dprevot/evocheck
1
0
Fork 0
forked from evolix/evocheck
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: dprevot:master
Branches Tags
dprevot:master
dprevot:openbsd
dprevot:check_compressed_mongodump
dprevot:check_all_files_in_backup_dir
dprevot:IS_NETWORKING_SERVICE
dprevot:bullseye
dprevot:fix-129
dprevot:IS_LXC_CONTAINER_RESOLV_CONF
dprevot:is_mysql_upgrade
dprevot:buster-support
dprevot:no-check-valid-until
dprevot:release-19.06
dprevot:fix-mysqlnrpe
dprevot:apachesymlink-verbose
dprevot:debian
dprevot:VERBOSE-ALERT5MINIFW
dprevot:11-Check-for-sysadmins-home-size
evolix:master
evolix:148
evolix:evoversions
evolix:autoif-bullseye
evolix:check_all_files_in_backup_dir
evolix:IS_NETWORKING_SERVICE
evolix:sources.list-support-option
evolix:IS_SYSTEMDUSERUNIT
evolix:minifirewall_systemd
evolix:check_compressed_mongodump
evolix:bullseye
evolix:IS_LXC_CONTAINER_RESOLV_CONF
evolix:is_mysql_upgrade
evolix:buster-support
evolix:no-check-valid-until
evolix:release-19.06
evolix:fix-mysqlnrpe
evolix:apachesymlink-verbose
evolix:debian
evolix:VERBOSE-ALERT5MINIFW
evolix:11-Check-for-sysadmins-home-size
dprevot:22.03
dprevot:22.03.1
dprevot:21.10.4
dprevot:21.10.1
dprevot:21.09
dprevot:20.12
dprevot:20.04.4
dprevot:20.04.3
dprevot:20.04.2
dprevot:20.04.1
dprevot:20.02.1
dprevot:19.11.1
dprevot:v19.11
dprevot:19.10
dprevot:19.09
dprevot:v19.06
dprevot:v19.04
dprevot:debian/0.13.1-1
dprevot:v0.13.1
dprevot:debian/0.13-1
dprevot:v0.13
dprevot:debian/0.12-1
dprevot:v0.12
dprevot:debian/0.11-1
dprevot:v0.11
evolix:linux/24.01
evolix:linux/23.11.1
evolix:linux/23.11
evolix:linux/23.10
evolix:linux/23.07
evolix:openbsd/23.06
evolix:linyx/23.04.01
evolix:linux/23.04
evolix:linux/23.03.01
evolix:linux/23.03
evolix:linux/23.02
evolix:openbsd/23.02
evolix:linux/23.0.2
evolix:openbsd/22.12
evolix:linux/22.12
evolix:openbsd/22.11
evolix:linux/22.11
evolix:openbsd22.10
evolix:linux/22.09
evolix:linux/22.08.1
evolix:linux/22.08
evolix:22.08
evolix:22.06.2
evolix:22.06.1
evolix:22.06
evolix:22.03
evolix:22.03.1
evolix:21.10.1
evolix:v19.04
evolix:debian/0.13.1-1
evolix:v0.13.1
evolix:debian/0.13-1
evolix:v0.13
evolix:debian/0.12-1
evolix:debian/0.11-1
evolix:19.09
evolix:19.10
evolix:19.11.1
evolix:20.02.1
evolix:20.04.1
evolix:20.04.2
evolix:20.04.3
evolix:20.04.4
evolix:20.12
evolix:21.09
evolix:21.10.4
evolix:v0.11
evolix:v0.12
evolix:v19.06
evolix:v19.11
..
compare: dprevot:11-Check-for-sysadmins-home-size
Branches Tags
dprevot:master
dprevot:openbsd
dprevot:check_compressed_mongodump
dprevot:check_all_files_in_backup_dir
dprevot:IS_NETWORKING_SERVICE
dprevot:bullseye
dprevot:fix-129
dprevot:IS_LXC_CONTAINER_RESOLV_CONF
dprevot:is_mysql_upgrade
dprevot:buster-support
dprevot:no-check-valid-until
dprevot:release-19.06
dprevot:fix-mysqlnrpe
dprevot:apachesymlink-verbose
dprevot:debian
dprevot:VERBOSE-ALERT5MINIFW
dprevot:11-Check-for-sysadmins-home-size
evolix:master
evolix:148
evolix:evoversions
evolix:autoif-bullseye
evolix:check_all_files_in_backup_dir
evolix:IS_NETWORKING_SERVICE
evolix:sources.list-support-option
evolix:IS_SYSTEMDUSERUNIT
evolix:minifirewall_systemd
evolix:check_compressed_mongodump
evolix:bullseye
evolix:IS_LXC_CONTAINER_RESOLV_CONF
evolix:is_mysql_upgrade
evolix:buster-support
evolix:no-check-valid-until
evolix:release-19.06
evolix:fix-mysqlnrpe
evolix:apachesymlink-verbose
evolix:debian
evolix:VERBOSE-ALERT5MINIFW
evolix:11-Check-for-sysadmins-home-size
dprevot:22.03
dprevot:22.03.1
dprevot:21.10.4
dprevot:21.10.1
dprevot:21.09
dprevot:20.12
dprevot:20.04.4
dprevot:20.04.3
dprevot:20.04.2
dprevot:20.04.1
dprevot:20.02.1
dprevot:19.11.1
dprevot:v19.11
dprevot:19.10
dprevot:19.09
dprevot:v19.06
dprevot:v19.04
dprevot:debian/0.13.1-1
dprevot:v0.13.1
dprevot:debian/0.13-1
dprevot:v0.13
dprevot:debian/0.12-1
dprevot:v0.12
dprevot:debian/0.11-1
dprevot:v0.11
evolix:linux/24.01
evolix:linux/23.11.1
evolix:linux/23.11
evolix:linux/23.10
evolix:linux/23.07
evolix:openbsd/23.06
evolix:linyx/23.04.01
evolix:linux/23.04
evolix:linux/23.03.01
evolix:linux/23.03
evolix:linux/23.02
evolix:openbsd/23.02
evolix:linux/23.0.2
evolix:openbsd/22.12
evolix:linux/22.12
evolix:openbsd/22.11
evolix:linux/22.11
evolix:openbsd22.10
evolix:linux/22.09
evolix:linux/22.08.1
evolix:linux/22.08
evolix:22.08
evolix:22.06.2
evolix:22.06.1
evolix:22.06
evolix:22.03
evolix:22.03.1
evolix:21.10.1
evolix:v19.04
evolix:debian/0.13.1-1
evolix:v0.13.1
evolix:debian/0.13-1
evolix:v0.13
evolix:debian/0.12-1
evolix:debian/0.11-1
evolix:19.09
evolix:19.10
evolix:19.11.1
evolix:20.02.1
evolix:20.04.1
evolix:20.04.2
evolix:20.04.3
evolix:20.04.4
evolix:20.12
evolix:21.09
evolix:21.10.4
evolix:v0.11
evolix:v0.12
evolix:v19.06
evolix:v19.11

2 commits
master ... 11-Check-f

Author SHA1 Message Date
Benoît S. 0c41b7a0fd IS_HOME_SIZE: Added space when breaking line 2019-02-19 14:59:25 +01:00
Benoît S. eeef449f55 Closes #11 Added IS_HOME_SIZE 
We loop for all sysadmins home dir (using evomaintenance trap) and calculate
their home size.  By default warn if more than 1G.
 2019-02-19 12:02:47 +01:00
5 changed files with 986 additions and 2056 deletions
Show stats Expand all files Collapse all files

8
.drone.yml
View file

@ -1,8 +0,0 @@
kind: pipeline
name: default
steps:
- name: run shellcheck on evocheck.sh
image: evolix/shellcheck
commands:
- LC_ALL=C.UTF-8 shellcheck evocheck.sh

3
.gitignore vendored
View file

@ -1,4 +1 @@
.vagrant .vagrant
*.swp
.DS_Store

239
CHANGELOG
View file

@ -1,243 +1,8 @@
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project **does not adhere to [Semantic Versioning](http://semver.org/spec/v2.0.0.html)**. and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
## [Unreleased] ## [Unreleased]
### Added
### Changed
### Deprecated
### Removed
### Fixed
### Security
## [22.06] 2022-06-03
### Added
* IS_AUTOIF: Ignore WireGuard interfaces
* IS_NETWORKING_SERVICE: check if networking service is enabled
### Changed
* IS_DEBIANSECURITY: Fix Debian security repo for Bullseye, cf https://www.debian.org/releases/stable/errata
## [22.05] 2022-05-12
### Changed
* IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command
## [22.04.1] 2022-04-25
### Changed
* fix various shellcheck violations
### Fixed
* IS_EVOBACKUP_EXCLUDE_MOUNT: fix one-file-system restriction
## [22.04] 2022-04-25
### Changed
* IS_EVOBACKUP_EXCLUDE_MOUNT : skip if --one-file-system is used
### Fixed
* check_versions: "IS_CHECK_VERSIONS" was checked but "IS_VERSIONS_CHECK" was echoed, now "IS_CHECK_VERSIONS" everywhere
### Security
* check_debiansecurity: Consider both https://deb\.debian\.org/debian-security/ and https://security\.debian\.org/debian-security/ as valid since both are documented as such.
