diff --git a/CHANGELOG b/CHANGELOG index 475edd8..10f2411 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -32,7 +32,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed * accounts: use "evobsd_internal_group" for SSH authentication -* evocheck: imported version 22.03 * base: zzz_evobackup upstream release 22.03 * etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks * etc-git: use "ansible-commit" to efficiently commit all available repositories from Ansible @@ -72,6 +71,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * collectd: modified collectd scripts directory and scripts files right so that only _collectd group can execute them * base: install ncdu and htop often used as diagnostic tools * base: dump-server-state.sh upstream release 23.06 +* evocheck: upstream release 23.06 ### Fixed diff --git a/roles/evocheck/files/evocheck.sh b/roles/evocheck/files/evocheck.sh index e9627ee..c3f162a 100755 --- a/roles/evocheck/files/evocheck.sh +++ b/roles/evocheck/files/evocheck.sh @@ -3,7 +3,7 @@ # EvoCheck # Script to verify compliance of an OpenBSD server powered by Evolix -readonly VERSION="23.02" +readonly VERSION="23.06" # base functions @@ -51,6 +51,17 @@ is_installed(){ # logging +log() { + date=$(/bin/date +"${DATE_FORMAT}") + if [ "${1}" != '' ]; then + printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}" + else + while read line; do + printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}" + done < /dev/stdin + fi +} + failed() { check_name=$1 shift @@ -64,6 +75,9 @@ failed() { printf "%s FAILED!\n" "${check_name}" 2>&1 fi fi + + # Always log verbose + log "${check_name} FAILED! ${check_comments}" } # check functions 
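Review bot: `while read line` in the new `log` function strips leading whitespace and interprets backslash sequences in every piped line, so text fed to it (the config dump added further down) can be logged differently from what is on disk; use `while IFS= read -r line; do`. The `< /dev/stdin` redirection is redundant, since the loop already reads the function's own stdin, and `date` is a global that every `log` call overwrites — harmless here, but a comment or a less generic name would make that deliberate. The format string `"[%s] %s: %s\\n"` depends on the shell turning `\\n` into `\n` before printf sees it; `'[%s] %s: %s\n'` expresses the same thing without the double escaping. `log` appends to `${LOGFILE}` before that variable is assigned lower in the file, which appears to work only because nothing calls `log` until after the assignments run; a short comment at the top of the function saying it expects `LOGFILE`, `PROGNAME` and `DATE_FORMAT` to be set would spare the next reader that check.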
@@ -104,9 +118,9 @@ check_raidok(){ } check_evobackup(){ if [ -f /etc/daily.local ]; then - grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local" + grep -qE "^(ba)?sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local" else - failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local" + failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local" fi } check_uptodate(){ @@ -154,9 +168,9 @@ check_carpadvbase(){ if ls /etc/hostname.carp* 1> /dev/null 2>&1; then bad_advbase=0 for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do - if [ "$advbase" -gt 5 ]; then - bad_advbase=1 - fi + if [ "$advbase" -gt 5 ]; then + bad_advbase=1 + fi done if [ "$bad_advbase" -eq 1 ]; then failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!" @@ -172,7 +186,7 @@ check_carppreempt(){ if [ -f /etc/sysctl.conf ]; then grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf" else - failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'" + failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'" fi fi } 
@@ -415,7 +429,7 @@ get_command() { evocheck) echo "${0}" ;; evomaintenance) command -v "evomaintenance.sh" ;; motd-carp-state) command -v "motd-carp-state.sh" ;; - + ## General case, where the program name is the same as the command name *) command -v "${program}" ;; esac @@ -512,6 +526,17 @@ check_root_user() { failed "IS_ROOT_USER" "root user should not have a password ; replace the password field with 'vipw' for the root user with '*************' (exactly 13 asterisks) " fi } +check_mount(){ + for fstab_entry in $(grep ffs /etc/fstab | grep -v "^#" | awk '{print $2}'); do + mount | awk '{print $3}' | grep -q "^$fstab_entry$" || failed "IS_MOUNT" "Local OpenBSD partition(s) detected in /etc/fstab but not mounted" + done +} +check_mountfstab() { + for mount_point in $(mount | awk '{print $3}'); do + grep -q " $mount_point " /etc/fstab || failed "IS_MOUNT_FSTAB" "Partition(s) detected mounted but no presence in /etc/fstab" + done +} + main() { # Default return code : 0 = no error @@ -561,24 +586,34 @@ main() { test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions test "${IS_ROOT_USER:=1}" = 1 && check_root_user + test "${IS_MOUNT:=1}" = 1 && check_mount + test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab exit ${RC} } -cleanup_temp_files() { +cleanup() { + # Cleanup tmp files # shellcheck disable=SC2086 rm -f ${files_to_cleanup} + + log "$PROGNAME exit." } +PROGNAME=$(basename "$0") + +LOGFILE="/var/log/evocheck.log" + +CONFIGFILE="/etc/evocheck.cf" + +DATE_FORMAT="%Y-%m-%d %H:%M:%S" + # Disable LANG* export LANG=C export LANGUAGE=C -files_to_cleanup="" -trap cleanup_temp_files 0 - # Source configuration file # shellcheck disable=SC1091 -test -f /etc/evocheck.cf && . /etc/evocheck.cf +test -f "${CONFIGFILE}" && . "${CONFIGFILE}" # Parse options # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a 
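Review bot: `check_mount` selects fstab lines with `grep ffs`, which matches the string anywhere on the line and also picks up `noauto` entries that are not supposed to be mounted, so a legitimate configuration is reported as "IS_MOUNT" failed; the fstab type field should be compared exactly and `noauto` skipped. `check_mountfstab` does the reverse lookup with `grep -q " $mount_point " /etc/fstab`, a substring match that is satisfied by commented-out lines and misses tab-separated entries, and both functions pass the mount point into a regex unescaped. Both loops rely on the third field of `mount` output being the mount point, as the new code already assumes — worth confirming against OpenBSD's `mount` format if paths with spaces are possible. The rewrite below keeps both messages and both `failed` calls and replaces the pattern matching with exact field comparisons.
```shell
check_mount(){
    # Only ffs entries meant to be mounted at boot: skip comments and "noauto"
    for fstab_entry in $(awk '$1 !~ /^#/ && $3 == "ffs" && $4 !~ /noauto/ {print $2}' /etc/fstab); do
        # -x -F: whole-line, literal match, so the mount point is not treated as a regex
        mount | awk '{print $3}' | grep -qxF -- "${fstab_entry}" || failed "IS_MOUNT" "Local OpenBSD partition(s) detected in /etc/fstab but not mounted"
    done
}
check_mountfstab() {
    for mount_point in $(mount | awk '{print $3}'); do
        # Compare the fstab mount-point field exactly, ignoring commented-out lines
        awk -v mp="${mount_point}" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' /etc/fstab \
            || failed "IS_MOUNT_FSTAB" "Partition(s) detected mounted but no presence in /etc/fstab"
    done
}
```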
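Review bot: `test -f "${CONFIGFILE}" && . "${CONFIGFILE}"` executes /etc/evocheck.cf with the caller's privileges (normally root) without checking who else can write it, so a group- or world-writable config file becomes a way to run arbitrary commands as root through an otherwise read-only compliance check; refuse to source it when that is the case, for example with a guard such as `[ -z "$(find "${CONFIGFILE}" -perm -002)" ]` for the world-writable case, and log the refusal. The new `log "$PROGNAME exit."` in `cleanup` also drops the one value a reader of the log file wants, the exit status; capturing it as the first statement of the handler, `rc=$?`, and logging `"$PROGNAME exit (rc=${rc})."` keeps it — `$?` at the start of an EXIT trap should be the script's exit status, but confirm that on OpenBSD's ksh. Since the hunk moves `files_to_cleanup=""` and the trap below the option parser, an early exit from that parser now runs without `cleanup`, which is fine only as long as nothing before it registers a temporary file; a one-line comment at the new `cleanup` saying so would document the ordering.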
@@ -621,5 +656,25 @@ while :; do shift done +# Keep this after "show_version(); exit 0" which is called by check_versions +# to avoid logging exit twice. +files_to_cleanup="" +trap cleanup EXIT INT TERM + +log '-----------------------------------------------' +log "Running $PROGNAME $VERSION..." + +# Log config file content +if [ -f "${CONFIGFILE}" ]; then + log "Runtime configuration (${CONFIGFILE}):" + conf=$(sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}") + if [ ! -z "${conf}" ]; then + sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log + else + log "${CONFIGFILE} is empty." + fi +fi + # shellcheck disable=SC2086 main ${ARGS} +
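Review bot: `trap cleanup EXIT INT TERM` installs `cleanup` as the INT/TERM handler, but the handler never exits, so after Ctrl-C the shell can resume the script past the interrupted command and later fire the EXIT trap as well, logging `exit.` twice — the very duplication the comment above the trap is trying to avoid. Keep `cleanup` on EXIT only and turn the signals into an exit: `trap cleanup EXIT` followed by `trap 'exit 1' INT TERM`, which runs `cleanup` exactly once through the EXIT trap. The config dump below runs the same `sed` filter twice although `${conf}` already holds its output; the inner branch can be `if [ -n "${conf}" ]; then printf '%s\n' "${conf}" | log` with the second `sed` dropped. The piped form of `log` reads lines with `read line`, so leading whitespace and backslashes in the config are altered on the way to the log; `IFS= read -r` in `log` fixes that for this caller too.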