evocheck: upstream release 22.10

roles/evocheck/files/evocheck.sh

@@ -3,7 +3,7 @@
 # EvoCheck
 # Script to verify compliance of an OpenBSD server powered by Evolix
 
-readonly VERSION="22.08"
+readonly VERSION="22.10"
 
 # base functions
 
@@ -126,7 +126,7 @@ check_backupuptodate(){
     backup_dir="/home/backup"
     if [ -d "${backup_dir}" ]; then
         if [ -n "$(ls -A ${backup_dir})" ]; then
-            for file in "${backup_dir}"/*; do
+            find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do
                 limit=$(($(date +"%s") - 172800))
                 updated_at=$(stat -f "%m" "$file")
 
@@ -248,7 +248,7 @@ check_usrsharescripts(){
     test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be 700"
 }
 check_sshpermitrootno() {
-    if ! (sshd -T -C addr=,user=,host=,laddr=,lport=0,rdomain= | grep -q 'permitrootlogin no'); then
+    if ! (sshd -T -C addr=,user=,host=,laddr=,lport=0,rdomain= 2> /dev/null | grep -qi 'permitrootlogin no'); then
        failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
     fi
 }
@@ -304,12 +304,12 @@ check_defaultroute(){
     fi
 }
 check_ntp(){
-    if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then
+    if grep -q "servers ntp.evolix.net" /etc/ntpd.conf; then
         if [ "$(wc -l /etc/ntpd.conf | awk '{print $1}')" -ne 1 ]; then
-            failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"."
+            failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"servers ntp.evolix.net\"."
         fi
     else
-        failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"server ntp.evolix.net\"."
+        failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"servers ntp.evolix.net\"."
     fi
 }
 check_openvpncronlog(){
@@ -352,11 +352,18 @@ check_evobackup_exclude_mount() {
 
     # shellcheck disable=SC2013
     for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
-        grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
-        not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}")
-        for mount in ${not_excluded}; do
-            failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
-        done
+        # if the file seems to be a backup script, with an Rsync invocation
+        if grep -q "^\s*rsync" "${evobackup_file}"; then
+            # If rsync is not limited by "one-file-system"
+            # then we verify that every mount is excluded
+            if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
+                grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
+                not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
+                for mount in ${not_excluded}; do
+                    failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
+                done
+            fi
+        fi
     done
     rm -rf "${excludes_file}"
 }