## [22.03.1] 2022-03-22
### Changed
* check_autoif : Ignore lxcbr interfaces, new since bullseye
## [22.03] 2022-03-15
### Added
* check_mysqlmunin : Complain if munin plugin mysql_commands returns an error
* check_versions : track minifirewall version
## [21.10.4] 2021-10-25
### Changed
* IS_CHECK_VERSIONS disabled in cron mode
## [21.10.3] 2021-10-22
### Added
* Check for newer versions
* don't use "add-vm --version" yet
## [21.10.2] 2021-10-22
### Changed
* Let's try the --version flag before falling back to grep for the constant
## [21.10.1] 2021-10-01
### Added
* IS_SSHALLOWUSERS: also scan /etc/ssh/sshd_config.d
* IS_CHECK_VERSIONS: check installed versions of Evolix programs
## [21.10] 2021-10-01
### Fixed
* IS_DEBIANSECURITY: optional trailing slash
## [21.09] 2021-09-30
### Added
* Check for bullseye security repository
* Checks for new minifirewall configuration
* Improve MySQL utils configuration checks
## [21.07] 2021-07-07
### Added
* Preliminary Debian 11 « Bullseye » support
### Fixed
* IS_HARDWARERAIDTOOL: match more RAID PCI cards
### Security
## [20.12] 2021-01-18
### Fixed
* IS_EVOLIX_USER: Match on if account name begin by evolix, don't match account name testevolix for example
## [20.12] 2020-04-28
### Added
* support multiple values for SQL_BACKUP_PATH and POSTGRES_BACKUP_PATH
### Changed
* IS_EVOBACKUP_EXCLUDE_MOUNT: exclude disabled backup scripts
* IS_DUPLICATE_FS_LABEL: disable blkid cache
* IS_POSTGRES_BACKUP: look for compressed backup too
* IS_VARTMPFS: use findmnt if available
### Removed
* Remove unused PROGDIR variable
## [20.04.4] 2020-04-28
### Added
* IS_NGINX_LETSENCRYPT_UPTODATE: verify that the letsencrypt snippet is compatible with the current version of Nginx
## [20.04.3] 2020-04-24
### Fixed
* IS_EVOBACKUP_INCS: also look for the new command
## [20.04.2] 2020-04-15
### Added
* IS_CHROOTED_BINARY_NOT_UPTODATE: verify that chrooted processes run up-to-date binaries
## [20.04.1] 2020-04-12
### Added
* IS_EVOBACKUP_EXCLUDE_MOUNT : verify that mount points are excluded in evobackup scripts
## [20.02.1] - 2020-02-27
### Changed
* IS_EVOLINUXSUDOGROUP : improve sudoer directive detection
## [19.11.2] - 2019-11-07
### Changed
* IS_EVOMAINTENANCE_FW : warn only if HOOK_DB is enabled
* IS_BACKUPUPTODATE : check backup dates in the correct directory
## [19.11.1] - 2019-11-06
### Fixed
* IS_TMPUSRRO : improve grep for options detection
* IS_TMPNOEXEC : fix grep for options detection
## [19.11] - 2019-11-05
### Changed
* IS_TUNE2FS_M5 displays the name of the partition
* IS_MARIADBEVOLINUXCONF is disabled by default in cron mode
* IS_PHPEVOLINUXCONF is disabled by default in cron mode
* IS_OLD_HOME_DIR is disabled by default in cron mode
* IS_TMPNOEXEC : better "noexec" detection for /tmp
### Fixed
* squid: better http port detection
## [19.08] - 2019-08-30
### Changed
* better error messages for missing commands
## [19.06] - 2019-06-21
### Added
* new check: IS_OSPROBER
### Changed
* IS_DISKPERF is disabled by default
* verbose mode added for IS_APACHESYMLINK
### Fixed
* fix 5 apache checks (wrong package name was used)
* fix IS_MYSQLNRPE (wrong test on a tilde expansion variable)
## [19.04] - 2019-04-25
### Added
* IS_EVOBACKUP_INCS
### Changed
* change versioning scheme : year.month.patch
* extracts tests into functions
* add verbose and quiet modes
* add usage output on error
* add braces and quotes
## [0.13] - 2018-04-10 ## [0.13] - 2018-04-10
### Added ### Added
@ -304,7 +69,7 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
* IS_SQUID for Stretch * IS_SQUID for Stretch
* IS_LOG2MAILAPACHE for Stretch * IS_LOG2MAILAPACHE for Stretch
* IS_AUTOIF for Stretch * IS_AUTOIF for Stretch
* IS_UPTIME warn if uptime is more than 2y, was 1y * IS_UPTIME warn if uptime is more thant 2y, was 1y
* IS_NOTUPGRADED warn if last upgrade is older than 90d, was 30d * IS_NOTUPGRADED warn if last upgrade is older than 90d, was 30d
* IS_TUNE2FS_M5 use python in place of bc for calculation * IS_TUNE2FS_M5 use python in place of bc for calculation
* IS_EVOMAINTENANCEUSERS for Stretch * IS_EVOMAINTENANCEUSERS for Stretch

75
README.md
View file

@ -1,76 +1,13 @@
# Evocheck # Evocheck
It runs many compliance checks of the server with Evolix conventions. This program scans the machine it is run on and verifies if it
Non-compliance warnings are printed on standard output. adheres to the Evolix standard, non-compliance warnings are outputted
on standard out.
It supports Debian and OpenBSD systems. It is currently adapted for Debian and OpenBSD systems.
Some checks can be disabled in the `/etc/evocheck.cf` config file. Configure by modifying evocheck.cf and use the VagrantFile to test
it.
Tests can be run with Vagrant and the provided `VagrantFile`.
## How to contribute
Read the CONTRIBUTING.md file.
Try to respect the following conventions.
### Use the verbose mode to explain errors
The `failed` function takes a mandatory first argument for the check name and a secondary optional argument for the message to display in verbose mode. Example :
```shell
test -f /path/to/file || failed "IS_FILE_EXISTS" "Missing file \`/path/to/file'"
```
If the test is in a loop and might yield multiple errors, It's better to print a single error in normal mode and every error in verbose mode.
```shell
for user in $users; do
if ! groups "$user" | grep -q adm; then
failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
test "${VERBOSE}" = 1 || break
fi
done
```
In a single check with multiple conditions, the verbose message helps determine which condition failed. Example :
```shell
if [ "$last_upgrade" -eq 0 ]; then
[ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
[ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi
```
### Use existing predicates
There are a few predicate functions that help making conditionals.
For Debian versions : `is_debian`, `is_debian_stretch`, `is_debian_jessie`
For packs : `is_pack_web`, `is_pack_samba`.
For installed packages : `is_installed <package> [<package>]`.
### Extact variables
It's better not to inline function calls inside tests. Instead of this :
```shell
test "$(stat --format "%a" $MINIFW_FILE)" = "600" || failed "IS_MINIFWPERMS"
```
… prefer that :
```shell
actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
```
### Verify assumptions
It's better to verify that a file, a directory or a command is present before using it, even if it's true in more than 99% of situations.
## How to build the package for a new Debian release ## How to build the package for a new Debian release

2207
evocheck.sh
View file

@ -4,791 +4,553 @@
# Script to verify compliance of a Debian/OpenBSD server # Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix # powered by Evolix
VERSION="22.06" # Disable LANG*
readonly VERSION export LANG=C
export LANGUAGE=C
# base functions # Default configuration values
IS_TMP_1777=1
IS_ROOT_0700=1
IS_VARTMPFS=1
IS_USRSHARESCRIPTS=1
IS_SERVEURBASE=1
IS_LOGROTATECONF=1
IS_SYSLOGCONF=1
IS_DEBIANSECURITY=1
IS_APTITUDEONLY=1
IS_APTITUDE=1
IS_APTGETBAK=1
IS_APTICRON=0
IS_USRRO=1
IS_TMPNOEXEC=1
IS_LISTCHANGESCONF=1
IS_DPKGWARNING=1
IS_CUSTOMCRONTAB=1
IS_CUSTOMSUDOERS=1
IS_SSHPERMITROOTNO=1
IS_SSHALLOWUSERS=1
IS_TMOUTPROFILE=1
IS_ALERT5BOOT=1
IS_ALERT5MINIFW=1
IS_MINIFW=1
IS_NRPEPERMS=1
IS_MINIFWPERMS=1
IS_NRPEDISKS=0
IS_NRPEPOSTFIX=1
IS_NRPEPID=1
IS_GRSECPROCS=1
IS_UMASKSUDOERS=1
IS_EVOMAINTENANCEUSERS=1
IS_APACHEMUNIN=1
IS_MYSQLUTILS=1
IS_RAIDSOFT=1
IS_AWSTATSLOGFORMAT=1
IS_MUNINLOGROTATE=1
IS_EVOMAINTENANCECONF=1
#IS_METCHE=1
IS_SQUID=1
IS_MODDEFLATE=1
IS_LOG2MAILRUNNING=1
IS_LOG2MAILAPACHE=1
IS_LOG2MAILMYSQL=1
IS_LOG2MAILSQUID=1
IS_BINDCHROOT=1
IS_REPVOLATILE=1
IS_AUTOIF=1
IS_INTERFACESGW=1
IS_TOOMUCHDEBIANSYSMAINT=1
IS_USERLOGROTATE=1
IS_MODSECURITY=1
IS_APACHECTL=1
IS_APACHESYMLINK=1
IS_APACHEIPINALLOW=1
IS_MUNINAPACHECONF=1
IS_SAMBAPINPRIORITY=1
IS_KERNELUPTODATE=1
IS_UPTIME=1
IS_MUNINRUNNING=1
IS_BACKUPUPTODATE=1
IS_GITPERMS=1
IS_NOTUPGRADED=1
IS_TUNE2FS_M5=1
IS_PRIVKEYWOLRDREADABLE=1
IS_EVOLINUXSUDOGROUP=1
IS_USERINADMGROUP=1
IS_APACHE2EVOLINUXCONF=1
IS_BACKPORTSCONF=1
IS_BIND9MUNIN=1
IS_BIND9LOGROTATE=1
IS_BROADCOMFIRMWARE=1
IS_HARDWARERAIDTOOL=1
IS_LOG2MAILSYSTEMDUNIT=1
IS_LISTUPGRADE=1
IS_MARIADBEVOLINUXCONF=1
IS_MARIADBSYSTEMDUNIT=1
IS_MYSQLMUNIN=1
IS_PHPEVOLINUXCONF=1
IS_SQUIDLOGROTATE=1
IS_SQUIDEVOLINUXCONF=1
IS_SQL_BACKUP=1
IS_POSTGRES_BACKUP=1
IS_LDAP_BACKUP=1
IS_REDIS_BACKUP=1
IS_ELASTIC_BACKUP=1
IS_MONGO_BACKUP=1
IS_MOUNT_FSTAB=1
IS_NETWORK_INTERFACES=1
IS_EVOBACKUP=1
IS_DUPLICATE_FS_LABEL=1
IS_EVOMAINTENANCE_FW=1
IS_EVOLIX_USER=1
IS_EVOACME_CRON=1
IS_EVOACME_LIVELINKS=1
IS_APACHE_CONFENABLED=1
IS_MELTDOWN_SPECTRE=1
IS_OLD_HOME_DIR=1
IS_HOME_SIZE=1
show_version() { #Proper to OpenBSD
cat <<END IS_SOFTDEP=1
evocheck version ${VERSION} IS_WHEEL=1
IS_SUDOADMIN=1
IS_PKGMIRROR=1
IS_HISTORY=1
IS_VIM=1
IS_TTYC0SECURE=1
IS_CUSTOMSYSLOG=1
IS_NOINETD=1
IS_SUDOMAINT=1
IS_POSTGRESQL=1
IS_NRPE=1
IS_NRPEDAEMON=1
IS_ALERTBOOT=1
IS_RSYNC=1
Copyright 2009-2022 Evolix <info@evolix.fr>, # Verbose function
Romain Dessort <rdessort@evolix.fr>, verbose() {
Benoit Série <bserie@evolix.fr>, msg="${1:-$(cat /dev/stdin)}"
Gregory Colpart <reg@evolix.fr>, [ "${VERBOSE}" -eq 1 ] && [ -n "${msg}" ] && echo "${msg}"
Jérémy Lecour <jlecour@evolix.fr>,
Tristan Pilat <tpilat@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>,
Alexis Ben Miloud--Josselin <abenmiloud@evolix.fr>,
and others.
evocheck comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
evocheck is a script that verifies Evolix conventions on Debian/OpenBSD servers.
Usage: evocheck
or evocheck --cron
or evocheck --quiet
or evocheck --verbose
Options
--cron disable a few checks
-v, --verbose increase verbosity of checks
-q, --quiet nothing is printed on stdout nor stderr
-h, --help print this message and exit
--version print version and exit
END
} }
detect_os() { # Source configuration file
# OS detection test -f /etc/evocheck.cf && . /etc/evocheck.cf
DEBIAN_RELEASE=""
LSB_RELEASE_BIN=$(command -v lsb_release)
OPENBSD_RELEASE=""
if [ -e /etc/debian_version ]; then VERBOSE="${VERBOSE:-0}"
DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
if [ -x "${LSB_RELEASE_BIN}" ]; then # If --cron is passed, ignore some checks.
DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short) if [ "$1" = "--cron" ]; then
else IS_KERNELUPTODATE=0
case ${DEBIAN_VERSION} in IS_UPTIME=0
5) DEBIAN_RELEASE="lenny";;
6) DEBIAN_RELEASE="squeeze";;
7) DEBIAN_RELEASE="wheezy";;
8) DEBIAN_RELEASE="jessie";;
9) DEBIAN_RELEASE="stretch";;
10) DEBIAN_RELEASE="buster";;
11) DEBIAN_RELEASE="bullseye";;
12) DEBIAN_RELEASE="bookworm";;
esac
fi fi
elif [ "$(uname -s)" = "OpenBSD" ]; then
# use a better release name
OPENBSD_RELEASE=$(uname -r)
fi
}
is_debian() {
test -n "${DEBIAN_RELEASE}"
}
is_debian_lenny() {
test "${DEBIAN_RELEASE}" = "lenny"
}
is_debian_squeeze() {
test "${DEBIAN_RELEASE}" = "squeeze"
}
is_debian_wheezy() {
test "${DEBIAN_RELEASE}" = "wheezy"
}
is_debian_jessie() {
test "${DEBIAN_RELEASE}" = "jessie"
}
is_debian_stretch() {
test "${DEBIAN_RELEASE}" = "stretch"
}
is_debian_buster() {
test "${DEBIAN_RELEASE}" = "buster"
}
is_debian_bullseye() {
test "${DEBIAN_RELEASE}" = "bullseye"
}
is_debian_bookworm() {
test "${DEBIAN_RELEASE}" = "bookworm"
}
debian_release() {
printf "%s" "${DEBIAN_RELEASE}"
}
debian_version() {
printf "%s" "${DEBIAN_VERSION}"
}
is_openbsd() {
test -n "${OPENBSD_RELEASE}"
}
# Functions
is_pack_web(){ is_pack_web(){
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
} }
is_pack_samba(){ is_pack_samba(){
test -e /usr/share/scripts/add.pl test -e /usr/share/scripts/add.pl
} }
is_installed(){ is_installed(){
for pkg in "$@"; do for pkg in $*; do
dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1
done done
} }
minifirewall_file() {
case ${DEBIAN_RELEASE} in is_debianversion(){
lenny) echo "/etc/firewall.rc" ;; [ $(lsb_release -c -s) = $1 ] && return 0
squeeze) echo "/etc/firewall.rc" ;;
wheezy) echo "/etc/firewall.rc" ;;
jessie) echo "/etc/default/minifirewall" ;;
stretch) echo "/etc/default/minifirewall" ;;
*) echo "/etc/default/minifirewall" ;;
esac
} }
# logging is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
failed() { #-----------------------------------------------------------
check_name=$1 #Vérifie si c'est une debian et fait les tests appropriés.
shift #-----------------------------------------------------------
check_comments=$*
RC=1 if [ -e /etc/debian_version ]; then
if [ "${QUIET}" != 1 ]; then
if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}"
else
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
fi
fi
}
# check functions if [ "$IS_DPKGWARNING" = 1 ]; then
is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \
grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \
/etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' )
is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \
( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' )
test -e /etc/apt/apt.conf && echo 'IS_DPKGWARNING FAILED!' )
is_debianversion stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || echo 'IS_DPKGWARNING FAILED!')
fi
check_lsbrelease(){ if [ "$IS_UMASKSUDOERS" = 1 ]; then
if [ -x "${LSB_RELEASE_BIN}" ]; then is_debianversion squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || echo 'IS_UMASKSUDOERS FAILED!' )
## only the major version matters
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
rhs=$(cut -d "." -f 1 < /etc/debian_version)
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release (${lhs}) and /etc/debian_version (${rhs})"
else
failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
fi fi
}
check_dpkgwarning() {
if is_debian_squeeze; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf)
test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing."
fi
elif is_debian_wheezy; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
test -e /etc/apt/apt.conf.d/80evolinux \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing"
test -e /etc/apt/apt.conf \
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
fi
elif is_debian_stretch || is_debian_buster || is_debian_bullseye; then
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
fi
}
check_umasksudoers(){
if is_debian_squeeze; then
grep -q "^Defaults.*umask=0077" /etc/sudoers \
|| failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
fi
}
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) # Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
check_nrpepostfix() { if [ "$IS_NRPEPOSTFIX" = 1 ]; then
if is_installed postfix; then is_debianversion squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPOSTFIX FAILED!' )
if is_debian_squeeze; then is_debianversion squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || echo 'IS_NRPEPOSTFIX FAILED!' ) )
grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \
|| failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
else
{ test -e /etc/nagios/nrpe.cfg \
&& grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*;
} || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
fi
fi
}
# Check if mod-security config file is present
check_modsecurity() {
if is_debian_squeeze; then
if is_installed libapache-mod-security; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
elif is_debian_wheezy; then
if is_installed libapache2-modsecurity; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
fi
}
check_customsudoers() {
grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS" "missing umask=0077 in sudoers file"
}
check_vartmpfs() {
FINDMNT_BIN=$(command -v findmnt)
if [ -x "${FINDMNT_BIN}" ]; then
${FINDMNT_BIN} /var/tmp --type tmpfs --noheadings > /dev/null || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
else
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
fi
}
check_serveurbase() {
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
}
check_logrotateconf() {
test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d"
}
check_syslogconf() {
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \
|| failed "IS_SYSLOGCONF" "syslog evolix config file missing"
}
check_debiansecurity() {
if is_debian_bullseye; then
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
# https://www.debian.org/security/
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main"
elif is_debian_buster; then
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main"
elif is_debian_stretch; then
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main"
else
pattern="^deb.*security"
fi fi
source_file="/etc/apt/sources.list" # Check if mod-security config file is present
grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository" if [ "$IS_MODSECURITY" = 1 ]; then
} is_debianversion squeeze && is_installed libapache-mod-security && \
check_aptitudeonly() { (test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!')
if is_debian_squeeze || is_debian_wheezy; then is_debianversion wheezy && is_installed libapache2-modsecurity && \
test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" \ (test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!')
"only aptitude may be enabled on Debian <=7, apt-get should be disabled"
fi fi
}
check_aptitude() { if [ "$IS_CUSTOMSUDOERS" = 1 ]; then
if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!'
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
fi fi
}
check_aptgetbak() { if [ "$IS_VARTMPFS" = 1 ]; then
if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!'
test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" "prohibit the installation of apt-get.bak with dpkg-divert(1)"
fi fi
}
check_apticron() { if [ "$IS_SERVEURBASE" = 1 ]; then
is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!'
fi
if [ "$IS_LOGROTATECONF" = 1 ]; then
test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!'
fi
if [ "$IS_SYSLOGCONF" = 1 ]; then
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!'
fi
if [ "$IS_DEBIANSECURITY" = 1 ]; then
grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!'
fi
if [ "$IS_APTITUDEONLY" = 1 ]; then
is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
fi
if [ "$IS_APTITUDE" = 1 ]; then
is_debianversion jessie && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!'
is_debianversion stretch && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!'
fi
if [ "$IS_APTGETBAK" = 1 ]; then
is_debianversion jessie && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!'
is_debianversion stretch && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!'
fi
if [ "$IS_APTICRON" = 1 ]; then
status="OK" status="OK"
test -e /etc/cron.d/apticron || status="fail" test -e /etc/cron.d/apticron || status="fail"
test -e /etc/cron.daily/apticron && status="fail" test -e /etc/cron.daily/apticron && status="fail"
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!'
fi
if is_debian_squeeze || is_debian_wheezy; then if [ "$IS_USRRO" = 1 ]; then
test "$status" = "fail" && failed "IS_APTICRON" "apticron must be in cron.d not cron.daily" grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!'
fi fi
}
check_usrro() { if [ "$IS_TMPNOEXEC" = 1 ]; then
grep /usr /etc/fstab | grep -qE "\bro\b" || failed "IS_USRRO" "missing ro directive on fstab for /usr" mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!'
}
check_tmpnoexec() {
FINDMNT_BIN=$(command -v findmnt)
if [ -x "${FINDMNT_BIN}" ]; then
options=$(${FINDMNT_BIN} --noheadings --first-only --output OPTIONS /tmp)
echo "${options}" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'"
else
mount | grep "on /tmp" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec' (WARNING: findmnt(8) is not found)"
fi fi
}
check_mountfstab() { if [ "$IS_MOUNT_FSTAB" = 1 ]; then
# Test if lsblk available, if not skip this test... # Test if lsblk available, if not skip this test...
LSBLK_BIN=$(command -v lsblk) if test -x "$(command -v lsblk)"; then
if test -x "${LSBLK_BIN}"; then for mountPoint in $(lsblk -o MOUNTPOINT -l -n | grep '/'); do
for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do grep -Eq "$mountPoint\W" /etc/fstab || echo 'IS_MOUNT_FSTAB FAILED!'
grep -Eq "$mountPoint\W" /etc/fstab \
|| failed "IS_MOUNT_FSTAB" "partition(s) detected mounted but no presence in fstab"
done done
fi fi
}
check_listchangesconf() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed apt-listchanges; then
failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9"
fi fi
if [ "$IS_LISTCHANGESCONF" = 1 ]; then
if is_debianversion stretch; then
is_installed apt-listchanges && echo 'IS_LISTCHANGESCONF FAILED!' \
&& verbose "apt-listchanges must not be installed on Stretch"
else else
if [ -e "/etc/apt/listchanges.conf" ]; then test -e /etc/apt/listchanges.conf && grep -E "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!' \
lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) && verbose "apt-listchanges config is incorrect"
if [ "$lines" != 2 ]; then
failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect"
fi
else
failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing"
fi fi
fi fi
}
check_customcrontab() { if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab) grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!'
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
}
check_sshallowusers() {
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
}
check_diskperf() {
perfFile="/root/disk-perf.txt"
test -e $perfFile || failed "IS_DISKPERF" "missing ${perfFile}"
}
check_tmoutprofile() {
grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
}
check_alert5boot() {
if is_debian_buster || is_debian_bullseye; then
grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
if [ -f /etc/systemd/system/alert5.service ]; then
systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
else
failed "IS_ALERT5BOOT" "alert5 unit file is missing"
fi fi
else
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then if [ "$IS_SSHALLOWUSERS" = 1 ]; then
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!'
elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then
grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script"
else
failed "IS_ALERT5BOOT" "alert5 init script is missing"
fi fi
if [ "$IS_DISKPERF" = 1 ]; then
test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!'
fi fi
}
check_alert5minifw() { if [ "$IS_TMOUTPROFILE" = 1 ]; then
if is_debian_buster || is_debian_bullseye; then grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!'
grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing"
else
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then
grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
else
failed "IS_ALERT5MINIFW" "alert5 init script is missing"
fi fi
if [ "$IS_ALERT5BOOT" = 1 ]; then
grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!'
fi fi
}
check_minifw() { if [ "$IS_ALERT5MINIFW" = 1 ]; then
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!'
|| failed "IS_MINIFW" "minifirewall seems not started"
}
check_minifw_includes() {
if is_debian_bullseye; then
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "${MINIFW_FILE}"; then
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in ${MINIFW_FILE} that should go in /etc/minifirewall.d/"
fi fi
if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!'
fi fi
}
check_nrpeperms() { if [ "$IS_NRPEPERMS" = 1 ]; then
if [ -d /etc/nagios ]; then test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!'
nagiosDir="/etc/nagios"
actual=$(stat --format "%a" $nagiosDir)
expected="750"
test "$expected" = "$actual" || failed "IS_NRPEPERMS" "${nagiosDir} must be ${expected}"
fi fi
}
check_minifwperms() { if [ "$IS_MINIFWPERMS" = 1 ]; then
if [ -f "$MINIFW_FILE" ]; then ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
actual=$(stat --format "%a" "$MINIFW_FILE")
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS" "${MINIFW_FILE} must be ${expected}"
fi fi
}
check_nrpedisks() { if [ "$IS_NRPEDISKS" = 1 ]; then
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)") DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg" [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
}
check_nrpepid() {
if is_debian_bullseye; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
elif ! is_debian_squeeze; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
fi fi
}
check_grsecprocs() { if [ "$IS_NRPEPID" = 1 ]; then
if uname -a | grep -q grsec; then is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!')
{ grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \
&& grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root";
} || failed "IS_GRSECPROCS" "missing munin's plugin processes directive for grsec"
fi fi
}
check_apachemunin() { if [ "$IS_GRSECPROCS" = 1 ]; then
if test -e /etc/apache2/apache2.conf; then uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' )
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
{ test -h /etc/apache2/mods-enabled/status.load \
&& test -h /etc/munin/plugins/apache_accesses \
&& test -h /etc/munin/plugins/apache_processes \
&& test -h /etc/munin/plugins/apache_volume;
} || failed "IS_APACHEMUNIN" "missing munin plugins for Apache"
else
pattern="/server-status-[[:alnum:]]{4,}"
{ grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \
&& { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \
|| grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf;
};
} || failed "IS_APACHEMUNIN" "server status is not properly configured"
fi fi
if [ "$IS_APACHEMUNIN" = 1 ]; then
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) )
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' ) )
fi fi
}
# Verification mytop + Munin si MySQL # Verification mytop + Munin si MySQL
check_mysqlutils() { if [ "$IS_MYSQLUTILS" = 1 ]; then
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin} MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
if is_installed mysql-server; then if is_installed mysql-server; then
# With Debian 11 and later, root can connect to MariaDB with the socket
if is_debian_wheezy || is_debian_jessie || is_debian_stretch || is_debian_buster; then
# You can configure MYSQL_ADMIN in evocheck.cf # You can configure MYSQL_ADMIN in evocheck.cf
if ! grep -qs "^user *= *${MYSQL_ADMIN}" /root/.my.cnf; then grep -qs "$MYSQL_ADMIN" /root/.my.cnf && echo 'IS_MYSQLUTILS FAILED!' \
failed "IS_MYSQLUTILS" "${MYSQL_ADMIN} missing in /root/.my.cnf" && verbose 'mysqladmin missing in /root/.my.cnf'
( test -x /usr/bin/mytop || test -x /usr/local/bin/mytop ) \
&& echo 'IS_MYSQLUTILS FAILED!' && verbose 'mytop binary missing'
grep -qs debian-sys-maint /root/.mytop || echo 'IS_MYSQLUTILS FAILED!' \
&& verbose 'debian-sys-maint missing in /root/.mytop'
fi fi
fi fi
if ! test -x /usr/bin/mytop; then
if ! test -x /usr/local/bin/mytop; then
failed "IS_MYSQLUTILS" "mytop binary missing"
fi
fi
if ! grep -qs '^user *=' /root/.mytop; then
failed "IS_MYSQLUTILS" "credentials missing in /root/.mytop"
fi
fi
}
# Verification de la configuration du raid soft (mdadm) # Verification de la configuration du raid soft (mdadm)
check_raidsoft() { if [ "$IS_RAIDSOFT" = 1 ]; then
if test -e /proc/mdstat && grep -q md /proc/mdstat; then test -e /proc/mdstat && grep -q md /proc/mdstat && \
{ grep -q "^AUTOCHECK=true" /etc/default/mdadm \ ( grep -q "^AUTOCHECK=true" /etc/default/mdadm \
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \ && grep -q "^START_DAEMON=true" /etc/default/mdadm \
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf; && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!')
} || failed "IS_RAIDSOFT" "missing or wrong config for mdadm"
fi fi
}
# Verification du LogFormat de AWStats # Verification du LogFormat de AWStats
check_awstatslogformat() { if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then
if is_installed apache2 awstats; then is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' )
awstatsFile="/etc/awstats/awstats.conf.local"
grep -qE '^LogFormat=1' $awstatsFile \
|| failed "IS_AWSTATSLOGFORMAT" "missing or wrong LogFormat directive in $awstatsFile"
fi fi
}
# Verification de la présence de la config logrotate pour Munin # Verification de la présence de la config logrotate pour Munin
check_muninlogrotate() { if [ "$IS_MUNINLOGROTATE" = 1 ]; then
{ test -e /etc/logrotate.d/munin-node \ ( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!'
&& test -e /etc/logrotate.d/munin; fi
} || failed "IS_MUNINLOGROTATE" "missing lorotate file for munin"
} # Verification de la présence de metche
#if [ "$IS_METCHE" = 1 ]; then
# is_installed metche || echo 'IS_METCHE FAILED!'
#fi
# Verification de l'activation de Squid dans le cas d'un pack mail # Verification de l'activation de Squid dans le cas d'un pack mail
check_squid() { if [ "$IS_SQUID" = 1 ]; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then squidconffile=/etc/squid*/squid.conf
squidconffile="/etc/squid/evolinux-custom.conf" is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
else is_pack_web && ( is_installed squid || is_installed squid3 \
squidconffile="/etc/squid*/squid.conf" && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
fi fi
if is_pack_web && (is_installed squid || is_installed squid3); then
host=$(hostname -i) if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
# shellcheck disable=SC2086
http_port=$(grep -E "^http_port\s+[0-9]+" $squidconffile | awk '{ print $2 }')
{ grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
} || grep -qE "^PROXY='?on'?" "$MINIFW_FILE" \
|| failed "IS_SQUID" "missing squid rules in minifirewall"
fi
}
check_evomaintenance_fw() {
if [ -f "$MINIFW_FILE" ]; then if [ -f "$MINIFW_FILE" ]; then
hook_db=$(grep -E '^\s*HOOK_DB' /etc/evomaintenance.cf | tr -d ' ' | cut -d= -f2)
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE") rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
if [ "$hook_db" = "1" ] && [ "$rulesNumber" -lt 2 ]; then if [ "$rulesNumber" -lt 2 ]; then
failed "IS_EVOMAINTENANCE_FW" "HOOK_DB is enabled but missing evomaintenance rules in minifirewall" echo 'IS_EVOMAINTENANCE_FW FAILED!'
fi fi
fi fi
} fi
# Verification de la conf et de l'activation de mod-deflate # Verification de la conf et de l'activation de mod-deflate
check_moddeflate() { if [ "$IS_MODDEFLATE" = 1 ]; then
f=/etc/apache2/mods-enabled/deflate.conf f=/etc/apache2/mods-enabled/deflate.conf
if is_installed apache2.2; then is_installed apache2.2 && (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
{ test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \ && grep -q "AddOutputFilterByType DEFLATE text/css" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f; && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!')
} || failed "IS_MODDEFLATE" "missing AddOutputFilterByType directive for apache mod deflate"
fi fi
}
# Verification de la conf log2mail # Verification de la conf log2mail
check_log2mailrunning() { if [ "$IS_LOG2MAILRUNNING" = 1 ]; then
if is_pack_web && is_installed log2mail; then is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING')
pgrep log2mail >/dev/null || failed "IS_LOG2MAILRUNNING" "log2mail is not running"
fi fi
} if [ "$IS_LOG2MAILAPACHE" = 1 ]; then
check_log2mailapache() { if is_debianversion stretch; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
conf=/etc/log2mail/config/apache conf=/etc/log2mail/config/apache
else else
conf=/etc/log2mail/config/default conf=/etc/log2mail/config/default
fi fi
if is_pack_web && is_installed log2mail; then is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null || echo 'IS_LOG2MAILAPACHE FAILED!' )
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|| failed "IS_LOG2MAILAPACHE" "missing log2mail directive for apache"
fi fi
} if [ "$IS_LOG2MAILMYSQL" = 1 ]; then
check_log2mailmysql() { is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null || echo 'IS_LOG2MAILMYSQL FAILED!' )
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \
|| failed "IS_LOG2MAILMYSQL" "missing log2mail directive for mysql"
fi fi
} if [ "$IS_LOG2MAILSQUID" = 1 ]; then
check_log2mailsquid() { is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \
if is_pack_web && is_installed log2mail; then /etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' )
grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \
|| failed "IS_LOG2MAILSQUID" "missing log2mail directive for squid"
fi fi
}
# Verification si bind est chroote # Verification si bind est chroote
check_bindchroot() { if [ "$IS_BINDCHROOT" = 1 ]; then
if is_installed bind9; then if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') if [ "$(md5sum /usr/sbin/named |cut -f 1 -d ' ')" != "$(md5sum /var/chroot-bind/usr/sbin/named |cut -f 1 -d ' ')" ]; then
md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') echo 'IS_BINDCHROOT FAILED!'
if [ "$md5_original" != "$md5_chrooted" ]; then
failed "IS_BINDCHROOT" "the chrooted bind binary is different than the original binary"
fi fi
else else
failed "IS_BINDCHROOT" "bind process is not chrooted" echo 'IS_BINDCHROOT FAILED!'
fi fi
fi fi
fi fi
}
# Verification de la présence du depot volatile # Verification de la présence du depot volatile
check_repvolatile() { if [ "$IS_REPVOLATILE" = 1 ]; then
if is_debian_lenny; then test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \ test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
|| failed "IS_REPVOLATILE" "missing debian-volatile repository"
fi fi
if is_debian_squeeze; then
grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE" "missing squeeze-updates repository"
fi
}
# /etc/network/interfaces should be present, we don't manage systemd-network yet # /etc/network/interfaces should be present, we don't manage systemd-network yet
check_network_interfaces() { if [ "$IS_NETWORK_INTERFACES" = 1 ]; then
if ! test -f /etc/network/interfaces; then if ! test -f /etc/network/interfaces; then
echo "IS_NETWORK_INTERFACES FAILED!"
IS_AUTOIF=0 IS_AUTOIF=0
IS_INTERFACESGW=0 IS_INTERFACESGW=0
failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet"
fi
}
# Verify if all if are in auto
check_autoif() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
else
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
fi
for interface in $interfaces; do
if ! grep -q "^auto $interface" /etc/network/interfaces; then
failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto"
test "${VERBOSE}" = 1 || break
fi
done
}
# Network conf verification
check_interfacesgw() {
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway"
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway"
}
# Verification de létat du service networking
check_networking_service() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if systemctl is-enabled networking.service > /dev/null; then
if ! systemctl is-active networking.service > /dev/null; then
failed "IS_NETWORKING_SERVICE" "networking.service is not active"
fi fi
fi fi
fi
}
# Verification de la mise en place d'evobackup
check_evobackup() {
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
}
# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
check_evobackup_exclude_mount() {
excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX")
files_to_cleanup="${files_to_cleanup} ${excludes_file}"
# shellcheck disable=SC2044 # Verify if all if are in auto
for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do if [ "$IS_AUTOIF" = 1 ]; then
# if the file seems to be a backup script, with an Rsync invocation is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do
if grep -q "^\s*rsync" "${evobackup_file}"; then grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
# If rsync is not limited by "one-file-system" done
# then we verify that every mount is excluded is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do
if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
for mount in ${not_excluded}; do
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
done done
fi fi
# Network conf verification
if [ "$IS_INTERFACESGW" = 1 ]; then
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!'
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!'
fi fi
done
} # Verification de la mise en place d'evobackup
if [ "$IS_EVOBACKUP" = 1 ]; then
ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
fi
# Verification de la presence du userlogrotate # Verification de la presence du userlogrotate
check_userlogrotate() { if [ "$IS_USERLOGROTATE" = 1 ]; then
if is_pack_web; then is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!')
test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE" "missing userlogrotate cron"
fi fi
}
# Verification de la syntaxe de la conf d'Apache # Verification de la syntaxe de la conf d'Apache
check_apachectl() { if [ "$IS_APACHECTL" = 1 ]; then
if is_installed apache2; then is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!')
