evolix/EvoBSD
21
0
Fork 0
Code Issues 2 Pull requests Releases 3 Wiki Activity

evocheck: upstream release 23.06

Browse source
This commit is contained in:
Jérémy Dubois 2023-06-05 11:46:12 +02:00
parent d2574faaef
commit 8a63c8336f
2 changed files with 69 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
CHANGELOG
View file

@ -32,7 +32,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed ### Changed
* accounts: use "evobsd_internal_group" for SSH authentication * accounts: use "evobsd_internal_group" for SSH authentication
* evocheck: imported version 22.03
* base: zzz_evobackup upstream release 22.03 * base: zzz_evobackup upstream release 22.03
* etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks * etc-git: manage commits with an optimized shell script instead of many slow Ansible tasks
* etc-git: use "ansible-commit" to efficiently commit all available repositories from Ansible * etc-git: use "ansible-commit" to efficiently commit all available repositories from Ansible
@ -72,6 +71,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
* collectd: modified collectd scripts directory and scripts files right so that only _collectd group can execute them * collectd: modified collectd scripts directory and scripts files right so that only _collectd group can execute them
* base: install ncdu and htop often used as diagnostic tools * base: install ncdu and htop often used as diagnostic tools
* base: dump-server-state.sh upstream release 23.06 * base: dump-server-state.sh upstream release 23.06
* evocheck: upstream release 23.06
### Fixed ### Fixed

81
roles/evocheck/files/evocheck.sh
View file

@ -3,7 +3,7 @@
# EvoCheck # EvoCheck
# Script to verify compliance of an OpenBSD server powered by Evolix # Script to verify compliance of an OpenBSD server powered by Evolix
readonly VERSION="23.02" readonly VERSION="23.06"
# base functions # base functions
@ -51,6 +51,17 @@ is_installed(){
# logging # logging
log() {
date=$(/bin/date +"${DATE_FORMAT}")
if [ "${1}" != '' ]; then
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
else
while read line; do
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
done < /dev/stdin
fi
}
failed() { failed() {
check_name=$1 check_name=$1
shift shift
@ -64,6 +75,9 @@ failed() {
printf "%s FAILED!\n" "${check_name}" 2>&1 printf "%s FAILED!\n" "${check_name}" 2>&1
fi fi
fi fi
# Always log verbose
log "${check_name} FAILED! ${check_comments}"
} }
# check functions # check functions
@ -104,9 +118,9 @@ check_raidok(){
} }
check_evobackup(){ check_evobackup(){
if [ -f /etc/daily.local ]; then if [ -f /etc/daily.local ]; then
grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local" grep -qE "^(ba)?sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
else else
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local" failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
fi fi
} }
check_uptodate(){ check_uptodate(){
@ -154,9 +168,9 @@ check_carpadvbase(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
bad_advbase=0 bad_advbase=0
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
if [ "$advbase" -gt 5 ]; then if [ "$advbase" -gt 5 ]; then
bad_advbase=1 bad_advbase=1
fi fi
done done
if [ "$bad_advbase" -eq 1 ]; then if [ "$bad_advbase" -eq 1 ]; then
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!" failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
@ -172,7 +186,7 @@ check_carppreempt(){
if [ -f /etc/sysctl.conf ]; then if [ -f /etc/sysctl.conf ]; then
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf" grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
else else
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'" failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
fi fi
fi fi
} }
@ -415,7 +429,7 @@ get_command() {
evocheck) echo "${0}" ;; evocheck) echo "${0}" ;;
evomaintenance) command -v "evomaintenance.sh" ;; evomaintenance) command -v "evomaintenance.sh" ;;
motd-carp-state) command -v "motd-carp-state.sh" ;; motd-carp-state) command -v "motd-carp-state.sh" ;;
## General case, where the program name is the same as the command name ## General case, where the program name is the same as the command name
*) command -v "${program}" ;; *) command -v "${program}" ;;
esac esac
@ -512,6 +526,17 @@ check_root_user() {
failed "IS_ROOT_USER" "root user should not have a password ; replace the password field with 'vipw' for the root user with '*************' (exactly 13 asterisks) " failed "IS_ROOT_USER" "root user should not have a password ; replace the password field with 'vipw' for the root user with '*************' (exactly 13 asterisks) "
fi fi
} }
check_mount(){
for fstab_entry in $(grep ffs /etc/fstab | grep -v "^#" | awk '{print $2}'); do
mount | awk '{print $3}' | grep -q "^$fstab_entry$" || failed "IS_MOUNT" "Local OpenBSD partition(s) detected in /etc/fstab but not mounted"
done
}
check_mountfstab() {
for mount_point in $(mount | awk '{print $3}'); do
grep -q " $mount_point " /etc/fstab || failed "IS_MOUNT_FSTAB" "Partition(s) detected mounted but no presence in /etc/fstab"
done
}
main() { main() {
# Default return code : 0 = no error # Default return code : 0 = no error
@ -561,24 +586,34 @@ main() {
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
test "${IS_ROOT_USER:=1}" = 1 && check_root_user test "${IS_ROOT_USER:=1}" = 1 && check_root_user
test "${IS_MOUNT:=1}" = 1 && check_mount
test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
exit ${RC} exit ${RC}
} }
cleanup_temp_files() { cleanup() {
# Cleanup tmp files
# shellcheck disable=SC2086 # shellcheck disable=SC2086
rm -f ${files_to_cleanup} rm -f ${files_to_cleanup}
log "$PROGNAME exit."
} }
PROGNAME=$(basename "$0")
LOGFILE="/var/log/evocheck.log"
CONFIGFILE="/etc/evocheck.cf"
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
# Disable LANG* # Disable LANG*
export LANG=C export LANG=C
export LANGUAGE=C export LANGUAGE=C
files_to_cleanup=""
trap cleanup_temp_files 0
# Source configuration file # Source configuration file
# shellcheck disable=SC1091 # shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
# Parse options # Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
@ -621,5 +656,25 @@ while :; do
shift shift
done done
# Keep this after "show_version(); exit 0" which is called by check_versions
# to avoid logging exit twice.
files_to_cleanup=""
trap cleanup EXIT INT TERM
log '-----------------------------------------------'
log "Running $PROGNAME $VERSION..."
# Log config file content
if [ -f "${CONFIGFILE}" ]; then
log "Runtime configuration (${CONFIGFILE}):"
conf=$(sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}")
if [ ! -z "${conf}" ]; then
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
else
log "${CONFIGFILE} is empty."
fi
fi
# shellcheck disable=SC2086 # shellcheck disable=SC2086
main ${ARGS} main ${ARGS}