Browse Source

Merge branch 'unstable' of evolix/ansible-roles into stable

tags/9.9.0
Jérémy Lecour Gitea 11 months ago
parent
commit
2c11f02554
100 changed files with 6788 additions and 628 deletions
  1. +27
    -0
      CHANGELOG.md
  2. +3
    -3
      README.md
  3. +1
    -1
      apache/meta/main.yml
  4. +1
    -1
      apt/meta/main.yml
  5. +8
    -0
      apt/tasks/backports.yml
  6. +1
    -1
      apt/templates/jessie_backports.list.j2
  7. +0
    -1
      apt/templates/jessie_basics.list.j2
  8. +1
    -1
      bind/meta/main.yml
  9. +1
    -1
      dhcpd/meta/main.yml
  10. +1
    -1
      drbd/meta/main.yml
  11. +2
    -0
      elasticsearch/defaults/main.yml
  12. +23
    -0
      elasticsearch/files/upgrade_elasticsearch_plugins.sh
  13. +1
    -1
      elasticsearch/meta/main.yml
  14. +22
    -0
      elasticsearch/tasks/additional_scripts.yml
  15. +2
    -0
      elasticsearch/tasks/main.yml
  16. +1
    -1
      etc-git/meta/main.yml
  17. +1
    -0
      etc-git/tasks/main.yml
  18. +1
    -1
      evoacme/README.md
  19. +18
    -0
      evoacme/files/hooks/commit
  20. +0
    -1
      evoacme/files/make-csr.sh
  21. +1
    -1
      evoacme/meta/main.yml
  22. +1
    -0
      evoacme/tasks/main.yml
  23. +778
    -299
      evocheck/files/evocheck.sh
  24. +1
    -1
      evocheck/meta/main.yml
  25. +1
    -1
      evolinux-base/meta/main.yml
  26. +14
    -5
      evolinux-base/tasks/packages.yml
  27. +1
    -1
      evolinux-todo/meta/main.yml
  28. +1
    -1
      evolinux-users/meta/main.yml
  29. +566
    -122
      evomaintenance/files/evomaintenance.sh
  30. +1
    -1
      evomaintenance/meta/main.yml
  31. +1
    -1
      fail2ban/meta/main.yml
  32. +6
    -0
      fail2ban/templates/jail.local.j2
  33. +1
    -1
      filebeat/meta/main.yml
  34. +1
    -1
      haproxy/meta/main.yml
  35. +1
    -1
      java/meta/main.yml
  36. +1
    -1
      jenkins/meta/main.yml
  37. +1
    -1
      kibana/meta/main.yml
  38. +1
    -1
      kvm-host/meta/main.yml
  39. +1
    -1
      ldap/meta/main.yml
  40. +1
    -1
      listupgrade/meta/main.yml
  41. +1
    -1
      logstash/meta/main.yml
  42. +1
    -1
      lxc/templates/default.conf
  43. +1
    -1
      memcached/meta/main.yml
  44. +1
    -1
      metricbeat/meta/main.yml
  45. +1
    -1
      minifirewall/files/minifirewall.conf
  46. +1
    -1
      minifirewall/meta/main.yml
  47. +1
    -1
      minifirewall/templates/minifirewall.j2
  48. +1
    -1
      monit/meta/main.yml
  49. +1
    -1
      munin/meta/main.yml
  50. +1
    -1
      mysql-oracle/meta/main.yml
  51. +1
    -1
      mysql/meta/main.yml
  52. +1
    -1
      nagios-nrpe/meta/main.yml
  53. +1
    -1
      networkd-to-ifconfig/meta/main.yml
  54. +1
    -1
      newrelic/meta/main.yml
  55. +1
    -1
      nginx/meta/main.yml
  56. +1
    -0
      nginx/templates/evolinux-default.conf.j2
  57. +1
    -1
      nodejs/meta/main.yml
  58. +9
    -24
      opendkim/files/opendkim-add.sh
  59. +0
    -1
      opendkim/files/opendkim.conf
  60. +17
    -10
      opendkim/tasks/main.yml
  61. +1
    -1
      packweb-apache/meta/main.yml
  62. +1
    -1
      php/files/sury.preferences
  63. +1
    -1
      php/meta/main.yml
  64. +17
    -17
      php/tasks/sury_post.yml
  65. +1
    -1
      postfix/meta/main.yml
  66. +1
    -1
      postgresql/meta/main.yml
  67. +1
    -1
      proftpd/meta/main.yml
  68. +1
    -1
      rabbitmq/meta/main.yml
  69. +1
    -1
      rbenv/meta/main.yml
  70. +1
    -0
      redis/files/redis-server@.service
  71. +1
    -1
      redis/meta/main.yml
  72. +18
    -17
      redis/tasks/instances.yml
  73. +7
    -0
      redis/tasks/main.yml
  74. +4
    -4
      spamassasin/files/sa-update.sh
  75. +8
    -0
      spamassasin/tasks/main.yml
  76. +1
    -0
      squid/files/evolinux-whitelist-defaults.conf
  77. +1
    -1
      squid/meta/main.yml
  78. +1
    -1
      ssl/meta/main.yml
  79. +0
    -0
      tomcat-instance/files/tomcat7/catalina.properties
  80. +0
    -0
      tomcat-instance/files/tomcat7/context.xml
  81. +0
    -0
      tomcat-instance/files/tomcat7/logging.properties
  82. +0
    -0
      tomcat-instance/files/tomcat7/tomcat-users.xml
  83. +0
    -0
      tomcat-instance/files/tomcat7/web.xml
  84. +152
    -0
      tomcat-instance/files/tomcat8/catalina.properties
  85. +30
    -0
      tomcat-instance/files/tomcat8/context.xml
  86. +23
    -0
      tomcat-instance/files/tomcat8/jaspic-providers.xml
  87. +56
    -0
      tomcat-instance/files/tomcat8/logging.properties
  88. +44
    -0
      tomcat-instance/files/tomcat8/tomcat-users.xml
  89. +4681
    -0
      tomcat-instance/files/tomcat8/web.xml
  90. +1
    -1
      tomcat-instance/meta/main.yml
  91. +15
    -13
      tomcat-instance/tasks/bootstrap.yml
  92. +0
    -0
      tomcat-instance/templates/server.xml-tomcat7.j2
  93. +169
    -0
      tomcat-instance/templates/server.xml-tomcat8.j2
  94. +1
    -0
      tomcat/defaults/main.yml
  95. +0
    -15
      tomcat/files/tomcat_stretch.service
  96. +1
    -1
      tomcat/meta/main.yml
  97. +1
    -5
      tomcat/tasks/main.yml
  98. +7
    -7
      tomcat/tasks/packages.yml
  99. +0
    -29
      tomcat/tasks/packages_stretch.yml
  100. +2
    -2
      tomcat/templates/tomcat.service.j2

+ 27
- 0
CHANGELOG.md View File

@@ -18,6 +18,33 @@ The **patch** part changes incrementally at each release.

### Security

## [9.9.0] - 2019-04-16

### Added
* evocheck : add "x-frame-options: sameorigin" for Munin
* etc-git: ignore evobackup/.keep-* files
* lxc: /home is mounted in the container by default

### Changed
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles
* apt: Ensure jessie-backport from archives.debian.org is accepted
* apt: Remove jessie-update suite as it's no longer exists
* apt: Replace mirror.evolix.org by archives.debian.org for jessie-backport
* evocheck : update script from upstream
* evolinux-base: remove apt-listchanges on Stretch and later
* evomaintenance: embed version 0.5.0
* opendkim: aligning roles with our conventions, major changes in opendkim-add.sh
* redis: higher limit of open files
* redis: set variables on inclusion, not with set_facts
* tomcat: better tomcat version management
* webapps/evoadmin-web: add dbadmin.sh to sudoers file


### Fixed
* spamassasin: fix sa-update.sh and ensure service is started and enabled
* tomcat-instance: deploy correct version of config files
* tomcat-instance: deploy correct version of server.xml

## [9.8.0] - 2019-01-31

### Added


+ 3
- 3
README.md View File

@@ -4,7 +4,7 @@ A repository for Ansible roles used by Evolix on Debian GNU/Linux 9 (stretch) se
Few roles are also be compatible with Debian GNU/Linux 8 (jessie) servers.

