evolix/ansible-roles
22
2
Fork 2
Code Issues 61 Pull requests 18 Releases 32 Wiki Activity

Merge branch 'unstable' of evolix/ansible-roles into stable

Browse source
This commit is contained in:
Jérémy Lecour 2019-06-21 10:51:00 +02:00 committed by Gitea
parent 2c11f02554 39d0167408
commit 4b84314b92
79 changed files with 2471 additions and 1511 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
.drone.yml Normal file
View file

@ -0,0 +1,36 @@
kind: pipeline
name: default
steps:
- name: build tagged docker image
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
dockerfile: Dockerfile
repo: evolix/ansible-roles
auto_tag: true
environment:
ROLES_VERSION: $DRONE_COMMIT_SHA
when:
event:
- tag
- name: build latest docker image
image: plugins/docker
settings:
username:
from_secret: docker_username
password:
from_secret: docker_password
dockerfile: Dockerfile
repo: evolix/ansible-roles
tags: latest
environment:
ROLES_VERSION: $DRONE_COMMIT_SHA
when:
branch:
- unstable

35
CHANGELOG.md
View file

@ -18,12 +18,45 @@ The **patch** part changes incrementally at each release.
### Security
## [9.10.0] - 2019-06-21
### Added
* apache: add server status suffix in VHost (and default site) if missing
* apache: add a variable to customize the server-status host
* apt: add a script to manage packages with "hold" mark
* etc-git: gitignore /etc/letsencrypt/.certbot.lock
* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later)
* evomaintenance: make hooks configurable
* nginx: add server status suffix in VHost (and default site) if missing
* redmine: enable gzip compression in nginx vhost
### Changed
* evocheck : update (unreleased) from upstream
* evomaintenance : use the web API instead of PG Insert
* fluentd: store gpg key locally
* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.6.3
* redmine: update default version to 4.0.3
* nagios-nrpe: change required status code for http and https check
* redmine: use custom errors-pages in Nginx vhost
* nagios-nrpe: check_load is now based on ansible_processor_vcpus
* php: Stop enforcing /var/www/html as chroot while we use /var/www
* apt: Add Debian Buster repositories
### Fixed
* rbenv: add check_mode for check rbenv and ruby versions
* nagios-nrpe: fix redis_instances check when Redis port equal 0
* redmine: fix 500 error on logging
* evolinux-base: Validate sshd config with "-t" instead of "-T"
* evolinux-base: Ensure rename is present
* evolinux-users: Validate sshd config with "-t" instead of "-T"
* nagios-nrpe: Replace the dummy packages nagios-plugins-* with monitoring-plugins-*
## [9.9.0] - 2019-04-16
### Added
* evocheck : add "x-frame-options: sameorigin" for Munin
* etc-git: ignore evobackup/.keep-* files
* lxc: /home is mounted in the container by default
* nginx : add "x-frame-options: sameorigin" for Munin
### Changed
* changed remote repository to https://gitea.evolix.org/evolix/ansible-roles

22
Dockerfile Normal file
View file

@ -0,0 +1,22 @@
FROM debian:stretch-slim
ENV ROLES_VERSION=${ROLES_VERSION:-unstable}
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
git \
ansible \
&& rm -rf /var/lib/apt/lists/*
RUN ansible-galaxy install --force \
--roles-path /etc/ansible \
"git+https://gitea.evolix.org/evolix/ansible-roles.git,${ROLES_VERSION},roles"
ENV ANSIBLE_FORCE_COLOR=1
ENV ANSIBLE_HOST_KEY_CHECKING=false
ENV ANSIBLE_RETRY_FILES_ENABLED=false
ENV PYTHONUNBUFFERED=1
WORKDIR /data
ENTRYPOINT ["ansible-playbook"]

2
apache/defaults/main.yml
View file

@ -19,3 +19,5 @@ apache_munin_include: True
general_alert_email: "root@localhost"
log2mail_alert_email: Null
apache_serverstatus_host: 127.0.0.1

8
apache/tasks/main.yml
View file

@ -46,10 +46,6 @@
tags:
- apache
- include: server_status.yml
tags:
- apache
- name: Copy Apache defaults config file
copy:
src: evolinux-defaults.conf
@ -118,6 +114,10 @@
tags:
- apache
- include: server_status.yml
tags:
- apache
- name: is umask already present?
command: "grep -E '^umask ' /etc/apache2/envvars"
failed_when: False

18
apache/tasks/server_status.yml
View file

@ -40,6 +40,19 @@
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ apache_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing
replace:
dest: /var/www/index.html
regexp: '"/server-status-?"'
replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost
replace:
dest: /etc/apache2/sites-available/000-evolinux-default.conf
regexp: '<Location /server-status-?>'
replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
notify: reload apache
- name: Munin configuration has a section for apache
lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
@ -49,7 +62,8 @@
- name: apache-status URL is configured for Munin
lineinfile:
dest: /etc/munin/plugin-conf.d/munin-node
line: "env.url http://127.0.0.1/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: "env.url http://127.0.0.1/server-status"
line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
regexp: 'env.url http://[^\\/]+/server-status'
insertafter: "[apache_*]"
create: no
notify: restart munin-node

8
apt/README.md
View file

@ -7,7 +7,8 @@ A few APT related operations, like easily install backports of change components
Tasks are extracted in several files, included in `tasks/main.yml` :
* `backports.yml` : add a sources list for backports ;
* `basics_components.yml` : replace components for the basic sources.
* `basics_components.yml` : replace components for the basic sources ;
* `hold_packages.yml` : install script to automatically hold packages.
## Available variables
@ -16,7 +17,10 @@ Tasks are extracted in several files, included in `tasks/main.yml` :
* `apt_basics_components` : basic sources components (default: `main`) ;
* `apt_install_backports` : install backports sources (default: `False`) ;
* `apt_backports_components` : backports sources (default: `main`) ;
* `apt_install_evolix_public` : install Evolix public repositories (default: `True`).
* `apt_install_evolix_public` : install Evolix public repositories (default: `True`) ;
* `apt_install_hold_packages` : install script to automatically hold packages (default: `True`).
* `apt_hold_packages`: list of packages that must have a "hold" mark (default: `[]`)
* `apt_unhold_packages`: list of packages that must not have a "hold" mark (default: `[]`)
## Examples

11
apt/defaults/main.yml
View file

@ -14,3 +14,14 @@ apt_backports_components: "main"
apt_install_evolix_public: True
apt_clean_gandi_sourceslist: False
apt_install_hold_packages: True
apt_hold_packages: []
apt_unhold_packages: []
apt_check_hold_cron_minute: "45"
apt_check_hold_cron_hour: "*/4"
apt_check_hold_cron_weekday: "*"
apt_check_hold_cron_day: "*"
apt_check_hold_cron_month: "*"

32
apt/files/check_held_packages.sh Normal file
View file

@ -0,0 +1,32 @@
#!/bin/sh
is_held() {
package=$1
apt-mark showhold ${package} | grep --silent ${package}
}
is_installed() {
package=$1
dpkg -l "${package}" 2>/dev/null | grep -q -E '^(i|h)i'
}
config_file="/etc/evolinux/apt_hold_packages.cf"
return_code=0
if [ -f ${config_file} ]; then
packages="$(cat ${config_file})"
if [ -n "${packages}" ]; then
for package in ${packages}; do
if [ -n "${package}" ]; then
if is_installed ${package} && ! is_held ${package}; then
apt-mark hold ${package}
>&2 echo "Package \`${package}' has been marked \`hold'."
return_code=1
fi
fi
done
fi
fi
exit ${return_code}

10
apt/tasks/backports.yml
View file

@ -5,7 +5,7 @@
regexp: "backports"
state: absent
tags:
- apt
- apt
- name: Backports sources list is installed
template:
@ -15,7 +15,7 @@
mode: "0640"
register: apt_backports_list
tags:
- apt
- apt
- name: Backports configuration
copy:
@ -25,7 +25,7 @@
mode: "0640"
register: apt_backports_config
tags:
- apt
- apt
- name: Archived backport are accepted (jessie)
lineinfile:
@ -34,10 +34,12 @@
create: yes
state: present
when: ansible_distribution_release == "jessie"
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_backports_list | changed or apt_backports_config | changed
tags:
- apt
- apt

12
apt/tasks/basics.yml
View file

@ -8,21 +8,23 @@
force: yes
register: apt_basic_list
tags:
- apt
- apt
- name: Clean GANDI sources.list.d/debian-security.list
file:
path: '{{ item }}'
state: absent
with_items:
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-update.list
- /etc/apt/sources.list.d/debian-security.list
- /etc/apt/sources.list.d/debian-stretch.list
- /etc/apt/sources.list.d/debian-update.list
when: apt_clean_gandi_sourceslist
tags:
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_basic_list | changed
tags:
- apt
- apt

22
apt/tasks/config.yml
View file

@ -9,9 +9,11 @@
state: present
mode: "0640"
with_items:
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
- { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
- { line: "APT::Install-Suggests \"false\";", regexp: 'APT::Install-Suggests' }
when: apt_evolinux_config
tags:
- apt
- name: DPkg invoke hooks
lineinfile:
@ -21,24 +23,32 @@
state: present
mode: "0640"
with_items:
- "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
- "DPkg::Pre-Invoke { \"df /tmp | grep -q /tmp && mount -oremount,exec /tmp || true\"; };"
- "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
- "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
- "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
when: apt_hooks
tags:
- apt
- name: Remove Aptitude
apt:
name: aptitude
state: absent
when: apt_remove_aptitude
tags:
- apt
- name: Updating APT cache
apt:
update_cache: yes
changed_when: False
tags:
- apt
- name: Upgrading system
apt:
upgrade: dist
when: apt_upgrade
tags:
- apt

6
apt/tasks/evolix_public.yml
View file

@ -12,6 +12,8 @@
apt_key:
#url: http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x44975278B8612B5D
data: "{{ lookup('file', 'reg.gpg') }}"
tags:
- apt
- name: Evolix public list is installed
template:
@ -21,11 +23,11 @@
mode: "0640"
register: apt_evolix_public
tags:
- apt
- apt
- name: Apt update
apt:
update_cache: yes
when: apt_evolix_public | changed
tags:
- apt
- apt

71
apt/tasks/hold_packages.yml Normal file
View file

@ -0,0 +1,71 @@
---
- name: "hold packages (apt)"
shell: "(apt-mark showhold | grep --quiet {{ item }}) || apt-mark hold {{ item }}"
register: apt_mark
changed_when: "'{{ item }} set on hold.' in apt_mark.stdout"
with_items: "{{ apt_hold_packages }}"
tags:
- apt
- name: "hold packages (config)"
lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
state: present
with_items: "{{ apt_hold_packages }}"
tags:
- apt
- name: "unhold packages (apt)"
shell: "(apt-mark showhold | grep --quiet {{ item }}) && apt-mark unhold {{ item }}"
register: apt_mark
changed_when: "'Canceled hold on {{ item }}.' in apt_mark.stdout"
with_items: "{{ apt_unhold_packages }}"
tags:
- apt
- name: "unhold packages (config)"
lineinfile:
dest: /etc/evolinux/apt_hold_packages.cf
line: "{{ item }}"
create: True
state: absent
with_items: "{{ apt_unhold_packages }}"
tags:
- apt
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
mode: "0700"
owner: root
group: root
state: directory
tags:
- apt
- name: Check scripts is installed
copy:
src: check_held_packages.sh
dest: /usr/share/scripts/check_held_packages.sh
force: yes
mode: "0755"
tags:
- apt
- name: Check for held packages (script)
cron:
cron_file: apt-hold-packages
name: check_held_packages
job: "/usr/share/scripts/check_held_packages.sh"
user: root
minute: "{{ apt_check_hold_cron_minute }}"
hour: "{{ apt_check_hold_cron_hour }}"
weekday: "{{ apt_check_hold_cron_weekday }}"
day: "{{ apt_check_hold_cron_day }}"
month: "{{ apt_check_hold_cron_month }}"
state: "present"
tags:
- apt

18
apt/tasks/main.yml
View file

@ -4,30 +4,36 @@
fail:
msg: only compatible with Debian >= 8
when:
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
- ansible_distribution != "Debian" or ansible_distribution_major_version | version_compare('8', '<')
tags:
- apt
- apt
- name: Custom configuration
include: config.yml
when: apt_config
tags:
- apt
- apt
- name: Install basics repositories
include: basics.yml
when: apt_install_basics
tags:
- apt
- apt
- name: Install APT Backports repository
include: backports.yml
when: apt_install_backports
tags:
- apt
- apt
- name: Install Evolix Public APT repository
include: evolix_public.yml
when: apt_install_evolix_public
tags:
- apt
- apt
- name: Install check for packages marked hold
include: hold_packages.yml
when: apt_install_hold_packages
tags:
- apt

