From 3d70438f7e22e01e478ba9b9fa7ef59145905005 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Mon, 6 Jun 2022 15:05:59 +0200
Subject: [PATCH] evocheck: upstream release 22.06.1
---
 CHANGELOG.md | 1 +
 evocheck/files/evocheck.sh | 37 ++++++++++++++++++++++---------------
 2 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 069514cd..86fccbe2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
+* evocheck: upstream release 22.06.1
 * minifirewall: upstream release 22.06
 * mysql: evomariabackup release 22.06.1
 * mysql: reorganize evomariabackup to use mtree instead of our own dir-check
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 6bba06c1..5b1afb09 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
-VERSION="22.06"
+VERSION="22.06.1"
 readonly VERSION
 # base functions
@@ -236,11 +236,11 @@ check_debiansecurity() {
 if is_debian_bullseye; then
 # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
 # https://www.debian.org/security/
- pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main"
+ pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main"
 elif is_debian_buster; then
- pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
+ pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main"
 elif is_debian_stretch; then
- pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
+ pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main"
 else
 pattern="^deb.*security"
 fi
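Review bot: The widened patterns in check_debiansecurity still accept only `http://`, so a host whose security source is configured over https would be reported as non-compliant, and the new optional bracket group uses a greedy `.*` that can run past the first `]` and swallow unrelated text on the line. Tightening the bullseye line to `pattern="^deb ?(\[[^]]*\])? ?https?://security\.debian\.org/debian-security/? bullseye-security main"` (and the buster and stretch lines in the same way) keeps the new option-bracket support while bounding it to a single bracket group. How `$pattern` is consumed, presumably with `grep -E` against the apt sources, is outside the hunk, as is the rest of check_debiansecurity, so the matching flags should be confirmed there.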
@@ -363,7 +363,7 @@ check_alert5minifw() {
 }
 check_minifw() {
 /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
- || failed "IS_MINIFW" "minifirewall seems not starded"
+ || failed "IS_MINIFW" "minifirewall seems not started"
 }
 check_minifw_includes() {
 if is_debian_bullseye; then
@@ -742,12 +742,13 @@ check_backupuptodate() {
 backup_dir="/home/backup"
 if [ -d "${backup_dir}" ]; then
 if [ -n "$(ls -A ${backup_dir})" ]; then
- # shellcheck disable=SC2231
- for file in ${backup_dir}/*; do
+ # Look for all files, including subdirectories.
+ # If this turns out to be problematic, we can go back to first level only, with --max-depth=1
+ find "${backup_dir}" -type f | while read -r file; do
 limit=$(date +"%s" -d "now - 2 day")
 updated_at=$(stat -c "%Y" "$file")
- if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
+ if [ "$limit" -gt "$updated_at" ]; then
 failed "IS_BACKUPUPTODATE" "$file has not been backed up"
 test "${VERBOSE}" = 1 || break;
 fi
@@ -1217,14 +1218,20 @@ check_usrsharescripts() {
 test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
 }
 check_sshpermitrootno() {
- if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
- if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
- grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
- || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
- fi
+ sshd_args="-C addr=,user=,host=,laddr=,lport=0"
+ if is_debian_jessie || is_debian_stretch; then
+ # Noop, we'll use the default $sshd_args
+ :
+ elif is_debian_buster; then
+ sshd_args="${sshd_args},rdomain="
 else
- grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
- || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
+ # NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
+ # -T doesn't require the additional -C.
+ sshd_args=
+ fi
+ # XXX: We want parameter expension here
+ if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
+ failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
 fi
 }
 check_evomaintenanceusers() {
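Review bot: In the new check_sshpermitrootno the pipeline `sshd -T $sshd_args | grep -q 'permitrootlogin no'` reports "PermitRoot should be set to no" whenever grep finds nothing, which includes the case where `sshd -T` itself fails (unparsable config, unsupported `-C` keys on a given release, sshd not on PATH), so a broken sshd is misreported as a policy violation and its stderr goes straight to the console. Capturing the output first separates the two outcomes, and anchoring the grep keeps the match to the whole effective-config line. The `# XXX: We want parameter expension here` comment has a typo and is better expressed as a `# shellcheck disable=SC2086` directive on the line that needs it. The `failed` helper and the `is_debian_*` predicates this hunk relies on are defined outside it.
```shell
    # … unchanged: sshd_args selection per Debian release …
    # shellcheck disable=SC2086
    if ! sshd_output=$(sshd -T $sshd_args 2>&1); then
        failed "IS_SSHPERMITROOTNO" "sshd -T failed: ${sshd_output}"
    elif ! printf '%s\n' "${sshd_output}" | grep -q '^permitrootlogin no$'; then
        failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
    fi
```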