It contains only roles, everything else is available at
https://forge.evolix.org/projects/ansible-public
https://gitea.evolix.org/evolix/ansible-public

## Branches

@@ -20,7 +20,7 @@ First, check-out the repository :

```
$ cd ~/GIT/
$ git clone https://forge.evolix.org/projects/ansible-roles
$ git clone https://gitea.evolix.org/evolix/ansible-roles
```

Then, add its path to your ansible load path :
@@ -48,7 +48,7 @@ Contributions are welcome, especially bug fixes and "ansible good practices". Th

Before starting anything of importance, we suggest contacting us to discuss what you'd like to add or change.

Our conventions are available in the "ansible-public":https://forge.evolix.org/projects/ansible-public repository, in the CONVENTIONS.md file.
Our conventions are available in the "ansible-public":https://gitea.evolix.org/evolix/ansible-public repository, in the CONVENTIONS.md file.

## Workflow



+ 1
- 1
apache/meta/main.yml View File

@@ -2,7 +2,7 @@ galaxy_info:
author: Evolix
description: Installation and basic configuration of Apache

issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues

license: GPLv2



+ 1
- 1
apt/meta/main.yml View File

@@ -2,7 +2,7 @@ galaxy_info:
author: Evolix
description: Add repositories to APT sources list.

issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues

license: GPLv2



+ 8
- 0
apt/tasks/backports.yml View File

@@ -27,6 +27,14 @@
tags:
- apt

- name: Archived backport are accepted (jessie)
lineinfile:
dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
line: 'Acquire::Check-Valid-Until no;'
create: yes
state: present
when: ansible_distribution_release == "jessie"

- name: Apt update
apt:
update_cache: yes


+ 1
- 1
apt/templates/jessie_backports.list.j2 View File

@@ -1,3 +1,3 @@
# {{ ansible_managed }}

deb http://mirror.evolix.org/debian jessie-backports {{ apt_backports_components | mandatory }}
deb http://archive.debian.org/debian jessie-backports {{ apt_backports_components | mandatory }}

+ 0
- 1
apt/templates/jessie_basics.list.j2 View File

@@ -1,5 +1,4 @@
# {{ ansible_managed }}

deb http://mirror.evolix.org/debian/ jessie {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ jessie-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/ jessie/updates {{ apt_basics_components | mandatory }}

+ 1
- 1
bind/meta/main.yml View File

@@ -2,7 +2,7 @@ galaxy_info:
author: Evolix
description: Installation and basic configuration of bind9.

issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues

license: GPLv2



+ 1
- 1
dhcpd/meta/main.yml View File

@@ -2,7 +2,7 @@ galaxy_info:
author: Evolix
description: Installation and basic configuration of isc-dhcp-server.

issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues

license: GPLv2



+ 1
- 1
drbd/meta/main.yml View File

@@ -2,7 +2,7 @@ galaxy_info:
author: Evolix
description: Install tools to setup DRBD replication accross servers.

issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues

license: GPLv2



+ 2
- 0
elasticsearch/defaults/main.yml View File

@@ -24,3 +24,5 @@ elasticsearch_plugin_head_group: "{{ elasticsearch_plugin_head_owner }}"
elasticsearch_plugin_head_home: "/home/{{ elasticsearch_plugin_head_owner }}"
elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www"
elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp"

elasticsearch_additional_scripts_dir: /usr/share/scripts

+ 23
- 0
elasticsearch/files/upgrade_elasticsearch_plugins.sh View File

@@ -0,0 +1,23 @@
#!/bin/bash

# WARNING:
# This script is installed and maintained via Ansible. Don't edit directly.
# Create a fork if you need changes that can't go into the regular script.

set -e
set -u

PLUGIN_BIN=/usr/share/elasticsearch/bin/elasticsearch-plugin
NEED_RESTART=""

for plugin in $(${PLUGIN_BIN} list | grep -v WARNING); do
"${PLUGIN_BIN}" remove "${plugin}"
"${PLUGIN_BIN}" install "${plugin}"
NEED_RESTART="1"
done

if [ -n "${NEED_RESTART}" ]; then
systemctl restart elasticsearch
fi

exit 0

+ 1
- 1
elasticsearch/meta/main.yml View File

@@ -3,7 +3,7 @@ galaxy_info:
author: Evolix
description: Install Elasticsearch

issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues

license: GPLv2



+ 22
- 0
elasticsearch/tasks/additional_scripts.yml View File

@@ -0,0 +1,22 @@
---

- include_role:
name: remount-usr
when: elasticsearch_additional_scripts_dir | search ("/usr")

- name: "{{ elasticsearch_additional_scripts_dir }} exists"
file:
dest: "{{ elasticsearch_additional_scripts_dir }}"
mode: "0700"
owner: root
group: root
state: directory

- name: Plugins upgrade script is installed
copy:
src: upgrade_elasticsearch_plugins.sh
dest: "{{ elasticsearch_additional_scripts_dir }}/upgrade_elasticsearch_plugins.sh"
mode: "0755"
owner: "root"
group: "root"
force: yes

+ 2
- 0
elasticsearch/tasks/main.yml View File

@@ -12,6 +12,8 @@

- include: logs.yml

- include: additional_scripts.yml

- include: plugin_head.yml
when: elasticsearch_plugin_head



+ 1
- 1
etc-git/meta/main.yml View File

@@ -2,7 +2,7 @@ galaxy_info:
author: Evolix
description: Put /etc under Git version control.

issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues

license: GPLv2



+ 1
- 0
etc-git/tasks/main.yml View File

@@ -55,6 +55,7 @@
- "postfix/sa-blacklist.access"
- "postfix/*.db"
- "postfix/spamd.cidr"
- "evobackup/.keep-*"
tags:
- etc-git



+ 1
- 1
evoacme/README.md View File

@@ -2,7 +2,7 @@

EvoAcme is an [Ansible](https://www.ansible.com/) role and a [Certbot](https://certbot.eff.org) wrapper for generate [Let's Encrypt](https://letsencrypt.org/) certificates.

It is a project hosted at [Evolix's forge](https://forge.evolix.org/projects/ansible-roles/repository/)
It is a project hosted at [Evolix's forge](https://gitea.evolix.org/evolix/ansible-roles/)

Evoacme is open source software licensed under the AGPLv3 License.



+ 18
- 0
evoacme/files/hooks/commit View File

@@ -0,0 +1,18 @@
#!/bin/sh

git_bin=$(command -v git)
letsencrypt_dir=/etc/letsencrypt
export GIT_DIR="/etc/.git"
export GIT_WORK_TREE="/etc"

if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')

if [ "${changed_lines}" != "0" ]; then
${git_bin} add --all ${letsencrypt_dir}
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
${git_bin} commit --message "${message}" --quiet
else
echo "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
fi
fi

+ 0
- 1
evoacme/files/make-csr.sh View File

@@ -215,7 +215,6 @@ main() {
[ -w "${SELF_SIGNED_DIR}" ] || error "Directory ${SELF_SIGNED_DIR} is not writable"

mkdir -p "${SSL_KEY_DIR}"
chown root: "${SSL_KEY_DIR}"
[ -w "${SSL_KEY_DIR}" ] || error "Directory ${SSL_KEY_DIR} is not writable"

[ -r "${SSL_CONFIG_FILE}" ] || error "File ${SSL_CONFIG_FILE} is not readable"