3
apt/templates/buster_backports.list.j2 Normal file
View file

@ -0,0 +1,3 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian buster-backports {{ apt_backports_components | mandatory }}

5
apt/templates/buster_basics.list.j2 Normal file
View file

@ -0,0 +1,5 @@
# {{ ansible_managed }}
deb http://mirror.evolix.org/debian buster {{ apt_basics_components | mandatory }}
deb http://mirror.evolix.org/debian/ buster-updates {{ apt_basics_components | mandatory }}
deb http://security.debian.org/debian-security buster/updates {{ apt_basics_components | mandatory }}

1
etc-git/tasks/main.yml
View file

@ -56,6 +56,7 @@
- "postfix/*.db"
- "postfix/spamd.cidr"
- "evobackup/.keep-*"
- "letsencrypt/.certbot.lock"
tags:
- etc-git

2607
evocheck/files/evocheck.sh
View file

@ -4,164 +4,7 @@
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
# Repository: https://gitea.evolix.org/evolix/evocheck
# Commit: 84d197047a718f4f5b31c39a2e1741b5963271de
VERSION="0.14.0.beta2"
# Disable LANG*
export LANG=C
export LANGUAGE=C
# Default configuration values
IS_TMP_1777=1
IS_ROOT_0700=1
IS_VARTMPFS=1
IS_USRSHARESCRIPTS=1
IS_SERVEURBASE=1
IS_LOGROTATECONF=1
IS_SYSLOGCONF=1
IS_DEBIANSECURITY=1
IS_APTITUDEONLY=1
IS_APTITUDE=1
IS_APTGETBAK=1
IS_APTICRON=0
IS_USRRO=1
IS_TMPNOEXEC=1
IS_LISTCHANGESCONF=1
IS_DPKGWARNING=1
IS_CUSTOMCRONTAB=1
IS_CUSTOMSUDOERS=1
IS_SSHPERMITROOTNO=1
IS_SSHALLOWUSERS=1
IS_TMOUTPROFILE=1
IS_ALERT5BOOT=1
IS_ALERT5MINIFW=1
IS_MINIFW=1
IS_NRPEPERMS=1
IS_MINIFWPERMS=1
IS_NRPEDISKS=0
IS_NRPEPOSTFIX=1
IS_NRPEPID=1
IS_GRSECPROCS=1
IS_UMASKSUDOERS=1
IS_EVOMAINTENANCEUSERS=1
IS_APACHEMUNIN=1
IS_MYSQLUTILS=1
IS_RAIDSOFT=1
IS_AWSTATSLOGFORMAT=1
IS_MUNINLOGROTATE=1
IS_EVOMAINTENANCECONF=1
#IS_METCHE=1
IS_SQUID=1
IS_MODDEFLATE=1
IS_LOG2MAILRUNNING=1
IS_LOG2MAILAPACHE=1
IS_LOG2MAILMYSQL=1
IS_LOG2MAILSQUID=1
IS_BINDCHROOT=1
IS_REPVOLATILE=1
IS_AUTOIF=1
IS_INTERFACESGW=1
IS_USERLOGROTATE=1
IS_MODSECURITY=1
IS_APACHECTL=1
IS_APACHESYMLINK=1
IS_APACHEIPINALLOW=1
IS_MUNINAPACHECONF=1
IS_SAMBAPINPRIORITY=1
IS_KERNELUPTODATE=1
IS_UPTIME=1
IS_MUNINRUNNING=1
IS_BACKUPUPTODATE=1
IS_ETCGIT=1
IS_GITPERMS=1
IS_NOTUPGRADED=1
IS_TUNE2FS_M5=1
IS_PRIVKEYWOLRDREADABLE=1
IS_EVOLINUXSUDOGROUP=1
IS_USERINADMGROUP=1
IS_APACHE2EVOLINUXCONF=1
IS_BACKPORTSCONF=1
IS_BIND9MUNIN=1
IS_BIND9LOGROTATE=1
IS_BROADCOMFIRMWARE=1
IS_HARDWARERAIDTOOL=1
IS_LOG2MAILSYSTEMDUNIT=1
IS_LISTUPGRADE=1
IS_MARIADBEVOLINUXCONF=1
IS_MARIADBSYSTEMDUNIT=1
IS_MYSQLMUNIN=1
IS_PHPEVOLINUXCONF=1
IS_SQUIDLOGROTATE=1
IS_SQUIDEVOLINUXCONF=1
IS_SQL_BACKUP=1
IS_POSTGRES_BACKUP=1
IS_LDAP_BACKUP=1
IS_REDIS_BACKUP=1
IS_ELASTIC_BACKUP=1
IS_MONGO_BACKUP=1
IS_MOUNT_FSTAB=1
IS_NETWORK_INTERFACES=1
IS_EVOBACKUP=1
IS_DUPLICATE_FS_LABEL=1
IS_EVOMAINTENANCE_FW=1
IS_EVOLIX_USER=1
IS_EVOACME_CRON=1
IS_EVOACME_LIVELINKS=1
IS_APACHE_CONFENABLED=1
IS_MELTDOWN_SPECTRE=1
IS_OLD_HOME_DIR=1
IS_LSBRELEASE=1
#Proper to OpenBSD
IS_SOFTDEP=1
IS_WHEEL=1
IS_SUDOADMIN=1
IS_PKGMIRROR=1
IS_HISTORY=1
IS_VIM=1
IS_TTYC0SECURE=1
IS_CUSTOMSYSLOG=1
IS_NOINETD=1
IS_SUDOMAINT=1
IS_POSTGRESQL=1
IS_NRPE=1
IS_NRPEDAEMON=1
IS_ALERTBOOT=1
IS_RSYNC=1
# Default return code : 0 = no error
RC=0
# Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf
# OS detection
DEBIAN_RELEASE=""
LSB_RELEASE_BIN=$(command -v lsb_release)
OPENBSD_RELEASE=""
if [ -e /etc/debian_version ]; then
DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
if [ -x "${LSB_RELEASE_BIN}" ]; then
DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short)
else
case ${DEBIAN_VERSION} in
5) DEBIAN_RELEASE="lenny";;
6) DEBIAN_RELEASE="squeeze";;
7) DEBIAN_RELEASE="wheezy";;
8) DEBIAN_RELEASE="jessie";;
9) DEBIAN_RELEASE="stretch";;
esac
fi
elif [ "$(uname -s)" = "OpenBSD" ]; then
# use a better release name
OPENBSD_RELEASE=$(uname -r)
fi
# Functions
# base functions
show_version() {
cat <<END
@ -199,6 +42,31 @@ Options
END
}
detect_os() {
# OS detection
DEBIAN_RELEASE=""
LSB_RELEASE_BIN=$(command -v lsb_release)
OPENBSD_RELEASE=""
if [ -e /etc/debian_version ]; then
DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
if [ -x "${LSB_RELEASE_BIN}" ]; then
DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short)
else
case ${DEBIAN_VERSION} in
5) DEBIAN_RELEASE="lenny";;
6) DEBIAN_RELEASE="squeeze";;
7) DEBIAN_RELEASE="wheezy";;
8) DEBIAN_RELEASE="jessie";;
9) DEBIAN_RELEASE="stretch";;
esac
fi
elif [ "$(uname -s)" = "OpenBSD" ]; then
# use a better release name
OPENBSD_RELEASE=$(uname -r)
fi
}
is_debian() {
test -n "${DEBIAN_RELEASE}"
}
@ -238,8 +106,19 @@ is_installed(){
dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1
done
}
minifirewall_file() {
case ${DEBIAN_RELEASE} in
lenny) echo "/etc/firewall.rc" ;;
squeeze) echo "/etc/firewall.rc" ;;
wheezy) echo "/etc/firewall.rc" ;;
jessie) echo "/etc/default/minifirewall" ;;
stretch) echo "/etc/default/minifirewall" ;;
*) echo "/etc/default/minifirewall" ;;
esac
}
# logging
failed() {
check_name=$1
shift
@ -255,6 +134,1242 @@ failed() {
fi
}
# check functions
check_lsbrelease(){
if [ -x "${LSB_RELEASE_BIN}" ]; then
## only the major version matters
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
rhs=$(cut -d "." -f 1 < /etc/debian_version)
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"
else
failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
fi
}
check_dpkgwarning() {
if is_debian_squeeze; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf)
test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing."
fi
elif is_debian_wheezy; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
test -e /etc/apt/apt.conf.d/80evolinux \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing"
test -e /etc/apt/apt.conf \
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
fi
elif is_debian_stretch; then
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
fi
}
check_umasksudoers(){
if is_debian_squeeze; then
grep -q "^Defaults.*umask=0077" /etc/sudoers \
|| failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
fi
}
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
check_nrpepostfix() {
if is_installed postfix; then
if is_debian_squeeze; then
grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \
|| failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
else
{ test -e /etc/nagios/nrpe.cfg \
&& grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*;
} || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
fi
fi
}
# Check if mod-security config file is present
check_modsecurity() {
if is_debian_squeeze; then
if is_installed libapache-mod-security; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
elif is_debian_wheezy; then
if is_installed libapache2-modsecurity; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
fi
}
check_customsudoers() {
grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS"
}
check_vartmpfs() {
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
}
check_vartmpfs() {
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
}
check_serveurbase() {
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
}
check_logrotateconf() {
test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF"
}
check_syslogconf() {
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \
|| failed "IS_SYSLOGCONF"
}
check_debiansecurity() {
grep -q "^deb.*security" /etc/apt/sources.list \
|| failed "IS_DEBIANSECURITY"
}
check_aptitudeonly() {
if is_debian_squeeze || is_debian_wheezy; then
test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY"
fi
}
check_aptitude() {
if is_debian_jessie || is_debian_stretch; then
test -e /usr/bin/aptitude && failed "IS_APTITUDE"
fi
}
check_aptgetbak() {
if is_debian_jessie || is_debian_stretch; then
test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK"
fi
}
check_apticron() {
status="OK"
test -e /etc/cron.d/apticron || status="fail"
test -e /etc/cron.daily/apticron && status="fail"
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
if is_debian_squeeze || is_debian_wheezy; then
test "$status" = "fail" && failed "IS_APTICRON"
fi
}
check_usrro() {
grep /usr /etc/fstab | grep -q ro || failed "IS_USRRO"
}
check_tmpnoexec() {
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC"
}
check_mountfstab() {
# Test if lsblk available, if not skip this test...
LSBLK_BIN=$(command -v lsblk)
if test -x "${LSBLK_BIN}"; then
for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do
grep -Eq "$mountPoint\W" /etc/fstab || failed "IS_MOUNT_FSTAB"
done
fi
}
check_listchangesconf() {
if is_debian_stretch; then
if is_installed apt-listchanges; then
failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Stretch"
fi
else
if [ -e "/etc/apt/listchanges.conf" ]; then
lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf)
if [ "$lines" != 2 ]; then
failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect"
fi
else
failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing"
fi
fi
}
check_customcrontab() {
found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab)
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB"
}
check_sshallowusers() {
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || failed "IS_SSHALLOWUSERS"
}
check_diskperf() {
test -e /root/disk-perf.txt || failed "IS_DISKPERF"
}
check_tmoutprofile() {
grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
}
check_alert5boot() {
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
else
failed "IS_ALERT5BOOT" "alert5 init script is missing"
fi
}
check_alert5minifw() {
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
else
failed "IS_ALERT5MINIFW" "alert5 init script is missing"
fi
}
check_minifw() {
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|| failed "IS_MINIFW"
}
check_nrpeperms() {
if [ -d /etc/nagios ]; then
actual=$(stat --format "%a" /etc/nagios)
expected="750"
test "$expected" = "$actual" || failed "IS_NRPEPERMS"
fi
}
check_minifwperms() {
if [ -f "$MINIFW_FILE" ]; then
actual=$(stat --format "%a" "$MINIFW_FILE")
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
fi
}
check_nrpedisks() {
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)")
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS"
}
check_nrpepid() {
if ! is_debian_squeeze; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID"
fi
}
check_grsecprocs() {
if uname -a | grep -q grsec; then
{ grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \
&& grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root";
} || failed "IS_GRSECPROCS"
fi
}
check_apachemunin() {
if test -e /etc/apache2/apache2.conf; then
if is_debian_stretch; then
{ test -h /etc/apache2/mods-enabled/status.load \
&& test -h /etc/munin/plugins/apache_accesses \
&& test -h /etc/munin/plugins/apache_processes \
&& test -h /etc/munin/plugins/apache_volume;
} || failed "IS_APACHEMUNIN" "missing munin plugins for Apache"
else
pattern="/server-status-[[:alnum:]]{4,}"
{ grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \
&& { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \
|| grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf;
};
} || failed "IS_APACHEMUNIN" "server status is not properly configured"
fi
fi
}
# Verification mytop + Munin si MySQL
check_mysqlutils() {
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
if is_installed mysql-server; then
# You can configure MYSQL_ADMIN in evocheck.cf
if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then
failed "IS_MYSQLUTILS" "mysqladmin missing in /root/.my.cnf"
fi
if ! test -x /usr/bin/mytop; then
if ! test -x /usr/local/bin/mytop; then
failed "IS_MYSQLUTILS" "mytop binary missing"
fi
fi
if ! grep -qs debian-sys-maint /root/.mytop; then
failed "IS_MYSQLUTILS" "debian-sys-maint missing in /root/.mytop"
fi
fi
}
# Verification de la configuration du raid soft (mdadm)
check_raidsoft() {
if test -e /proc/mdstat && grep -q md /proc/mdstat; then
{ grep -q "^AUTOCHECK=true" /etc/default/mdadm \
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf;
} || failed "IS_RAIDSOFT"
fi
}
# Verification du LogFormat de AWStats
check_awstatslogformat() {
if is_installed apache2 awstats; then
grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
|| failed "IS_AWSTATSLOGFORMAT"
fi
}
# Verification de la présence de la config logrotate pour Munin
check_muninlogrotate() {
{ test -e /etc/logrotate.d/munin-node \
&& test -e /etc/logrotate.d/munin;
} || failed "IS_MUNINLOGROTATE"
}
# Verification de l'activation de Squid dans le cas d'un pack mail
check_squid() {
if is_debian_stretch; then
squidconffile="/etc/squid/evolinux-custom.conf"
else
squidconffile="/etc/squid*/squid.conf"
fi
if is_pack_web && (is_installed squid || is_installed squid3); then
host=$(hostname -i)
# shellcheck disable=SC2086
http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ")
{ grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
} || failed "IS_SQUID"
fi
}
check_evomaintenance_fw() {
if [ -f "$MINIFW_FILE" ]; then
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
if [ "$rulesNumber" -lt 2 ]; then
failed "IS_EVOMAINTENANCE_FW"
fi
fi
}
# Verification de la conf et de l'activation de mod-deflate
check_moddeflate() {
f=/etc/apache2/mods-enabled/deflate.conf
if is_installed apache2.2; then
{ test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f;
} || failed "IS_MODDEFLATE"
fi
}
# Verification de la conf log2mail
check_log2mailrunning() {
if is_pack_web && is_installed log2mail; then
pgrep log2mail >/dev/null || failed 'IS_LOG2MAILRUNNING'
fi
}
check_log2mailapache() {
if is_debian_stretch; then
conf=/etc/log2mail/config/apache
else
conf=/etc/log2mail/config/default
fi
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|| failed "IS_LOG2MAILAPACHE"
fi
}
check_log2mailmysql() {
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \
|| failed "IS_LOG2MAILMYSQL"
fi
}
check_log2mailsquid() {
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \
|| failed "IS_LOG2MAILSQUID"
fi
}
# Verification si bind est chroote
check_bindchroot() {
if is_installed bind9; then
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ')
md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ')
if [ "$md5_original" != "$md5_chrooted" ]; then
