evocheck: upstream release 22.10
parent
d10b2c42b3
commit
a458f51289
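--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -3,7 +3,7 @@
 # EvoCheck
 # Script to verify compliance of an OpenBSD server powered by Evolix
 
-readonly VERSION="22.08"
+readonly VERSION="22.10"
 
 # base functions
 
@@ -126,7 +126,7 @@ check_backupuptodate(){
 backup_dir="/home/backup"
 if [ -d "${backup_dir}" ]; then
 if [ -n "$(ls -A ${backup_dir})" ]; then
-for file in "${backup_dir}"/*; do
+find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do
 limit=$(($(date +"%s") - 172800))
 updated_at=$(stat -f "%m" "$file")
 
@@ -248,7 +248,7 @@ check_usrsharescripts(){
 test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be 700"
 }
 check_sshpermitrootno() {
-if ! (sshd -T -C addr=,user=,host=,laddr=,lport=0,rdomain= | grep -q 'permitrootlogin no'); then
+if ! (sshd -T -C addr=,user=,host=,laddr=,lport=0,rdomain= 2> /dev/null | grep -qi 'permitrootlogin no'); then
 failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
 fi
 }
@@ -304,12 +304,12 @@ check_defaultroute(){
 fi
 }
 check_ntp(){
-if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then
+if grep -q "servers ntp.evolix.net" /etc/ntpd.conf; then
 if [ "$(wc -l /etc/ntpd.conf | awk '{print $1}')" -ne 1 ]; then
-failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"."
+failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"servers ntp.evolix.net\"."
 fi
 else
-failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"server ntp.evolix.net\"."
+failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"servers ntp.evolix.net\"."
 fi
 }
 check_openvpncronlog(){
@@ -352,11 +352,18 @@ check_evobackup_exclude_mount() {
 
 # shellcheck disable=SC2013
 for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
-grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
-not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}")
-for mount in ${not_excluded}; do
-failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
-done
+# if the file seems to be a backup script, with an Rsync invocation
+if grep -q "^\s*rsync" "${evobackup_file}"; then
+# If rsync is not limited by "one-file-system"
+# then we verify that every mount is excluded
+if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
+grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
+not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
+for mount in ${not_excluded}; do
+failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
+done
+fi
+fi
 done
 rm -rf "${excludes_file}"
 }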
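Review bot: `findmnt` on the new `not_excluded=` line in check_evobackup_exclude_mount is a util-linux command that is not in the OpenBSD base system this script targets (see the header comment in the first hunk), so on the intended platform the command fails, `not_excluded` stays empty and the loop that reports unexcluded NFS mounts never runs; the replaced `mount | grep "type nfs" | awk '{print $3}'` form was portable and can carry the wider type list, e.g. `not_excluded=$(mount | grep -E "type (nfs|nfs4|fuse\.sshfs)" | awk '{print $3}' | grep -v -f "${excludes_file}")`. The trailing comma in `--type nfs,nfs4,fuse.sshfs,` also looks unintended. The `\s` in the two new patterns `"^\s*rsync"` and `"^\s*--one-file-system"` is a GNU extension that the OpenBSD grep may not honour in a basic regex; `^[[:space:]]*` is the portable spelling. The start of check_evobackup_exclude_mount, where `excludes_file` is created, lies outside the hunk.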