+ 1
- 1
evoacme/meta/main.yml View File

@@ -2,7 +2,7 @@ galaxy_info:
author: Evolix
description: Install evoacme ; a wrapper for Certbot (Let's Encrypt)

issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues

license: GPLv2



+ 1
- 0
evoacme/tasks/main.yml View File

@@ -17,6 +17,7 @@
- reload_nginx
- reload_dovecot
- reload_postfix
- commit

- include: conf.yml



+ 778
- 299
evocheck/files/evocheck.sh View File

@@ -5,7 +5,9 @@
# powered by Evolix

# Repository: https://gitea.evolix.org/evolix/evocheck
# Commit: e6e0b8c216ed28a2ee2229e5e122ff1d49701ffc
# Commit: 84d197047a718f4f5b31c39a2e1741b5963271de

VERSION="0.14.0.beta2"

# Disable LANG*
export LANG=C
@@ -61,7 +63,6 @@ IS_BINDCHROOT=1
IS_REPVOLATILE=1
IS_AUTOIF=1
IS_INTERFACESGW=1
IS_TOOMUCHDEBIANSYSMAINT=1
IS_USERLOGROTATE=1
IS_MODSECURITY=1
IS_APACHECTL=1
@@ -73,6 +74,7 @@ IS_KERNELUPTODATE=1
IS_UPTIME=1
IS_MUNINRUNNING=1
IS_BACKUPUPTODATE=1
IS_ETCGIT=1
IS_GITPERMS=1
IS_NOTUPGRADED=1
IS_TUNE2FS_M5=1
@@ -109,6 +111,8 @@ IS_EVOACME_CRON=1
IS_EVOACME_LIVELINKS=1
IS_APACHE_CONFENABLED=1
IS_MELTDOWN_SPECTRE=1
IS_OLD_HOME_DIR=1
IS_LSBRELEASE=1

#Proper to OpenBSD
IS_SOFTDEP=1
@@ -127,110 +131,291 @@ IS_NRPEDAEMON=1
IS_ALERTBOOT=1
IS_RSYNC=1

# Default return code : 0 = no error
RC=0

# Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf

# If --cron is passed, ignore some checks.
if [ "$1" = "--cron" ]; then
IS_KERNELUPTODATE=0
IS_UPTIME=0
# OS detection
DEBIAN_RELEASE=""
LSB_RELEASE_BIN=$(command -v lsb_release)
OPENBSD_RELEASE=""

if [ -e /etc/debian_version ]; then
DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
if [ -x "${LSB_RELEASE_BIN}" ]; then
DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short)
else
case ${DEBIAN_VERSION} in
5) DEBIAN_RELEASE="lenny";;
6) DEBIAN_RELEASE="squeeze";;
7) DEBIAN_RELEASE="wheezy";;
8) DEBIAN_RELEASE="jessie";;
9) DEBIAN_RELEASE="stretch";;
esac
fi
elif [ "$(uname -s)" = "OpenBSD" ]; then
# use a better release name
OPENBSD_RELEASE=$(uname -r)
fi

# Functions

show_version() {
cat <<END
evocheck version ${VERSION}

Copyright 2009-2019 Evolix <info@evolix.fr>,
Romain Dessort <rdessort@evolix.fr>,
Benoit Série <bserie@evolix.fr>,
Gregory Colpart <reg@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Tristan Pilat <tpilat@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>
and others.

evocheck comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
evocheck is a script that verifies Evolix conventions on Debian/OpenBSD servers.

Usage: evocheck
or evocheck --cron
or evocheck --quiet
or evocheck --verbose

Options
--cron disable a few checks
-v, --verbose increase verbosity of checks
-q, --quiet nothing is printed on stdout nor stderr
-h, --help print this message and exit
--version print version and exit
END
}

is_debian() {
test -n "${DEBIAN_RELEASE}"
}
is_debian_lenny() {
test "${DEBIAN_RELEASE}" = "lenny"
}
is_debian_squeeze() {
test "${DEBIAN_RELEASE}" = "squeeze"
}
is_debian_wheezy() {
test "${DEBIAN_RELEASE}" = "wheezy"
}
is_debian_jessie() {
test "${DEBIAN_RELEASE}" = "jessie"
}
is_debian_stretch() {
test "${DEBIAN_RELEASE}" = "stretch"
}
debian_release() {
printf "%s" "${DEBIAN_RELEASE}"
}
debian_version() {
printf "%s" "${DEBIAN_VERSION}"
}
is_openbsd() {
test -n "${OPENBSD_RELEASE}"
}

is_pack_web(){
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
}

is_pack_samba(){
test -e /usr/share/scripts/add.pl
}

is_installed(){
for pkg in $*; do
dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1
for pkg in "$@"; do
dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1
done
}

is_debianversion(){
[ $(lsb_release -c -s) = $1 ] && return 0
# logging
failed() {
check_name=$1
shift
check_comments=$*

RC=1
if [ "${QUIET}" != 1 ]; then
if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1
else
printf "%s FAILED!\n" "${check_name}" 2>&1
fi
fi
}

is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
case $1 in
-h|-\?|--help)
show_help
exit 0
;;
--version)
show_version
exit 0
;;
--cron)
IS_KERNELUPTODATE=0
IS_UPTIME=0
;;
-v|--verbose)
VERBOSE=1
;;
-q|--quiet)
QUIET=1
VERBOSE=0
;;
--)
# End of all options.
shift
break
;;
-?*|[[:alnum:]]*)
# ignore unknown options
if [ "${QUIET}" != 1 ]; then
printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
fi
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac

shift
done

#-----------------------------------------------------------
#Vérifie si c'est une debian et fait les tests appropriés.
#-----------------------------------------------------------

if [ -e /etc/debian_version ]; then
if is_debian; then

is_debian_lenny && MINIFW_FILE=/etc/firewall.rc
is_debian_squeeze && MINIFW_FILE=/etc/firewall.rc
is_debian_wheezy && MINIFW_FILE=/etc/firewall.rc
is_debian_jessie && MINIFW_FILE=/etc/default/minifirewall
is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall

if [ "$IS_LSBRELEASE" = 1 ]; then
if [ -x "${LSB_RELEASE_BIN}" ]; then
## only the major version matters
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
rhs=$(cut -d "." -f 1 < /etc/debian_version)
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"
else
failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
fi
fi

if [ "$IS_DPKGWARNING" = 1 ]; then
is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \
grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \
/etc/apt/apt.conf | wc -l | grep -q ^2$ || echo 'IS_DPKGWARNING FAILED!' )
is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \
( test -e /etc/apt/apt.conf.d/80evolinux || echo 'IS_DPKGWARNING FAILED!' )
test -e /etc/apt/apt.conf && echo 'IS_DPKGWARNING FAILED!' )
is_debianversion stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || echo 'IS_DPKGWARNING FAILED!')
if is_debian_squeeze; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf)
test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing."
fi
elif is_debian_wheezy; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
test -e /etc/apt/apt.conf.d/80evolinux \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing"
test -e /etc/apt/apt.conf \
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
fi
elif is_debian_stretch; then
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
fi
fi

if [ "$IS_UMASKSUDOERS" = 1 ]; then
is_debianversion squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || echo 'IS_UMASKSUDOERS FAILED!' )
if is_debian_squeeze; then
grep -q "^Defaults.*umask=0077" /etc/sudoers \
|| failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
fi
fi

# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
if [ "$IS_NRPEPOSTFIX" = 1 ]; then
is_debianversion squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPOSTFIX FAILED!' )
is_debianversion squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || echo 'IS_NRPEPOSTFIX FAILED!' ) )
if is_installed postfix; then
if is_debian_squeeze; then
grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \
|| failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
else
{ test -e /etc/nagios/nrpe.cfg \
&& grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*;
} || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
fi
fi
fi