failed "IS_BINDCHROOT" "The chrooted bind binary is differet than the original binary"
fi
else
failed "IS_BINDCHROOT" "bind process is not chrooted"
fi
fi
fi
}
# Verification de la présence du depot volatile
check_repvolatile() {
if is_debian_lenny; then
grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE"
fi
if is_debian_squeeze; then
grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE"
fi
}
# /etc/network/interfaces should be present, we don't manage systemd-network yet
check_network_interfaces() {
if ! test -f /etc/network/interfaces; then
IS_AUTOIF=0
IS_INTERFACESGW=0
failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet"
fi
}
# Verify if all if are in auto
check_autoif() {
if is_debian_stretch; then
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
else
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ")
fi
for interface in $interfaces; do
if ! grep -q "^auto $interface" /etc/network/interfaces; then
failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto"
test "${VERBOSE}" = 1 || break
fi
done
}
# Network conf verification
check_interfacesgw() {
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway"
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway"
}
# Verification de la mise en place d'evobackup
check_evobackup() {
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP"
}
# Verification de la presence du userlogrotate
check_userlogrotate() {
if is_pack_web; then
test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE"
fi
}
# Verification de la syntaxe de la conf d'Apache
check_apachectl() {
if is_installed apache2; then
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
fi
}
# Check if there is regular files in Apache sites-enabled.
check_apachesymlink() {
if is_installed apache2; then
apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print)
nbApacheFind=$(wc -m <<< "$apacheFind")
if [[ $nbApacheFind -gt 1 ]]; then
if [[ $VERBOSE == 1 ]]; then
while read -r line; do
failed "IS_APACHESYMLINK" "Not a symlink: $line"
done <<< "$apacheFind"
else
failed "IS_APACHESYMLINK"
fi
fi
fi
}
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
check_apacheipinallow() {
# Note: Replace "exit 1" by "print" in Perl code to debug it.
if is_installed apache2; then
grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
| grep -iv "from all" \
| grep -iv "env=" \
| perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \
|| failed "IS_APACHEIPINALLOW"
fi
}
# Check if default Apache configuration file for munin is absent (or empty or commented).
check_muninapacheconf() {
if is_debian_squeeze || is_debian_wheezy; then
muninconf="/etc/apache2/conf.d/munin"
else
muninconf="/etc/apache2/conf-available/munin.conf"
fi
if is_installed apache2; then
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
fi
}
# Verification de la priorité du package samba si les backports sont utilisés
check_sambainpriority() {
if is_debian_lenny && is_pack_samba; then
if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then
priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ")
test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY"
fi
fi
}
# Verification si le système doit redémarrer suite màj kernel.
check_kerneluptodate() {
if is_installed linux-image*; then
# shellcheck disable=SC2012
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
failed "IS_KERNELUPTODATE"
fi
fi
}
# Check if the server is running for more than a year.
check_uptime() {
if is_installed linux-image*; then
limit=$(date -d "now - 2 year" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$limit" -gt "$last_reboot_at" ]; then
failed "IS_UPTIME"
fi
fi
}
# Check if munin-node running and RRD files are up to date.
check_muninrunning() {
if ! pgrep munin-node >/dev/null; then
failed "IS_MUNINRUNNING" "Munin is not running"
elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then
limit=$(date +"%s" -d "now - 10 minutes")
if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then
updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)
[ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)"
fi
if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then
updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)
grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)"
fi
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)"
fi
}
# Check if files in /home/backup/ are up-to-date
check_backupuptodate() {
if [ -d /home/backup/ ]; then
if [ -n "$(ls -A /home/backup/)" ]; then
for file in /home/backup/*; do
limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
test "${VERBOSE}" = 1 || break;
fi
done
else
failed "IS_BACKUPUPTODATE" "/home/backup/ is empty"
fi
else
failed "IS_BACKUPUPTODATE" "/home/backup/ is missing"
fi
}
check_etcgit() {
(cd /etc; git rev-parse --is-inside-work-tree > /dev/null 2>&1) || failed "IS_ETCGIT" "/etc is not a Git repository"
}
# Check if /etc/.git/ has read/write permissions for root only.
check_gitperms() {
if test -d /etc/.git; then
expected="700"
actual=$(stat -c "%a" /etc/.git/)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS"
fi
}
# Check if no package has been upgraded since $limit.
check_notupgraded() {
last_upgrade=0
upgraded=false
for log in /var/log/dpkg.log*; do
if zgrep -qsm1 upgrade "$log"; then
# There is at least one upgrade
upgraded=true
break
fi
done
if $upgraded; then
last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
fi
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
# Manual upgrade process
limit=$(date +%s -d "now - 180 days")
else
# Regular process
limit=$(date +%s -d "now - 90 days")
fi
install_date=0
if [ -d /var/log/installer ]; then
install_date=$(stat -c %Z /var/log/installer)
fi
# Check install_date if the system never received an upgrade
if [ "$last_upgrade" -eq 0 ]; then
[ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
[ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi
}
# Check if reserved blocks for root is at least 5% on every mounted partitions.
check_tune2fs_m5() {
min=5
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
for part in $parts; do
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
# If buggy partition, skip it.
if [ -z "$blockCount" ]; then
continue
fi
reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+")
# Use awk to have a rounded percentage
# python is slow, bash is unable and bc rounds weirdly
percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
if [ "$percentage" -lt "${min}" ]; then
failed "IS_TUNE2FS_M5" "Partition ${part} has less than ${min}% reserved blocks (${percentage}%)"
fi
done
}
check_evolinuxsudogroup() {
if is_debian_stretch; then
if grep -q "^evolinux-sudo:" /etc/group; then
grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP"
fi
fi
}
check_userinadmgroup() {
if is_debian_stretch; then
users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
for user in $users; do
if ! groups "$user" | grep -q adm; then
failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
test "${VERBOSE}" = 1 || break
fi
done
fi
}
check_apache2evolinuxconf() {
if is_debian_stretch && test -d /etc/apache2; then
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
&& test -f /etc/apache2/ipaddr_whitelist.conf;
} || failed "IS_APACHE2EVOLINUXCONF"
fi
}
check_backportsconf() {
if is_debian_stretch; then
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| failed "IS_BACKPORTSCONF" "backports must have preferences"
fi
fi
}
check_bind9munin() {
if is_debian_stretch && is_installed bind9; then
{ test -L /etc/munin/plugins/bind9 \
&& test -e /etc/munin/plugin-conf.d/bind9;
} || failed "IS_BIND9MUNIN"
fi
}
check_bind9logrotate() {
if is_debian_stretch && is_installed bind9; then
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE"
fi
}
check_broadcomfirmware() {
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then
{ is_installed firmware-bnx2 \
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
} || failed "IS_BROADCOMFIRMWARE"
fi
else
failed "IS_BROADCOMFIRMWARE" "lspci is missing"
fi
}
check_hardwareraidtool() {
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then
# shellcheck disable=SC2015
is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
|| failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
fi
if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then
is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed"
fi
else
failed "IS_HARDWARERAIDTOOL" "lspci is missing"
fi
}
check_log2mailsystemdunit() {
if is_debian_stretch; then
{ systemctl -q is-active log2mail.service \
&& test -f /etc/systemd/system/log2mail.service \
&& ! test -f /etc/init.d/log2mail;
} || failed "IS_LOG2MAILSYSTEMDUNIT"
fi
}
check_listupgrade() {
{ test -f /etc/cron.d/listupgrade \
&& test -x /usr/share/scripts/listupgrade.sh;
} || failed "IS_LISTUPGRADE"
}
check_mariadbevolinuxconf() {
if is_debian_stretch; then
if is_installed mariadb-server; then
{ test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
} || failed "IS_MARIADBEVOLINUXCONF"
fi
fi
}
check_sql_backup() {
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
# You could change the default path in /etc/evocheck.cf
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
fi
}
check_postgres_backup() {
if is_installed "postgresql-9*"; then
# If you use something like barman, you should disable this check
# You could change the default path in /etc/evocheck.cf
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
fi
}
check_mongo_backup() {
if is_installed "mongodb-org-server"; then
# You could change the default path in /etc/evocheck.cf
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
if [ -d "$MONGO_BACKUP_PATH" ]; then
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do
# Skip indexes file.
if ! [[ "$file" =~ indexes ]]; then
limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days"
break
fi
fi
done
else
failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})"
fi
fi
}
check_ldap_backup() {
if is_installed slapd; then
# You could change the default path in /etc/evocheck.cf
LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})"
fi
}
check_redis_backup() {
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})"
fi
}
check_elastic_backup() {
if is_installed elasticsearch; then
# You could change the default path in /etc/evocheck.cf
ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"}
test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})"
fi
}
check_mariadbsystemdunit() {
if is_debian_stretch && is_installed mariadb-server; then
{ systemctl -q is-active mariadb.service \
&& test -f /etc/systemd/system/mariadb.service.d/evolinux.conf;
} || failed "IS_MARIADBSYSTEMDUNIT"
fi
}
check_mysqlmunin() {
if is_debian_stretch && is_installed mariadb-server; then
for file in mysql_bytes mysql_queries mysql_slowqueries \
mysql_threads mysql_connections mysql_files_tables \
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
mysql_sorts mysql_tmp_tables; do
if [[ ! -L /etc/munin/plugins/$file ]]; then
failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing"
test "${VERBOSE}" = 1 || break
fi
done
fi
}
check_mysqlnrpe() {
if is_debian_stretch && is_installed mariadb-server; then
nagios_home=$(getent passwd "nagios" | cut -d: -f6)
nagios_file_abs="${nagios_home}/.my.cnf"
nagios_file_sym="~nagios/.my.cnf"
if ! test -f $nagios_file_abs; then
failed "IS_MYSQLNRPE" "$nagios_file_abs is missing"
elif [ "$(stat -c %U $nagios_file_abs)" != "nagios" ] \
|| [ "$(stat -c %a $nagios_file_abs)" != "600" ]; then
failed "IS_MYSQLNRPE" "$nagios_file_abs has wrong permissions"
else
grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file_sym" /etc/nagios/nrpe.d/evolix.cfg \
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
fi
fi
}
check_phpevolinuxconf() {
if is_debian_stretch && is_installed php; then
{ test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini;
} || failed "IS_PHPEVOLINUXCONF"
fi
}
check_squidlogrotate() {
if is_debian_stretch && is_installed squid; then
grep -q monthly /etc/logrotate.d/squid || failed "IS_SQUIDLOGROTATE"
fi
}
check_squidevolinuxconf() {
if is_debian_stretch && is_installed squid; then
{ grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
&& test -f /etc/squid/evolinux-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-custom.conf \
&& test -f /etc/squid/evolinux-acl.conf \
&& test -f /etc/squid/evolinux-httpaccess.conf \
&& test -f /etc/squid/evolinux-custom.conf;
} || failed "IS_SQUIDEVOLINUXCONF"
fi
}
check_duplicate_fs_label() {
# Do it only if thereis blkid binary
BLKID_BIN=$(command -v blkid)
if [ -x "$BLKID_BIN" ]; then
tmpFile=$(mktemp -p /tmp)
parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do
echo "$part" >> "$tmpFile"
done
tmpOutput=$(sort < "$tmpFile" | uniq -d)
# If there is no duplicate, uniq will have no output
# So, if $tmpOutput is not null, there is a duplicate
if [ -n "$tmpOutput" ]; then
# shellcheck disable=SC2086
labels=$(echo -n $tmpOutput | tr '\n' ' ')
failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels"
fi
rm "$tmpFile"
else
failed "IS_DUPLICATE_FS_LABEL" "blkid not found"
fi
}
check_evolix_user() {
grep -q "evolix:" /etc/passwd && failed "IS_EVOLIX_USER"
}
check_evoacme_cron() {
if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted
test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme"
# evoacme cron file should be present
test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing"
fi
}
check_evoacme_livelinks() {
EVOACME_BIN=$(command -v evoacme)
if [ -x "$EVOACME_BIN" ]; then
# Sometimes evoacme is installed but no certificates has been generated
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
if [ "$numberOfLinks" -gt 0 ]; then
for live in /etc/letsencrypt/*/live; do
actualLink=$(readlink -f "$live")
actualVersion=$(basename "$actualLink")
certDir=$(dirname "$live")
certName=$(basename "$certDir")
# shellcheck disable=SC2012
lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1)
lastVersion=$(basename "$lastCertDir")
if [[ "$lastVersion" != "$actualVersion" ]]; then
failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi
}
check_apache_confenabled() {
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