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" \
|| failed "IS_APACHECTL" "apache errors detected, run a configtest"
fi fi
}
# Check if there is regular files in Apache sites-enabled. # Check if there is regular files in Apache sites-enabled.
check_apachesymlink() { if [ "$IS_APACHESYMLINK" = 1 ]; then
if is_installed apache2; then is_installed apache2.2-common && \
apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print) (stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && echo 'IS_APACHESYMLINK FAILED!')
nbApacheFind=$(wc -m <<< "$apacheFind")
if [[ $nbApacheFind -gt 1 ]]; then
if [[ $VERBOSE == 1 ]]; then
while read -r line; do
failed "IS_APACHESYMLINK" "Not a symlink: $line"
done <<< "$apacheFind"
else
failed "IS_APACHESYMLINK"
fi fi
fi
fi
}
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
check_apacheipinallow() { if [ "$IS_APACHEIPINALLOW" = 1 ]; then
# Note: Replace "exit 1" by "print" in Perl code to debug it. # Note: Replace "exit 1" by "print" in Perl code to debug it.
if is_installed apache2; then is_installed apache2.2-common && \
grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ (grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ |grep -iv "from all" |grep -iv "env=" |perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || echo 'IS_APACHEIPINALLOW FAILED!')
| grep -iv "from all" \
| grep -iv "env=" \
| perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \
|| failed "IS_APACHEIPINALLOW" "bad (Allow|Deny) directives in apache"
fi fi
}
# Check if default Apache configuration file for munin is absent (or empty or commented). # Check if default Apache configuration file for munin is absent (or empty or commented).
check_muninapacheconf() { if [ "$IS_MUNINAPACHECONF" = 1 ]; then
if is_debian_squeeze || is_debian_wheezy; then if is_debianversion squeeze || is_debianversion wheezy; then
muninconf="/etc/apache2/conf.d/munin" muninconf="/etc/apache2/conf.d/munin"
else else
muninconf="/etc/apache2/conf-available/munin.conf" muninconf="/etc/apache2/conf-available/munin.conf"
fi fi
if is_installed apache2; then is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!')
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \
&& failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled"
fi fi
}
# Verification de la priorité du package samba si les backports sont utilisés # Verification de la priorité du package samba si les backports sont utilisés
check_sambainpriority() { if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then
if is_debian_lenny && is_pack_samba; then is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' )
if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then
priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ")
test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY" "bad pinning priority for samba"
fi fi
fi
}
# Verification si le système doit redémarrer suite màj kernel. # Verification si le système doit redémarrer suite màj kernel.
check_kerneluptodate() { if [ "$IS_KERNELUPTODATE" = 1 ]; then
if is_installed linux-image*; then if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
# shellcheck disable=SC2012 echo 'IS_KERNELUPTODATE FAILED!'
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised"
fi fi
fi fi
}
# Check if the server is running for more than a year. # Check if the server is running for more than a year.
check_uptime() { if [ "$IS_UPTIME" = 1 ]; then
if is_installed linux-image*; then if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
limit=$(date -d "now - 2 year" +%s) echo 'IS_UPTIME FAILED!'
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$limit" -gt "$last_reboot_at" ]; then
failed "IS_UPTIME" "machine has an uptime of more than 2 years, reboot on new kernel advised"
fi fi
fi fi
}
# Check if munin-node running and RRD files are up to date. # Check if munin-node running and RRD files are up to date.
check_muninrunning() { if [ "$IS_MUNINRUNNING" = 1 ]; then
if ! pgrep munin-node >/dev/null; then pgrep munin-node >/dev/null || echo 'IS_MUNINRUNNING FAILED!'
failed "IS_MUNINRUNNING" "Munin is not running" [ "$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ] && echo 'IS_MUNINRUNNING FAILED!'
elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then grep -q "^graph_strategy cron" /etc/munin/munin.conf && ([ "$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ]) && echo 'IS_MUNINRUNNING FAILED!'
limit=$(date +"%s" -d "now - 10 minutes")
if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then
updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)
[ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)"
fi fi
if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then
updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)
grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)"
fi
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)"
fi
}
# Check if files in /home/backup/ are up-to-date # Check if files in /home/backup/ are up-to-date
check_backupuptodate() { if [ "$IS_BACKUPUPTODATE" = 1 ]; then
backup_dir="/home/backup" [ -d /home/backup/ ] && for file in /home/backup/*; do
if [ -d "${backup_dir}" ]; then if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
if [ -n "$(ls -A ${backup_dir})" ]; then echo 'IS_BACKUPUPTODATE FAILED!'
# shellcheck disable=SC2231 break;
for file in ${backup_dir}/*; do fi
limit=$(date +"%s" -d "now - 2 day") done
updated_at=$(stat -c "%Y" "$file") fi
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
test "${VERBOSE}" = 1 || break;
fi
done
else
failed "IS_BACKUPUPTODATE" "${backup_dir}/ is empty"
fi
else
failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing"
fi
}
check_etcgit() {
export GIT_DIR="/etc/.git" GIT_WORK_TREE="/etc"
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|| failed "IS_ETCGIT" "/etc is not a git repository"
}
# Check if /etc/.git/ has read/write permissions for root only. # Check if /etc/.git/ has read/write permissions for root only.
check_gitperms() { if [ "$IS_GITPERMS" = 1 ]; then
GIT_DIR="/etc/.git" test -d /etc/.git && [ "$(stat -c "%a" /etc/.git/)" = "700" ] || echo 'IS_GITPERMS FAILED!'
if test -d $GIT_DIR; then
expected="700"
actual=$(stat -c "%a" $GIT_DIR)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected"
fi fi
}
# Check if no package has been upgraded since $limit. # Check if no package has been upgraded since $limit.
check_notupgraded() { if [ "$IS_NOTUPGRADED" = 1 ]; then
last_upgrade=0 last_upgrade=0
upgraded=false if zgrep -hq upgrade /var/log/dpkg.log*; then
for log in /var/log/dpkg.log*; do last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
if zgrep -qsm1 upgrade "$log"; then
# There is at least one upgrade
upgraded=true
break
fi fi
done if grep -q '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
if $upgraded; then || grep -q -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
fi
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
# Manual upgrade process # Manual upgrade process
limit=$(date +%s -d "now - 180 days") limit=$(date +%s -d "now - 180 days")
else else
@ -800,228 +562,174 @@ check_notupgraded() {
install_date=$(stat -c %Z /var/log/installer) install_date=$(stat -c %Z /var/log/installer)
fi fi
# Check install_date if the system never received an upgrade # Check install_date if the system never received an upgrade
if [ "$last_upgrade" -eq 0 ]; then if [ $last_upgrade -eq 0 ]; then
[ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated" [ $install_date -lt $limit ] && echo 'IS_NOTUPGRADED FAILED!'
else else
[ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" [ $last_upgrade -lt $limit ] && echo 'IS_NOTUPGRADED FAILED!'
fi fi
} fi
# Check if reserved blocks for root is at least 5% on every mounted partitions. # Check if reserved blocks for root is at least 5% on every mounted partitions.
check_tune2fs_m5() { if [ "$IS_TUNE2FS_M5" = 1 ]; then
min=5
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
FINDMNT_BIN=$(command -v findmnt)
for part in $parts; do for part in $parts; do
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
# If buggy partition, skip it. # If buggy partition, skip it.
if [ -z "$blockCount" ]; then if [ -z $blockCount ]; then
continue continue
fi fi
reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+")
# Use awk to have a rounded percentage percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))")
# python is slow, bash is unable and bc rounds weirdly if [ "$percentage" -lt 5 ]; then
percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }") echo 'IS_TUNE2FS_M5 FAILED!'
verbose "Partition $part has less than 5% reserved blocks!"
fi
done
fi
if [ "$percentage" -lt "${min}" ]; then if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then
if [ -x "${FINDMNT_BIN}" ]; then if is_debianversion stretch; then
mount=$(${FINDMNT_BIN} --noheadings --first-only --output TARGET "${part}") (grep -q ^evolinux-sudo: /etc/group \
else && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || echo 'IS_EVOLINUXSUDOGROUP FAILED!'
mount="unknown mount point"
fi
failed "IS_TUNE2FS_M5" "Partition ${part} (${mount}) has less than ${min}% reserved blocks (${percentage}%)"
fi
done
}
check_evolinuxsudogroup() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if grep -q "^evolinux-sudo:" /etc/group; then
if [ -f /etc/sudoers.d/evolinux ]; then
grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
fi fi
fi fi
fi
} if [ "$IS_USERINADMGROUP" = 1 ]; then
check_userinadmgroup() { if is_debianversion stretch; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then for user in $(grep ^evolinux-sudo: /etc/group |awk -F: '{print $4}' |tr ',' ' '); do
users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') groups $user |grep -q adm || echo 'IS_USERINADMGROUP FAILED!'
for user in $users; do
if ! groups "$user" | grep -q adm; then
failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
test "${VERBOSE}" = 1 || break
fi
done done
fi fi
} fi
check_apache2evolinuxconf() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then
if is_installed apache2; then if (test -d /etc/apache2 && is_debianversion stretch); then
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ (test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
&& test -f /etc/apache2/ipaddr_whitelist.conf; && test -f /etc/apache2/ipaddr_whitelist.conf) || echo 'IS_APACHE2EVOLINUXCONF FAILED!'
} || failed "IS_APACHE2EVOLINUXCONF" "missing custom evolinux apache config"
fi fi
fi fi
}
check_backportsconf() { if [ "$IS_BACKPORTSCONF" = 1 ]; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_debianversion stretch; then
grep -qsE "^[^#].*backports" /etc/apt/sources.list \ grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list" && echo 'IS_BACKPORTSCONF FAILED!'
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| failed "IS_BACKPORTSCONF" "backports must have preferences" || echo 'IS_BACKPORTSCONF FAILED!'
fi fi
fi fi
} fi
check_bind9munin() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if [ "$IS_BIND9MUNIN" = 1 ]; then
if is_installed bind9; then if is_debianversion stretch && is_installed bind9; then
{ test -L /etc/munin/plugins/bind9 \ (test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) || echo 'IS_BIND9MUNIN FAILED!'
&& test -e /etc/munin/plugin-conf.d/bind9;
} || failed "IS_BIND9MUNIN" "missing bind plugin for munin"
fi fi
fi fi
}
check_bind9logrotate() { if [ "$IS_BIND9LOGROTATE" = 1 ]; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_debianversion stretch && is_installed bind9; then
if is_installed bind9; then test -e /etc/logrotate.d/bind9 || echo 'IS_BIND9LOGROTATE FAILED!'