# Check if mod-security config file is present
if [ "$IS_MODSECURITY" = 1 ]; then
is_debianversion squeeze && is_installed libapache-mod-security && \
(test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!')
is_debianversion wheezy && is_installed libapache2-modsecurity && \
(test -e /etc/apache2/conf.d/mod-security2.conf || echo 'IS_MODSECURITY FAILED!')
if is_debian_squeeze; then
if is_installed libapache-mod-security; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
elif is_debian_wheezy; then
if is_installed libapache2-modsecurity; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
fi
fi

if [ "$IS_CUSTOMSUDOERS" = 1 ]; then
grep -E -qr "umask=0077" /etc/sudoers* || echo 'IS_CUSTOMSUDOERS FAILED!'
grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS"
fi

if [ "$IS_VARTMPFS" = 1 ]; then
df /var/tmp | grep -q tmpfs || echo 'IS_VARTMPFS FAILED!'
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
fi

if [ "$IS_SERVEURBASE" = 1 ]; then
is_installed serveur-base || echo 'IS_SERVEURBASE FAILED!'
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
fi

if [ "$IS_LOGROTATECONF" = 1 ]; then
test -e /etc/logrotate.d/zsyslog || echo 'IS_LOGROTATECONF FAILED!'
test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF"
fi

if [ "$IS_SYSLOGCONF" = 1 ]; then
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || echo 'IS_SYSLOGCONF FAILED!'
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \
|| failed "IS_SYSLOGCONF"
fi

if [ "$IS_DEBIANSECURITY" = 1 ]; then
grep -q "^deb.*security" /etc/apt/sources.list || echo 'IS_DEBIANSECURITY FAILED!'
grep -q "^deb.*security" /etc/apt/sources.list \
|| failed "IS_DEBIANSECURITY"
fi

if [ "$IS_APTITUDEONLY" = 1 ]; then
is_debianversion squeeze && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
is_debianversion wheezy && test -e /usr/bin/apt-get && echo 'IS_APTITUDEONLY FAILED!'
if is_debian_squeeze || is_debian_wheezy; then
test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY"
fi
fi

if [ "$IS_APTITUDE" = 1 ]; then
is_debianversion jessie && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!'
is_debianversion stretch && test -e /usr/bin/aptitude && echo 'IS_APTITUDE FAILED!'
if is_debian_jessie || is_debian_stretch; then
test -e /usr/bin/aptitude && failed "IS_APTITUDE"
fi
fi

if [ "$IS_APTGETBAK" = 1 ]; then
is_debianversion jessie && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!'
is_debianversion stretch && test -e /usr/bin/apt-get.bak && echo 'IS_APTGETBAK FAILED!'
if is_debian_jessie || is_debian_stretch; then
test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK"
fi
fi

if [ "$IS_APTICRON" = 1 ]; then
@@ -238,133 +423,216 @@ if [ -e /etc/debian_version ]; then
test -e /etc/cron.d/apticron || status="fail"
test -e /etc/cron.daily/apticron && status="fail"
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && echo 'IS_APTICRON FAILED!'

if is_debian_squeeze || is_debian_wheezy; then
test "$status" = "fail" && failed "IS_APTICRON"
fi
fi

if [ "$IS_USRRO" = 1 ]; then
grep /usr /etc/fstab | grep -q ro || echo 'IS_USRRO FAILED!'
grep /usr /etc/fstab | grep -q ro || failed "IS_USRRO"
fi

if [ "$IS_TMPNOEXEC" = 1 ]; then
mount | grep "on /tmp" | grep -q noexec || echo 'IS_TMPNOEXEC FAILED!'
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC"
fi

if [ "$IS_MOUNT_FSTAB" = 1 ]; then
# Test if lsblk available, if not skip this test...
if test -x "$(command -v lsblk)"; then
for mountPoint in $(lsblk -o MOUNTPOINT -l -n | grep '/'); do
grep -Eq "$mountPoint\W" /etc/fstab || echo 'IS_MOUNT_FSTAB FAILED!'
LSBLK_BIN=$(command -v lsblk)
if test -x "${LSBLK_BIN}"; then
for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do
grep -Eq "$mountPoint\W" /etc/fstab || failed "IS_MOUNT_FSTAB"
done
fi
fi

if [ "$IS_LISTCHANGESCONF" = 1 ]; then
if is_debianversion stretch; then
is_installed apt-listchanges && echo 'IS_LISTCHANGESCONF FAILED!'
if is_debian_stretch; then
if is_installed apt-listchanges; then
failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Stretch"
fi
else
test -e /etc/apt/listchanges.conf && grep -E "(which=both|confirm=1)" /etc/apt/listchanges.conf | wc -l | grep -q ^2$ || echo 'IS_LISTCHANGESCONF FAILED!'
if [ -e "/etc/apt/listchanges.conf" ]; then
lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf)
if [ "$lines" != 2 ]; then
failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect"
fi
else
failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing"
fi
fi
fi

if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && echo 'IS_CUSTOMCRONTAB FAILED!'
found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab)
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB"
fi

if [ "$IS_SSHALLOWUSERS" = 1 ]; then
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || echo 'IS_SSHALLOWUSERS FAILED!'
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || failed "IS_SSHALLOWUSERS"
fi

if [ "$IS_DISKPERF" = 1 ]; then
test -e /root/disk-perf.txt || echo 'IS_DISKPERF FAILED!'
test -e /root/disk-perf.txt || failed "IS_DISKPERF"
fi

if [ "$IS_TMOUTPROFILE" = 1 ]; then
grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || echo 'IS_TMOUTPROFILE FAILED!'
grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
fi

if [ "$IS_ALERT5BOOT" = 1 ]; then
grep -q ^date /etc/rc2.d/S*alert5 || echo 'IS_ALERT5BOOT FAILED!'
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
else
failed "IS_ALERT5BOOT" "alert5 init script is missing"
fi
fi

if [ "$IS_ALERT5MINIFW" = 1 ]; then
grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || echo 'IS_ALERT5MINIFW FAILED!'
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
else
failed "IS_ALERT5MINIFW" "alert5 init script is missing"
fi
fi

if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || echo 'IS_MINIFW FAILED!'
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|| failed "IS_MINIFW"
fi

if [ "$IS_NRPEPERMS" = 1 ]; then
test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || echo 'IS_NRPEPERMS FAILED!'
if [ -d /etc/nagios ]; then
actual=$(stat --format "%a" /etc/nagios)
expected="750"
test "$expected" = "$actual" || failed "IS_NRPEPERMS"
fi
fi

if [ "$IS_MINIFWPERMS" = 1 ]; then
ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
if [ -f "$MINIFW_FILE" ]; then
actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
fi
fi

if [ "$IS_NRPEDISKS" = 1 ]; then
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
[ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)")
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS"
fi

if [ "$IS_NRPEPID" = 1 ]; then
is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || echo 'IS_NRPEPID FAILED!')
if ! is_debian_squeeze; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID"
fi
fi

if [ "$IS_GRSECPROCS" = 1 ]; then
uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || echo 'IS_GRSECPROCS FAILED!' )
if uname -a | grep -q grsec; then
{ grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \
&& grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root";
} || failed "IS_GRSECPROCS"
fi
fi

if [ "$IS_APACHEMUNIN" = 1 ]; then
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || echo 'IS_APACHEMUNIN FAILED!' ) )
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || echo 'IS_APACHEMUNIN FAILED!' ) )
if test -e /etc/apache2/apache2.conf; then
if is_debian_stretch; then
{ test -h /etc/apache2/mods-enabled/status.load \
&& test -h /etc/munin/plugins/apache_accesses \
&& test -h /etc/munin/plugins/apache_processes \
&& test -h /etc/munin/plugins/apache_volume; } \
|| failed "IS_APACHEMUNIN" "missing munin plugins for Apache"
else
pattern="/server-status-[[:alnum:]]{4,}"
{ grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \
&& { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \
|| grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf;
};
} || failed "IS_APACHEMUNIN" "server status is not properly configured"
fi
fi
fi