# must be replaced by conf-available/ and config files symlinked
# to conf-enabled/
if is_debian_jessie || is_debian_stretch; then
if [ -f /etc/apache2/apache2.conf ]; then
test -d /etc/apache2/conf.d/ && failed "IS_APACHE_CONFENABLED"
grep -q 'Include conf.d' /etc/apache2/apache2.conf && failed "IS_APACHE_CONFENABLED"
fi
fi
}
check_meltdown_spectre() {
# For Stretch, detection is easy as the kernel use
# /sys/devices/system/cpu/vulnerabilities/
if is_debian_stretch; then
for vuln in meltdown spectre_v1 spectre_v2; do
test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \
|| failed "IS_MELTDOWN_SPECTRE"
done
# For Jessie this is quite complicated to verify and we need to use kernel config file
elif is_debian_jessie; then
if grep -q "BOOT_IMAGE=" /proc/cmdline; then
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
kernelVer=${kernelPath##*/vmlinuz-}
kernelConfig="config-${kernelVer}"
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
if [ -f "/boot/${kernelConfig}" ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \
|| failed "IS_MELTDOWN_SPECTRE" "PAGE_TABLE_ISOLATION vulnerability is not patched"
grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \
|| failed "IS_MELTDOWN_SPECTRE" "RETPOLINE vulnerability is not patched"
fi
fi
fi
}
check_old_home_dir() {
homeDir=${homeDir:-/home}
for dir in "$homeDir"/*; do
statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \
| grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \
| grep "UNKNOWN")
# There is at least one dir matching
if [[ -n "$statResult" ]]; then
failed "IS_OLD_HOME_DIR" "$statResult"
test "${VERBOSE}" = 1 || break
fi
done
}
check_tmp_1777() {
actual=$(stat --format "%a" /tmp)
expected="1777"
test "$expected" = "$actual" || failed "IS_TMP_1777"
}
check_root_0700() {
actual=$(stat --format "%a" /root)
expected="700"
test "$expected" = "$actual" || failed "IS_ROOT_0700"
}
check_usrsharescripts() {
actual=$(stat --format "%a" /usr/share/scripts)
expected="700"
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS"
}
check_sshpermitrootno() {
if is_debian_stretch; then
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO"
fi
else
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO"
fi
}
check_evomaintenanceusers() {
if is_debian_stretch; then
users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
else
if [ -f /etc/sudoers.d/evolinux ]; then
sudoers="/etc/sudoers.d/evolinux"
else
sudoers="/etc/sudoers"
fi
# combine users from User_Alias and sudo group
users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u)
fi
for user in $users; do
user_home=$(getent passwd "$user" | cut -d: -f6)
if [ -n "$user_home" ] && [ -d "$user_home" ]; then
if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then
failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap"
test "${VERBOSE}" = 1 || break
fi
fi
done
}
check_evomaintenanceconf() {
f=/etc/evomaintenance.cf
if [ -e "$f" ]; then
perms=$(stat -c "%a" $f)
test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)"
{ grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \
&& grep "^PGDB" $f | grep -qv "your-db" \
&& grep "^PGTABLE" $f | grep -qv "your-table" \
&& grep "^PGHOST" $f | grep -qv "your-pg-host" \
&& grep "^FROM" $f | grep -qv "jdoe@example.com" \
&& grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
&& grep "^REALM" $f | grep -qv "example.com" \
&& grep "^API_ENDPOINT" $f | grep -qv "https://example.com/api/" \
&& grep "^API_KEY" $f | grep -qv "secretkey";
} || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
else
failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
fi
}
check_privatekeyworldreadable() {
# a simple globbing fails if directory is empty
if [ -n "$(ls -A /etc/ssl/private/)" ]; then
for f in /etc/ssl/private/*; do
perms=$(stat -L -c "%a" "$f")
if [ "${perms: -1}" != 0 ]; then
failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable"
test "${VERBOSE}" = 1 || break
fi
done
fi
}
check_evobackup_incs() {
if is_installed bkctld; then
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
if [ -f "${bkctld_cron_file}" ]; then
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
else
failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing"
fi
fi
}
main() {
# Default return code : 0 = no error
RC=0
# Detect operating system name, version and release
detect_os
#-----------------------------------------------------------
# Tests communs à tous les systèmes
#-----------------------------------------------------------
test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts
test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno
test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers
# Verification de la configuration d'evomaintenance
test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf
test "${IS_PRIVKEYWOLRDREADABLE:=1}" = 1 && check_privatekeyworldreadable
#-----------------------------------------------------------
# Vérifie si c'est une debian et fait les tests appropriés.
#-----------------------------------------------------------
if is_debian; then
MINIFW_FILE=$(minifirewall_file)
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
test "${IS_MODSECURITY:=1}" = 1 && check_modsecurity
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
test "${IS_SERVEURBASE:=1}" = 1 && check_serveurbase
test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
test "${IS_APTITUDEONLY:=1}" = 1 && check_aptitudeonly
test "${IS_APTITUDE:=1}" = 1 && check_aptitude
test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
test "${IS_APTICRON:=0}" = 1 && check_apticron
test "${IS_USRRO:=1}" = 1 && check_usrro
test "${IS_TMPNOEXEC:=1}" = 1 && check_tmpnoexec
test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
test "${IS_DISKPERF:=0}" = 1 && check_diskperf
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
test "${IS_APACHEMUNIN:=1}" = 1 && check_apachemunin
test "${IS_MYSQLUTILS:=1}" = 1 && check_mysqlutils
test "${IS_RAIDSOFT:=1}" = 1 && check_raidsoft
test "${IS_AWSTATSLOGFORMAT:=1}" = 1 && check_awstatslogformat
test "${IS_MUNINLOGROTATE:=1}" = 1 && check_muninlogrotate
test "${IS_SQUID:=1}" = 1 && check_squid
test "${IS_EVOMAINTENANCE_FW:=1}" = 1 && check_evomaintenance_fw
test "${IS_MODDEFLATE:=1}" = 1 && check_moddeflate
test "${IS_LOG2MAILRUNNING:=1}" = 1 && check_log2mailrunning
test "${IS_LOG2MAILAPACHE:=1}" = 1 && check_log2mailapache
test "${IS_LOG2MAILMYSQL:=1}" = 1 && check_log2mailmysql
test "${IS_LOG2MAILSQUID:=1}" = 1 && check_log2mailsquid
test "${IS_BINDCHROOT:=1}" = 1 && check_bindchroot
test "${IS_REPVOLATILE:=1}" = 1 && check_repvolatile
test "${IS_NETWORK_INTERFACES:=1}" = 1 && check_network_interfaces
test "${IS_AUTOIF:=1}" = 1 && check_autoif
test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
test "${IS_APACHECTL:=1}" = 1 && check_apachectl
test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
test "${IS_APACHEIPINALLOW:=1}" = 1 && check_apacheipinallow
test "${IS_MUNINAPACHECONF:=1}" = 1 && check_muninapacheconf
test "${IS_SAMBAPINPRIORITY:=1}" = 1 && check_sambainpriority
test "${IS_KERNELUPTODATE:=1}" = 1 && check_kerneluptodate
test "${IS_UPTIME:=1}" = 1 && check_uptime
test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
test "${IS_USERINADMGROUP:=1}" = 1 && check_userinadmgroup
test "${IS_APACHE2EVOLINUXCONF:=1}" = 1 && check_apache2evolinuxconf
test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate
test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware
test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool
test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit
test "${IS_LISTUPGRADE:=1}" = 1 && check_listupgrade
test "${IS_MARIADBEVOLINUXCONF:=1}" = 1 && check_mariadbevolinuxconf
test "${IS_SQL_BACKUP:=1}" = 1 && check_sql_backup
test "${IS_POSTGRES_BACKUP:=1}" = 1 && check_postgres_backup
test "${IS_MONGO_BACKUP:=1}" = 1 && check_mongo_backup
test "${IS_LDAP_BACKUP:=1}" = 1 && check_ldap_backup
test "${IS_REDIS_BACKUP:=1}" = 1 && check_redis_backup
test "${IS_ELASTIC_BACKUP:=1}" = 1 && check_elastic_backup
test "${IS_MARIADBSYSTEMDUNIT:=1}" = 1 && check_mariadbsystemdunit
test "${IS_MYSQLMUNIN:=1}" = 1 && check_mysqlmunin
test "${IS_MYSQLNRPE:=1}" = 1 && check_mysqlnrpe
test "${IS_PHPEVOLINUXCONF:=1}" = 1 && check_phpevolinuxconf
test "${IS_SQUIDLOGROTATE:=1}" = 1 && check_squidlogrotate
test "${IS_SQUIDEVOLINUXCONF:=1}" = 1 && check_squidevolinuxconf
test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron
test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks
test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled
test "${IS_MELTDOWN_SPECTRE:=1}" = 1 && check_meltdown_spectre
test "${IS_OLD_HOME_DIR:=1}" = 1 && check_old_home_dir
test "${IS_EVOBACKUP_INCS:=1}" = 1 && check_evobackup_incs
fi
#-----------------------------------------------------------
# Tests spécifiques à OpenBSD
#-----------------------------------------------------------
if is_openbsd; then
if [ "${IS_SOFTDEP:=1}" = 1 ]; then
grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP"
fi
if [ "${IS_WHEEL:=1}" = 1 ]; then
grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL"
fi
if [ "${IS_SUDOADMIN:=1}" = 1 ]; then
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || failed "IS_SUDOADMIN"
fi
if [ "${IS_PKGMIRROR:=1}" = 1 ]; then
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \
|| failed "IS_PKGMIRROR"
fi
if [ "${IS_HISTORY:=1}" = 1 ]; then
f=/root/.profile
{ grep -q "^HISTFILE=\$HOME/.histfile" $f \
&& grep -q "^export HISTFILE" $f \
&& grep -q "^HISTSIZE=1000" $f \
&& grep -q "^export HISTSIZE" $f;
} || failed "IS_HISTORY"
fi
if [ "${IS_VIM:=1}" = 1 ]; then
command -v vim > /dev/null 2>&1 || failed "IS_VIM"
fi
if [ "${IS_TTYC0SECURE:=1}" = 1 ]; then
grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE"
fi
if [ "${IS_CUSTOMSYSLOG:=1}" = 1 ]; then
grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG"
fi
if [ "${IS_NOINETD:=1}" = 1 ]; then
grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD"
fi
if [ "${IS_SUDOMAINT:=1}" = 1 ]; then
f=/etc/sudoers
{ grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f;
} || failed "IS_SUDOMAINT"
fi
if [ "${IS_POSTGRESQL:=1}" = 1 ]; then
pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed"
fi
if [ "${IS_NRPE:=1}" = 1 ]; then
{ pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe;
} || failed "IS_NRPE" "NRPE is not installed"
fi
# if [ "${IS_NRPEDISKS:=1}" = 1 ]; then
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS"
# fi
# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
#
# if [ "${IS_NRPEPOSTFIX:=1}" = 1 ]; then
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || failed "IS_NRPEPOSTFIX" )
# fi
if [ "${IS_NRPEDAEMON:=1}" = 1 ]; then
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \
|| failed "IS_NREPEDAEMON"
fi
if [ "${IS_ALERTBOOT:=1}" = 1 ]; then
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \
|| failed "IS_ALERTBOOT"
fi
if [ "${IS_RSYNC:=1}" = 1 ]; then
pkg info | grep -q rsync || failed "IS_RSYNC"
fi
if [ "${IS_CRONPATH:=1}" = 1 ]; then
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \
|| failed "IS_CRONPATH"
fi
#TODO
# - Check en profondeur de postfix
# - NRPEDISK et NRPEPOSTFIX
fi
exit ${RC}
}
readonly PROGNAME=$(basename "$0")
readonly PROGDIR=$(realpath -m "$(dirname "$0")")
# shellcheck disable=2124
readonly ARGS=$@
readonly VERSION="19.04"
# Disable LANG*
export LANG=C
export LANGUAGE=C
# Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
while :; do
@ -298,1177 +1413,5 @@ while :; do
shift
done
#-----------------------------------------------------------
#Vérifie si c'est une debian et fait les tests appropriés.
#-----------------------------------------------------------
if is_debian; then
is_debian_lenny && MINIFW_FILE=/etc/firewall.rc
is_debian_squeeze && MINIFW_FILE=/etc/firewall.rc
is_debian_wheezy && MINIFW_FILE=/etc/firewall.rc
is_debian_jessie && MINIFW_FILE=/etc/default/minifirewall
is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall
if [ "$IS_LSBRELEASE" = 1 ]; then
if [ -x "${LSB_RELEASE_BIN}" ]; then
## only the major version matters
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
rhs=$(cut -d "." -f 1 < /etc/debian_version)
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"
else
failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
fi
fi
if [ "$IS_DPKGWARNING" = 1 ]; then
if is_debian_squeeze; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf)
test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing."
fi
elif is_debian_wheezy; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
test -e /etc/apt/apt.conf.d/80evolinux \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing"
test -e /etc/apt/apt.conf \
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
fi
elif is_debian_stretch; then
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
fi
fi
if [ "$IS_UMASKSUDOERS" = 1 ]; then
if is_debian_squeeze; then
grep -q "^Defaults.*umask=0077" /etc/sudoers \
|| failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
fi
fi
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
if [ "$IS_NRPEPOSTFIX" = 1 ]; then
if is_installed postfix; then
if is_debian_squeeze; then
grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \
|| failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
else
{ test -e /etc/nagios/nrpe.cfg \
&& grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*;
} || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
fi
fi
fi
# Check if mod-security config file is present
if [ "$IS_MODSECURITY" = 1 ]; then
if is_debian_squeeze; then
if is_installed libapache-mod-security; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
elif is_debian_wheezy; then
if is_installed libapache2-modsecurity; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
fi
fi
if [ "$IS_CUSTOMSUDOERS" = 1 ]; then
grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_CUSTOMSUDOERS"
fi
if [ "$IS_VARTMPFS" = 1 ]; then
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
fi
if [ "$IS_SERVEURBASE" = 1 ]; then
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
fi
if [ "$IS_LOGROTATECONF" = 1 ]; then