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
fi fi
fi fi
}
check_broadcomfirmware() { if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then
LSPCI_BIN=$(command -v lspci) if lspci | grep -q 'NetXtreme II'; then
if [ -x "${LSPCI_BIN}" ]; then (is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) || echo 'IS_BROADCOMFIRMWARE FAILED!'
if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then
{ is_installed firmware-bnx2 \
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
} || failed "IS_BROADCOMFIRMWARE" "missing non-free repository"
fi
else
failed "IS_BROADCOMFIRMWARE" "lspci not found in ${PATH}"
fi
}
check_hardwareraidtool() {
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'MegaRAID'; then
# shellcheck disable=SC2015
is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
|| failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
fi
if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then
is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed"
fi
else
failed "IS_HARDWARERAIDTOOL" "lspci not found in ${PATH}"
fi
}
check_log2mailsystemdunit() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
systemctl -q is-active log2mail.service \
|| failed "IS_LOG2MAILSYSTEMDUNIT" "log2mail unit not running"
test -f /etc/systemd/system/log2mail.service \
|| failed "IS_LOG2MAILSYSTEMDUNIT" "missing log2mail unit file"
test -f /etc/init.d/log2mail \
&& failed "IS_LOG2MAILSYSTEMDUNIT" "/etc/init.d/log2mail may be deleted (use systemd unit)"
fi
}
check_listupgrade() {
test -f /etc/cron.d/listupgrade \
|| failed "IS_LISTUPGRADE" "missing listupgrade cron"
test -x /usr/share/scripts/listupgrade.sh \
|| failed "IS_LISTUPGRADE" "missing listupgrade script or not executable"
}
check_mariadbevolinuxconf() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
if is_installed mariadb-server; then
{ test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
} || failed "IS_MARIADBEVOLINUXCONF" "missing mariadb custom config"
fi fi
fi fi
}
check_sql_backup() { if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then
lspci |grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) || echo 'IS_HARDWARERAIDTOOL FAILED!')
lspci |grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status || echo 'IS_HARDWARERAIDTOOL FAILED!')
fi
if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then
if is_debianversion stretch; then
(systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) || echo 'IS_LOG2MAILSYSTEMDUNIT FAILED!'
fi
fi
if [ "$IS_LISTUPGRADE" = 1 ]; then
(test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) || echo 'IS_LISTUPGRADE FAILED!'
fi
if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
(test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) || echo 'IS_MARIADBEVOLINUXCONF FAILED!'
fi
fi
if [ "$IS_SQL_BACKUP" = 1 ]; then
if (is_installed "mysql-server" || is_installed "mariadb-server"); then if (is_installed "mysql-server" || is_installed "mariadb-server"); then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
for backup_path in ${SQL_BACKUP_PATH}; do test -f "$SQL_BACKUP_PATH" || echo 'IS_SQL_BACKUP FAILED!'
if [ ! -f "${backup_path}" ]; then
failed "IS_SQL_BACKUP" "MySQL dump is missing (${backup_path})"
test "${VERBOSE}" = 1 || break
fi fi
done
fi fi
}
check_postgres_backup() { if [ "$IS_POSTGRES_BACKUP" = 1 ]; then
if is_installed "postgresql-9*" || is_installed "postgresql-1*"; then if is_installed "postgresql-9*"; then
# If you use something like barman, you should disable this check # If you use something like barman, you should deactivate this check
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak*"} POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
for backup_path in ${POSTGRES_BACKUP_PATH}; do test -f "$POSTGRES_BACKUP_PATH" || echo 'IS_POSTGRES_BACKUP FAILED!'
if [ ! -f "${backup_path}" ]; then
failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${backup_path})"
test "${VERBOSE}" = 1 || break
fi fi
done
fi fi
}
check_mongo_backup() { if [ "$IS_MONGO_BACKUP" = 1 ]; then
if is_installed "mongodb-org-server"; then if is_installed "mongodb-org-server"; then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
if [ -d "$MONGO_BACKUP_PATH" ]; then if [ -d "$MONGO_BACKUP_PATH" ]; then
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do for file in ${MONGO_BACKUP_PATH}/*/*.{json,bson}; do
# Skip indexes file. # Skip indexes file.
if ! [[ "$file" =~ indexes ]]; then if ! [[ "$file" =~ indexes ]]; then
limit=$(date +"%s" -d "now - 2 day") if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
updated_at=$(stat -c "%Y" "$file") echo 'IS_MONGO_BACKUP FAILED!'
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days"
break break
fi fi
fi fi
done done
else else
failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})" echo 'IS_MONGO_BACKUP FAILED!'
fi fi
fi fi
} fi
check_ldap_backup() {
if [ "$IS_LDAP_BACKUP" = 1 ]; then
if is_installed slapd; then if is_installed slapd; then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"} LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})" test -f "$LDAP_BACKUP_PATH" || echo 'IS_LDAP_BACKUP FAILED!'
fi fi
} fi
check_redis_backup() {
if [ "$IS_REDIS_BACKUP" = 1 ]; then
if is_installed redis-server; then if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"} REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})" test -f "$REDIS_BACKUP_PATH" || echo 'IS_REDIS_BACKUP FAILED!'
fi fi
} fi
check_elastic_backup() {
if [ "$IS_ELASTIC_BACKUP" = 1 ]; then
if is_installed elasticsearch; then if is_installed elasticsearch; then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup-elasticsearch"} ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"}
test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})" test -d "$ELASTIC_BACKUP_PATH" || echo 'IS_ELASTIC_BACKUP FAILED!'
fi
}
check_mariadbsystemdunit() {
# TODO: check if it is still needed for bullseye
if is_debian_stretch || is_debian_buster; then
if is_installed mariadb-server; then
if systemctl -q is-active mariadb.service; then
test -f /etc/systemd/system/mariadb.service.d/evolinux.conf \
|| failed "IS_MARIADBSYSTEMDUNIT" "missing systemd override for mariadb unit"
fi fi
fi fi
if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
(systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) || echo 'IS_MARIADBSYSTEMDUNIT FAILED!'
fi fi
} fi
check_mysqlmunin() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if [ "$IS_MYSQLMUNIN" = 1 ]; then
if is_installed mariadb-server; then if is_debianversion stretch && is_installed mariadb-server; then
for file in mysql_bytes mysql_queries mysql_slowqueries \ for file in mysql_bytes mysql_queries mysql_slowqueries \
mysql_threads mysql_connections mysql_files_tables \ mysql_threads mysql_connections mysql_files_tables \
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
@ -1030,73 +738,53 @@ check_mysqlmunin() {
mysql_sorts mysql_tmp_tables; do mysql_sorts mysql_tmp_tables; do
if [[ ! -L /etc/munin/plugins/$file ]]; then if [[ ! -L /etc/munin/plugins/$file ]]; then
failed "IS_MYSQLMUNIN" "missing munin plugin '$file'" echo 'IS_MYSQLMUNIN FAILED!'
test "${VERBOSE}" = 1 || break break
fi fi
done done
munin-run mysql_commands 2> /dev/null > /dev/null
test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error"
fi fi
fi fi
}
check_mysqlnrpe() { if [ "$IS_MYSQLNRPE" = 1 ]; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_debianversion stretch && is_installed mariadb-server; then
if is_installed mariadb-server; then (test -f ~nagios/.my.cnf \
nagios_file=~nagios/.my.cnf && [ $(stat -c %U ~nagios/.my.cnf) = "nagios" ] \
if ! test -f ${nagios_file}; then && [ $(stat -c %a ~nagios/.my.cnf) = "600" ] \
failed "IS_MYSQLNRPE" "${nagios_file} is missing" && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") || echo 'IS_MYSQLNRPE FAILED!'
elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \
|| [ "$(stat -c %a ${nagios_file})" != "600" ]; then
failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions"
else
grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
fi fi
fi fi
fi
} if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then
check_phpevolinuxconf() { if is_debianversion stretch && is_installed php; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then (test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \
is_debian_stretch && phpVersion="7.0" && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) || echo 'IS_PHPEVOLINUXCONF FAILED!'
is_debian_buster && phpVersion="7.3"
is_debian_bullseye && phpVersion="7.4"
if is_installed php; then
{ test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini
} || failed "IS_PHPEVOLINUXCONF" "missing php evolinux config"
fi fi
fi fi
}
check_squidlogrotate() { if [ "$IS_SQUIDLOGROTATE" = 1 ]; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_debianversion stretch && is_installed squid; then
if is_installed squid; then grep -q monthly /etc/logrotate.d/squid || echo 'IS_SQUIDLOGROTATE FAILED!'
grep -q -e monthly -e daily /etc/logrotate.d/squid \
|| failed "IS_SQUIDLOGROTATE" "missing squid logrotate file"
fi fi
fi fi
}
check_squidevolinuxconf() { if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_debianversion stretch && is_installed squid; then
if is_installed squid; then (grep -q "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
{ grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
&& test -f /etc/squid/evolinux-defaults.conf \ && test -f /etc/squid/evolinux-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-defaults.conf \ && test -f /etc/squid/evolinux-whitelist-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-custom.conf \ && test -f /etc/squid/evolinux-whitelist-custom.conf \
&& test -f /etc/squid/evolinux-acl.conf \ && test -f /etc/squid/evolinux-acl.conf \
&& test -f /etc/squid/evolinux-httpaccess.conf \ && test -f /etc/squid/evolinux-httpaccess.conf \
&& test -f /etc/squid/evolinux-custom.conf; && test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
} || failed "IS_SQUIDEVOLINUXCONF" "missing squid evolinux config"
fi fi
fi fi
}
check_duplicate_fs_label() {
# Do it only if thereis blkid binary
BLKID_BIN=$(command -v blkid)
if [ -n "$BLKID_BIN" ]; then
tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX")
files_to_cleanup="${files_to_cleanup} ${tmpFile}"
parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
# Do it only if thereis blkid binary
if [ -x "$(which blkid)" ]; then
tmpFile=$(mktemp -p /tmp)
parts=$(blkid | grep -ve raid_member -e EFI_SYSPART \
| grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do for part in $parts; do
echo "$part" >> "$tmpFile" echo "$part" >> "$tmpFile"
done done
@ -1104,653 +792,210 @@ check_duplicate_fs_label() {
# If there is no duplicate, uniq will have no output # If there is no duplicate, uniq will have no output
# So, if $tmpOutput is not null, there is a duplicate # So, if $tmpOutput is not null, there is a duplicate
if [ -n "$tmpOutput" ]; then if [ -n "$tmpOutput" ]; then
# shellcheck disable=SC2086 echo 'IS_DUPLICATE_FS_LABEL FAILED!'
labels=$(echo -n $tmpOutput | tr '\n' ' ') if [ "$VERBOSE" = 1 ]; then
failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" echo "Duplicate labels:"
echo -e "$tmpOutput\n"
fi fi
else
failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}"
fi fi
} rm $tmpFile
check_evolix_user() { fi
grep -q -E "^evolix:" /etc/passwd \ fi
&& failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
} if [ "$IS_EVOLIX_USER" = 1 ]; then
check_evoacme_cron() { grep -q "evolix:" /etc/passwd && echo 'IS_EVOLIX_USER FAILED!'
fi
if [ "$IS_EVOACME_CRON" = 1 ]; then
if [ -f "/usr/local/sbin/evoacme" ]; then if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted # Old cron file, should be deleted
test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme" test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!'
# evoacme cron file should be present # evoacme cron file should be present
test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing" test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!'
fi fi
} fi
check_evoacme_livelinks() {
EVOACME_BIN=$(command -v evoacme) if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
if [ -x "$EVOACME_BIN" ]; then if [ -x "$(which evoacme)" ]; then
# Sometimes evoacme is installed but no certificates has been generated # Sometimes evoacme is installed but no certificates has been generated
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
if [ "$numberOfLinks" -gt 0 ]; then if [ $numberOfLinks -gt 0 ]; then
for live in /etc/letsencrypt/*/live; do for live in /etc/letsencrypt/*/live; do
actualLink=$(readlink -f "$live") actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11)
actualVersion=$(basename "$actualLink") actualCertDate=$(cut -d'/' -f5 <<< $actualLink)
liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9)
certDir=$(dirname "$live") certDir=${liveDir%%/live}
certName=$(basename "$certDir") lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1)
# shellcheck disable=SC2012 lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir)
lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1) if [[ "$actualCertDate" != "$lastCertDate" ]]; then
lastVersion=$(basename "$lastCertDir") echo 'IS_EVOACME_LIVELINKS FAILED!'
break
if [[ "$lastVersion" != "$actualVersion" ]]; then
failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated"
test "${VERBOSE}" = 1 || break
fi fi
done done
fi fi
fi fi
} fi
check_apache_confenabled() {
if [ "$IS_APACHE_CONFENABLED" = 1 ]; then
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
# must be replaced by conf-available/ and config files symlinked # must be replaced by conf-available/ and config files symlinked
# to conf-enabled/ # to conf-enabled/
if is_debian_jessie || is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_debianversion jessie || is_debianversion stretch; then
if [ -f /etc/apache2/apache2.conf ]; then if [ -f /etc/apache2/apache2.conf ]; then
test -d /etc/apache2/conf.d/ \ test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!'