# Verification mytop + Munin si MySQL
if [ "$IS_MYSQLUTILS" = 1 ]; then
is_installed mysql-server && ( grep -q mysqladmin /root/.my.cnf && test -x /usr/bin/mytop && grep -q debian-sys-maint /root/.mytop || echo 'IS_MYSQLUTILS FAILED!' )
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
if is_installed mysql-server; then
# You can configure MYSQL_ADMIN in evocheck.cf
if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then
failed "IS_MYSQLUTILS" "mysqladmin missing in /root/.my.cnf"
fi
if ! test -x /usr/bin/mytop; then
if ! test -x /usr/local/bin/mytop; then
failed "IS_MYSQLUTILS" "mytop binary missing"
fi
fi
if ! grep -qs debian-sys-maint /root/.mytop; then
failed "IS_MYSQLUTILS" "debian-sys-maint missing in /root/.mytop"
fi
fi
fi

# Verification de la configuration du raid soft (mdadm)
if [ "$IS_RAIDSOFT" = 1 ]; then
test -e /proc/mdstat && grep -q md /proc/mdstat && \
( grep -q "^AUTOCHECK=true" /etc/default/mdadm \
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || echo 'IS_RAIDSOFT FAILED!')
if test -e /proc/mdstat && grep -q md /proc/mdstat; then
{ grep -q "^AUTOCHECK=true" /etc/default/mdadm \
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf;
} || failed "IS_RAIDSOFT"
fi
fi

# Verification du LogFormat de AWStats
if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then
is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || echo 'IS_AWSTATSLOGFORMAT FAILED!' )
if is_installed apache2.2-common awstats; then
grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
|| failed "IS_AWSTATSLOGFORMAT"
fi
fi

# Verification de la présence de la config logrotate pour Munin
if [ "$IS_MUNINLOGROTATE" = 1 ]; then
( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || echo 'IS_MUNINLOGROTATE FAILED!'
{ test -e /etc/logrotate.d/munin-node \
&& test -e /etc/logrotate.d/munin;
} || failed "IS_MUNINLOGROTATE"
fi

# Verification de la présence de metche
#if [ "$IS_METCHE" = 1 ]; then
# is_installed metche || echo 'IS_METCHE FAILED!'
# is_installed metche || failed "IS_METCHE"
#fi

# Verification de l'activation de Squid dans le cas d'un pack mail
if [ "$IS_SQUID" = 1 ]; then
squidconffile=/etc/squid*/squid.conf
is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
is_pack_web && ( is_installed squid || is_installed squid3 \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
if is_debian_stretch; then
squidconffile="/etc/squid/evolinux-custom.conf"
else
squidconffile="/etc/squid*/squid.conf"
fi
if is_pack_web && (is_installed squid || is_installed squid3); then
host=$(hostname -i)
# shellcheck disable=SC2086
http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ")
{ grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
} || failed "IS_SQUID"
fi
fi

if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
if [ -f "$MINIFW_FILE" ]; then
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
if [ "$rulesNumber" -lt 2 ]; then
echo 'IS_EVOMAINTENANCE_FW FAILED!'
failed "IS_EVOMAINTENANCE_FW"
fi
fi
fi
@@ -372,265 +640,410 @@ if [ -e /etc/debian_version ]; then
# Verification de la conf et de l'activation de mod-deflate
if [ "$IS_MODDEFLATE" = 1 ]; then
f=/etc/apache2/mods-enabled/deflate.conf
is_installed apache2.2 && (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || echo 'IS_MODDEFLATE FAILED!')
if is_installed apache2.2; then
{ test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f;
} || failed "IS_MODDEFLATE"
fi
fi

# Verification de la conf log2mail
if [ "$IS_LOG2MAILRUNNING" = 1 ]; then
is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING')
if is_pack_web && is_installed log2mail; then
pgrep log2mail >/dev/null || failed 'IS_LOG2MAILRUNNING'
fi
fi
if [ "$IS_LOG2MAILAPACHE" = 1 ]; then
if is_debianversion stretch; then
if is_debian_stretch; then
conf=/etc/log2mail/config/apache
else
conf=/etc/log2mail/config/default
fi
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null || echo 'IS_LOG2MAILAPACHE FAILED!' )
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|| failed "IS_LOG2MAILAPACHE"
fi
fi
if [ "$IS_LOG2MAILMYSQL" = 1 ]; then
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null || echo 'IS_LOG2MAILMYSQL FAILED!' )
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \
|| failed "IS_LOG2MAILMYSQL"
fi
fi
if [ "$IS_LOG2MAILSQUID" = 1 ]; then
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \
/etc/log2mail/config/* 2>/dev/null || echo 'IS_LOG2MAILSQUID FAILED!' )
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \
|| failed "IS_LOG2MAILSQUID"
fi
fi

# Verification si bind est chroote
if [ "$IS_BINDCHROOT" = 1 ]; then
if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
if [ "$(md5sum /usr/sbin/named |cut -f 1 -d ' ')" != "$(md5sum /var/chroot-bind/usr/sbin/named |cut -f 1 -d ' ')" ]; then
echo 'IS_BINDCHROOT FAILED!'
if is_installed bind9; then
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ')
md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ')
if [ "$md5_original" != "$md5_chrooted" ]; then
failed "IS_BINDCHROOT" "The chrooted bind binary is differet than the original binary"
fi
else
failed "IS_BINDCHROOT" "bind process is not chrooted"
fi
else
echo 'IS_BINDCHROOT FAILED!'
fi
fi
fi

# Verification de la présence du depot volatile
if [ "$IS_REPVOLATILE" = 1 ]; then
test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || echo 'IS_REPVOLATILE FAILED!')
if is_debian_lenny; then
grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE"
fi
if is_debian_squeeze; then
grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE"
fi
fi

# /etc/network/interfaces should be present, we don't manage systemd-network yet
if [ "$IS_NETWORK_INTERFACES" = 1 ]; then
if ! test -f /etc/network/interfaces; then
echo "IS_NETWORK_INTERFACES FAILED!"
IS_AUTOIF=0
IS_INTERFACESGW=0
failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet"
fi
fi

# Verify if all if are in auto
if [ "$IS_AUTOIF" = 1 ]; then
is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
done
is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do
grep -q "^auto $interface" /etc/network/interfaces || (echo 'IS_AUTOIF FAILED!' && break)
done
if is_debian_stretch; then
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
else
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ")
fi
for interface in $interfaces; do
if ! grep -q "^auto $interface" /etc/network/interfaces; then
failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto"
test "${VERBOSE}" = 1 || break
fi
done
fi

# Network conf verification
if [ "$IS_INTERFACESGW" = 1 ]; then
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!'
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway"
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
test $number -gt 1 && echo 'IS_INTERFACESGW FAILED!'
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway"
fi

# Verification de la mise en place d'evobackup
if [ "$IS_EVOBACKUP" = 1 ]; then
ls /etc/cron* |grep -q "evobackup" || echo 'IS_EVOBACKUP FAILED!'
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP"
fi

# Verification de la presence du userlogrotate
if [ "$IS_USERLOGROTATE" = 1 ]; then
is_pack_web && (test -x /etc/cron.weekly/userlogrotate || echo 'IS_USERLOGROTATE FAILED!')
if is_pack_web; then
test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE"
fi
fi


# Verification de la syntaxe de la conf d'Apache
if [ "$IS_APACHECTL" = 1 ]; then
is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || echo 'IS_APACHECTL FAILED!')
if is_installed apache2.2-common; then
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
fi
fi

# Check if there is regular files in Apache sites-enabled.
if [ "$IS_APACHESYMLINK" = 1 ]; then
is_installed apache2.2-common && \
(stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && echo 'IS_APACHESYMLINK FAILED!')
if is_installed apache2.2-common; then
stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK"
fi
fi

# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
if [ "$IS_APACHEIPINALLOW" = 1 ]; then
# Note: Replace "exit 1" by "print" in Perl code to debug it.
is_installed apache2.2-common && \
(grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ |grep -iv "from all" |grep -iv "env=" |perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || echo 'IS_APACHEIPINALLOW FAILED!')
if is_installed apache2.2-common; then
grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
| grep -iv "from all" \
| grep -iv "env=" \
| perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \
|| failed "IS_APACHEIPINALLOW"
fi
fi