test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF"
fi
if [ "$IS_SYSLOGCONF" = 1 ]; then
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \
|| failed "IS_SYSLOGCONF"
fi
if [ "$IS_DEBIANSECURITY" = 1 ]; then
grep -q "^deb.*security" /etc/apt/sources.list \
|| failed "IS_DEBIANSECURITY"
fi
if [ "$IS_APTITUDEONLY" = 1 ]; then
if is_debian_squeeze || is_debian_wheezy; then
test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY"
fi
fi
if [ "$IS_APTITUDE" = 1 ]; then
if is_debian_jessie || is_debian_stretch; then
test -e /usr/bin/aptitude && failed "IS_APTITUDE"
fi
fi
if [ "$IS_APTGETBAK" = 1 ]; then
if is_debian_jessie || is_debian_stretch; then
test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK"
fi
fi
if [ "$IS_APTICRON" = 1 ]; then
status="OK"
test -e /etc/cron.d/apticron || status="fail"
test -e /etc/cron.daily/apticron && status="fail"
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
if is_debian_squeeze || is_debian_wheezy; then
test "$status" = "fail" && failed "IS_APTICRON"
fi
fi
if [ "$IS_USRRO" = 1 ]; then
grep /usr /etc/fstab | grep -q ro || failed "IS_USRRO"
fi
if [ "$IS_TMPNOEXEC" = 1 ]; then
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC"
fi
if [ "$IS_MOUNT_FSTAB" = 1 ]; then
# Test if lsblk available, if not skip this test...
LSBLK_BIN=$(command -v lsblk)
if test -x "${LSBLK_BIN}"; then
for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do
grep -Eq "$mountPoint\W" /etc/fstab || failed "IS_MOUNT_FSTAB"
done
fi
fi
if [ "$IS_LISTCHANGESCONF" = 1 ]; then
if is_debian_stretch; then
if is_installed apt-listchanges; then
failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Stretch"
fi
else
if [ -e "/etc/apt/listchanges.conf" ]; then
lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf)
if [ "$lines" != 2 ]; then
failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect"
fi
else
failed "IS_LISTCHANGESCONF" "apt-listchanges config is missing"
fi
fi
fi
if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab)
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB"
fi
if [ "$IS_SSHALLOWUSERS" = 1 ]; then
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || failed "IS_SSHALLOWUSERS"
fi
if [ "$IS_DISKPERF" = 1 ]; then
test -e /root/disk-perf.txt || failed "IS_DISKPERF"
fi
if [ "$IS_TMOUTPROFILE" = 1 ]; then
grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
fi
if [ "$IS_ALERT5BOOT" = 1 ]; then
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
else
failed "IS_ALERT5BOOT" "alert5 init script is missing"
fi
fi
if [ "$IS_ALERT5MINIFW" = 1 ]; then
if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
else
failed "IS_ALERT5MINIFW" "alert5 init script is missing"
fi
fi
if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|| failed "IS_MINIFW"
fi
if [ "$IS_NRPEPERMS" = 1 ]; then
if [ -d /etc/nagios ]; then
actual=$(stat --format "%a" /etc/nagios)
expected="750"
test "$expected" = "$actual" || failed "IS_NRPEPERMS"
fi
fi
if [ "$IS_MINIFWPERMS" = 1 ]; then
if [ -f "$MINIFW_FILE" ]; then
actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
fi
fi
if [ "$IS_NRPEDISKS" = 1 ]; then
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)")
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS"
fi
if [ "$IS_NRPEPID" = 1 ]; then
if ! is_debian_squeeze; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID"
fi
fi
if [ "$IS_GRSECPROCS" = 1 ]; then
if uname -a | grep -q grsec; then
{ grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \
&& grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root";
} || failed "IS_GRSECPROCS"
fi
fi
if [ "$IS_APACHEMUNIN" = 1 ]; then
if test -e /etc/apache2/apache2.conf; then
if is_debian_stretch; then
{ test -h /etc/apache2/mods-enabled/status.load \
&& test -h /etc/munin/plugins/apache_accesses \
&& test -h /etc/munin/plugins/apache_processes \
&& test -h /etc/munin/plugins/apache_volume; } \
|| failed "IS_APACHEMUNIN" "missing munin plugins for Apache"
else
pattern="/server-status-[[:alnum:]]{4,}"
{ grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \
&& { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \
|| grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf;
};
} || failed "IS_APACHEMUNIN" "server status is not properly configured"
fi
fi
fi
# Verification mytop + Munin si MySQL
if [ "$IS_MYSQLUTILS" = 1 ]; then
MYSQL_ADMIN=${MYSQL_ADMIN:-mysqladmin}
if is_installed mysql-server; then
# You can configure MYSQL_ADMIN in evocheck.cf
if ! grep -qs "$MYSQL_ADMIN" /root/.my.cnf; then
failed "IS_MYSQLUTILS" "mysqladmin missing in /root/.my.cnf"
fi
if ! test -x /usr/bin/mytop; then
if ! test -x /usr/local/bin/mytop; then
failed "IS_MYSQLUTILS" "mytop binary missing"
fi
fi
if ! grep -qs debian-sys-maint /root/.mytop; then
failed "IS_MYSQLUTILS" "debian-sys-maint missing in /root/.mytop"
fi
fi
fi
# Verification de la configuration du raid soft (mdadm)
if [ "$IS_RAIDSOFT" = 1 ]; then
if test -e /proc/mdstat && grep -q md /proc/mdstat; then
{ grep -q "^AUTOCHECK=true" /etc/default/mdadm \
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf;
} || failed "IS_RAIDSOFT"
fi
fi
# Verification du LogFormat de AWStats
if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then
if is_installed apache2.2-common awstats; then
grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
|| failed "IS_AWSTATSLOGFORMAT"
fi
fi
# Verification de la présence de la config logrotate pour Munin
if [ "$IS_MUNINLOGROTATE" = 1 ]; then
{ test -e /etc/logrotate.d/munin-node \
&& test -e /etc/logrotate.d/munin;
} || failed "IS_MUNINLOGROTATE"
fi
# Verification de la présence de metche
#if [ "$IS_METCHE" = 1 ]; then
# is_installed metche || failed "IS_METCHE"
#fi
# Verification de l'activation de Squid dans le cas d'un pack mail
if [ "$IS_SQUID" = 1 ]; then
if is_debian_stretch; then
squidconffile="/etc/squid/evolinux-custom.conf"
else
squidconffile="/etc/squid*/squid.conf"
fi
if is_pack_web && (is_installed squid || is_installed squid3); then
host=$(hostname -i)
# shellcheck disable=SC2086
http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ")
{ grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
} || failed "IS_SQUID"
fi
fi
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
if [ -f "$MINIFW_FILE" ]; then
rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
if [ "$rulesNumber" -lt 2 ]; then
failed "IS_EVOMAINTENANCE_FW"
fi
fi
fi
# Verification de la conf et de l'activation de mod-deflate
if [ "$IS_MODDEFLATE" = 1 ]; then
f=/etc/apache2/mods-enabled/deflate.conf
if is_installed apache2.2; then
{ test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f;
} || failed "IS_MODDEFLATE"
fi
fi
# Verification de la conf log2mail
if [ "$IS_LOG2MAILRUNNING" = 1 ]; then
if is_pack_web && is_installed log2mail; then
pgrep log2mail >/dev/null || failed 'IS_LOG2MAILRUNNING'
fi
fi
if [ "$IS_LOG2MAILAPACHE" = 1 ]; then
if is_debian_stretch; then
conf=/etc/log2mail/config/apache
else
conf=/etc/log2mail/config/default
fi
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|| failed "IS_LOG2MAILAPACHE"
fi
fi
if [ "$IS_LOG2MAILMYSQL" = 1 ]; then
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \
|| failed "IS_LOG2MAILMYSQL"
fi
fi
if [ "$IS_LOG2MAILSQUID" = 1 ]; then
if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \
|| failed "IS_LOG2MAILSQUID"
fi
fi
# Verification si bind est chroote
if [ "$IS_BINDCHROOT" = 1 ]; then
if is_installed bind9; then
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ')
md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ')
if [ "$md5_original" != "$md5_chrooted" ]; then
failed "IS_BINDCHROOT" "The chrooted bind binary is differet than the original binary"
fi
else
failed "IS_BINDCHROOT" "bind process is not chrooted"
fi
fi
fi
fi
# Verification de la présence du depot volatile
if [ "$IS_REPVOLATILE" = 1 ]; then
if is_debian_lenny; then
grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE"
fi
if is_debian_squeeze; then
grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE"
fi
fi
# /etc/network/interfaces should be present, we don't manage systemd-network yet
if [ "$IS_NETWORK_INTERFACES" = 1 ]; then
if ! test -f /etc/network/interfaces; then
IS_AUTOIF=0
IS_INTERFACESGW=0
failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet"
fi
fi
# Verify if all if are in auto
if [ "$IS_AUTOIF" = 1 ]; then
if is_debian_stretch; then
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
else
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ")
fi
for interface in $interfaces; do
if ! grep -q "^auto $interface" /etc/network/interfaces; then
failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto"
test "${VERBOSE}" = 1 || break
fi
done
fi
# Network conf verification
if [ "$IS_INTERFACESGW" = 1 ]; then
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway"
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway"
fi
# Verification de la mise en place d'evobackup
if [ "$IS_EVOBACKUP" = 1 ]; then
evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP"
fi
# Verification de la presence du userlogrotate
if [ "$IS_USERLOGROTATE" = 1 ]; then
if is_pack_web; then
test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE"
fi
fi
# Verification de la syntaxe de la conf d'Apache
if [ "$IS_APACHECTL" = 1 ]; then
if is_installed apache2.2-common; then
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
fi
fi
# Check if there is regular files in Apache sites-enabled.
if [ "$IS_APACHESYMLINK" = 1 ]; then
if is_installed apache2.2-common; then
stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK"
fi
fi
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
if [ "$IS_APACHEIPINALLOW" = 1 ]; then
# Note: Replace "exit 1" by "print" in Perl code to debug it.
if is_installed apache2.2-common; then
grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
| grep -iv "from all" \
| grep -iv "env=" \
| perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \
|| failed "IS_APACHEIPINALLOW"
fi
fi
# Check if default Apache configuration file for munin is absent (or empty or commented).
if [ "$IS_MUNINAPACHECONF" = 1 ]; then
if is_debian_squeeze || is_debian_wheezy; then
muninconf="/etc/apache2/conf.d/munin"
else
muninconf="/etc/apache2/conf-available/munin.conf"
fi
if is_installed apache2.2-common; then
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
fi
fi
# Verification de la priorité du package samba si les backports sont utilisés
if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then
if is_debian_lenny && is_pack_samba; then
if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then
priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ")
test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY"
fi
fi
fi
# Verification si le système doit redémarrer suite màj kernel.
if [ "$IS_KERNELUPTODATE" = 1 ]; then
if is_installed linux-image*; then
# shellcheck disable=SC2012
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
failed "IS_KERNELUPTODATE"
fi
fi
fi
# Check if the server is running for more than a year.
if [ "$IS_UPTIME" = 1 ]; then
if is_installed linux-image*; then
limit=$(date -d "now - 2 year" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$limit" -gt "$last_reboot_at" ]; then
failed "IS_UPTIME"
fi
fi
fi
# Check if munin-node running and RRD files are up to date.
if [ "$IS_MUNINRUNNING" = 1 ]; then
if ! pgrep munin-node >/dev/null; then
failed "IS_MUNINRUNNING" "Munin is not running"
elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then
limit=$(date +"%s" -d "now - 10 minutes")
if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then
updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)
[ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)"
fi
if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then
updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)
grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)"
fi
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)"
fi
fi
# Check if files in /home/backup/ are up-to-date
if [ "$IS_BACKUPUPTODATE" = 1 ]; then
if [ -d /home/backup/ ]; then
if [ -n "$(ls -A /home/backup/)" ]; then
for file in /home/backup/*; do
limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
test "${VERBOSE}" = 1 || break;
fi
done
else
failed "IS_BACKUPUPTODATE" "/home/backup/ is empty"
fi
else
failed "IS_BACKUPUPTODATE" "/home/backup/ is missing"
fi
fi
if [ "$IS_ETCGIT" = 1 ]; then
(cd /etc; git rev-parse --is-inside-work-tree > /dev/null 2>&1) || failed "IS_ETCGIT" "/etc is not a Git repository"
fi
# Check if /etc/.git/ has read/write permissions for root only.
if [ "$IS_GITPERMS" = 1 ]; then
if test -d /etc/.git; then
expected="700"
actual=$(stat -c "%a" /etc/.git/)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS"
fi
fi
# Check if no package has been upgraded since $limit.
if [ "$IS_NOTUPGRADED" = 1 ]; then
last_upgrade=0
upgraded=false
for log in /var/log/dpkg.log*; do
if zgrep -qsm1 upgrade "$log"; then
# There is at least one upgrade
upgraded=true
break
fi
done
if $upgraded; then
last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
fi
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
# Manual upgrade process
limit=$(date +%s -d "now - 180 days")
else
# Regular process
limit=$(date +%s -d "now - 90 days")
fi
install_date=0
if [ -d /var/log/installer ]; then
install_date=$(stat -c %Z /var/log/installer)
fi
# Check install_date if the system never received an upgrade
if [ "$last_upgrade" -eq 0 ]; then
[ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
[ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi
fi
# Check if reserved blocks for root is at least 5% on every mounted partitions.
if [ "$IS_TUNE2FS_M5" = 1 ]; then
min=5
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
for part in $parts; do
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
# If buggy partition, skip it.
if [ -z "$blockCount" ]; then
continue
fi
reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+")
# Use awk to have a rounded percentage
# python is slow, bash is unable and bc rounds weirdly
percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
if [ "$percentage" -lt "${min}" ]; then