&& failed "IS_APACHE_CONFENABLED" "apache's conf.d directory must not exists" grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
grep -q 'Include conf.d' /etc/apache2/apache2.conf \ echo 'IS_APACHE_CONFENABLED FAILED!'
&& failed "IS_APACHE_CONFENABLED" "apache2.conf must not Include conf.d"
fi fi
fi fi
} fi
check_meltdown_spectre() {
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
# For Stretch, detection is easy as the kernel use # For Stretch, detection is easy as the kernel use
# /sys/devices/system/cpu/vulnerabilities/ # /sys/devices/system/cpu/vulnerabilities/
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if is_debianversion stretch; then
for vuln in meltdown spectre_v1 spectre_v2; do for vuln in meltdown spectre_v1 spectre_v2; do
test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|| failed "IS_MELTDOWN_SPECTRE" "vulnerable to $vuln"
test "${VERBOSE}" = 1 || break
done done
# For Jessie this is quite complicated to verify and we need to use kernel config file # For Jessie this is quite complicated to verify and we need to use kernel config file
elif is_debian_jessie; then elif is_debianversion jessie; then
if grep -q "BOOT_IMAGE=" /proc/cmdline; then if grep -q BOOT_IMAGE= /proc/cmdline; then
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
kernelVer=${kernelPath##*/vmlinuz-} kernelVer=${kernelPath##*/vmlinuz-}
kernelConfig="config-${kernelVer}" kernelConfig="config-${kernelVer}"
# Sometimes autodetection of kernel config file fail, so we test if the file really exists. # Sometimes autodetection of kernel config file fail, so we test if the file really exists.
if [ -f "/boot/${kernelConfig}" ]; then if [ -f /boot/$kernelConfig ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \ grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
|| failed "IS_MELTDOWN_SPECTRE" \ grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
"PAGE_TABLE_ISOLATION must be enabled in kernel, outdated kernel?"
grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \
|| failed "IS_MELTDOWN_SPECTRE" \
"RETPOLINE must be enabled in kernel, outdated kernel?"
fi fi
fi fi
fi fi
} fi
check_old_home_dir() {
homeDir=${homeDir:-/home} if [ "$IS_OLD_HOME_DIR" = 1 ]; then
for dir in "$homeDir"/*; do for dir in /home/*; do
statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \
| grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \
| grep "UNKNOWN") | grep UNKNOWN)
# There is at least one dir matching # There is at least one dir matching
if [[ -n "$statResult" ]]; then if [[ -n "$statResult" ]]; then
failed "IS_OLD_HOME_DIR" "$statResult" echo 'IS_OLD_HOME_DIR FAILED!'
test "${VERBOSE}" = 1 || break if [[ "$VERBOSE" == 1 ]]; then
fi echo "$statResult"
done
}
check_tmp_1777() {
actual=$(stat --format "%a" /tmp)
expected="1777"
test "$expected" = "$actual" || failed "IS_TMP_1777" "/tmp must be $expected"
}
check_root_0700() {
actual=$(stat --format "%a" /root)
expected="700"
test "$expected" = "$actual" || failed "IS_ROOT_0700" "/root must be $expected"
}
check_usrsharescripts() {
actual=$(stat --format "%a" /usr/share/scripts)
expected="700"
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
}
check_sshpermitrootno() {
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
if is_debian_jessie || is_debian_stretch; then
# Noop, we'll use the default $sshd_args
:
elif is_debian_buster; then
sshd_args="${sshd_args},rdomain="
else else
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument break
# -T doesn't require the additional -C.
sshd_args=
fi
# XXX: We want parameter expension here
if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
fi
}
check_evomaintenanceusers() {
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
else
if [ -f /etc/sudoers.d/evolinux ]; then
sudoers="/etc/sudoers.d/evolinux"
else
sudoers="/etc/sudoers"
fi
# combine users from User_Alias and sudo group
users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u)
fi
for user in $users; do
user_home=$(getent passwd "$user" | cut -d: -f6)
if [ -n "$user_home" ] && [ -d "$user_home" ]; then
if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then
failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap"
test "${VERBOSE}" = 1 || break
fi fi
fi fi
done done
} fi
check_evomaintenanceconf() {
f=/etc/evomaintenance.cf
if [ -e "$f" ]; then
perms=$(stat -c "%a" $f)
test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)"
{ grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ if [ "$IS_HOME_SIZE" = 1 ]; then
&& grep "^PGDB" $f | grep -qv "your-db" \ # Can be changed in evocheck.cf
&& grep "^PGTABLE" $f | grep -qv "your-table" \ homeDir=${homeDir:-/home}
&& grep "^PGHOST" $f | grep -qv "your-pg-host" \ homeMaxSize=${homeMaxSize:-1048576}
&& grep "^FROM" $f | grep -qv "jdoe@example.com" \ # If the user has an evomaintenance profile trap he is
&& grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \ # considered a sysadmin
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ for homeProfile in ${homeDir}/*/.profile; do
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ if grep -q "evomaintenance.sh" "$homeProfile"; then
&& grep "^REALM" $f | grep -qv "example.com" homeSize=$(du -s "${homeProfile%%.profile}" \
} || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" | awk '{print $1}')
else homeUser=$(stat "$homeProfile" -c %U)
failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" if [ "$homeSize" -gt "$homeMaxSize" ]; then
fi echo 'IS_HOME_SIZE FAILED!'
} verbose "User $homeUser has more than 1G in his home" \
check_privatekeyworldreadable() { || break
# a simple globbing fails if directory is empty
if [ -n "$(ls -A /etc/ssl/private/)" ]; then
for f in /etc/ssl/private/*; do
perms=$(stat -L -c "%a" "$f")
if [ "${perms: -1}" != 0 ]; then
failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable"
test "${VERBOSE}" = 1 || break
fi
done
fi
}
check_evobackup_incs() {
if is_installed bkctld; then
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
if [ -f "${bkctld_cron_file}" ]; then
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
else
failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing"
fi
fi
}
check_osprober() {
if is_installed os-prober qemu-kvm; then
failed "IS_OSPROBER" \
"Removal of os-prober package is recommended as it can cause serious issue on KVM server"
fi
}
check_jessie_backports() {
if is_debian_jessie; then
jessieBackports=$(grep -hs "jessie-backports" /etc/apt/sources.list /etc/apt/sources.list.d/*)
if test -n "$jessieBackports"; then
if ! grep -q "archive.debian.org" <<< "$jessieBackports"; then
failed "IS_JESSIE_BACKPORTS" "You must use deb http://archive.debian.org/debian/ jessie-backports main"
fi
fi
fi
}
check_apt_valid_until() {
aptvalidFile="/etc/apt/apt.conf.d/99no-check-valid-until"
aptvalidText="Acquire::Check-Valid-Until no;"
if grep -qs "archive.debian.org" /etc/apt/sources.list /etc/apt/sources.list.d/*; then
if ! grep -qs "$aptvalidText" /etc/apt/apt.conf.d/*; then
failed "IS_APT_VALID_UNTIL" \
"As you use archive.mirror.org you need ${aptvalidFile}: ${aptvalidText}"
fi
fi
}
check_chrooted_binary_uptodate() {
# list of processes to check
process_list="sshd"
for process_name in ${process_list}; do
# what is the binary path?
original_bin=$(command -v "${process_name}")
for pid in $(pgrep ${process_name}); do
process_bin=$(realpath "/proc/${pid}/exe")
# Is the process chrooted?
real_root=$(realpath "/proc/${pid}/root")
if [ "${real_root}" != "/" ]; then
chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
# compare md5 checksums
if [ "$original_md5" != "$chrooted_md5" ]; then
failed "IS_CHROOTED_BINARY_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
test "${VERBOSE}" = 1 || break
fi fi
fi fi
done done
done
}
check_nginx_letsencrypt_uptodate() {
if [ -d /etc/nginx ]; then
snippets=$(find /etc/nginx -type f -name "letsencrypt.conf")
if [ -n "${snippets}" ]; then
while read -r snippet; do
if is_debian_jessie; then
if ! grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 8."
fi
else
if grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 9+."
fi fi
fi fi
done <<< "${snippets}"
fi
fi
}
check_lxc_container_resolv_conf() {
if is_installed lxc; then
container_list=$(lxc-ls)
current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
for container in $container_list; do if [ `uname -s` == "OpenBSD" ]; then
if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then
while read -r resolver; do if [ "$IS_SOFTDEP" = 1 ]; then
if ! grep -qE "^nameserver\s+${resolver}" "/var/lib/lxc/${container}/rootfs/etc/resolv.conf"; then grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!'
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf miss-match beween host and container : missing nameserver ${resolver} in container ${container} resolv.conf"
fi
done <<< "${current_resolvers}"
else
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}"
fi
done
fi
}
download_versions() {
local file
file=${1:-}
## The file is supposed to list programs : each on a line, then its latest version number
## Examples:
# evoacme 21.06
# evomaintenance 0.6.4
if is_debian; then
versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
elif is_openbsd; then
versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}"
else
failed "IS_CHECK_VERSIONS" "error determining os release"
fi fi
# fetch timeout, in seconds if [ "$IS_WHEEL" = 1 ]; then
timeout=10 grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!'
if command -v curl > /dev/null; then
curl --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}"
elif command -v wget > /dev/null; then
wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}"
elif command -v GET; then
GET -t ${timeout}s "${versions_url}" > "${versions_file}"
else
failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET"
fi
test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}"
}
get_command() {
local program
program=${1:-}
case "${program}" in
## Special cases where the program name is different than the command name
evocheck) echo "${0}" ;;
evomaintenance) command -v "evomaintenance.sh" ;;
listupgrade) command -v "evolistupgrade.sh" ;;
old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;;
mysql-queries-killer) command -v "mysql-queries-killer.sh" ;;
minifirewall) echo "/etc/init.d/minifirewall" ;;
## General case, where the program name is the same as the command name
*) command -v "${program}" ;;
esac
}
get_version() {
local program
local command
program=${1:-}
command=${2:-}
case "${program}" in
## Special case if `command --version => 'command` is not the standard way to get the version
# my_command)
# /path/to/my_command --get-version
# ;;
add-vm)
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
;;
minifirewall)
${command} version | head -1 | cut -d ' ' -f 3
;;
## Let's try the --version flag before falling back to grep for the constant
kvmstats)
if ${command} --version > /dev/null 2> /dev/null; then
${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3
else
grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
fi
;;
## General case to get the version
*) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
esac
}
check_version() {
local program
local expected_version
program=${1:-}
expected_version=${2:-}
command=$(get_command "${program}")
if [ -n "${command}" ]; then
# shellcheck disable=SC2086
actual_version=$(get_version "${program}" "${command}")
# printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}"
if [ -z "${actual_version}" ]; then
failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}"
elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}"
elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index."
