evolix/EvoBSD
21
0
Fork 0
Code Issues 2 Pull requests Releases 3 Wiki Activity

evocheck: upstream release 22.10

Browse source
This commit is contained in:
Jérémy Dubois 2022-10-14 10:40:23 +02:00
parent d10b2c42b3
commit a458f51289
1 changed files with 18 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
roles/evocheck/files/evocheck.sh
View file

@ -3,7 +3,7 @@
# EvoCheck # EvoCheck
# Script to verify compliance of an OpenBSD server powered by Evolix # Script to verify compliance of an OpenBSD server powered by Evolix
readonly VERSION="22.08" readonly VERSION="22.10"
# base functions # base functions
@ -126,7 +126,7 @@ check_backupuptodate(){
backup_dir="/home/backup" backup_dir="/home/backup"
if [ -d "${backup_dir}" ]; then if [ -d "${backup_dir}" ]; then
if [ -n "$(ls -A ${backup_dir})" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then
for file in "${backup_dir}"/*; do find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do
limit=$(($(date +"%s") - 172800)) limit=$(($(date +"%s") - 172800))
updated_at=$(stat -f "%m" "$file") updated_at=$(stat -f "%m" "$file")
@ -248,7 +248,7 @@ check_usrsharescripts(){
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be 700" test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be 700"
} }
check_sshpermitrootno() { check_sshpermitrootno() {
if ! (sshd -T -C addr=,user=,host=,laddr=,lport=0,rdomain= | grep -q 'permitrootlogin no'); then if ! (sshd -T -C addr=,user=,host=,laddr=,lport=0,rdomain= 2> /dev/null | grep -qi 'permitrootlogin no'); then
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
fi fi
} }
@ -304,12 +304,12 @@ check_defaultroute(){
fi fi
} }
check_ntp(){ check_ntp(){
if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then if grep -q "servers ntp.evolix.net" /etc/ntpd.conf; then
if [ "$(wc -l /etc/ntpd.conf | awk '{print $1}')" -ne 1 ]; then if [ "$(wc -l /etc/ntpd.conf | awk '{print $1}')" -ne 1 ]; then
failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"." failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"servers ntp.evolix.net\"."
fi fi
else else
failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"server ntp.evolix.net\"." failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"servers ntp.evolix.net\"."
fi fi
} }
check_openvpncronlog(){ check_openvpncronlog(){
@ -352,11 +352,18 @@ check_evobackup_exclude_mount() {
# shellcheck disable=SC2013 # shellcheck disable=SC2013
for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" # if the file seems to be a backup script, with an Rsync invocation
not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}") if grep -q "^\s*rsync" "${evobackup_file}"; then
for mount in ${not_excluded}; do # If rsync is not limited by "one-file-system"
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" # then we verify that every mount is excluded
done if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
for mount in ${not_excluded}; do
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
done
fi
fi
done done
rm -rf "${excludes_file}" rm -rf "${excludes_file}"
} }