From 835072c1e2cde8240d65a8fa3105f5476c3f9b15 Mon Sep 17 00:00:00 2001
From: David Prevot
Date: Mon, 2 May 2022 10:27:32 +0200
Subject: [PATCH 01/20] CI: Support Jenkins
---
.Jenkinsfile | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 .Jenkinsfile
diff --git a/.Jenkinsfile b/.Jenkinsfile
new file mode 100644
index 00000000..3f488638
--- /dev/null
+++ b/.Jenkinsfile
@@ -0,0 +1,50 @@
+pipeline {
+ agent { label 'docker' }
+
+ environment {
+ ROLES_VERSION = "${env.GIT_COMMIT}"
+ }
+
+ stages {
+ stage('Build tagged docker image') {
+ when {
+ buildingTag()
+ }
+ steps {
+ script {
+ def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
+ im.inside {
+ sh 'echo Test needed'
+ }
+ def version = TAG_NAME
+ def versions = version.split('\\.')
+ def major = versions[0]
+ def minor = versions[0] + '.' + versions[1]
+ def patch = version.trim()
+ /* No crendentials yet
+ im.push(major)
+ im.push(minor)
+ im.push(patch)
+ */
+ }
+ }
+ }
+
+ stage('Build latest docker image') {
+ when {
+ branch 'unstable'
+ }
+ steps {
+ script {
+ def im = docker.build("evolix/ansible-roles:build${env.BUILD_ID}")
+ im.inside {
+ sh 'echo Test needed'
+ }
+ /* No crendentials yet
+ im.push('latest')
+ */
+ }
+ }
+ }
+ }
+}
From e0c95b4c7868dafebcf64c09155ba13daea19b95 Mon Sep 17 00:00:00 2001
From: Bruno TATU
Date: Fri, 8 Jul 2022 11:26:00 +0200
Subject: [PATCH 02/20] Ensure apply dbpurgeage from stretch and buster for fail2ban
---
fail2ban/tasks/fix-dbpurgeage.yml | 19 +++++++++++++++++++
fail2ban/tasks/main.yml | 9 ++++++++-
fail2ban/templates/fail2ban_dbpurge.j2 | 3 +++
fail2ban/tests/test.yml | 4 +++-
4 files changed, 33 insertions(+), 2 deletions(-)
create mode 100644 fail2ban/tasks/fix-dbpurgeage.yml
create mode 100644 fail2ban/templates/fail2ban_dbpurge.j2
diff --git a/fail2ban/tasks/fix-dbpurgeage.yml b/fail2ban/tasks/fix-dbpurgeage.yml
new file mode 100644
index 00000000..67819a3f
--- /dev/null
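Review bot: `TAG_NAME` is used unvalidated in the tagged-image stage: `versions[1]` throws on a tag that contains no dot, and once the commented-out `im.push(...)` calls are enabled any tag name becomes a published image tag. A guard right after `def version = TAG_NAME`, for example `if (!(version ==~ /\d+\.\d+(\.\d+)?/)) { error "Unexpected tag: ${version}" }`, would fail the build early. `patch` is trimmed while `major` and `minor` are derived from the untrimmed value, so trimming once at assignment (`def version = TAG_NAME.trim()`) keeps the three consistent. When pushing is enabled, wrapping the pushes in `docker.withRegistry` with a Jenkins credentials id keeps the registry secret out of the Jenkinsfile.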
+++ b/fail2ban/tasks/fix-dbpurgeage.yml @@ -0,0 +1,19 @@ +- name: Sqlite needed + ansible.builtin.apt: + name: + - sqlite3 + state: present + +- name: Register bantime from default config from package + shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1" + register: default_dbpurgeage + changed_when: false + check_mode: false + +- name: Add crontab + template: + src: fail2ban_dbpurge.j2 + dest: /etc/cron.daily/fail2ban_dbpurge + mode: 0700 + owner: root + group: root diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 56378c9b..08478112 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -103,4 +103,11 @@ mode: "0644" notify: restart fail2ban when: - - fail2ban_recidive \ No newline at end of file + - fail2ban_recidive + +- name: Fix dbpurgeage for stretch and buster + include: fix-dbpurgeage.yml + when: + - ansible_distribution_release == "stretch" or ansible_distribution_release == "buster" + tags: + - fail2ban diff --git a/fail2ban/templates/fail2ban_dbpurge.j2 b/fail2ban/templates/fail2ban_dbpurge.j2 new file mode 100644 index 00000000..1611bcbd --- /dev/null +++ b/fail2ban/templates/fail2ban_dbpurge.j2 @@ -0,0 +1,3 @@ +#!/bin/sh +# Juin 2022 : #64088 +/usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE date('now', '-{{ fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }}') > datetime(timeofban, 'unixepoch'); VACUUM;" diff --git a/fail2ban/tests/test.yml b/fail2ban/tests/test.yml index 67c6e10c..59e70a73 100644 --- a/fail2ban/tests/test.yml +++ b/fail2ban/tests/test.yml @@ -1,4 +1,6 @@ --- -- hosts: test-kitchen +- hosts: all + become: yes +# gather_facts: no roles: - role: fail2ban From 213c6dd6ac2a52a004ad633d3d7c4c4aedc8b82d Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Fri, 8 Jul 2022 11:28:29 +0200 Subject: [PATCH 03/20] Add change for fail2ban role --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) 
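Review bot: `default_dbpurgeage.stdout` ends up in a root cron script without any check: the shell pipeline ends in `head`, so the task succeeds even when `grep` matches nothing (or when the line is written without spaces around `=` and `awk '{print $3}'` prints an empty field). An `ansible.builtin.assert` placed after the register task, with `that: default_dbpurgeage.stdout is match('^[0-9]+[a-z]*$')`, would stop the play before a malformed script is installed. The task name says "bantime" although the command reads `dbpurgeage`, and `mode: 0700` is safer written quoted as `mode: "0700"`.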
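Review bot: `include:` in the added task of fail2ban/tasks/main.yml is deprecated in current Ansible releases; `ansible.builtin.include_tasks: fix-dbpurgeage.yml` is the replacement and matches the fully qualified `ansible.builtin.apt` used in the included file. The condition also reads more simply as `ansible_distribution_release in ['stretch', 'buster']`.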
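Review bot: The purge age in fail2ban_dbpurge.j2 is pasted as-is into `date('now', '-…')`, and as far as I know SQLite only accepts a numeric modifier together with a unit (constructed examples: `'-86400 seconds'`, `'-1 days'`); with a bare number or a fail2ban-style value such as `1d` the expression evaluates to NULL and the DELETE removes nothing, so the cron job would be a silent no-op. If the variable is meant to hold seconds, writing the modifier as `'-{{ (fail2ban_recidive_bantime | default(default_dbpurgeage.stdout)) | int }} seconds'` makes the unit explicit and keeps anything but digits out of the double-quoted shell string that runs as root. That is only safe once the value has been checked to be an integer beforehand, because `int` turns a non-numeric string into 0 and the statement would then purge every ban older than today.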
diff --git a/CHANGELOG.md b/CHANGELOG.md index 2429f2fe..9b2ccee7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,12 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Security +## [22.07] 2022-07-08 + +### Added + +* fail2ban: Ensure apply dbpurgeage from stretch and buster + ## [22.07] 2022-07-06 ### Added From 0b41efd188e07f369b004b52cb83ffabaf9ee343 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 18 Jul 2022 15:54:42 +0200 Subject: [PATCH 04/20] mongodb: replace version_compare() with version() --- CHANGELOG.md | 2 ++ mongodb/tasks/main_bullseye.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b2ccee7..82e65832 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,8 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* mongodb: replace version_compare() with version() + ### Fixed ### Removed diff --git a/mongodb/tasks/main_bullseye.yml b/mongodb/tasks/main_bullseye.yml index e31ffed3..78459863 100644 --- a/mongodb/tasks/main_bullseye.yml +++ b/mongodb/tasks/main_bullseye.yml @@ -4,7 +4,7 @@ msg: Not compatible with Debian 11 (Bullseye) when: - ansible_distribution_release == "bullseye" - - mongodb_version is version_compare('5.0', '<=') + - mongodb_version is version('5.0', '<=') - name: MongoDB embedded GPG key is absent From 2e54944a246e21c56eaba0a8ee77cc71aec6b647 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Tue, 19 Jul 2022 15:01:20 +0200 Subject: [PATCH 05/20] [packweb-apache] Do gzip logs after web server reload instead of before to address 'file size changed while zipping' error. --- packweb-apache/files/userlogrotate | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate index 897c077b..deaf850a 100644 --- a/packweb-apache/files/userlogrotate 
+++ b/packweb-apache/files/userlogrotate @@ -5,7 +5,6 @@ HOMEPREFIX="/home" rotate () { mv $1 $1.$DATE - gzip $1.$DATE touch $1 chown $2 $1 chmod g+r $1 @@ -36,5 +35,21 @@ fi; test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 +# Zipping is done after web serveur reload, so that the file descriptor is released. +# Else, an error is raised (gzip file size changed while zipping) +# and logs written buring the zipping process might be lost. + +for log in access.log access-*.log error.log; do + for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do + gzip $i + done +done + +for log in production.log delayed_job.log development.log test.log; do + for i in `ls -1 -d $HOMEPREFIX/*/www/{,current/}log/$log 2>/dev/null | grep -v \.bak\.`; do + gzip $i + done +done + # we want exit 0 true From 9742ec078e20313fd23e0a7bf012ba12e2409ebf Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Tue, 19 Jul 2022 15:04:25 +0200 Subject: [PATCH 06/20] [packweb-apache] Fix unsecable spaces --- packweb-apache/files/userlogrotate | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate index deaf850a..2656f55d 100644 --- a/packweb-apache/files/userlogrotate +++ b/packweb-apache/files/userlogrotate @@ -35,8 +35,8 @@ fi; test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 -# Zipping is done after web serveur reload, so that the file descriptor is released. -# Else, an error is raised (gzip file size changed while zipping) +# Zipping is done after web serveur reload, so that the file descriptor is released. +# Else, an error is raised (gzip file size changed while zipping) # and logs written buring the zipping process might be lost. for log in access.log access-*.log error.log; do From 8cdaee9658ff80810949dd10a4251bd6a3e6084d Mon Sep 17 00:00:00 2001 
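Review bot: The loops added at the end of the script glob `$HOMEPREFIX/*/log/$log`, that is the live `access.log`/`error.log` that `rotate()` has just re-created with `touch`, while the rotated `$1.$DATE` files that the removed `gzip $1.$DATE` used to compress are no longer matched; as far as the hunks show, the rotated files stay uncompressed and the fresh log is what gets gzipped. The loops also parse `ls` output and pass `$i` unquoted, in directories under `/home` that site users can presumably write to, so a file name containing whitespace or starting with a dash is split into extra gzip arguments in a script that likely runs as root. Globbing the rotated name directly avoids both problems: `for i in "$HOMEPREFIX"/*/log/$log.$DATE; do [ -f "$i" ] && gzip -- "$i"; done`, keeping the `.bak.` exclusion as a `case "$i" in *.bak.*) continue;; esac` test; the `www/{,current/}log` loop needs the same shape and additionally relies on bash brace expansion. The `rotate()` body and the loop that calls it start outside the hunks.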
From: Alexis Ben Miloud--Josselin Date: Tue, 19 Jul 2022 15:49:25 +0200 Subject: [PATCH 07/20] [php] Corriger installation sury pour les packweb en bullseye --- php/files/sury.preferences | 2 +- php/tasks/sury_pre.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/php/files/sury.preferences b/php/files/sury.preferences index cc4901c2..15aa9c16 100644 --- a/php/files/sury.preferences +++ b/php/files/sury.preferences @@ -1,4 +1,4 @@ -Package: php* libapache2-mod-php* libpcre2* libzip4* +Package: php* libapache2-mod-php* libpcre2* libzip4* libgd* Pin: origin packages.sury.org Pin-Priority: 999 diff --git a/php/tasks/sury_pre.yml b/php/tasks/sury_pre.yml index c421fe04..13dcc4ec 100644 --- a/php/tasks/sury_pre.yml +++ b/php/tasks/sury_pre.yml @@ -40,3 +40,4 @@ - php-ssh2 - composer - libphp-phpmailer + when: ansible_distribution_release != "bullseye" From 66563d0bf3893f2207bb7bd83cf0dc42f91bb42a Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Tue, 19 Jul 2022 17:19:58 +0200 Subject: [PATCH 08/20] =?UTF-8?q?[packweb-apache]=20#66841=20:=20ajout=20t?= =?UTF-8?q?=C3=A2che=20update=5Fuserlogrotate.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packweb-apache/tasks/update_userlogrotate.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 packweb-apache/tasks/update_userlogrotate.yml diff --git a/packweb-apache/tasks/update_userlogrotate.yml b/packweb-apache/tasks/update_userlogrotate.yml new file mode 100644 index 00000000..a94080b0 --- /dev/null +++ b/packweb-apache/tasks/update_userlogrotate.yml @@ -0,0 +1,16 @@ +--- + +- name: "Cherche l'emplacement de userlogrotate" + ansible.builtin.find: + path: /etc + patterns: userlogrotate + register: find_logrotate + +- name: "Met-à-jour userlogrotate" + ansible.builtin.copy: + src: userlogrotate + dest: "{{ item }}" + mode: "0755" + loop: "{{ find_logrotate.files }}" + when: find_logrotate.files | length>0 + 
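Review bot: Adding `libgd*` to php/files/sury.preferences widens the priority-999 pin, so every package matching that glob is now taken from packages.sury.org in preference to the Debian archive, including Debian's own security updates for it, and the file does not say why. An `Explanation:` line above the stanza, for example `Explanation: libgd from sury is needed by its php-gd builds on bullseye (commit 8cdaee96)`, would record the reason; that wording is inferred from the commit subject and should be confirmed. If a single library package is what is required, naming it instead of the glob keeps the third-party pin as narrow as possible.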
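Review bot: In packweb-apache/tasks/update_userlogrotate.yml, `dest: "{{ item }}"` receives the whole result dictionary that `ansible.builtin.find` returns for each file rather than its path; it should be `dest: "{{ item.path }}"`. `find` also does not descend into subdirectories unless `recurse: true` is set, so with `path: /etc` only a script placed directly in `/etc` is matched; if userlogrotate is installed in a cron directory (not visible here) the task silently updates nothing. Adding `owner: root` and `group: root` to the copy would pin the ownership of a script that presumably runs as root, and the `when:` on the length is redundant with an empty `loop`.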
From d67e03e5a23fb368125023932522864c77f13740 Mon Sep 17 00:00:00 2001 From: David Prevot Date: Tue, 19 Jul 2022 17:23:37 +0200 Subject: [PATCH 09/20] packweb-apache/files/userlogrotate: tfix (comments). --- packweb-apache/files/userlogrotate | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packweb-apache/files/userlogrotate b/packweb-apache/files/userlogrotate index 2656f55d..7ed42668 100644 --- a/packweb-apache/files/userlogrotate +++ b/packweb-apache/files/userlogrotate @@ -35,9 +35,9 @@ fi; test -x /usr/sbin/nginx && invoke-rc.d nginx rotate >/dev/null 2>&1 -# Zipping is done after web serveur reload, so that the file descriptor is released. +# Zipping is done after web server reload, so that the file descriptor is released. # Else, an error is raised (gzip file size changed while zipping) -# and logs written buring the zipping process might be lost. +# and logs written during the zipping process might be lost. for log in access.log access-*.log error.log; do for i in `ls -1 -d $HOMEPREFIX/*/log/$log 2>/dev/null | grep -v \.bak\.`; do From fa5eb5aa5c04f69becc4c11103ab3c217e94d140 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 20 Jul 2022 11:02:44 +0200 Subject: [PATCH 10/20] Avoid find warning global options are not positional (-maxdepth after the argument -type) --- evocheck/files/evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 9391f119..81c18061 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -742,7 +742,7 @@ check_backupuptodate() { backup_dir="/home/backup" if [ -d "${backup_dir}" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then - find "${backup_dir}" -type f -maxdepth 1 | while read -r file; do + find "${backup_dir}" -maxdepth 1 -type f | while read -r file; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" "$file") 
From 3f9ac05b1304154afcc692bdcc0cad241668f201 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Mon, 25 Jul 2022 17:29:19 +0200 Subject: [PATCH 11/20] =?UTF-8?q?Homog=C3=A9n=C3=A9isation=20du=20port=20O?= =?UTF-8?q?penDKIM=20par=20d=C3=A9faut=20du=20r=C3=B4le=20postfix=20avec?= =?UTF-8?q?=20celui=20du=20r=C3=B4le=20OpenDKIM?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- postfix/templates/packmail_main.cf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/postfix/templates/packmail_main.cf.j2 b/postfix/templates/packmail_main.cf.j2 index d9d90836..82b94afa 100644 --- a/postfix/templates/packmail_main.cf.j2 +++ b/postfix/templates/packmail_main.cf.j2 @@ -412,8 +412,8 @@ smtpd_sasl_path = private/auth-client # Amavis and OpenDKIM content_filter = smtp-amavis:[127.0.0.1]:10024 -smtpd_milters = inet:[127.0.0.1]:54321 -non_smtpd_milters = inet:[127.0.0.1]:54321 +smtpd_milters = inet:[127.0.0.1]:8891 +non_smtpd_milters = inet:[127.0.0.1]:8891 {% if postfix_slow_transport_include == True %} # Slow transports configuration From 4b39f5a9986d28d8e5f0b51246ea7b5233f35e28 Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Mon, 25 Jul 2022 17:58:51 +0200 Subject: [PATCH 12/20] [webapps/evoadmin-mail] Ajout remount RW manquant --- webapps/evoadmin-mail/tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/webapps/evoadmin-mail/tasks/main.yml b/webapps/evoadmin-mail/tasks/main.yml index 7f94281b..88f2dbb6 100644 --- a/webapps/evoadmin-mail/tasks/main.yml +++ b/webapps/evoadmin-mail/tasks/main.yml @@ -1,4 +1,9 @@ --- + +- name: Remount /usr RW + include_role: + name: evolix/remount-usr + - name: Install evoadmin-mail package apt: deb: /tmp/evoadmin-mail.deb From b453321b3d6e84dd9bf3a77d66fea2437b46c075 Mon Sep 17 00:00:00 2001 
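Review bot: The milter port in postfix/templates/packmail_main.cf.j2 is still a literal, now `8891` on both `smtpd_milters` and `non_smtpd_milters`, so it can drift from the OpenDKIM role's default again the next time either side changes. A single role variable with 8891 as its default would keep them aligned, e.g. `smtpd_milters = inet:[127.0.0.1]:{{ OPENDKIM_PORT_VAR | default(8891) }}`, where `OPENDKIM_PORT_VAR` is a placeholder for whatever name the two roles agree on. Hosts whose OpenDKIM still listens on 54321 will stop reaching the milter once this template is deployed unless the OpenDKIM role is applied in the same run; the effect on mail flow depends on `milter_default_action`, which is not visible here, so a CHANGELOG entry flagging the change would help.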
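Review bot: Nothing in the webapps/evoadmin-mail/tasks/main.yml hunk puts `/usr` back to read-only after the package install; if `evolix/remount-usr` does not register a handler for that (its tasks are not visible here), hosts that rely on a read-only `/usr` stay writable until the next remount or reboot. A short comment on the new task, e.g. `# /usr is remounted read-only again by <mechanism to confirm>`, would document where that happens. The rest of the play continues outside the hunk.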
From: Jeremy Lecour Date: Wed, 27 Jul 2022 09:23:55 +0200 Subject: [PATCH 13/20] nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 82e65832..3e118e3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed * mongodb: replace version_compare() with version() +* nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 ### Fixed diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index d3d102f0..e7ae1876 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} # System checks command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20% -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home +command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /run/lock -x /run/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 From f7edd565a391f8af435bb6e13c6e20441f9ecaf9 Mon Sep 17 00:00:00 2001 
From: Jeremy Lecour Date: Wed, 27 Jul 2022 09:24:44 +0200 Subject: [PATCH 14/20] nagios-nrpe: check_disk1 returns only alerts --- CHANGELOG.md | 1 + nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3e118e3c..7ea9174d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ The **patch** part changes is incremented if multiple releases happen the same m * mongodb: replace version_compare() with version() * nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 +* nagios-nrpe: check_disk1 returns only alerts ### Fixed diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index e7ae1876..d4b301af 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} # System checks command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20% -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /run/lock -x /run/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home +command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -x /lib/init/rw -x /dev -x /dev/shm -x /run/lock -x /run/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 From a8c117146c9592ee5f590e7887387b6a106bd282 Mon Sep 17 00:00:00 2001 
From: "William Hirigoyen (Evolix)" Date: Wed, 27 Jul 2022 09:34:30 +0200 Subject: [PATCH 15/20] =?UTF-8?q?[webapps/roundcube]=C2=A0Corrige=20le=20D?= =?UTF-8?q?ocumentRoot?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- webapps/roundcube/templates/apache2.conf.j2 | 2 +- webapps/roundcube/templates/nginx.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/webapps/roundcube/templates/apache2.conf.j2 b/webapps/roundcube/templates/apache2.conf.j2 index 01c25f3a..87bdf79e 100644 --- a/webapps/roundcube/templates/apache2.conf.j2 +++ b/webapps/roundcube/templates/apache2.conf.j2 @@ -9,7 +9,7 @@ ServerName {{ roundcube_host }} # Repertoire principal - DocumentRoot /var/lib/roundcube/ + DocumentRoot /var/lib/roundcube/public_html # Return 503 if imapproxy doesn't run diff --git a/webapps/roundcube/templates/nginx.conf.j2 b/webapps/roundcube/templates/nginx.conf.j2 index 1719c407..66dcb8a5 100644 --- a/webapps/roundcube/templates/nginx.conf.j2 +++ b/webapps/roundcube/templates/nginx.conf.j2 @@ -10,7 +10,7 @@ server { access_log /var/log/nginx/.{{ roundcube_host }}.access.log; error_log /var/log/nginx/.{{ roundcube_host }}.error.log; - root /var/lib/roundcube/; + root /var/lib/roundcube/public_html; index index.php; location / { From 0d086731ae02e3a054486b017354dca9d44f0c01 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Wed, 27 Jul 2022 15:49:41 +0200 Subject: [PATCH 16/20] evomaintenance: upstream release 22.07 --- CHANGELOG.md | 1 + evomaintenance/files/evomaintenance.sh | 38 ++++++++++++++++++++++---- 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7ea9174d..9cefcee0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
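Review bot: The new web root `/var/lib/roundcube/public_html` is set unconditionally, as `DocumentRoot` in apache2.conf.j2 and as `root` in nginx.conf.j2, with no check that the directory exists on the target. Serving only `public_html` keeps the application's configuration, log and temp directories out of the served tree, but if the role still targets releases whose roundcube package does not ship that directory (to be confirmed), the vhost would have nothing to serve; a `stat` plus `assert` task before templating would catch that. Any directory or `location` block further down that still names `/var/lib/roundcube/` lies outside these hunks and is worth re-checking against the new root.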
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evomaintenance: upstream release 22.07 * mongodb: replace version_compare() with version() * nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 * nagios-nrpe: check_disk1 returns only alerts diff --git a/evomaintenance/files/evomaintenance.sh b/evomaintenance/files/evomaintenance.sh index 3903f2ef..bce0e562 100644 --- a/evomaintenance/files/evomaintenance.sh +++ b/evomaintenance/files/evomaintenance.sh @@ -7,7 +7,7 @@ # Copyright 2007-2022 Evolix , Gregory Colpart , # Jérémy Lecour and others. -VERSION="22.01" +VERSION="22.07" show_version() { cat < Date: Wed, 27 Jul 2022 18:51:24 +0200 Subject: [PATCH 17/20] =?UTF-8?q?[generate-ldif]=C2=A0Fix=20package=20cond?= =?UTF-8?q?ition=20to=20have=20IMAP=20and=20POP=20checks=20added=20to=20ld?= =?UTF-8?q?if.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- generate-ldif/templates/generateldif.sh.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/generate-ldif/templates/generateldif.sh.j2 b/generate-ldif/templates/generateldif.sh.j2 index 86bfc0eb..17ff759a 100755 --- a/generate-ldif/templates/generateldif.sh.j2 +++ b/generate-ldif/templates/generateldif.sh.j2 @@ -488,8 +488,8 @@ EOT fi # Dovecot -if is_pkg_installed dovecot-common; then - dovecot_version=$(get_pkg_version dovecot-common) +if is_pkg_installed dovecot-core; then + dovecot_version=$(get_pkg_version dovecot-core) fi if [ -n "${dovecot_version}" ]; then cat <> "${ldif_file}" From c8898a3d1053c269c0f236524b584d91a1273412 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Jul 2022 13:25:51 +0200 Subject: [PATCH 18/20] nagios-nrpe: use regexp to exclude paths/devices in check_disk1 --- CHANGELOG.md | 2 +- nagios-nrpe/templates/evolix.cfg.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cefcee0..627bbd3a 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,8 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m * evomaintenance: upstream release 22.07 * mongodb: replace version_compare() with version() -* nagios-nrpe: exclude /run/shm and /run/lock from check_disk1 * nagios-nrpe: check_disk1 returns only alerts +* nagios-nrpe: use regexp to exclude paths/devices in check_disk1 ### Fixed diff --git a/nagios-nrpe/templates/evolix.cfg.j2 b/nagios-nrpe/templates/evolix.cfg.j2 index d4b301af..b007b3a8 100644 --- a/nagios-nrpe/templates/evolix.cfg.j2 +++ b/nagios-nrpe/templates/evolix.cfg.j2 @@ -9,7 +9,7 @@ allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }} # System checks command[check_load]=/usr/lib/nagios/plugins/check_load --percpu --warning=0.7,0.6,0.5 --critical=0.9,0.8,0.7 command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20% -command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -x /lib/init/rw -x /dev -x /dev/shm -x /run/lock -x /run/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home +command[check_disk1]=/usr/lib/nagios/plugins/check_disk -e -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home -x /lib/init/rw -x /dev -x /dev/shm -x /run -I '^/run/' -I '^/sys/' command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z command[check_total_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 400 -c 600 command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10 From f10ebe8cd6e9cf9079f8a49849cb1c6fedf9a592 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Jul 2022 13:38:33 +0200 Subject: [PATCH 19/20] evocheck: upstream release 22.07 --- CHANGELOG.md | 1 + evocheck/files/evocheck.sh | 17 +++++++++++++---- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 627bbd3a..21319b1a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed +* evocheck: upstream release 22.07 * evomaintenance: upstream release 22.07 * mongodb: replace version_compare() with version() * nagios-nrpe: check_disk1 returns only alerts diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh index 81c18061..1bc54d79 100644 --- a/evocheck/files/evocheck.sh +++ b/evocheck/files/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.06.2" +VERSION="22.07" readonly VERSION # base functions @@ -610,6 +610,14 @@ check_evobackup() { evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron" } +# Vérification de la mise en place de la purge pour fail2ban +check_purge_fail2ban() { + if is_debian_stretch || is_debian_buster; then + if is_installed fail2ban; then + test -f /etc/cron.daily/fail2ban_dbpurge || failed "IS_FAIL2BAN_PURGE" "missing script fail2ban_dbpurge cron" + fi + fi +} # Vérification de l'exclusion des montages (NFS) dans les sauvegardes check_evobackup_exclude_mount() { excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") @@ -970,7 +978,7 @@ check_mongo_backup() { # You could change the default path in /etc/evocheck.cf MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} if [ -d "$MONGO_BACKUP_PATH" ]; then - for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}*; do # Skip indexes file. if ! [[ "$file" =~ indexes ]]; then limit=$(date +"%s" -d "now - 2 day") 
@@ -1227,8 +1235,8 @@ check_sshpermitrootno() { # -T doesn't require the additional -C. sshd_args= fi - # XXX: We want parameter expension here - if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then + # shellcheck disable=SC2086 + if ! (sshd -T ${sshd_args} | grep -q 'permitrootlogin no'); then failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no" fi } @@ -1810,6 +1818,7 @@ while :; do IS_UPTIME=0 IS_MELTDOWN_SPECTRE=0 IS_CHECK_VERSIONS=0 + IS_NETWORKING_SERVICE=0 ;; -v|--verbose) VERBOSE=1 From 25b96c3283471b3130b0d77369e2ff20d98efed9 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 28 Jul 2022 13:49:57 +0200 Subject: [PATCH 20/20] Release 22.07.1 --- CHANGELOG.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 21319b1a..2a162ae9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,18 +14,22 @@ The **patch** part changes is incremented if multiple releases happen the same m ### Changed -* evocheck: upstream release 22.07 -* evomaintenance: upstream release 22.07 -* mongodb: replace version_compare() with version() -* nagios-nrpe: check_disk1 returns only alerts -* nagios-nrpe: use regexp to exclude paths/devices in check_disk1 - ### Fixed ### Removed ### Security +## [22.07.1] 2022-07-28 + +### Changed + +* evocheck: upstream release 22.07 +* evomaintenance: upstream release 22.07 +* mongodb: replace version_compare() with version() +* nagios-nrpe: check_disk1 returns only alerts +* nagios-nrpe: use regexp to exclude paths/devices in check_disk1 + ## [22.07] 2022-07-08 ### Added