ]; then
|
||||
is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_LOGROTATECONF" = 1 ]; then
|
||||
test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_SYSLOGCONF" = 1 ]; then
|
||||
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_DEBIANSECURITY" = 1 ]; then
|
||||
grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_APTITUDEONLY" = 1 ]; then
|
||||
is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
|
||||
is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_APTITUDE" = 1 ]; then
|
||||
is_debianversion jessie && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!'
|
||||
is_debianversion stretch && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_APTGETBAK" = 1 ]; then
|
||||
is_debianversion jessie && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!'
|
||||
is_debianversion stretch && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_APTICRON" = 1 ]; then
|
||||
status="OK"
|
||||
test -e /etc/cron.d/apticron || status="fail"
|
||||
test -e /etc/cron.daily/apticron && status="fail"
|
||||
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
|
||||
( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_USRRO" = 1 ]; then
|
||||
grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_TMPNOEXEC" = 1 ]; then
|
||||
mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_MOUNT_FSTAB" = 1 ]; then
|
||||
# Test if lsblk available, if not skip this test...
|
||||
if test -x "$(command -v lsblk)"; then
|
||||
for mountPoint in $(lsblk -o MOUNTPOINT -l -n | grep '/'); do
|
||||
grep -Eq "$mountPoint\W" /etc/fstab || echo 'IS_MOUNT_FSTAB FAILED!'
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_LISTCHANGESCONF" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
if is_installed apt-listchanges; then
|
||||
echo 'IS_LISTCHANGESCONF FAILED!'
|
||||
verbose "apt-listchanges must not be installed on Stretch"
|
||||
}
|
||||
check_noatime(){
|
||||
if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then
|
||||
failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
|
||||
fi
|
||||
}
|
||||
check_tmoutprofile(){
|
||||
if [ -f /etc/skel/.profile ]; then
|
||||
grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "Add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
|
||||
else
|
||||
if [ -e "/etc/apt/listchanges.conf" ]; then
|
||||
lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf)
|
||||
if [ $lines != 2 ]; then
|
||||
echo 'IS_LISTCHANGESCONF FAILED!'
|
||||
verbose "apt-listchanges config is incorrect"
|
||||
failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'"
|
||||
fi
|
||||
}
|
||||
check_raidok(){
|
||||
egrep 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1
|
||||
RESULT=$?
|
||||
if [ $RESULT -eq 0 ]; then
|
||||
raid_device=$(egrep 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }' | tail -1)
|
||||
raid_status=$(bioctl $raid_device | grep softraid | awk '{ print $3 }')
|
||||
if [ $raid_status != "Online" ]; then
|
||||
failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_evobackup(){
|
||||
if [ -f /etc/daily.local ]; then
|
||||
grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
|
||||
else
|
||||
echo 'IS_LISTCHANGESCONF FAILED!'
|
||||
verbose "apt-listchanges config is missing"
|
||||
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
|
||||
fi
|
||||
}
|
||||
check_uptodate(){
|
||||
if [ $(command -v syspatch) ]; then
|
||||
if syspatch -c | egrep "." 1> /dev/null 2>&1; then
|
||||
failed "IS_UPTODATE" "Security update available! Update with syspatch(8)!"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_uptime(){
|
||||
let "uptime = $(date +"%s") - $(sysctl -n kern.boottime)"
|
||||
if [ "$uptime" -gt "$(( 2*365*24*60*60 ))" ]; then
|
||||
failed "IS_UPTIME" "The server has an uptime of more than 2 years, reboot on new kernel advised"
|
||||
fi
|
||||
}
|
||||
check_backupuptodate(){
|
||||
backup_dir="/home/backup"
|
||||
if [ -d "${backup_dir}" ]; then
|
||||
if [ -n "$(ls -A ${backup_dir})" ]; then
|
||||
for file in ${backup_dir}/*; do
|
||||
let "limit = $(date +"%s") - 172800"
|
||||
updated_at=$(stat -f "%m" "$file")
|
||||
|
||||
if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
|
||||
grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_SSHALLOWUSERS" = 1 ]; then
|
||||
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_DISKPERF" = 1 ]; then
|
||||
test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_TMOUTPROFILE" = 1 ]; then
|
||||
grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_ALERT5BOOT" = 1 ]; then
|
||||
grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_ALERT5MINIFW" = 1 ]; then
|
||||
grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then
|
||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_NRPEPERMS" = 1 ]; then
|
||||
test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_MINIFWPERMS" = 1 ]; then
|
||||
ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_NRPEDISKS" = 1 ]; then
|
||||
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
|
||||
DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
|
||||
[ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_NRPEPID" = 1 ]; then
|
||||
is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!')
|
||||
fi
|
||||
|
||||
if [ "$IS_GRSECPROCS" = 1 ]; then
|
||||
uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' )
|
||||
fi
|
||||
|
||||
if [ "$IS_APACHEMUNIN" = 1 ]; then
|
||||
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) )
|
||||
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' ) )
|
||||
fi
|
||||
|
||||
# Verification mytop + Munin si MySQL
|
||||
if [ "$IS_MYSQLUTILS" = 1 ]; then
|
||||
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
|
||||
if is_installed mysql-server; then
|
||||
# You can configure MYSQL_ADMIN in evocheck.cf
|
||||
if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then
|
||||
echo 'IS_MYSQLUTILS FAILED!'
|
||||
verbose 'mysqladmin missing in /root/.my.cnf'
|
||||
fi
|
||||
if ! test -x /usr/bin/mytop; then
|
||||
if ! test -x /usr/local/bin/mytop; then
|
||||
echo 'IS_MYSQLUTILS FAILED!'
|
||||
verbose 'mytop binary missing'
|
||||
fi
|
||||
fi
|
||||
if ! grep -qs debian-sys-maint /root/.mytop; then
|
||||
echo 'IS_MYSQLUTILS FAILED!'
|
||||
verbose 'debian-sys-maint missing in /root/.mytop'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verification de la configuration du raid soft (mdadm)
|
||||
if [ "$IS_RAIDSOFT" = 1 ]; then
|
||||
test -e /proc/mdstat && grep -q md /proc/mdstat && \
|
||||
( grep -q "^AUTOCHECK=true" /etc/default/mdadm \
|
||||
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \
|
||||
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!')
|
||||
fi
|
||||
|
||||
# Verification du LogFormat de AWStats
|
||||
if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then
|
||||
is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' )
|
||||
fi
|
||||
|
||||
# Verification de la présence de la config logrotate pour Munin
|
||||
if [ "$IS_MUNINLOGROTATE" = 1 ]; then
|
||||
( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!'
|
||||
fi
|
||||
|
||||
# Verification de la présence de metche
|
||||
#if [ "$IS_METCHE" = 1 ]; then
|
||||
# is_installed metche || echo 'IS_METCHE FAILED!'
|
||||
#fi
|
||||
|
||||
# Verification de l'activation de Squid dans le cas d'un pack mail
|
||||
if [ "$IS_SQUID" = 1 ]; then
|
||||
squidconffile=/etc/squid*/squid.conf
|
||||
is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
|
||||
is_pack_web && ( is_installed squid || is_installed squid3 \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
|
||||
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
|
||||
if [ -f "$MINIFW_FILE" ]; then
|
||||
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
|
||||
if [ "$rulesNumber" -lt 2 ]; then
|
||||
echo 'IS_EVOMAINTENANCE_FW FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verification de la conf et de l'activation de mod-deflate
|
||||
if [ "$IS_MODDEFLATE" = 1 ]; then
|
||||
f=/etc/apache2/mods-enabled/deflate.conf
|
||||
is_installed apache2.2 && (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
|
||||
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \
|
||||
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!')
|
||||
fi
|
||||
|
||||
# Verification de la conf log2mail
|
||||
if [ "$IS_LOG2MAILRUNNING" = 1 ]; then
|
||||
is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING')
|
||||
fi
|
||||
if [ "$IS_LOG2MAILAPACHE" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
conf=/etc/log2mail/config/apache
|
||||
else
|
||||
conf=/etc/log2mail/config/default
|
||||
fi
|
||||
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null || echo 'IS_LOG2MAILAPACHE FAILED!' )
|
||||
fi
|
||||
if [ "$IS_LOG2MAILMYSQL" = 1 ]; then
|
||||
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null || echo 'IS_LOG2MAILMYSQL FAILED!' )
|
||||
fi
|
||||
if [ "$IS_LOG2MAILSQUID" = 1 ]; then
|
||||
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \
|
||||
/etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' )
|
||||
fi
|
||||
|
||||
# Verification si bind est chroote
|
||||
if [ "$IS_BINDCHROOT" = 1 ]; then
|
||||
if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then
|
||||
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
|
||||
if [ "$(md5sum /usr/sbin/named |cut -f 1 -d ' ')" != "$(md5sum /var/chroot-bind/usr/sbin/named |cut -f 1 -d ' ')" ]; then
|
||||
echo 'IS_BINDCHROOT FAILED!'
|
||||
fi
|
||||
else
|
||||
echo 'IS_BINDCHROOT FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verification de la présence du depot volatile
|
||||
if [ "$IS_REPVOLATILE" = 1 ]; then
|
||||
test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
|
||||
test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
|
||||
fi
|
||||
|
||||
# /etc/network/interfaces should be present, we don't manage systemd-network yet
|
||||
if [ "$IS_NETWORK_INTERFACES" = 1 ]; then
|
||||
if ! test -f /etc/network/interfaces; then
|
||||
echo "IS_NETWORK_INTERFACES FAILED!"
|
||||
IS_AUTOIF=0
|
||||
IS_INTERFACESGW=0
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verify if all if are in auto
|
||||
if [ "$IS_AUTOIF" = 1 ]; then
|
||||
is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do
|
||||
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
|
||||
done
|
||||
is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do
|
||||
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
|
||||
done
|
||||
fi
|
||||
|
||||
# Network conf verification
|
||||
if [ "$IS_INTERFACESGW" = 1 ]; then
|
||||
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
|
||||
test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!'
|
||||
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
|
||||
test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!'
|
||||
fi
|
||||
|
||||
# Verification de la mise en place d'evobackup
|
||||
if [ "$IS_EVOBACKUP" = 1 ]; then
|
||||
ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
|
||||
fi
|
||||
|
||||
# Verification de la presence du userlogrotate
|
||||
if [ "$IS_USERLOGROTATE" = 1 ]; then
|
||||
is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!')
|
||||
fi
|
||||
|
||||
|
||||
# Verification de la syntaxe de la conf d'Apache
|
||||
if [ "$IS_APACHECTL" = 1 ]; then
|
||||
is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!')
|
||||
fi
|
||||
|
||||
# Check if there is regular files in Apache sites-enabled.
|
||||
if [ "$IS_APACHESYMLINK" = 1 ]; then
|
||||
is_installed apache2.2-common && \
|
||||
(stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && echo 'IS_APACHESYMLINK FAILED!')
|
||||
fi
|
||||
|
||||
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
|
||||
if [ "$IS_APACHEIPINALLOW" = 1 ]; then
|
||||
# Note: Replace "exit 1" by "print" in Perl code to debug it.
|
||||
is_installed apache2.2-common && \
|
||||
(grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ |grep -iv "from all" |grep -iv "env=" |perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || echo 'IS_APACHEIPINALLOW FAILED!')
|
||||
fi
|
||||
|
||||
# Check if default Apache configuration file for munin is absent (or empty or commented).
|
||||
if [ "$IS_MUNINAPACHECONF" = 1 ]; then
|
||||
if is_debianversion squeeze || is_debianversion wheezy; then
|
||||
muninconf="/etc/apache2/conf.d/munin"
|
||||
else
|
||||
muninconf="/etc/apache2/conf-available/munin.conf"
|
||||
fi
|
||||
is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!')
|
||||
fi
|
||||
|
||||
# Verification de la priorité du package samba si les backports sont utilisés
|
||||
if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then
|
||||
is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' )
|
||||
fi
|
||||
|
||||
# Verification si le système doit redémarrer suite màj kernel.
|
||||
if [ "$IS_KERNELUPTODATE" = 1 ]; then
|
||||
if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
|
||||
echo 'IS_KERNELUPTODATE FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check if the server is running for more than a year.
|
||||
if [ "$IS_UPTIME" = 1 ]; then
|
||||
if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
|
||||
echo 'IS_UPTIME FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check if munin-node running and RRD files are up to date.
|
||||
if [ "$IS_MUNINRUNNING" = 1 ]; then
|
||||
pgrep munin-node >/dev/null || echo 'IS_MUNINRUNNING FAILED!'
|
||||
[ "$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ] && echo 'IS_MUNINRUNNING FAILED!'
|
||||
grep -q "^graph_strategy cron" /etc/munin/munin.conf && ([ "$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ]) && echo 'IS_MUNINRUNNING FAILED!'
|
||||
fi
|
||||
|
||||
# Check if files in /home/backup/ are up-to-date
|
||||
if [ "$IS_BACKUPUPTODATE" = 1 ]; then
|
||||
[ -d /home/backup/ ] && for file in /home/backup/*; do
|
||||
if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
|
||||
echo 'IS_BACKUPUPTODATE FAILED!'
|
||||
break;
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
# Check if /etc/.git/ has read/write permissions for root only.
|
||||
if [ "$IS_GITPERMS" = 1 ]; then
|
||||
test -d /etc/.git && [ "$(stat -c "%a" /etc/.git/)" = "700" ] || echo 'IS_GITPERMS FAILED!'
|
||||
fi
|
||||
|
||||
# Check if no package has been upgraded since $limit.
|
||||
if [ "$IS_NOTUPGRADED" = 1 ]; then
|
||||
last_upgrade=0
|
||||
upgraded=false
|
||||
for log in /var/log/dpkg.log*; do
|
||||
zgrep -qsm1 upgrade "$log"
|
||||
if [ $? -eq 0 ]; then
|
||||
# There is at least one upgrade
|
||||
upgraded=true
|
||||
break
|
||||
fi
|
||||
done
|
||||
if $upgraded; then
|
||||
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
|
||||
fi
|
||||
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|
||||
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
|
||||
# Manual upgrade process
|
||||
limit=$(date +%s -d "now - 180 days")
|
||||
else
|
||||
# Regular process
|
||||
limit=$(date +%s -d "now - 90 days")
|
||||
fi
|
||||
install_date=0
|
||||
if [ -d /var/log/installer ]; then
|
||||
install_date=$(stat -c %Z /var/log/installer)
|
||||
fi
|
||||
# Check install_date if the system never received an upgrade
|
||||
if [ $last_upgrade -eq 0 ]; then
|
||||
[ $install_date -lt $limit ] && echo 'IS_NOTUPGRADED FAILED!'
|
||||
else
|
||||
[ $last_upgrade -lt $limit ] && echo 'IS_NOTUPGRADED FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
# Check if reserved blocks for root is at least 5% on every mounted partitions.
|
||||
if [ "$IS_TUNE2FS_M5" = 1 ]; then
|
||||
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
|
||||
for part in $parts; do
|
||||
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
|
||||
# If buggy partition, skip it.
|
||||
if [ -z $blockCount ]; then
|
||||
continue
|
||||
fi
|
||||
reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+")
|
||||
percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))")
|
||||
if [ "$percentage" -lt 5 ]; then
|
||||
echo 'IS_TUNE2FS_M5 FAILED!'
|
||||
verbose "Partition $part has less than 5% reserved blocks!"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
(grep -q ^evolinux-sudo: /etc/group \
|
||||
&& grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || echo 'IS_EVOLINUXSUDOGROUP FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_USERINADMGROUP" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
for user in $(grep ^evolinux-sudo: /etc/group |awk -F: '{print $4}' |tr ',' ' '); do
|
||||
groups $user |grep -q adm || echo 'IS_USERINADMGROUP FAILED!'
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then
|
||||
if (test -d /etc/apache2 && is_debianversion stretch); then
|
||||
(test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
|
||||
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
|
||||
&& test -f /etc/apache2/ipaddr_whitelist.conf) || echo 'IS_APACHE2EVOLINUXCONF FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_BACKPORTSCONF" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
|
||||
&& echo 'IS_BACKPORTSCONF FAILED!'
|
||||
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
|
||||
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|
||||
|| echo 'IS_BACKPORTSCONF FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_BIND9MUNIN" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed bind9; then
|
||||
(test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) || echo 'IS_BIND9MUNIN FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_BIND9LOGROTATE" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed bind9; then
|
||||
test -e /etc/logrotate.d/bind9 || echo 'IS_BIND9LOGROTATE FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then
|
||||
if lspci | grep -q 'NetXtreme II'; then
|
||||
(is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) || echo 'IS_BROADCOMFIRMWARE FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then
|
||||
lspci |grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) || echo 'IS_HARDWARERAIDTOOL FAILED!')
|
||||
lspci |grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status || echo 'IS_HARDWARERAIDTOOL FAILED!')
|
||||
fi
|
||||
|
||||
if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then
|
||||
if is_debianversion stretch; then
|
||||
(systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) || echo 'IS_LOG2MAILSYSTEMDUNIT FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_LISTUPGRADE" = 1 ]; then
|
||||
(test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) || echo 'IS_LISTUPGRADE FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed mariadb-server; then
|
||||
(test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
|
||||
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) || echo 'IS_MARIADBEVOLINUXCONF FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_SQL_BACKUP" = 1 ]; then
|
||||
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
|
||||
test -f "$SQL_BACKUP_PATH" || echo 'IS_SQL_BACKUP FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_POSTGRES_BACKUP" = 1 ]; then
|
||||
if is_installed "postgresql-9*"; then
|
||||
# If you use something like barman, you should deactivate this check
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
|
||||
test -f "$POSTGRES_BACKUP_PATH" || echo 'IS_POSTGRES_BACKUP FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_MONGO_BACKUP" = 1 ]; then
|
||||
if is_installed "mongodb-org-server"; then
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
|
||||
if [ -d "$MONGO_BACKUP_PATH" ]; then
|
||||
for file in ${MONGO_BACKUP_PATH}/*/*.{json,bson}; do
|
||||
# Skip indexes file.
|
||||
if ! [[ "$file" =~ indexes ]]; then
|
||||
if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
|
||||
echo 'IS_MONGO_BACKUP FAILED!'
|
||||
break
|
||||
fi
|
||||
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
|
||||
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
|
||||
test "${VERBOSE}" = 1 || break;
|
||||
fi
|
||||
done
|
||||
else
|
||||
echo 'IS_MONGO_BACKUP FAILED!'
|
||||
failed "IS_BACKUPUPTODATE" "${backup_dir}/ is empty"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_LDAP_BACKUP" = 1 ]; then
|
||||
if is_installed slapd; then
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
|
||||
test -f "$LDAP_BACKUP_PATH" || echo 'IS_LDAP_BACKUP FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_REDIS_BACKUP" = 1 ]; then
|
||||
if is_installed redis-server; then
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
|
||||
test -f "$REDIS_BACKUP_PATH" || echo 'IS_REDIS_BACKUP FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_ELASTIC_BACKUP" = 1 ]; then
|
||||
if is_installed elasticsearch; then
|
||||
# You could change the default path in /etc/evocheck.cf
|
||||
ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"}
|
||||
test -d "$ELASTIC_BACKUP_PATH" || echo 'IS_ELASTIC_BACKUP FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed mariadb-server; then
|
||||
(systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) || echo 'IS_MARIADBSYSTEMDUNIT FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_MYSQLMUNIN" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed mariadb-server; then
|
||||
for file in mysql_bytes mysql_queries mysql_slowqueries \
|
||||
mysql_threads mysql_connections mysql_files_tables \
|
||||
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
|
||||
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
|
||||
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
|
||||
mysql_sorts mysql_tmp_tables; do
|
||||
|
||||
if [[ ! -L /etc/munin/plugins/$file ]]; then
|
||||
echo 'IS_MYSQLMUNIN FAILED!'
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_MYSQLNRPE" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed mariadb-server; then
|
||||
(test -f ~nagios/.my.cnf \
|
||||
&& [ $(stat -c %U ~nagios/.my.cnf) = "nagios" ] \
|
||||
&& [ $(stat -c %a ~nagios/.my.cnf) = "600" ] \
|
||||
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") || echo 'IS_MYSQLNRPE FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed php; then
|
||||
(test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \
|
||||
&& test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) || echo 'IS_PHPEVOLINUXCONF FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_SQUIDLOGROTATE" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed squid; then
|
||||
grep -q monthly /etc/logrotate.d/squid || echo 'IS_SQUIDLOGROTATE FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then
|
||||
if is_debianversion stretch && is_installed squid; then
|
||||
(grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
|
||||
&& test -f /etc/squid/evolinux-defaults.conf \
|
||||
&& test -f /etc/squid/evolinux-whitelist-defaults.conf \
|
||||
&& test -f /etc/squid/evolinux-whitelist-custom.conf \
|
||||
&& test -f /etc/squid/evolinux-acl.conf \
|
||||
&& test -f /etc/squid/evolinux-httpaccess.conf \
|
||||
&& test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
|
||||
# Do it only if thereis blkid binary
|
||||
if [ -x "$(which blkid)" ]; then
|
||||
tmpFile=$(mktemp -p /tmp)
|
||||
parts=$(blkid | grep -ve raid_member -e EFI_SYSPART \
|
||||
| grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
|
||||
for part in $parts; do
|
||||
echo "$part" >> "$tmpFile"
|
||||
done
|
||||
tmpOutput=$(sort < "$tmpFile" | uniq -d)
|
||||
# If there is no duplicate, uniq will have no output
|
||||
# So, if $tmpOutput is not null, there is a duplicate
|
||||
if [ -n "$tmpOutput" ]; then
|
||||
echo 'IS_DUPLICATE_FS_LABEL FAILED!'
|
||||
if [ "$VERBOSE" = 1 ]; then
|
||||
echo "Duplicate labels:"
|
||||
echo -e "$tmpOutput\n"
|
||||
fi
|
||||
fi
|
||||
rm $tmpFile
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOLIX_USER" = 1 ]; then
|
||||
grep -q "evolix:" /etc/passwd && echo 'IS_EVOLIX_USER FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOACME_CRON" = 1 ]; then
|
||||
if [ -f "/usr/local/sbin/evoacme" ]; then
|
||||
# Old cron file, should be deleted
|
||||
test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!'
|
||||
# evoacme cron file should be present
|
||||
test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!'
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
|
||||
if [ -x "$(which evoacme)" ]; then
|
||||
# Sometimes evoacme is installed but no certificates has been generated
|
||||
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
|
||||
if [ $numberOfLinks -gt 0 ]; then
|
||||
for live in /etc/letsencrypt/*/live; do
|
||||
actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11)
|
||||
actualCertDate=$(cut -d'/' -f5 <<< $actualLink)
|
||||
liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9)
|
||||
certDir=${liveDir%%/live}
|
||||
lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1)
|
||||
lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir)
|
||||
if [[ "$actualCertDate" != "$lastCertDate" ]]; then
|
||||
echo 'IS_EVOACME_LIVELINKS FAILED!'
|
||||
break
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_APACHE_CONFENABLED" = 1 ]; then
|
||||
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
|
||||
# must be replaced by conf-available/ and config files symlinked
|
||||
# to conf-enabled/
|
||||
if is_debianversion jessie || is_debianversion stretch; then
|
||||
if [ -f /etc/apache2/apache2.conf ]; then
|
||||
test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!'
|
||||
grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
|
||||
echo 'IS_APACHE_CONFENABLED FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
|
||||
# For Stretch, detection is easy as the kernel use
|
||||
# /sys/devices/system/cpu/vulnerabilities/
|
||||
if is_debianversion stretch; then
|
||||
for vuln in meltdown spectre_v1 spectre_v2; do
|
||||
test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
done
|
||||
# For Jessie this is quite complicated to verify and we need to use kernel config file
|
||||
elif is_debianversion jessie; then
|
||||
if grep -q BOOT_IMAGE= /proc/cmdline; then
|
||||
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
|
||||
kernelVer=${kernelPath##*/vmlinuz-}
|
||||
kernelConfig="config-${kernelVer}"
|
||||
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
|
||||
if [ -f /boot/$kernelConfig ]; then
|
||||
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$IS_OLD_HOME_DIR" = 1 ]; then
|
||||
for dir in /home/*; do
|
||||
statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \
|
||||
| grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \
|
||||
| grep UNKNOWN)
|
||||
# There is at least one dir matching
|
||||
if [[ -n "$statResult" ]]; then
|
||||
echo 'IS_OLD_HOME_DIR FAILED!'
|
||||
if [[ "$VERBOSE" == 1 ]]; then
|
||||
echo "$statResult"
|
||||
else
|
||||
break
|
||||
failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing"
|
||||
fi
|
||||
}
|
||||
check_gitperms() {
|
||||
GIT_DIR="/etc/.git"
|
||||
if test -d $GIT_DIR; then
|
||||
expected="40700"
|
||||
actual=$(stat -f "%p" $GIT_DIR)
|
||||
[ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be 700"
|
||||
fi
|
||||
}
|
||||
check_carpadvbase(){
|
||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||
bad_advbase=0
|
||||
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
|
||||
if [[ "$advbase" -gt 5 ]]; then
|
||||
bad_advbase=1
|
||||
fi
|
||||
done
|
||||
if [[ "$bad_advbase" -eq 1 ]]; then
|
||||
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_carppreempt(){
|
||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
|
||||
if [[ "$preempt" -ne 1 ]]; then
|
||||
failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
|
||||
fi
|
||||
if [ -f /etc/sysctl.conf ]; then
|
||||
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
|
||||
else
|
||||
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_rebootmail(){
|
||||
if [ -f /etc/rc.local ]; then
|
||||
grep -qE '^date \| mail -s "boot/reboot of' /etc/rc.local || failed "IS_REBOOTMAIL" "Make sure the line 'date | mail -s \"boot/reboot of \$hostname' is present in the /etc/rc.local file!"
|
||||
else
|
||||
failed "IS_REBOOTMAIL" "Make sure /etc/rc.local exist and 'date | mail -s \"boot/reboot of \$hostname' is present!"
|
||||
fi
|
||||
}
|
||||
check_pfenabled(){
|
||||
if pfctl -si | grep Disabled 1> /dev/null 2>&1; then
|
||||
failed "IS_PFENABLED" "PF is disabled! Make sure pf=NO is absent from /etc/rc.conf.local and carefully run pfctl -e"
|
||||
fi
|
||||
}
|
||||
check_wheel(){
|
||||
if [ -f /etc/sudoers ]; then
|
||||
grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL" ""
|
||||
fi
|
||||
}
|
||||
check_pkgmirror(){
|
||||
grep -qE "^https://cdn\.openbsd\.org/pub/OpenBSD" /etc/installurl || failed "IS_PKGMIRROR" "Check whether the right repo is present in the /etc/installurl file"
|
||||
}
|
||||
check_history(){
|
||||
file=/root/.profile
|
||||
grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=100000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=100000' are present in /root/.profile"
|
||||
}
|
||||
check_vim(){
|
||||
if ! is_installed vim; then
|
||||
failed "IS_VIM" "vim is not installed! Please add with pkg_add vim"
|
||||
fi
|
||||
}
|
||||
check_ttyc0secure(){
|
||||
grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE" "First tty should be secured"
|
||||
}
|
||||
check_customsyslog(){
|
||||
grep -q EvoBSD /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" ""
|
||||
}
|
||||
check_sudomaint(){
|
||||
file=/etc/sudoers
|
||||
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \
|
||||
&& grep -q "%wheel ALL=NOPASSWD: MAINT" $file \
|
||||
|| failed "IS_SUDOMAINT" ""
|
||||
}
|
||||
check_nrpe(){
|
||||
if ! is_installed monitoring-plugins || ! is_installed nrpe; then
|
||||
failed "IS_NRPE" "nrpe and/or monitoring-plugins are not installed! Please add with pkg_add nrpe monitoring-plugins"
|
||||
fi
|
||||
}
|
||||
check_rsync(){
|
||||
if ! is_installed rsync; then
|
||||
failed "IS_RSYNC" "rsync is not installed! Please add with pkg_add rsync"
|
||||
fi
|
||||
}
|
||||
check_cronpath(){
|
||||
grep -q "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/share/scripts" /var/cron/tabs/root || failed "IS_CRONPATH" ""
|
||||
}
|
||||
check_tmp_1777(){
|
||||
actual=$(stat -f "%p" /tmp)
|
||||
expected="41777"
|
||||
test "$expected" = "$actual" || failed "IS_TMP_1777" "/tmp must be 1777"
|
||||
}
|
||||
check_root_0700(){
|
||||
actual=$(stat -f "%p" /root)
|
||||
expected="40700"
|
||||
test "$expected" = "$actual" || failed "IS_ROOT_0700" "/root must be 700"
|
||||
}
|
||||
check_usrsharescripts(){
|
||||
actual=$(stat -f "%p" /usr/share/scripts)
|
||||
expected="40700"
|
||||
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be 700"
|
||||
}
|
||||
check_sshpermitrootno() {
|
||||
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
|
||||
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
||||
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
||||
fi
|
||||
}
|
||||
check_evomaintenanceusers(){
|
||||
users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
|
||||
for user in $users; do
|
||||
user_home=$(getent passwd "$user" | cut -d: -f6)
|
||||
if [ -n "$user_home" ] && [ -d "$user_home" ]; then
|
||||
if ! grep -qs "^trap.*doas.*evomaintenance.sh" "${user_home}"/.*profile; then
|
||||
echo "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap"
|
||||
test "${VERBOSE}" = 1 || break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [ `uname -s` == "OpenBSD" ]; then
|
||||
|
||||
if [ "$IS_SOFTDEP" = 1 ]; then
|
||||
grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_WHEEL" = 1 ]; then
|
||||
grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_SUDOADMIN" = 1 ]; then
|
||||
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_PKGMIRROR" = 1 ]; then
|
||||
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_HISTORY" = 1 ]; then
|
||||
f=/root/.profile
|
||||
grep -q "^HISTFILE=\$HOME/.histfile" $f \
|
||||
&& grep -q "^export HISTFILE" $f \
|
||||
&& grep -q "^HISTSIZE=1000" $f \
|
||||
&& grep -q "^export HISTSIZE" $f \
|
||||
|| echo 'IS_HISTORY FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_VIM" = 1 ]; then
|
||||
which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_TTYC0SECURE" = 1 ]; then
|
||||
grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_CUSTOMSYSLOG" = 1 ]; then
|
||||
grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_NOINETD" = 1 ]; then
|
||||
grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_SUDOMAINT" = 1 ]; then
|
||||
f=/etc/sudoers
|
||||
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
|
||||
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \
|
||||
|| echo 'IS_SUDOMAINT FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_POSTGRESQL" = 1 ]; then
|
||||
pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_NRPE" = 1 ]; then
|
||||
( pkg info | grep -qE "nagios-plugins-[0-9.]" \
|
||||
&& pkg info | grep -q nagios-plugins-ntp \
|
||||
&& pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!'
|
||||
fi
|
||||
|
||||
# if [ "$IS_NRPEDISKS" = 1 ]; then
|
||||
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
|
||||
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
|
||||
# [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
|
||||
# fi
|
||||
|
||||
# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
|
||||
#
|
||||
# if [ "$IS_NRPEPOSTFIX" = 1 ]; then
|
||||
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' )
|
||||
# fi
|
||||
|
||||
if [ "$IS_NRPEDAEMON" = 1 ]; then
|
||||
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_ALERTBOOT" = 1 ]; then
|
||||
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_RSYNC" = 1 ]; then
|
||||
pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_CRONPATH" = 1 ]; then
|
||||
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!'
|
||||
fi
|
||||
|
||||
#TODO
|
||||
# - Check en profondeur de postfix
|
||||
# - NRPEDISK et NRPEPOSTFIX
|
||||
fi
|
||||
|
||||
if [ "$IS_TMP_1777" = 1 ]; then
|
||||
ls -ld /tmp | grep -q drwxrwxrwt || echo 'IS_TMP_1777 FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_ROOT_0700" = 1 ]; then
|
||||
ls -ld /root | grep -q drwx------ || echo 'IS_ROOT_0700 FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_USRSHARESCRIPTS" = 1 ]; then
|
||||
ls -ld /usr/share/scripts | grep -q drwx------ || echo 'IS_USRSHARESCRIPTS FAILED!'
|
||||
fi
|
||||
|
||||
if [ "$IS_SSHPERMITROOTNO" = 1 ]; then
|
||||
is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
|
||||
is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
|
||||
fi
|
||||
|
||||
if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
|
||||
# Can be changed in evocheck.cf
|
||||
homeDir=${homeDir:-/home}
|
||||
if ! is_debianversion stretch; then
|
||||
if [ -f /etc/sudoers.d/evolinux ]; then
|
||||
sudoers="/etc/sudoers.d/evolinux"
|
||||
else
|
||||
sudoers="/etc/sudoers"
|
||||
fi
|
||||
for i in $( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep ^sudo /etc/group |cut -d: -f 4) | tr "," "\n" |sort -u); do
|
||||
grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile
|
||||
if [ $? != 0 ]; then
|
||||
echo 'IS_EVOMAINTENANCEUSERS FAILED!'
|
||||
if [ "$VERBOSE" = 1 ]; then
|
||||
echo "$i doesn't have evomaintenance trap!"
|
||||
else
|
||||
break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
else
|
||||
for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do
|
||||
grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/$i/.*profile
|
||||
if [ $? != 0 ]; then
|
||||
echo 'IS_EVOMAINTENANCEUSERS FAILED!'
|
||||
if [ "$VERBOSE" = 1 ]; then
|
||||
echo "$i doesn't have evomaintenance trap!"
|
||||
else
|
||||
break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verification de la configuration d'evomaintenance
|
||||
if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then
|
||||
}
|
||||
check_evomaintenanceconf(){
|
||||
f=/etc/evomaintenance.cf
|
||||
( test -e $f \
|
||||
&& test $(stat -c "%a" $f) = "600" \
|
||||
&& grep "^export PGPASSWORD" $f |grep -qv "your-passwd" \
|
||||
if [ -e "$f" ]; then
|
||||
perms=$(stat -f "%p" $f)
|
||||
test "$perms" = "100600" || echo "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 100600)"
|
||||
|
||||
{ grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \
|
||||
&& grep "^PGDB" $f | grep -qv "your-db" \
|
||||
&& grep "^PGTABLE" $f | grep -qv "your-table" \
|
||||
&& grep "^PGHOST" $f | grep -qv "your-pg-host" \
|
||||
|
@ -1072,15 +277,319 @@ if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then
|
|||
&& grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
|
||||
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
|
||||
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
|
||||
&& grep "^REALM" $f |grep -qv "example.com" ) || echo 'IS_EVOMAINTENANCECONF FAILED!'
|
||||
&& grep "^REALM" $f | grep -qv "example.com"
|
||||
} || echo "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
|
||||
else
|
||||
echo "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
|
||||
fi
|
||||
|
||||
if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
|
||||
for f in /etc/ssl/private/*; do
|
||||
perms=$(stat -L -c "%a" $f)
|
||||
if [ ${perms: -1} != "0" ]; then
|
||||
echo 'IS_PRIVKEYWOLRDREADABLE FAILED!'
|
||||
break
|
||||
}
|
||||
check_sync(){
|
||||
if ifconfig carp | grep carp 1> /dev/null 2>&1; then
|
||||
sync_script=/usr/share/scripts/sync.sh
|
||||
if [ ! -f $sync_script ]; then
|
||||
failed "IS_SYNC" "The sync.sh script is absent! As a carp member, a sync.sh script should be present in /usr/share/scripts"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
check_defaultroute(){
|
||||
if [ -f /etc/mygate ]; then
|
||||
file_route=$(cat /etc/mygate)
|
||||
used_route=$(route -n show -priority 8 | grep default | awk '{print $2}')
|
||||
if [ "$file_route" != "$used_route" ]; then
|
||||
failed "IS_DEFAULTROUTE" "The default route in /etc/mygate is different from the one currently used"
|
||||
fi
|
||||
else
|
||||
failed "IS_DEFAULTROUTE" "The file /etc/mygate does not exist. Make sure you have the same default route in this file as the one currently in use."
|
||||
fi
|
||||
}
|
||||
check_ntp(){
|
||||
if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then
|
||||
if [ $(wc -l /etc/ntpd.conf | awk '{print $1}') -ne 1 ]; then
|
||||
failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"."
|
||||
fi
|
||||
else
|
||||
failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"server ntp.evolix.net\"."
|
||||
fi
|
||||
}
|
||||
check_openvpncronlog(){
|
||||
if /etc/rc.d/openvpn check > /dev/null 2>&1; then
|
||||
grep -q 'cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo "$(date +\\%F. .\\%R) - logfile turned over via cron" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name "openvpn.log.\*" -mtime .365 -exec rm {} \\+' /var/cron/tabs/root || failed "IS_OPENVPNCRONLOG" "OpenVPN is enabled but there is no log rotation in the root crontab, or the cron is not up to date (OpenVPN log rotation in newsyslog is not used because a restart is needed)."
|
||||
fi
|
||||
}
|
||||
check_carpadvskew(){
|
||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||
for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
|
||||
ifconfig $carp | grep -q master
|
||||
master=$?
|
||||
ifconfig $carp | grep -q backup
|
||||
backup=$?
|
||||
advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
|
||||
if [ "$master" -eq 0 ]; then
|
||||
if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then
|
||||
failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
|
||||
fi
|
||||
elif [ "$backup" -eq 0 ]; then
|
||||
if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then
|
||||
failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
|
||||
fi
|
||||
else
|
||||
failed "IS_CARPADVSKEW" "Interface $carp is neither master nor backup. Check interface state."
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
check_nrpeopensmtpd() {
|
||||
grep -Rq "^command.*check_mailq.pl -M opensmtpd" /etc/nrpe.* || failed "IS_NRPE_OPENSMTPD" "NRPE \"check_mailq\" is not configured for opensmtpd."
|
||||
}
|
||||
check_sshallowusers() {
|
||||
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || failed "IS_SSHALLOWUSERS" "Missing AllowUsers or AllowGroups directive in sshd_config"
|
||||
}
|
||||
check_evobackup_exclude_mount() {
|
||||
excludes_file=$(mktemp)
|
||||
trap "rm -f ${excludes_file}" 0
|
||||
for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
|
||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||
not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}")
|
||||
for mount in ${not_excluded}; do
|
||||
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
|
||||
done
|
||||
done
|
||||
rm -rf "${excludes_file}"
|
||||
}
|
||||
check_etcgit() {
|
||||
export GIT_DIR="/etc/.git" GIT_WORK_TREE="/etc"
|
||||
git rev-parse --is-inside-work-tree > /dev/null 2>&1 || failed "IS_ETCGIT" "/etc is not a git repository"
|
||||
}
|
||||
check_evolinuxsudogroup() {
|
||||
if grep -q "^evolinux-sudo:" /etc/group; then
|
||||
grep -qE "^%evolinux-sudo ALL ?= ?\(ALL\) SETENV: ALL" /etc/sudoers || failed "IS_EVOLINUXSUDOGROUP" "Missing evolinux-sudo directive in sudoers file"
|
||||
fi
|
||||
}
|
||||
check_bind9munin() {
|
||||
if is_installed isc-bind; then
|
||||
{ test -L /etc/munin/plugins/bind9 \
|
||||
&& test -e /etc/munin/plugin-conf.d/bind9;
|
||||
} || failed "IS_BIND9MUNIN" "missing bind plugin for munin"
|
||||
fi
|
||||
}
|
||||
check_evolix_user() {
|
||||
grep -q -E "^evolix:" /etc/passwd && failed "IS_EVOLIX_USER" "evolix user should not exist"
|
||||
}
|
||||
download_versions() {
|
||||
local file
|
||||
file=${1:-}
|
||||
|
||||
## The file is supposed to list programs : each on a line, then its latest version number
|
||||
## Examples:
|
||||
# evoacme 21.06
|
||||
# evomaintenance 0.6.4
|
||||
|
||||
versions_url="https://upgrades.evolix.org/versions-openbsd"
|
||||
|
||||
# fetch timeout, in seconds
|
||||
timeout=10
|
||||
|
||||
if command -v curl > /dev/null; then
|
||||
curl -k --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}"
|
||||
# "-k" required until OpenBSD 6.8
|
||||
elif command -v wget > /dev/null; then
|
||||
wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}"
|
||||
elif command -v GET; then
|
||||
GET -t ${timeout}s "${versions_url}" > "${versions_file}"
|
||||
else
|
||||
failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET"
|
||||
fi
|
||||
test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}"
|
||||
}
|
||||
get_command() {
|
||||
local program
|
||||
program=${1:-}
|
||||
|
||||
case "${program}" in
|
||||
## Special cases where the program name is different than the command name
|
||||
evocheck) echo "${0}" ;;
|
||||
evomaintenance) command -v "evomaintenance.sh" ;;
|
||||
motd-carp-state) command -v "motd-carp-state.sh" ;;
|
||||
|
||||
## General case, where the program name is the same as the command name
|
||||
*) command -v "${program}" ;;
|
||||
esac
|
||||
}
|
||||
get_version() {
|
||||
local program
|
||||
local command
|
||||
program=${1:-}
|
||||
command=${2:-}
|
||||
|
||||
case "${program}" in
|
||||
## Special case if `command --version => 'command` is not the standard way to get the version
|
||||
# my_command)
|
||||
# /path/to/my_command --get-version
|
||||
# ;;
|
||||
|
||||
motd-carp-state)
|
||||
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
|
||||
;;
|
||||
## General case to get the version
|
||||
*) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
|
||||
esac
|
||||
}
|
||||
check_version() {
|
||||
local program
|
||||
local expected_version
|
||||
program=${1:-}
|
||||
expected_version=${2:-}
|
||||
|
||||
command=$(get_command "${program}")
|
||||
if [ -n "${command}" ]; then
|
||||
actual_version=$(get_version "${program}" "${command}")
|
||||
# printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}"
|
||||
if [ -z "${actual_version}" ]; then
|
||||
failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}"
|
||||
elif [ "${actual_version}" = "${expected_version}" ]; then
|
||||
: # Version check OK ; to check first because of the way the check works
|
||||
elif [ "$(echo ${actual_version}\\n${expected_version} | sort -V | head -n 1)" = "${actual_version}" ]; then
|
||||
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}"
|
||||
elif [ "$(echo ${actual_version}\\n${expected_version} | sort -V | head -n 1)" = "${expected_version}" ]; then
|
||||
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
add_to_path() {
|
||||
local new_path
|
||||
new_path=${1:-}
|
||||
|
||||
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
|
||||
}
|
||||
check_versions() {
|
||||
versions_file=$(mktemp -p /tmp "evocheck-versions.XXXXXXXX")
|
||||
trap "rm -f ${versions_file}" 0
|
||||
download_versions "${versions_file}"
|
||||
add_to_path "/usr/share/scripts"
|
||||
|
||||
grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
|
||||
local program
|
||||
local version
|
||||
program=$(echo "${line}" | cut -d ' ' -f 1)
|
||||
version=$(echo "${line}" | cut -d ' ' -f 2)
|
||||
|
||||
if [ -n "${program}" ]; then
|
||||
if [ -n "${version}" ]; then
|
||||
check_version "${program}" "${version}"
|
||||
else
|
||||
failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
rm -f "${versions_file}"
|
||||
}
|
||||
check_root_user() {
|
||||
if [ "$(grep "^root:" /etc/master.passwd | awk -F":" '{print $2}')" != "*************" ]; then
|
||||
failed "IS_ROOT_USER" "root user should not have a password ; replace the password field with 'vipw' for the root user with '*************' (exactly 13 asterisks) "
|
||||
fi
|
||||
}
|
||||
|
||||
main() {
|
||||
# Default return code : 0 = no error
|
||||
RC=0
|
||||
|
||||
test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
|
||||
test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec
|
||||
test "${IS_SOFTDEP:=1}" = 1 && check_softdep
|
||||
test "${IS_NOATIME:=1}" = 1 && check_noatime
|
||||
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
|
||||
test "${IS_RAIDOK:=1}" = 1 && check_raidok
|
||||
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
|
||||
test "${IS_UPTODATE:=1}" = 1 && check_uptodate
|
||||
test "${IS_UPTIME:=1}" = 1 && check_uptime
|
||||
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
|
||||
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
|
||||
test "${IS_CARPADVBASE:=1}" = 1 && check_carpadvbase
|
||||
test "${IS_CARPPREEMPT:=1}" = 1 && check_carppreempt
|
||||
test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
|
||||
test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
|
||||
test "${IS_WHEEL:=1}" = 1 && check_wheel
|
||||
test "${IS_PKGMIRROR:=1}" = 1 && check_pkgmirror
|
||||
test "${IS_HISTORY:=1}" = 1 && check_history
|
||||
test "${IS_VIM:=1}" = 1 && check_vim
|
||||
test "${IS_TTYC0SECURE:=1}" = 1 && check_ttyc0secure
|
||||
test "${IS_CUSTOMSYSLOG:=1}" = 1 && check_customsyslog
|
||||
test "${IS_SUDOMAINT:=1}" = 1 && check_sudomaint
|
||||
test "${IS_NRPE:=1}" = 1 && check_nrpe
|
||||
test "${IS_RSYNC:=1}" = 1 && check_rsync
|
||||
test "${IS_CRONPATH:=1}" = 1 && check_cronpath
|
||||
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
|
||||
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
|
||||
test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts
|
||||
test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno
|
||||
test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers
|
||||
test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf
|
||||
test "${IS_SYNC:=1}" = 1 && check_sync
|
||||
test "${IS_DEFAULTROUTE:=1}" = 1 && check_defaultroute
|
||||
test "${IS_NTP:=1}" = 1 && check_ntp
|
||||
test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
|
||||
test "${IS_CARPADVSKEW:=1}" = 1 && check_carpadvskew
|
||||
test "${IS_NRPE_OPENSMTPD:=1}" = 1 && check_nrpeopensmtpd
|
||||
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
|
||||
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
|
||||
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
|
||||
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
|
||||
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
|
||||
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
|
||||
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
|
||||
test "${IS_ROOT_USER:=1}" = 1 && check_root_user
|
||||
|
||||
exit ${RC}
|
||||
}
|
||||
|
||||
# Disable LANG*
|
||||
export LANG=C
|
||||
export LANGUAGE=C
|
||||
|
||||
# Source configuration file
|
||||
test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
||||
|
||||
# Parse options
|
||||
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||
while :; do
|
||||
case $1 in
|
||||
-h|-\?|--help)
|
||||
show_help
|
||||
exit 0
|
||||
;;
|
||||
--version)
|
||||
show_version
|
||||
exit 0
|
||||
;;
|
||||
--cron)
|
||||
IS_KERNELUPTODATE=0
|
||||
IS_UPTIME=0
|
||||
IS_CHECK_VERSIONS=0
|
||||
;;
|
||||
-v|--verbose)
|
||||
VERBOSE=1
|
||||
;;
|
||||
-q|--quiet)
|
||||
QUIET=1
|
||||
VERBOSE=0
|
||||
;;
|
||||
--)
|
||||
# End of all options.
|
||||
shift
|
||||
break
|
||||
;;
|
||||
-?*|[[:alnum:]]*)
|
||||
# ignore unknown options
|
||||
printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
|
||||
;;
|
||||
*)
|
||||
# Default case: If no more options then break out of the loop.
|
||||
break
|
||||
;;
|
||||
esac
|
||||
|
||||
shift
|
||||
done
|
||||
|
||||
main ${ARGS}
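Review bot: check_sshallowusers (L4880) passes when the directive is only present as a comment, because the pattern is unanchored: a stock `#AllowUsers` or `#AllowGroups` line satisfies `grep -E -qir "(AllowUsers|AllowGroups)"` while sshd enforces no user restriction, which defeats the purpose of an IS_SSHALLOWUSERS hardening check; `-r` on a single file is also a no-op. Anchoring at line start (allowing indentation for directives inside a `Match` block, and keeping `-i` since sshd keywords are case-insensitive) fixes it: `grep -E -qi "^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]" /etc/ssh/sshd_config || failed "IS_SSHALLOWUSERS" "Missing AllowUsers or AllowGroups directive in sshd_config"`. Separately, download_versions (L5020) fetches the version index with `curl -k`, i.e. without certificate verification, and every first field of that file is then resolved with `command -v` and executed as `${command} --version` (L5139), so the index is trusted input obtained over an unauthenticated channel; the comment says `-k` is needed until OpenBSD 6.8, so a comment such as `# TODO: drop -k once OpenBSD < 6.8 is unsupported; the index drives command execution` would flag it for removal, and the wget branch already verifies. The hunk opens inside check_evomaintenanceconf, whose definition starts above the hunk header.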
|
||||