# Check if default Apache configuration file for munin is absent (or empty or commented).
if [ "$IS_MUNINAPACHECONF" = 1 ]; then
if is_debianversion squeeze || is_debianversion wheezy; then
if is_debian_squeeze || is_debian_wheezy; then
muninconf="/etc/apache2/conf.d/munin"
else
muninconf="/etc/apache2/conf-available/munin.conf"
fi
is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && echo 'IS_MUNINAPACHECONF FAILED!')
if is_installed apache2.2-common; then
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
fi
fi

# Verification de la priorité du package samba si les backports sont utilisés
if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then
is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || echo 'IS_SAMBAPINPRIORITY FAILED!' )
if is_debian_lenny && is_pack_samba; then
if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then
priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ")
test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY"
fi
fi
fi

# Verification si le système doit redémarrer suite màj kernel.
if [ "$IS_KERNELUPTODATE" = 1 ]; then
if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
echo 'IS_KERNELUPTODATE FAILED!'
if is_installed linux-image*; then
# shellcheck disable=SC2012
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
failed "IS_KERNELUPTODATE"
fi
fi
fi

# Check if the server is running for more than a year.
if [ "$IS_UPTIME" = 1 ]; then
if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then
echo 'IS_UPTIME FAILED!'
if is_installed linux-image*; then
limit=$(date -d "now - 2 year" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$limit" -gt "$last_reboot_at" ]; then
failed "IS_UPTIME"
fi
fi
fi

# Check if munin-node running and RRD files are up to date.
if [ "$IS_MUNINRUNNING" = 1 ]; then
pgrep munin-node >/dev/null || echo 'IS_MUNINRUNNING FAILED!'
[ "$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ] && echo 'IS_MUNINRUNNING FAILED!'
grep -q "^graph_strategy cron" /etc/munin/munin.conf && ([ "$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ]) && echo 'IS_MUNINRUNNING FAILED!'
if ! pgrep munin-node >/dev/null; then
failed "IS_MUNINRUNNING" "Munin is not running"
elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then
limit=$(date +"%s" -d "now - 10 minutes")

if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then
updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)
[ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)"
fi

if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then
updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)
grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)"
fi
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)"
fi
fi

# Check if files in /home/backup/ are up-to-date
if [ "$IS_BACKUPUPTODATE" = 1 ]; then
[ -d /home/backup/ ] && for file in /home/backup/*; do
if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
echo 'IS_BACKUPUPTODATE FAILED!'
break;
if [ -d /home/backup/ ]; then
if [ -n "$(ls -A /home/backup/)" ]; then
for file in /home/backup/*; do
limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file")

if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
test "${VERBOSE}" = 1 || break;
fi
done
else
failed "IS_BACKUPUPTODATE" "/home/backup/ is empty"
fi
done
else
failed "IS_BACKUPUPTODATE" "/home/backup/ is missing"
fi
fi

if [ "$IS_ETCGIT" = 1 ]; then
(cd /etc; git rev-parse --is-inside-work-tree > /dev/null 2>&1) || failed "IS_ETCGIT" "/etc is not a Git repository"
fi

# Check if /etc/.git/ has read/write permissions for root only.
if [ "$IS_GITPERMS" = 1 ]; then
test -d /etc/.git && [ "$(stat -c "%a" /etc/.git/)" = "700" ] || echo 'IS_GITPERMS FAILED!'
if test -d /etc/.git; then
expected="700"
actual=$(stat -c "%a" /etc/.git/)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS"
fi
fi

# Check if no package has been upgraded since $limit.
if [ "$IS_NOTUPGRADED" = 1 ]; then
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' '))
if grep -sq '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -sq -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
last_upgrade=0
upgraded=false
for log in /var/log/dpkg.log*; do
if zgrep -qsm1 upgrade "$log"; then
# There is at least one upgrade
upgraded=true
break
fi
done
if $upgraded; then
last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
fi
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
# Manual upgrade process
limit=$(date +%s -d "now - 180 days")
else
# Regular process
limit=$(date +%s -d "now - 90 days")
fi
if [ -f /var/log/evolinux/00_prepare_system.log ]; then
install_date=$(stat -c %Z /var/log/evolinux/00_prepare_system.log)
install_date=0
if [ -d /var/log/installer ]; then
install_date=$(stat -c %Z /var/log/installer)
fi
# Check install_date if the system never received an upgrade
if [ "$last_upgrade" -eq 0 ]; then
[ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
install_date=0
[ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi
[ $install_date -lt $limit ] && [ $last_upgrade -lt $limit ] && echo 'IS_NOTUPGRADED FAILED!'
fi

# Check if reserved blocks for root is at least 5% on every mounted partitions.
if [ "$IS_TUNE2FS_M5" = 1 ]; then
min=5
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
for part in $parts; do
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
# If buggy partition, skip it.
if [ -z $blockCount ]; then
if [ -z "$blockCount" ]; then
continue
fi
reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+")
percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))")
if [ "$percentage" -lt 5 ]; then
echo 'IS_TUNE2FS_M5 FAILED!'
# Set debug to 1, to displays which partitions has less than 5%
debug=0
if [ "$debug" -eq 1 ]; then
echo "Partition $part has less than 5% reserved blocks!"
fi
# Use awk to have a rounded percentage
# python is slow, bash is unable and bc rounds weirdly
percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }")

if [ "$percentage" -lt "${min}" ]; then
failed "IS_TUNE2FS_M5" "Partition ${part} has less than ${min}% reserved blocks (${percentage}%)"
fi
done
fi

if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then
if is_debianversion stretch; then
(grep -q ^evolinux-sudo: /etc/group \
&& grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || echo 'IS_EVOLINUXSUDOGROUP FAILED!'
if is_debian_stretch; then
if grep -q "^evolinux-sudo:" /etc/group; then
grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP"
fi
fi
fi

if [ "$IS_USERINADMGROUP" = 1 ]; then
if is_debianversion stretch; then
for user in $(grep ^evolinux-sudo: /etc/group |awk -F: '{print $4}' |tr ',' ' '); do
groups $user |grep -q adm || echo 'IS_USERINADMGROUP FAILED!'
if is_debian_stretch; then
users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
for user in $users; do
if ! groups "$user" | grep -q adm; then
failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi

if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then
if (test -d /etc/apache2 && is_debianversion stretch); then
(test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
if is_debian_stretch && test -d /etc/apache2; then
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
&& test -f /etc/apache2/ipaddr_whitelist.conf) || echo 'IS_APACHE2EVOLINUXCONF FAILED!'
&& test -f /etc/apache2/ipaddr_whitelist.conf;
} || failed "IS_APACHE2EVOLINUXCONF"
fi
fi

if [ "$IS_BACKPORTSCONF" = 1 ]; then
if is_debianversion stretch; then
grep -qE "^[^#].*backports" /etc/apt/sources.list && echo 'IS_BACKPORTSCONF FAILED!'
grep -qE "^[^#].*backports" /etc/apt/sources.list.d/*.list 2>/dev/null && (grep -qE "^[^#].*backports" /etc/apt/preferences.d/* || echo 'IS_BACKPORTSCONF FAILED!')
if is_debian_stretch; then
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| failed "IS_BACKPORTSCONF" "backports must have preferences"
fi
fi
fi

if [ "$IS_BIND9MUNIN" = 1 ]; then
if is_debianversion stretch && is_installed bind9; then
(test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) || echo 'IS_BIND9MUNIN FAILED!'
if is_debian_stretch && is_installed bind9; then
{ test -L /etc/munin/plugins/bind9 \
&& test -e /etc/munin/plugin-conf.d/bind9;
} || failed "IS_BIND9MUNIN"
fi
fi

