evocheck: upstream release 23.06
parent
d2574faaef
commit
8a63c8336f
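--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -32,7 +32,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 * accounts: use "evobsd_internal_group" for SSH authentication
-* evocheck: imported version 22.03
 * base: zzz_evobackup upstream release 22.03
 * etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
 * etc-git: use "ansible-commit" to efficiently commit all available repositories from Ansible
@@ -72,6 +71,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * collectd: modified collectd scripts directory and scripts files right so that only _collectd group can execute them
 * base: install ncdu and htop often used as diagnostic tools
 * base: dump-server-state.sh upstream release 23.06
+* evocheck: upstream release 23.06
 
 ### Fixed
 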
@ -3,7 +3,7 @@
|
||||||
# EvoCheck
|
# EvoCheck
|
||||||
# Script to verify compliance of an OpenBSD server powered by Evolix
|
# Script to verify compliance of an OpenBSD server powered by Evolix
|
||||||
|
|
||||||
readonly VERSION="23.02"
|
readonly VERSION="23.06"
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
|
||||||
|
@ -51,6 +51,17 @@ is_installed(){
|
||||||
|
|
||||||
# logging
|
# logging
|
||||||
|
|
||||||
|
log() {
|
||||||
|
date=$(/bin/date +"${DATE_FORMAT}")
|
||||||
|
if [ "${1}" != '' ]; then
|
||||||
|
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
|
||||||
|
else
|
||||||
|
while read line; do
|
||||||
|
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
|
||||||
|
done < /dev/stdin
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
failed() {
|
failed() {
|
||||||
check_name=$1
|
check_name=$1
|
||||||
shift
|
shift
|
||||||
|
@ -64,6 +75,9 @@ failed() {
|
||||||
printf "%s FAILED!\n" "${check_name}" 2>&1
|
printf "%s FAILED!\n" "${check_name}" 2>&1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Always log verbose
|
||||||
|
log "${check_name} FAILED! ${check_comments}"
|
||||||
}
|
}
|
||||||
|
|
||||||
# check functions
|
# check functions
|
||||||
|
@ -104,9 +118,9 @@ check_raidok(){
|
||||||
}
|
}
|
||||||
check_evobackup(){
|
check_evobackup(){
|
||||||
if [ -f /etc/daily.local ]; then
|
if [ -f /etc/daily.local ]; then
|
||||||
grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
|
grep -qE "^(ba)?sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
|
||||||
else
|
else
|
||||||
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
|
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_uptodate(){
|
check_uptodate(){
|
||||||
|
@ -154,9 +168,9 @@ check_carpadvbase(){
|
||||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||||
bad_advbase=0
|
bad_advbase=0
|
||||||
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
|
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
|
||||||
if [ "$advbase" -gt 5 ]; then
|
if [ "$advbase" -gt 5 ]; then
|
||||||
bad_advbase=1
|
bad_advbase=1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [ "$bad_advbase" -eq 1 ]; then
|
if [ "$bad_advbase" -eq 1 ]; then
|
||||||
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
||||||
|
@ -172,7 +186,7 @@ check_carppreempt(){
|
||||||
if [ -f /etc/sysctl.conf ]; then
|
if [ -f /etc/sysctl.conf ]; then
|
||||||
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
|
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
|
||||||
else
|
else
|
||||||
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
|
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -415,7 +429,7 @@ get_command() {
|
||||||
evocheck) echo "${0}" ;;
|
evocheck) echo "${0}" ;;
|
||||||
evomaintenance) command -v "evomaintenance.sh" ;;
|
evomaintenance) command -v "evomaintenance.sh" ;;
|
||||||
motd-carp-state) command -v "motd-carp-state.sh" ;;
|
motd-carp-state) command -v "motd-carp-state.sh" ;;
|
||||||
|
|
||||||
## General case, where the program name is the same as the command name
|
## General case, where the program name is the same as the command name
|
||||||
*) command -v "${program}" ;;
|
*) command -v "${program}" ;;
|
||||||
esac
|
esac
|
||||||
|
@ -512,6 +526,17 @@ check_root_user() {
|
||||||
failed "IS_ROOT_USER" "root user should not have a password ; replace the password field with 'vipw' for the root user with '*************' (exactly 13 asterisks) "
|
failed "IS_ROOT_USER" "root user should not have a password ; replace the password field with 'vipw' for the root user with '*************' (exactly 13 asterisks) "
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
check_mount(){
|
||||||
|
for fstab_entry in $(grep ffs /etc/fstab | grep -v "^#" | awk '{print $2}'); do
|
||||||
|
mount | awk '{print $3}' | grep -q "^$fstab_entry$" || failed "IS_MOUNT" "Local OpenBSD partition(s) detected in /etc/fstab but not mounted"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
check_mountfstab() {
|
||||||
|
for mount_point in $(mount | awk '{print $3}'); do
|
||||||
|
grep -q " $mount_point " /etc/fstab || failed "IS_MOUNT_FSTAB" "Partition(s) detected mounted but no presence in /etc/fstab"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
# Default return code : 0 = no error
|
# Default return code : 0 = no error
|
||||||
|
@ -561,24 +586,34 @@ main() {
|
||||||
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
|
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
|
||||||
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
|
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
|
||||||
test "${IS_ROOT_USER:=1}" = 1 && check_root_user
|
test "${IS_ROOT_USER:=1}" = 1 && check_root_user
|
||||||
|
test "${IS_MOUNT:=1}" = 1 && check_mount
|
||||||
|
test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
|
||||||
|
|
||||||
exit ${RC}
|
exit ${RC}
|
||||||
}
|
}
|
||||||
cleanup_temp_files() {
|
cleanup() {
|
||||||
|
# Cleanup tmp files
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
rm -f ${files_to_cleanup}
|
rm -f ${files_to_cleanup}
|
||||||
|
|
||||||
|
log "$PROGNAME exit."
|
||||||
}
|
}
|
||||||
|
|
||||||
|
PROGNAME=$(basename "$0")
|
||||||
|
|
||||||
|
LOGFILE="/var/log/evocheck.log"
|
||||||
|
|
||||||
|
CONFIGFILE="/etc/evocheck.cf"
|
||||||
|
|
||||||
|
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
export LANG=C
|
export LANG=C
|
||||||
export LANGUAGE=C
|
export LANGUAGE=C
|
||||||
|
|
||||||
files_to_cleanup=""
|
|
||||||
trap cleanup_temp_files 0
|
|
||||||
|
|
||||||
# Source configuration file
|
# Source configuration file
|
||||||
# shellcheck disable=SC1091
|
# shellcheck disable=SC1091
|
||||||
test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
|
||||||
|
|
||||||
# Parse options
|
# Parse options
|
||||||
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
|
||||||
|
@ -621,5 +656,25 @@ while :; do
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Keep this after "show_version(); exit 0" which is called by check_versions
|
||||||
|
# to avoid logging exit twice.
|
||||||
|
files_to_cleanup=""
|
||||||
|
trap cleanup EXIT INT TERM
|
||||||
|
|
||||||
|
log '-----------------------------------------------'
|
||||||
|
log "Running $PROGNAME $VERSION..."
|
||||||
|
|
||||||
|
# Log config file content
|
||||||
|
if [ -f "${CONFIGFILE}" ]; then
|
||||||
|
log "Runtime configuration (${CONFIGFILE}):"
|
||||||
|
conf=$(sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}")
|
||||||
|
if [ ! -z "${conf}" ]; then
|
||||||
|
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
|
||||||
|
else
|
||||||
|
log "${CONFIGFILE} is empty."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
main ${ARGS}
|
main ${ARGS}
|
||||||
|
|
||||||
|
|
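Review bot: Registering `cleanup` for INT and TERM (the new `trap cleanup EXIT INT TERM` line after option parsing) does not make the script stop on a signal: the handler only removes the temp files and logs "exit.", then control returns to the script, which carries on with its checks and runs `cleanup` a second time at EXIT, so the log records two exits for an interrupted run — the replaced `trap cleanup_temp_files 0` did not have this problem because it was EXIT-only. A signal handler should terminate explicitly and clear the EXIT trap so cleanup runs once: `trap cleanup EXIT` followed by `trap 'trap - EXIT; cleanup; exit 1' INT TERM`. Separately, in the new `log()` function the stdin branch should read `while IFS= read -r line; do` so backslashes and leading whitespace in piped config lines are logged as written. The script's shebang is outside the shown section, so the interpreter is not visible here, but as far as I know both bash and OpenBSD's ksh-based sh resume the script after a trap handler that does not exit.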