else
: # Version check OK
fi
fi
}
add_to_path() {
local new_path
new_path=${1:-}
echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
}
check_versions() {
versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX")
files_to_cleanup="${files_to_cleanup} ${versions_file}"
download_versions "${versions_file}"
add_to_path "/usr/share/scripts"
grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
local program
local version
program=$(echo "${line}" | cut -d ' ' -f 1)
version=$(echo "${line}" | cut -d ' ' -f 2)
if [ -n "${program}" ]; then
if [ -n "${version}" ]; then
check_version "${program}" "${version}"
else
failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}"
fi
fi
done
}
main() {
# Default return code : 0 = no error
RC=0
# Detect operating system name, version and release
detect_os
main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX")
files_to_cleanup="${files_to_cleanup} ${main_output_file}"
#-----------------------------------------------------------
# Tests communs à tous les systèmes
#-----------------------------------------------------------
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts
test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno
test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers
# Verification de la configuration d'evomaintenance
test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf
test "${IS_PRIVKEYWOLRDREADABLE:=1}" = 1 && check_privatekeyworldreadable
#-----------------------------------------------------------
# Vérifie si c'est une debian et fait les tests appropriés.
#-----------------------------------------------------------
if is_debian; then
MINIFW_FILE=$(minifirewall_file)
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase
test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly
test "${IS_APTITUDE:=1}" = 1 && check_aptitude
test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
test "${IS_APTICRON:=0}" = 1 && check_apticron
test "${IS_USRRO:=1}" = 1 && check_usrro
test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec
test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
test "${IS_DISKPERF:=0}" = 1 && check_diskperf
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
# Enable when minifirewall is released
test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes
test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin
test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils
test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft
test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat
test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate
test "${IS_SQUID:=1}" = 1 && check_squid
test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw
test "${IS_MODDEFLATE:=1}" = 1 && check_moddeflate
test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning
test "${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache
test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql
test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid
test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot
test "${IS_REPVOLATILE:=1}" = 1 && check_repvolatile
test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces
test "${IS_AUTOIF:=1}" = 1 && check_autoif
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
test "${IS_NETWORKING_SERVICE:=1}" = 1 && check_networking_service
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow
test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf
test "${IS_SAMBAPINPRIORITY:=1}" = 1 && check_sambainpriority
test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate
test "${IS_UPTIME:=1}" = 1 && check_uptime
test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
test "${IS_USERINADMGROUP:=1}" = 1 && check_userinadmgroup
test "${IS_APACHE2EVOLINUXCONF:=1}" = 1 && check_apache2evolinuxconf
test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate
test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware
test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool
test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit
test "${IS_LISTUPGRADE:=1}" = 1 && check_listupgrade
test "${IS_MARIADBEVOLINUXCONF:=0}" = 1 && check_mariadbevolinuxconf
test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup
test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup
test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup
test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup
test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup
test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup
test "${IS_MARIADBSYSTEMDUNIT:=1}" = 1 && check_mariadbsystemdunit
test "${IS_MYSQLMUNIN:=1}" = 1 && check_mysqlmunin
test "${IS_MYSQLNRPE:=1}" = 1 && check_mysqlnrpe
test "${IS_PHPEVOLINUXCONF:=0}" = 1 && check_phpevolinuxconf
test "${IS_SQUIDLOGROTATE:=1}" = 1 && check_squidlogrotate
test "${IS_SQUIDEVOLINUXCONF:=1}" = 1 && check_squidevolinuxconf
test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron
test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks
test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled
test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
test "${IS_OLD_HOME_DIR:=0}" = 1 && check_old_home_dir
test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
test "${IS_OSPROBER:=1}" = 1 && check_osprober
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
fi fi
#----------------------------------------------------------- if [ "$IS_SUDOADMIN" = 1 ]; then
# Tests spécifiques à OpenBSD grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!'
#-----------------------------------------------------------
if is_openbsd; then
if [ "${IS_SOFTDEP:=1}" = 1 ]; then
grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP"
fi fi
if [ "${IS_WHEEL:=1}" = 1 ]; then if [ "$IS_PKGMIRROR" = 1 ]; then
grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL" grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!'
fi fi
if [ "${IS_SUDOADMIN:=1}" = 1 ]; then if [ "$IS_HISTORY" = 1 ]; then
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || failed "IS_SUDOADMIN"
fi
if [ "${IS_PKGMIRROR:=1}" = 1 ]; then
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \
|| failed "IS_PKGMIRROR"
fi
if [ "${IS_HISTORY:=1}" = 1 ]; then
f=/root/.profile f=/root/.profile
{ grep -q "^HISTFILE=\$HOME/.histfile" $f \ grep -q "^HISTFILE=\$HOME/.histfile" $f \
&& grep -q "^export HISTFILE" $f \ && grep -q "^export HISTFILE" $f \
&& grep -q "^HISTSIZE=1000" $f \ && grep -q "^HISTSIZE=1000" $f \
&& grep -q "^export HISTSIZE" $f; && grep -q "^export HISTSIZE" $f \
} || failed "IS_HISTORY" || echo 'IS_HISTORY FAILED!'
fi fi
if [ "${IS_VIM:=1}" = 1 ]; then if [ "$IS_VIM" = 1 ]; then
command -v vim > /dev/null 2>&1 || failed "IS_VIM" which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!'
fi fi
if [ "${IS_TTYC0SECURE:=1}" = 1 ]; then if [ "$IS_TTYC0SECURE" = 1 ]; then
grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE" grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!'
fi fi
if [ "${IS_CUSTOMSYSLOG:=1}" = 1 ]; then if [ "$IS_CUSTOMSYSLOG" = 1 ]; then
grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!'
fi fi
if [ "${IS_NOINETD:=1}" = 1 ]; then if [ "$IS_NOINETD" = 1 ]; then
grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD" grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!'
fi fi
if [ "${IS_SUDOMAINT:=1}" = 1 ]; then if [ "$IS_SUDOMAINT" = 1 ]; then
f=/etc/sudoers f=/etc/sudoers
{ grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f; && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \
} || failed "IS_SUDOMAINT" || echo 'IS_SUDOMAINT FAILED!'
fi fi
if [ "${IS_POSTGRESQL:=1}" = 1 ]; then if [ "$IS_POSTGRESQL" = 1 ]; then
pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed" pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!'
fi fi
if [ "${IS_NRPE:=1}" = 1 ]; then if [ "$IS_NRPE" = 1 ]; then
{ pkg info | grep -qE "nagios-plugins-[0-9.]" \ ( pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \ && pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe; && pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!'
} || failed "IS_NRPE" "NRPE is not installed"
fi fi
# if [ "${IS_NRPEDISKS:=1}" = 1 ]; then # if [ "$IS_NRPEDISKS" = 1 ]; then
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) # NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) # DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS" # [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
# fi # fi
# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix) # Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
# #
# if [ "${IS_NRPEPOSTFIX:=1}" = 1 ]; then # if [ "$IS_NRPEPOSTFIX" = 1 ]; then
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || failed "IS_NRPEPOSTFIX" ) # pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' )
# fi # fi
if [ "${IS_NRPEDAEMON:=1}" = 1 ]; then if [ "$IS_NRPEDAEMON" = 1 ]; then
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \ grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!'
|| failed "IS_NREPEDAEMON"
fi fi
if [ "${IS_ALERTBOOT:=1}" = 1 ]; then if [ "$IS_ALERTBOOT" = 1 ]; then
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \ grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!'
|| failed "IS_ALERTBOOT"
fi fi
if [ "${IS_RSYNC:=1}" = 1 ]; then if [ "$IS_RSYNC" = 1 ]; then
pkg info | grep -q rsync || failed "IS_RSYNC" pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!'
fi fi
if [ "${IS_CRONPATH:=1}" = 1 ]; then if [ "$IS_CRONPATH" = 1 ]; then
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \ grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!'
|| failed "IS_CRONPATH"
fi fi
#TODO #TODO
@ -1758,86 +1003,80 @@ main() {
# - NRPEDISK et NRPEPOSTFIX # - NRPEDISK et NRPEPOSTFIX
fi fi
if [ -f "${main_output_file}" ]; then if [ "$IS_TMP_1777" = 1 ]; then
lines_found=$(wc -l < "${main_output_file}") ls -ld /tmp | grep -q drwxrwxrwt || echo 'IS_TMP_1777 FAILED!'
# shellcheck disable=SC2086
if [ ${lines_found} -gt 0 ]; then
cat "${main_output_file}" 2>&1
fi
fi fi
exit ${RC} if [ "$IS_ROOT_0700" = 1 ]; then
} ls -ld /root | grep -q drwx------ || echo 'IS_ROOT_0700 FAILED!'
cleanup_temp_files() { fi
# shellcheck disable=SC2086
rm -f ${files_to_cleanup}
}
PROGNAME=$(basename "$0") if [ "$IS_USRSHARESCRIPTS" = 1 ]; then
# shellcheck disable=SC2034 ls -ld /usr/share/scripts | grep -q drwx------ || echo 'IS_USRSHARESCRIPTS FAILED!'
readonly PROGNAME fi
# shellcheck disable=SC2124 if [ "$IS_SSHPERMITROOTNO" = 1 ]; then
ARGS=$@ is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
readonly ARGS is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || echo 'IS_SSHPERMITROOTNO FAILED!' )
fi
# Disable LANG* if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
export LANG=C # Can be changed in evocheck.cf
export LANGUAGE=C homeDir=${homeDir:-/home}
if ! is_debianversion stretch; then
files_to_cleanup="" if [ -f /etc/sudoers.d/evolinux ]; then
# shellcheck disable=SC2064 sudoers="/etc/sudoers.d/evolinux"
trap cleanup_temp_files 0 else
sudoers="/etc/sudoers"
# Source configuration file fi
# shellcheck disable=SC1091 for i in $( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep ^sudo /etc/group |cut -d: -f 4) | tr "," "\n" |sort -u); do
test -f /etc/evocheck.cf && . /etc/evocheck.cf grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile
if [ $? != 0 ]; then
# Parse options echo 'IS_EVOMAINTENANCEUSERS FAILED!'
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a if [ "$VERBOSE" = 1 ]; then
while :; do echo "$i doesn't have evomaintenance trap!"
case $1 in else
-h|-\?|--help)
show_help
exit 0
;;
--version)
show_version
exit 0
;;
--cron)
IS_KERNELUPTODATE=0
IS_UPTIME=0
IS_MELTDOWN_SPECTRE=0
IS_CHECK_VERSIONS=0
;;
-v|--verbose)
VERBOSE=1
;;
-q|--quiet)
QUIET=1
VERBOSE=0
;;
--)
# End of all options.
shift
break break
;;
-?*|[[:alnum:]]*)
# ignore unknown options
if [ "${QUIET}" != 1 ]; then
printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
fi fi
;; fi
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done done
else
for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do
grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/$i/.*profile
if [ $? != 0 ]; then
echo 'IS_EVOMAINTENANCEUSERS FAILED!'
if [ "$VERBOSE" = 1 ]; then
echo "$i doesn't have evomaintenance trap!"
else
break
fi
fi
done
fi
fi
# shellcheck disable=SC2086 # Verification de la configuration d'evomaintenance
main ${ARGS} if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then
f=/etc/evomaintenance.cf
( test -e $f \
&& test $(stat -c "%a" $f) = "600" \
&& grep "^export PGPASSWORD" $f |grep -qv "your-passwd" \
&& grep "^PGDB" $f |grep -qv "your-db" \
&& grep "^PGTABLE" $f |grep -qv "your-table" \
&& grep "^PGHOST" $f |grep -qv "your-pg-host" \
&& grep "^FROM" $f |grep -qv "jdoe@example.com" \
&& grep "^FULLFROM" $f |grep -qv "John Doe <jdoe@example.com>" \
&& grep "^URGENCYFROM" $f |grep -qv "mama.doe@example.com" \
&& grep "^URGENCYTEL" $f |grep -qv "06.00.00.00.00" \
&& grep "^REALM" $f |grep -qv "example.com" ) || echo 'IS_EVOMAINTENANCECONF FAILED!'
fi
if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
for f in /etc/ssl/private/*; do
perms=$(stat -L -c "%a" $f)
if [ ${perms: -1} != "0" ]; then
echo 'IS_PRIVKEYWOLRDREADABLE FAILED!'
break
fi
done
fi