evocheck: upstream release 22.06.1
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
parent
16cdd6b326
commit
3d70438f7e
|
@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
|
* evocheck: upstream release 22.06.1
|
||||||
* minifirewall: upstream release 22.06
|
* minifirewall: upstream release 22.06
|
||||||
* mysql: evomariabackup release 22.06.1
|
* mysql: evomariabackup release 22.06.1
|
||||||
* mysql: reorganize evomariabackup to use mtree instead of our own dir-check
|
* mysql: reorganize evomariabackup to use mtree instead of our own dir-check
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Debian/OpenBSD server
|
# Script to verify compliance of a Debian/OpenBSD server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
VERSION="22.06"
|
VERSION="22.06.1"
|
||||||
readonly VERSION
|
readonly VERSION
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
@ -236,11 +236,11 @@ check_debiansecurity() {
|
||||||
if is_debian_bullseye; then
|
if is_debian_bullseye; then
|
||||||
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
|
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
|
||||||
# https://www.debian.org/security/
|
# https://www.debian.org/security/
|
||||||
pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main"
|
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main"
|
||||||
elif is_debian_buster; then
|
elif is_debian_buster; then
|
||||||
pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
|
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main"
|
||||||
elif is_debian_stretch; then
|
elif is_debian_stretch; then
|
||||||
pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
|
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main"
|
||||||
else
|
else
|
||||||
pattern="^deb.*security"
|
pattern="^deb.*security"
|
||||||
fi
|
fi
|
||||||
|
@ -363,7 +363,7 @@ check_alert5minifw() {
|
||||||
}
|
}
|
||||||
check_minifw() {
|
check_minifw() {
|
||||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
||||||
|| failed "IS_MINIFW" "minifirewall seems not starded"
|
|| failed "IS_MINIFW" "minifirewall seems not started"
|
||||||
}
|
}
|
||||||
check_minifw_includes() {
|
check_minifw_includes() {
|
||||||
if is_debian_bullseye; then
|
if is_debian_bullseye; then
|
||||||
|
@ -742,12 +742,13 @@ check_backupuptodate() {
|
||||||
backup_dir="/home/backup"
|
backup_dir="/home/backup"
|
||||||
if [ -d "${backup_dir}" ]; then
|
if [ -d "${backup_dir}" ]; then
|
||||||
if [ -n "$(ls -A ${backup_dir})" ]; then
|
if [ -n "$(ls -A ${backup_dir})" ]; then
|
||||||
# shellcheck disable=SC2231
|
# Look for all files, including subdirectories.
|
||||||
for file in ${backup_dir}/*; do
|
# If this turns out to be problematic, we can go back to first level only, with --max-depth=1
|
||||||
|
find "${backup_dir}" -type f | while read -r file; do
|
||||||
limit=$(date +"%s" -d "now - 2 day")
|
limit=$(date +"%s" -d "now - 2 day")
|
||||||
updated_at=$(stat -c "%Y" "$file")
|
updated_at=$(stat -c "%Y" "$file")
|
||||||
|
|
||||||
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
|
if [ "$limit" -gt "$updated_at" ]; then
|
||||||
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
|
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
|
||||||
test "${VERBOSE}" = 1 || break;
|
test "${VERBOSE}" = 1 || break;
|
||||||
fi
|
fi
|
||||||
|
@ -1217,14 +1218,20 @@ check_usrsharescripts() {
|
||||||
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
|
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
|
||||||
}
|
}
|
||||||
check_sshpermitrootno() {
|
check_sshpermitrootno() {
|
||||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
|
||||||
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
|
if is_debian_jessie || is_debian_stretch; then
|
||||||
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
# Noop, we'll use the default $sshd_args
|
||||||
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
:
|
||||||
fi
|
elif is_debian_buster; then
|
||||||
|
sshd_args="${sshd_args},rdomain="
|
||||||
else
|
else
|
||||||
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
|
||||||
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
# -T doesn't require the additional -C.
|
||||||
|
sshd_args=
|
||||||
|
fi
|
||||||
|
# XXX: We want parameter expension here
|
||||||
|
if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
|
||||||
|
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_evomaintenanceusers() {
|
check_evomaintenanceusers() {
|
||||||
|
|
Loading…
Reference in a new issue