if [ "$IS_BIND9LOGROTATE" = 1 ]; then
if is_debianversion stretch && is_installed bind9; then
test -e /etc/logrotate.d/bind9 || echo 'IS_BIND9LOGROTATE FAILED!'
if is_debian_stretch && is_installed bind9; then
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE"
fi
fi

if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then
if lspci | grep -q 'NetXtreme II'; then
(is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) || echo 'IS_BROADCOMFIRMWARE FAILED!'
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then
{ is_installed firmware-bnx2 \
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
} || failed "IS_BROADCOMFIRMWARE"
fi
else
failed "IS_BROADCOMFIRMWARE" "lspci is missing"
fi
fi

if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then
lspci |grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) || echo 'IS_HARDWARERAIDTOOL FAILED!')
lspci |grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status || echo 'IS_HARDWARERAIDTOOL FAILED!')
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then
# shellcheck disable=SC2015
is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
|| failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
fi
if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then
is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed"
fi
else
failed "IS_HARDWARERAIDTOOL" "lspci is missing"
fi
fi

if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then
if is_debianversion stretch; then
(systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) || echo 'IS_LOG2MAILSYSTEMDUNIT FAILED!'
if is_debian_stretch; then
{ systemctl -q is-active log2mail.service \
&& test -f /etc/systemd/system/log2mail.service \
&& ! test -f /etc/init.d/log2mail;
} || failed "IS_LOG2MAILSYSTEMDUNIT"
fi
fi

if [ "$IS_LISTUPGRADE" = 1 ]; then
(test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) || echo 'IS_LISTUPGRADE FAILED!'
{ test -f /etc/cron.d/listupgrade \
&& test -x /usr/share/scripts/listupgrade.sh;
} || failed "IS_LISTUPGRADE"
fi

if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
(test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) || echo 'IS_MARIADBEVOLINUXCONF FAILED!'
if is_debian_stretch; then
if is_installed mariadb-server; then
{ test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
} || failed "IS_MARIADBEVOLINUXCONF"
fi
fi
fi

@@ -638,16 +1051,16 @@ if [ -e /etc/debian_version ]; then
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
# You could change the default path in /etc/evocheck.cf
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
test -f "$SQL_BACKUP_PATH" || echo 'IS_SQL_BACKUP FAILED!'
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
fi
fi

if [ "$IS_POSTGRES_BACKUP" = 1 ]; then
if is_installed "postgresql-9*"; then
# If you use something like barman, you should deactivate this check
# If you use something like barman, you should disable this check
# You could change the default path in /etc/evocheck.cf
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
test -f "$POSTGRES_BACKUP_PATH" || echo 'IS_POSTGRES_BACKUP FAILED!'
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
fi
fi

@@ -656,16 +1069,19 @@ if [ -e /etc/debian_version ]; then
# You could change the default path in /etc/evocheck.cf
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
if [ -d "$MONGO_BACKUP_PATH" ]; then
for file in ${MONGO_BACKUP_PATH}/*/*.{json,bson}; do
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do
# Skip indexes file.
if ! [[ "$file" =~ indexes ]]; then
if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then
echo 'IS_MONGO_BACKUP FAILED!'
limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days"
break
fi
fi
done
else
echo 'IS_MONGO_BACKUP FAILED!'
failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})"
fi
fi
fi
@@ -674,7 +1090,7 @@ if [ -e /etc/debian_version ]; then
if is_installed slapd; then
# You could change the default path in /etc/evocheck.cf
LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
test -f "$LDAP_BACKUP_PATH" || echo 'IS_LDAP_BACKUP FAILED!'
test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})"
fi
fi

@@ -682,7 +1098,7 @@ if [ -e /etc/debian_version ]; then
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
test -f "$REDIS_BACKUP_PATH" || echo 'IS_REDIS_BACKUP FAILED!'
test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})"
fi
fi

@@ -690,114 +1106,128 @@ if [ -e /etc/debian_version ]; then
if is_installed elasticsearch; then
# You could change the default path in /etc/evocheck.cf
ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"}
test -d "$ELASTIC_BACKUP_PATH" || echo 'IS_ELASTIC_BACKUP FAILED!'
test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})"
fi
fi

if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
(systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) || echo 'IS_MARIADBSYSTEMDUNIT FAILED!'
if is_debian_stretch && is_installed mariadb-server; then
{ systemctl -q is-active mariadb.service \
&& test -f /etc/systemd/system/mariadb.service.d/evolinux.conf;
} || failed "IS_MARIADBSYSTEMDUNIT"
fi
fi

if [ "$IS_MYSQLMUNIN" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
if is_debian_stretch && is_installed mariadb-server; then
for file in mysql_bytes mysql_queries mysql_slowqueries \
mysql_threads mysql_connections mysql_files_tables \
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
mysql_sorts mysql_tmp_tables; do
mysql_threads mysql_connections mysql_files_tables \
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
mysql_sorts mysql_tmp_tables; do

if [[ ! -L /etc/munin/plugins/$file ]]; then
echo 'IS_MYSQLMUNIN FAILED!'
break
failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi

if [ "$IS_MYSQLNRPE" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then
(test -f ~nagios/.my.cnf \
&& [ $(stat -c %U ~nagios/.my.cnf) = "nagios" ] \
&& [ $(stat -c %a ~nagios/.my.cnf) = "600" ] \
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") || echo 'IS_MYSQLNRPE FAILED!'
if is_debian_stretch && is_installed mariadb-server; then
nagios_file="~nagios/.my.cnf"
{ test -f $nagios_file \
&& [ "$(stat -c %U $nagios_file)" = "nagios" ] \
&& [ "$(stat -c %a $nagios_file)" = "600" ] \
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file";
} || failed "IS_MYSQLNRPE"
fi
fi

if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed php; then
(test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) || echo 'IS_PHPEVOLINUXCONF FAILED!'
if is_debian_stretch && is_installed php; then
{ test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini;
} || failed "IS_PHPEVOLINUXCONF"
fi
fi

if [ "$IS_SQUIDLOGROTATE" = 1 ]; then
if is_debianversion stretch && is_installed squid; then
grep -q monthly /etc/logrotate.d/squid || echo 'IS_SQUIDLOGROTATE FAILED!'
if is_debian_stretch && is_installed squid; then
grep -q monthly /etc/logrotate.d/squid || failed "IS_SQUIDLOGROTATE"
fi
fi

if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed squid; then
(grep -q "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
if is_debian_stretch && is_installed squid; then
{ grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
&& test -f /etc/squid/evolinux-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-custom.conf \
&& test -f /etc/squid/evolinux-acl.conf \
&& test -f /etc/squid/evolinux-httpaccess.conf \
&& test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
&& test -f /etc/squid/evolinux-custom.conf;
} || failed "IS_SQUIDEVOLINUXCONF"
fi
fi

if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
# Do it only if thereis blkid binary
if [ -x "$(which blkid)" ]; then
BLKID_BIN=$(command -v blkid)
if [ -x "$BLKID_BIN" ]; then
tmpFile=$(mktemp -p /tmp)
for part in $(blkid | grep -v raid_member | grep -Eo ' LABEL=".*"' | cut -d'"' -f2); do
parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do
echo "$part" >> "$tmpFile"
done
tmpOutput=$(sort < "$tmpFile" | uniq -d)
# If there is no duplicate, uniq will have no output
# So, if $tmpOutput is not null, there is a duplicate
if [ -n "$tmpOutput" ]; then
echo 'IS_DUPLICATE_FS_LABEL FAILED!'
# For debug, you may echo the contents of $tmpOutput
# echo $tmpOutput
# shellcheck disable=SC2086
labels=$(echo -n $tmpOutput | tr '\n' ' ')
failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels"
fi
rm $tmpFile
rm "$tmpFile"
else
failed "IS_DUPLICATE_FS_LABEL" "blkid not found"
fi
fi

if [ "$IS_EVOLIX_USER" = 1 ]; then
getent passwd evolix >/dev/null && echo 'IS_EVOLIX_USER FAILED!'
grep -q "evolix:" /etc/passwd && failed "IS_EVOLIX_USER"
fi