failed "IS_TUNE2FS_M5" "Partition ${part} has less than ${min}% reserved blocks (${percentage}%)"
fi
done
fi
if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then
if is_debian_stretch; then
if grep -q "^evolinux-sudo:" /etc/group; then
grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP"
fi
fi
fi
if [ "$IS_USERINADMGROUP" = 1 ]; then
if is_debian_stretch; then
users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
for user in $users; do
if ! groups "$user" | grep -q adm; then
failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi
if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then
if is_debian_stretch && test -d /etc/apache2; then
{ test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
&& test -f /etc/apache2/ipaddr_whitelist.conf;
} || failed "IS_APACHE2EVOLINUXCONF"
fi
fi
if [ "$IS_BACKPORTSCONF" = 1 ]; then
if is_debian_stretch; then
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| failed "IS_BACKPORTSCONF" "backports must have preferences"
fi
fi
fi
if [ "$IS_BIND9MUNIN" = 1 ]; then
if is_debian_stretch && is_installed bind9; then
{ test -L /etc/munin/plugins/bind9 \
&& test -e /etc/munin/plugin-conf.d/bind9;
} || failed "IS_BIND9MUNIN"
fi
fi
if [ "$IS_BIND9LOGROTATE" = 1 ]; then
if is_debian_stretch && is_installed bind9; then
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE"
fi
fi
if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then
{ is_installed firmware-bnx2 \
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
} || failed "IS_BROADCOMFIRMWARE"
fi
else
failed "IS_BROADCOMFIRMWARE" "lspci is missing"
fi
fi
if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then
# shellcheck disable=SC2015
is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
|| failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
fi
if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then
is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed"
fi
else
failed "IS_HARDWARERAIDTOOL" "lspci is missing"
fi
fi
if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then
if is_debian_stretch; then
{ systemctl -q is-active log2mail.service \
&& test -f /etc/systemd/system/log2mail.service \
&& ! test -f /etc/init.d/log2mail;
} || failed "IS_LOG2MAILSYSTEMDUNIT"
fi
fi
if [ "$IS_LISTUPGRADE" = 1 ]; then
{ test -f /etc/cron.d/listupgrade \
&& test -x /usr/share/scripts/listupgrade.sh;
} || failed "IS_LISTUPGRADE"
fi
if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then
if is_debian_stretch; then
if is_installed mariadb-server; then
{ test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
} || failed "IS_MARIADBEVOLINUXCONF"
fi
fi
fi
if [ "$IS_SQL_BACKUP" = 1 ]; then
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
# You could change the default path in /etc/evocheck.cf
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
fi
fi
if [ "$IS_POSTGRES_BACKUP" = 1 ]; then
if is_installed "postgresql-9*"; then
# If you use something like barman, you should disable this check
# You could change the default path in /etc/evocheck.cf
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
fi
fi
if [ "$IS_MONGO_BACKUP" = 1 ]; then
if is_installed "mongodb-org-server"; then
# You could change the default path in /etc/evocheck.cf
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
if [ -d "$MONGO_BACKUP_PATH" ]; then
for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do
# Skip indexes file.
if ! [[ "$file" =~ indexes ]]; then
limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days"
break
fi
fi
done
else
failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})"
fi
fi
fi
if [ "$IS_LDAP_BACKUP" = 1 ]; then
if is_installed slapd; then
# You could change the default path in /etc/evocheck.cf
LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})"
fi
fi
if [ "$IS_REDIS_BACKUP" = 1 ]; then
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})"
fi
fi
if [ "$IS_ELASTIC_BACKUP" = 1 ]; then
if is_installed elasticsearch; then
# You could change the default path in /etc/evocheck.cf
ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"}
test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})"
fi
fi
if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then
if is_debian_stretch && is_installed mariadb-server; then
{ systemctl -q is-active mariadb.service \
&& test -f /etc/systemd/system/mariadb.service.d/evolinux.conf;
} || failed "IS_MARIADBSYSTEMDUNIT"
fi
fi
if [ "$IS_MYSQLMUNIN" = 1 ]; then
if is_debian_stretch && is_installed mariadb-server; then
for file in mysql_bytes mysql_queries mysql_slowqueries \
mysql_threads mysql_connections mysql_files_tables \
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \
mysql_myisam_indexes mysql_qcache mysql_qcache_mem \
mysql_sorts mysql_tmp_tables; do
if [[ ! -L /etc/munin/plugins/$file ]]; then
failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi
if [ "$IS_MYSQLNRPE" = 1 ]; then
if is_debian_stretch && is_installed mariadb-server; then
nagios_file="~nagios/.my.cnf"
{ test -f $nagios_file \
&& [ "$(stat -c %U $nagios_file)" = "nagios" ] \
&& [ "$(stat -c %a $nagios_file)" = "600" ] \
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file";
} || failed "IS_MYSQLNRPE"
fi
fi
if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then
if is_debian_stretch && is_installed php; then
{ test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini;
} || failed "IS_PHPEVOLINUXCONF"
fi
fi
if [ "$IS_SQUIDLOGROTATE" = 1 ]; then
if is_debian_stretch && is_installed squid; then
grep -q monthly /etc/logrotate.d/squid || failed "IS_SQUIDLOGROTATE"
fi
fi
if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then
if is_debian_stretch && is_installed squid; then
{ grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
&& test -f /etc/squid/evolinux-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-custom.conf \
&& test -f /etc/squid/evolinux-acl.conf \
&& test -f /etc/squid/evolinux-httpaccess.conf \
&& test -f /etc/squid/evolinux-custom.conf;
} || failed "IS_SQUIDEVOLINUXCONF"
fi
fi
if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
# Do it only if thereis blkid binary
BLKID_BIN=$(command -v blkid)
if [ -x "$BLKID_BIN" ]; then
tmpFile=$(mktemp -p /tmp)
parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do
echo "$part" >> "$tmpFile"
done
tmpOutput=$(sort < "$tmpFile" | uniq -d)
# If there is no duplicate, uniq will have no output
# So, if $tmpOutput is not null, there is a duplicate
if [ -n "$tmpOutput" ]; then
# shellcheck disable=SC2086
labels=$(echo -n $tmpOutput | tr '\n' ' ')
failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels"
fi
rm "$tmpFile"
else
failed "IS_DUPLICATE_FS_LABEL" "blkid not found"
fi
fi
if [ "$IS_EVOLIX_USER" = 1 ]; then
grep -q "evolix:" /etc/passwd && failed "IS_EVOLIX_USER"
fi
if [ "$IS_EVOACME_CRON" = 1 ]; then
if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted
test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme"
# evoacme cron file should be present
test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing"
fi
fi
if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
EVOACME_BIN=$(command -v evoacme)
if [ -x "$EVOACME_BIN" ]; then
# Sometimes evoacme is installed but no certificates has been generated
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
if [ "$numberOfLinks" -gt 0 ]; then
for live in /etc/letsencrypt/*/live; do
actualLink=$(readlink -f "$live")
actualVersion=$(basename "$actualLink")
certDir=$(dirname "$live")
certName=$(basename "$certDir")
# shellcheck disable=SC2012
lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1)
lastVersion=$(basename "$lastCertDir")
if [[ "$lastVersion" != "$actualVersion" ]]; then
failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi
fi
if [ "$IS_APACHE_CONFENABLED" = 1 ]; then
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
# must be replaced by conf-available/ and config files symlinked
# to conf-enabled/
if is_debian_jessie || is_debian_stretch; then
if [ -f /etc/apache2/apache2.conf ]; then
test -d /etc/apache2/conf.d/ && failed "IS_APACHE_CONFENABLED"
grep -q 'Include conf.d' /etc/apache2/apache2.conf && failed "IS_APACHE_CONFENABLED"
fi
fi
fi
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
# For Stretch, detection is easy as the kernel use
# /sys/devices/system/cpu/vulnerabilities/
if is_debian_stretch; then
for vuln in meltdown spectre_v1 spectre_v2; do
test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \
|| failed "IS_MELTDOWN_SPECTRE"
done
# For Jessie this is quite complicated to verify and we need to use kernel config file
elif is_debian_jessie; then
if grep -q "BOOT_IMAGE=" /proc/cmdline; then
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
kernelVer=${kernelPath##*/vmlinuz-}
kernelConfig="config-${kernelVer}"
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
if [ -f "/boot/${kernelConfig}" ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \
|| failed "IS_MELTDOWN_SPECTRE" "PAGE_TABLE_ISOLATION vulnerability is not patched"
grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \
|| failed "IS_MELTDOWN_SPECTRE" "RETPOLINE vulnerability is not patched"
fi
fi
fi
fi
if [ "$IS_OLD_HOME_DIR" = 1 ]; then
homeDir=${homeDir:-/home}
for dir in "$homeDir"/*; do
statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \
| grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \
| grep "UNKNOWN")
# There is at least one dir matching
if [[ -n "$statResult" ]]; then
failed "IS_OLD_HOME_DIR" "$statResult"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi
if is_openbsd; then
if [ "$IS_SOFTDEP" = 1 ]; then
grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP"
fi
if [ "$IS_WHEEL" = 1 ]; then
grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL"
fi
if [ "$IS_SUDOADMIN" = 1 ]; then
grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || failed "IS_SUDOADMIN"
fi
if [ "$IS_PKGMIRROR" = 1 ]; then
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \
|| failed "IS_PKGMIRROR"
fi
if [ "$IS_HISTORY" = 1 ]; then
f=/root/.profile
{ grep -q "^HISTFILE=\$HOME/.histfile" $f \
&& grep -q "^export HISTFILE" $f \
&& grep -q "^HISTSIZE=1000" $f \
&& grep -q "^export HISTSIZE" $f;
} || failed "IS_HISTORY"
fi
if [ "$IS_VIM" = 1 ]; then
command -v vim > /dev/null 2>&1 || failed "IS_VIM"
fi
if [ "$IS_TTYC0SECURE" = 1 ]; then
grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE"
fi
if [ "$IS_CUSTOMSYSLOG" = 1 ]; then
grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG"
fi
if [ "$IS_NOINETD" = 1 ]; then
grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD"
fi
if [ "$IS_SUDOMAINT" = 1 ]; then
f=/etc/sudoers
{ grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f;
} || failed "IS_SUDOMAINT"
fi
if [ "$IS_POSTGRESQL" = 1 ]; then
pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed"
fi
if [ "$IS_NRPE" = 1 ]; then
{ pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe;
} || failed "IS_NRPE" "NRPE is not installed"
fi
# if [ "$IS_NRPEDISKS" = 1 ]; then
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS"
# fi
# Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
#
# if [ "$IS_NRPEPOSTFIX" = 1 ]; then
# pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || failed "IS_NRPEPOSTFIX" )
# fi
if [ "$IS_NRPEDAEMON" = 1 ]; then
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \
|| failed "IS_NREPEDAEMON"
fi
if [ "$IS_ALERTBOOT" = 1 ]; then
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \
|| failed "IS_ALERTBOOT"
fi
if [ "$IS_RSYNC" = 1 ]; then
pkg info | grep -q rsync || failed "IS_RSYNC"
fi
if [ "$IS_CRONPATH" = 1 ]; then
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \
|| failed "IS_CRONPATH"
fi
#TODO
# - Check en profondeur de postfix
# - NRPEDISK et NRPEPOSTFIX
fi
if [ "$IS_TMP_1777" = 1 ]; then
actual=$(stat --format "%a" /tmp)
expected="1777"
test "$expected" = "$actual" || failed "IS_TMP_1777"
fi
if [ "$IS_ROOT_0700" = 1 ]; then
actual=$(stat --format "%a" /root)
expected="700"
test "$expected" = "$actual" || failed "IS_ROOT_0700"
fi
if [ "$IS_USRSHARESCRIPTS" = 1 ]; then
actual=$(stat --format "%a" /usr/share/scripts)
expected="700"
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS"
fi
if [ "$IS_SSHPERMITROOTNO" = 1 ]; then
if is_debian_stretch; then
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO"
fi
else
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO"
fi
fi
if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
if is_debian_stretch; then
users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
else
if [ -f /etc/sudoers.d/evolinux ]; then
sudoers="/etc/sudoers.d/evolinux"
else
sudoers="/etc/sudoers"
fi
# combine users from User_Alias and sudo group
users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u)
fi
for user in $users; do
user_home=$(getent passwd "$user" | cut -d: -f6)
if [ -n "$user_home" ] && [ -d "$user_home" ]; then
if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then
failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap"
test "${VERBOSE}" = 1 || break
fi
fi
done
fi
# Verification de la configuration d'evomaintenance
if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then
f=/etc/evomaintenance.cf
if [ -e "$f" ]; then
perms=$(stat -c "%a" $f)
test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)"
{ grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \
&& grep "^PGDB" $f | grep -qv "your-db" \
&& grep "^PGTABLE" $f | grep -qv "your-table" \
&& grep "^PGHOST" $f | grep -qv "your-pg-host" \
&& grep "^FROM" $f | grep -qv "jdoe@example.com" \
&& grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
&& grep "^REALM" $f | grep -qv "example.com";
} || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
else
failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
fi
fi
if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
# a simple globbing fails if directory is empty
if [ -n "$(ls -A /etc/ssl/private/)" ]; then
for f in /etc/ssl/private/*; do
perms=$(stat -L -c "%a" "$f")
if [ "${perms: -1}" != 0 ]; then
failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable"
test "${VERBOSE}" = 1 || break
fi
done
fi
fi
exit ${RC}
# shellcheck disable=SC2086
main ${ARGS}

5
evolinux-base/tasks/packages.yml
View file

@ -16,6 +16,7 @@
- bash-completion
- ssl-cert
- ca-certificates
- rename
when: evolinux_packages_system
- name: Install/Update diagnostic tools
@ -125,8 +126,8 @@
- evolinux_packages_listchanges
- ansible_distribution == "Debian"
- ansible_distribution_release == "jessie"
- name: apt-listchanges is absent on Stretch and later
- name: apt-listchanges is absent on Stretch and later
apt:
name: apt-listchanges
state: absent

8
evolinux-base/tasks/ssh.yml
View file

@ -23,7 +23,7 @@
Match Group evolix
PasswordAuthentication no
insertafter: EOF
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- evolinux_ssh_password_auth_addresses != []
@ -37,7 +37,7 @@
Match Address {{ evolinux_ssh_password_auth_addresses | join(',') }}
PasswordAuthentication yes
insertafter: EOF
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when:
- evolinux_ssh_password_auth_addresses != []
@ -82,7 +82,7 @@
dest: /etc/ssh/sshd_config
line: "\nAllowUsers {{ logname.stdout }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
@ -91,7 +91,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
replace: '\1 {{ logname.stdout }}'
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0

4
evolinux-users/tasks/ssh_allowgroups.yml
View file

@ -14,7 +14,7 @@
dest: /etc/ssh/sshd_config
line: "\nAllowGroups {{ evolinux_ssh_group }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: grep_allowgroups_ssh.rc != 0
@ -23,6 +23,6 @@
dest: /etc/ssh/sshd_config
regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
replace: '\1 {{ evolinux_ssh_group }}'
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: grep_allowgroups_ssh.rc == 0

8
evolinux-users/tasks/ssh_allowusers.yml
View file

@ -14,7 +14,7 @@
dest: /etc/ssh/sshd_config
line: "\nAllowUsers {{ user.name }}"
insertafter: 'Subsystem'
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: grep_allowusers_ssh.rc != 0
@ -23,7 +23,7 @@
dest: /etc/ssh/sshd_config
regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
replace: '\1 {{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: grep_allowusers_ssh.rc == 0
@ -39,7 +39,7 @@
dest: /etc/ssh/sshd_config
line: "\nMatch User {{ user.name }}\n PasswordAuthentication no"
insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS"
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: grep_matchuser_ssh.rc != 0
@ -48,6 +48,6 @@
dest: /etc/ssh/sshd_config
regexp: '^(Match User ((?!{{ user.name }}).)*)$'
replace: '\1,{{ user.name }}'
validate: '/usr/sbin/sshd -T -f %s'
validate: '/usr/sbin/sshd -t -f %s'
notify: reload sshd
when: grep_matchuser_ssh.rc == 0

32
evolinux-users/tasks/user.yml
View file

@ -18,25 +18,25 @@
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
user:
state: present
uid: '{{ user.uid }}'
name: '{{ user.name }}'
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
state: present
uid: '{{ user.uid }}'
name: '{{ user.name }}'
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
when:
- loginisbusy.rc != 0
- uidisbusy.rc != 0
- name: "Unix account for '{{ user.name }}' is present (with random uid)"
user:
state: present
name: '{{ user.name }}'
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
state: present
name: '{{ user.name }}'
comment: '{{ user.fullname }}'
shell: /bin/bash
password: '{{ user.password_hash }}'
update_password: on_create
when:
- loginisbusy.rc != 0
- uidisbusy.rc == 0
@ -118,9 +118,9 @@
- name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
file:
name: '/home/{{ user.name }}'
mode: "0700"
state: directory
name: '/home/{{ user.name }}'
mode: "0700"
state: directory
# Evomaintenance

8
evomaintenance/defaults/main.yml
View file

@ -31,6 +31,14 @@ evomaintenance_urgency_tel: "06.00.00.00.00"
evomaintenance_realm: "{{ evolinux_internal_domain }}"
evomaintenance_api_endpoint: Null
evomaintenance_api_key: Null
evomaintenance_hook_api: False
evomaintenance_hook_db: True
evomaintenance_hook_commit: True
evomaintenance_hook_mail: True
evomaintenance_default_hosts: []
evomaintenance_additional_hosts: []
evomaintenance_hosts: "{{ evomaintenance_default_hosts | union(evomaintenance_additional_hosts) | unique }}"