if [ "$IS_EVOACME_CRON" = 1 ]; then
if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted
test -f /etc/cron.daily/certbot && echo 'IS_EVOACME_CRON FAILED!'
test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme"
# evoacme cron file should be present
test -f /etc/cron.daily/evoacme || echo 'IS_EVOACME_CRON FAILED!'
test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing"
fi
fi

if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
if [ -x "$(which evoacme)" ]; then
EVOACME_BIN=$(command -v evoacme)
if [ -x "$EVOACME_BIN" ]; then
# Sometimes evoacme is installed but no certificates has been generated
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
if [ $numberOfLinks -gt 0 ]; then
if [ "$numberOfLinks" -gt 0 ]; then
for live in /etc/letsencrypt/*/live; do
actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11)
actualCertDate=$(cut -d'/' -f5 <<< $actualLink)
liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9)
certDir=${liveDir%%/live}
lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1)
lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir)
if [[ "$actualCertDate" != "$lastCertDate" ]]; then
echo 'IS_EVOACME_LIVELINKS FAILED!'
break
actualLink=$(readlink -f "$live")
actualVersion=$(basename "$actualLink")

certDir=$(dirname "$live")
certName=$(basename "$certDir")
# shellcheck disable=SC2012
lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1)
lastVersion=$(basename "$lastCertDir")

if [[ "$lastVersion" != "$actualVersion" ]]; then
failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated"
test "${VERBOSE}" = 1 || break
fi
done
fi
@@ -808,11 +1238,10 @@ if [ -e /etc/debian_version ]; then
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
# must be replaced by conf-available/ and config files symlinked
# to conf-enabled/
if is_debianversion jessie || is_debianversion stretch; then
if is_debian_jessie || is_debian_stretch; then
if [ -f /etc/apache2/apache2.conf ]; then
test -d /etc/apache2/conf.d/ && echo 'IS_APACHE_CONFENABLED FAILED!'
grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
echo 'IS_APACHE_CONFENABLED FAILED!'
test -d /etc/apache2/conf.d/ && failed "IS_APACHE_CONFENABLED"
grep -q 'Include conf.d' /etc/apache2/apache2.conf && failed "IS_APACHE_CONFENABLED"
fi
fi
fi
@@ -820,113 +1249,135 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
# For Stretch, detection is easy as the kernel use
# /sys/devices/system/cpu/vulnerabilities/
if is_debianversion stretch; then
if is_debian_stretch; then
for vuln in meltdown spectre_v1 spectre_v2; do
test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \
|| failed "IS_MELTDOWN_SPECTRE"
done
# For Jessie this is quite complicated to verify and we need to use kernel config file
elif is_debianversion jessie; then
if grep -q BOOT_IMAGE= /proc/cmdline; then
elif is_debian_jessie; then
if grep -q "BOOT_IMAGE=" /proc/cmdline; then
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
kernelVer=${kernelPath##*/vmlinuz-}
kernelConfig="config-${kernelVer}"
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
if [ -f /boot/$kernelConfig ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
if [ -f "/boot/${kernelConfig}" ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \
|| failed "IS_MELTDOWN_SPECTRE" "PAGE_TABLE_ISOLATION vulnerability is not patched"
grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \
|| failed "IS_MELTDOWN_SPECTRE" "RETPOLINE vulnerability is not patched"
fi
fi
fi
fi

if [ "$IS_OLD_HOME_DIR" = 1 ]; then
homeDir=${homeDir:-/home}
for dir in "$homeDir"/*; do
statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \
| grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \
| grep "UNKNOWN")
# There is at least one dir matching
if [[ -n "$statResult" ]]; then
failed "IS_OLD_HOME_DIR" "$statResult"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi


if [ `uname -s` == "OpenBSD" ]; then
if is_openbsd; then

if [ "$IS_SOFTDEP" = 1 ]; then
grep -q "softdep" /etc/fstab || echo 'IS_SOFTDEP FAILED!'
grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP"
fi

if [ "$IS_WHEEL" = 1 ]; then
grep -qE "^%wheel.*$" /etc/sudoers || echo 'IS_WHEEL FAILED!'
grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL"
fi

if [ "$IS_SUDOADMIN" = 1 ]; then
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || echo 'IS_SUDOADMIN FAILED!'
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || failed "IS_SUDOADMIN"
fi

if [ "$IS_PKGMIRROR" = 1 ]; then
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || echo 'IS_PKGMIRROR FAILED!'
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \
|| failed "IS_PKGMIRROR"
fi

if [ "$IS_HISTORY" = 1 ]; then
f=/root/.profile
grep -q "^HISTFILE=\$HOME/.histfile" $f \
&& grep -q "^export HISTFILE" $f \
&& grep -q "^HISTSIZE=1000" $f \
&& grep -q "^export HISTSIZE" $f \
|| echo 'IS_HISTORY FAILED!'
{ grep -q "^HISTFILE=\$HOME/.histfile" $f \
&& grep -q "^export HISTFILE" $f \
&& grep -q "^HISTSIZE=1000" $f \
&& grep -q "^export HISTSIZE" $f;
} || failed "IS_HISTORY"
fi

if [ "$IS_VIM" = 1 ]; then
which vim 2>1 >> /dev/null || echo 'IS_VIM FAILED!'
command -v vim > /dev/null 2>&1 || failed "IS_VIM"
fi

if [ "$IS_TTYC0SECURE" = 1 ]; then
grep -Eqv "^ttyC0.*secure$" /etc/ttys || echo 'IS_TTYC0SECURE FAILED!'
grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE"
fi

if [ "$IS_CUSTOMSYSLOG" = 1 ]; then
grep -q Evolix /etc/newsyslog.conf || echo 'IS_CUSTOMSYSLOG FAILED!'
grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG"
fi

if [ "$IS_NOINETD" = 1 ]; then
grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || echo 'IS_NOINETD FAILED!'
grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD"
fi

if [ "$IS_SUDOMAINT" = 1 ]; then
f=/etc/sudoers
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \
|| echo 'IS_SUDOMAINT FAILED!'
{ grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f;
} || failed "IS_SUDOMAINT"
fi

if [ "$IS_POSTGRESQL" = 1 ]; then
pkg info | grep -q postgresql-client || echo 'IS_POSTGRESQL FAILED!'
pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed"
fi

if [ "$IS_NRPE" = 1 ]; then
( pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe ) || echo 'IS_NRPE FAILED!'
{ pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe;
} || failed "IS_NRPE" "NRPE is not installed"
fi

# if [ "$IS_NRPEDISKS" = 1 ]; then
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# [ "$NRPEDISKS" = "$DFDISKS" ] || echo 'IS_NRPEDISKS FAILED!'
# [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS"
# fi

# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
#
# if [ "$IS_NRPEPOSTFIX" = 1 ]; then
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || echo 'IS_NRPEPOSTFIX FAILED!' )
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || failed "IS_NRPEPOSTFIX" )
# fi

if [ "$IS_NRPEDAEMON" = 1 ]; then
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || echo 'IS_NREPEDAEMON FAILED!'
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \
|| failed "IS_NREPEDAEMON"
fi

if [ "$IS_ALERTBOOT" = 1 ]; then
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || echo 'IS_ALERTBOOT FAILED!'
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \
|| failed "IS_ALERTBOOT"
fi

if [ "$IS_RSYNC" = 1 ]; then
pkg info | grep -q rsync || echo 'IS_RSYNC FAILED!'
pkg info | grep -q rsync || failed "IS_RSYNC"
fi

if [ "$IS_CRONPATH" = 1 ]; then
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || echo 'IS_CRONPATH FAILED!'
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \
|| failed "IS_CRONPATH"
fi

#TODO
@@ -935,61 +1386,89 @@ if [ `uname -s` == "OpenBSD" ]; then
fi

if [ "$IS_TMP_1777" = 1 ]; then