100
evomaintenance/files/evomaintenance.sh
View file

@ -29,15 +29,17 @@ evomaintenance is a program that helps reporting what you've done on a server
Usage: evomaintenance
or evomaintenance --message="add new host"
or evomaintenance --no-db --no-mail --no-commit
or evomaintenance --no-api --no-mail --no-commit
or echo "add new vhost" | evomaintenance
Options
-m, --message=MESSAGE set the message from the command line
--mail enable the mail hook (default)
--no-mail disable the mail hook
--db enable the database hook (default)
--no-db disable the database hook
--db enable the database hook
--no-db disable the database hook (default)
--api enable the API hook (default)
--no-api disable the API hook
--commit enable the commit hook (default)
--no-commit disable the commit hook
--evocheck enable evocheck execution (default)
@ -149,8 +151,8 @@ get_evocheck() {
print_log() {
printf "*********** %s ***************\n" "$(get_now)"
print_session_data
printf "Hooks : commit=%s db=%s mail=%s\n"\
"${HOOK_COMMIT}" "${HOOK_DB}" "${HOOK_MAIL}"
printf "Hooks : commit=%s db=%s api=%s mail=%s\n"\
"${HOOK_COMMIT}" "${HOOK_DB}" "${HOOK_API}" "${HOOK_MAIL}"
if [ "${HOOK_MAIL}" = "1" ]; then
printf "Mailto : %s\n" "${EVOMAINTMAIL}"
fi
@ -220,6 +222,35 @@ hook_db() {
fi
}
hook_api() {
if [ "${VERBOSE}" = "1" ]; then
printf "\n********** API call **************\n"
printf "curl -f -s -S -X POST [REDACTED] -k -F api_key=[REDACTED] -F action=insertEvoMaintenance -F hostname=%s -F userid=%s -F ipaddress=%s -F begin_date=%s -F end_date='now()' -F details=%s" \
"${HOSTNAME}" "${USER}" "${IP}" "${BEGIN_DATE}" "${MESSAGE}"
printf "\n***********************************\n"
fi
if [ "${DRY_RUN}" != "1" ] && [ -x "${CURL_BIN}" ]; then
API_RETURN_STATUS=$(curl -f -s -S -X POST \
"${API_ENDPOINT}" -k \
-F api_key="${API_KEY}" \
-F action=insertEvoMaintenance \
-F hostname="${HOSTNAME}" \
-F userid="${USER}" \
-F ipaddress="${IP}" \
-F begin_date="${BEGIN_DATE}" \
-F end_date='now()' \
-F details="${MESSAGE}")
# either cURL or the API backend can throw an error, otherwise it returns this JSON response
if [ "$API_RETURN_STATUS" = '{"status":"Ok"}' ]; then
echo "API call OK."
else
echo "API call FAILED."
fi
fi
}
format_mail() {
cat <<EOTEMPLATE
From: ${FULLFROM}
@ -293,13 +324,15 @@ HOSTNAME=${HOSTNAME:-$(get_fqdn)}
EVOMAINTMAIL=${EVOMAINTMAIL:-"evomaintenance-$(echo "${HOSTNAME}" | cut -d- -f1)@${REALM}"}
LOGFILE=${LOGFILE:-"/var/log/evomaintenance.log"}
HOOK_COMMIT=${HOOK_COMMIT:-"1"}
HOOK_DB=${HOOK_DB:-"1"}
HOOK_DB=${HOOK_DB:-"0"}
HOOK_API=${HOOK_API:-"1"}
HOOK_MAIL=${HOOK_MAIL:-"1"}
DRY_RUN=${DRY_RUN:-"0"}
VERBOSE=${VERBOSE:-"0"}
AUTO=${AUTO:-"0"}
EVOCHECK=${EVOCHECK:-"0"}
GIT_STATUS_MAX_LINES=${GIT_STATUS_MAX_LINES:-20}
API_ENDPOINT=${API_ENDPOINT:-""}
# initialize variables
MESSAGE=""
@ -353,6 +386,14 @@ while :; do
# enable DB hook
HOOK_DB=1
;;
--no-api)
# disable API hook
HOOK_API=0
;;
--api)
# enable API hook
HOOK_API=1
;;
--no-mail)
# disable mail hook
HOOK_MAIL=0
@ -429,6 +470,16 @@ if [ -z "${PSQL_BIN}" ]; then
echo "No \`psql' command has been found, can't save to the database." 2>&1
fi
CURL_BIN=$(command -v curl)
readonly CURL_BIN
if [ -z "${CURL_BIN}" ]; then
echo "No \`curl' command has been found, can't call the API." 2>&1
fi
if [ -z "${API_ENDPOINT}" ]; then
echo "No API endpoint specified, can't call the API." 2>&1
fi
EVOCHECK_BIN="/usr/share/scripts/evocheck.sh"
GIT_REPOSITORIES="/etc /etc/bind"
@ -489,6 +540,9 @@ if [ "${INTERACTIVE}" = "1" ] && [ "${AUTO}" = "0" ]; then
if [ "${HOOK_DB}" = "1" ]; then
printf "* save metadata to the database\n"
fi
if [ "${HOOK_API}" = "1" ]; then
printf "* send metadata to the API\n"
fi
echo ""
answer=""
@ -506,6 +560,7 @@ if [ "${INTERACTIVE}" = "1" ] && [ "${AUTO}" = "0" ]; then
HOOK_COMMIT=0
HOOK_MAIL=0
HOOK_DB=0
HOOK_API=0
AUTO=1
break
;;
@ -622,6 +677,36 @@ if [ "${INTERACTIVE}" = "1" ] && [ "${AUTO}" = "0" ]; then
;;
esac
done
# API hook
if [ "${HOOK_API}" = "1" ]; then
y="Y"; n="n"
else
y="y"; n="N"
fi
answer=""
while :; do
printf "> Do you want to send the metadata to the API? [%s] " "${y},${n}"
read -r answer
case $answer in
[Yy] )
hook_api;
break
;;
[Nn] )
break
;;
"" )
if [ "${HOOK_API}" = "1" ]; then
hook_api
fi
break
;;
* )
echo "answer with a valid choice"
;;
esac
done
fi
# Log hook
@ -637,6 +722,9 @@ if [ "${INTERACTIVE}" = "0" ] || [ "${AUTO}" = "1" ]; then
if [ "${HOOK_DB}" = "1" ]; then
hook_db
fi
if [ "${HOOK_API}" = "1" ]; then
hook_api
fi
fi
exit 0

26
evomaintenance/tasks/install_vendor_debian.yml
View file

@ -7,6 +7,7 @@
with_items:
- postgresql-client
- sudo
- curl
tags:
- evomaintenance
@ -25,28 +26,19 @@
tags:
- evomaintenance
- name: Script is installed
- name: Evomaintenance script and template are installed
copy:
src: evomaintenance.sh
dest: /usr/share/scripts/evomaintenance.sh
mode: "0700"
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: "{{ item.mode }}"
force: yes
backup: yes
tags:
- evomaintenance
- name: Template is installed
copy:
src: evomaintenance.tpl
dest: /usr/share/scripts/evomaintenance.tpl
mode: "0600"
owner: root
group: root
force: yes
backup: yes
tags:
with_items:
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
tags:
- evomaintenance
- name: Configuration is installed

55
evomaintenance/tasks/install_vendor_openbsd.yml
View file

@ -1,5 +1,15 @@
---
- name: Dependencies are installed
openbsd_pkg:
name: "{{ item }}"
state: present
with_items:
- postgresql-client
- curl
tags:
- evomaintenance
- name: /usr/share/scripts exists
file:
dest: /usr/share/scripts
@ -10,28 +20,19 @@
tags:
- evomaintenance
- name: Script is installed
- name: Evomaintenance script and template are installed
copy:
src: evomaintenance.sh
dest: /usr/share/scripts/evomaintenance.sh
mode: "0700"
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: wheel
mode: "{{ item.mode }}"
force: yes
backup: yes
tags:
- evomaintenance
- name: Template is installed
copy:
src: evomaintenance.tpl
dest: /usr/share/scripts/evomaintenance.tpl
mode: "0600"
owner: root
group: wheel
force: yes
backup: yes
tags:
with_items:
- { src: 'evomaintenance.sh', dest: '/usr/share/scripts/', mode: '0700' }
- { src: 'evomaintenance.tpl', dest: '/usr/share/scripts/', mode: '0600' }
tags:
- evomaintenance
- name: Configuration is installed
@ -44,3 +45,23 @@
force: "{{ evomaintenance_force_config | bool }}"
tags:
- evomaintenance
- name: Copy mailevomaintenance
template:
src: mailevomaintenance.sh.j2
dest: /usr/share/scripts/mailevomaintenance.sh
owner: root
group: wheel
mode: "0700"
tags:
- evomaintenance
- name: Add mailevomaintenance cron
cron:
name: "mailevomaintenance"
job: "/usr/share/scripts/mailevomaintenance.sh"
minute: "50"
hour: "22"
disabled: yes
tags:
- mailevomaintenance

10
evomaintenance/tasks/main.yml
View file

@ -5,11 +5,9 @@
- assert:
that:
- evomaintenance_pg_passwd is not none
- evomaintenance_pg_db is not none
- evomaintenance_pg_table is not none
- evomaintenance_pg_host is not none
msg: evomaintenance database variables must be set
- evomaintenance_api_endpoint is not none
- evomaintenance_api_key is not none
msg: evomaintenance api variables must be set
- include: install_package_debian.yml
when:
@ -26,3 +24,5 @@
- ansible_distribution == "OpenBSD"
- include: minifirewall.yml
when:
- ansible_distribution == "Debian"

12
evomaintenance/tasks/minifirewall.yml
View file

@ -28,9 +28,9 @@
tags:
- evomaintenance
- name: Force restart minifirewall
command: /bin/true
notify: restart minifirewall
when: minifirewall_restart_force
tags:
- evomaintenance
- name: Force restart minifirewall
command: /bin/true
notify: restart minifirewall
when: minifirewall_restart_force
tags:
- evomaintenance

7
evomaintenance/templates/evomaintenance.j2
View file

@ -11,3 +11,10 @@ FULLFROM="{{ evomaintenance_full_from }}"
URGENCYFROM={{ evomaintenance_urgency_from }}
URGENCYTEL="{{ evomaintenance_urgency_tel }}"
REALM="{{ evomaintenance_realm }}"
API_ENDPOINT={{ evomaintenance_api_endpoint }}
API_KEY={{ evomaintenance_api_key }}
HOOK_API={{ evomaintenance_hook_api | bool | ternary('1','0') }}
HOOK_DB={{ evomaintenance_hook_db | bool | ternary('1','0') }}
HOOK_COMMIT={{ evomaintenance_hook_commit | bool | ternary('1','0') }}
HOOK_MAIL={{ evomaintenance_hook_mail | bool | ternary('1','0') }}

28
evomaintenance/templates/mailevomaintenance.sh.j2 Normal file
View file

@ -0,0 +1,28 @@
#!/bin/sh
set -eu
cd /etc && _STATUS=$(/usr/local/bin/git status --porcelain)
[ -n "${_STATUS}" ] || exit 0
if [ -e /etc/realname ]; then
_HOSTNAME=$(/bin/cat /etc/realname)
else
_HOSTNAME=$(/bin/hostname)
fi
TMPFILE=$(/usr/bin/mktemp) || exit 1
echo "Dear NOC,\n\nSome changes in /etc/ were not committed." >> $TMPFILE
echo "" >> $TMPFILE
echo "${_STATUS}" >> $TMPFILE
echo "" >> $TMPFILE
/usr/bin/last | head -n 10 >> $TMPFILE
echo "" >> $TMPFILE
echo "Please answer this mail to notify people when you've corrected the problem." >> $TMPFILE
/bin/cat $TMPFILE | mail -s "Verif etc-git ${_HOSTNAME}" noc@{{ evomaintenance_realm }}
/bin/rm $TMPFILE

28
fluentd/.kitchen.yml Normal file
View file

@ -0,0 +1,28 @@
---
driver:
name: docker
privileged: true
use_sudo: false
provisioner:
name: ansible_playbook
hosts: test-kitchen
roles_path: ../
ansible_verbose: true
require_ansible_source: false
require_chef_for_busser: false
idempotency_test: true
platforms:
- name: debian
driver_config:
image: evolix/ansible:2.2.1
suites:
- name: default
provisioner:
name: ansible_playbook
playbook: ./tests/test.yml
transport:
max_ssh_sessions: 6

17
fluentd/README.md Normal file
View file

@ -0,0 +1,17 @@
# Fluentd
Installation and basic configuration of Fluentd.
This role is based on https://docs.fluentd.org/v1.0/articles/install-by-deb
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
Main variables are :
* `fluentd_conf_path`: config file location ;
The full list of variables (with default values) can be found in `defaults/main.yml`.

12
fluentd/defaults/main.yml Normal file
View file

@ -0,0 +1,12 @@
---
fluentd_daemon: td-agent
fluentd_conf_path: /etc/td-agent/td-agent.conf
fluentd_port: 24230
fluentd_bind_interface:
fluentd_host:
fluentd_host_port:
fluentd_flush_interval:
fluentd_heartbeat_type:

53
fluentd/files/fluentd.gpg Normal file
View file

@ -0,0 +1,53 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQINBFhiI8wBEADThWLNd8IKPRw7Ygu3DHS4Sb/Yc6vSZSaMGJ6Wkj245jScvI+C
nG4C4rtO/8ObUj5cUpb4CyfYZX8W4tp9x+W68c4paXevG4s+X4EE3uUsgdwTnFXi
GMa57QDzR4p/JvjUjfGJ2UAr4Bfj8Q2S54LmIu6UAe82ce2B4tEHCeYSxkmVUDAZ
utfmgKoVTbnceTemU0m5ANS6IC1/53KEhgB1sKm5G/FjRJGslHWb3mf+bLrhmlkP
pA4BOKF2w3eFYH3LhWskxMS0SPM7J6aq+6LyNNqtlKL6lUS7qVjRQ6PlgFcmtG4J
tijsZI62bDn1f44DmeLY+LMS/nM0xyIx94lYumGH5EYmjUECagqMool98/+Wx79A
Thtg/1pYNzo8Z76qr0i3xLSRtsQ2Om2Rfal7VGadOrx4sqlkSaUaGI+hBc1r4tNy
tERvBEMGSf78bWDbdzxSNEW4LUDUpniNQb0DrURfWkqRa3q4WcTJr8lpQM/NmAru
owayAXQwKob+OIZ09/O69EaqVJ9MqsM3keQouSHShKvzNrppuo3D3z+Dpy05FsYw
MAiIN7auXxy+XQwCVsKF083YaDHcC0I22GReEgt43yZXQ/b/J9QNrm5nJ+3Cpso3
jJnMzubuniSOOdd3mXQ6MwgZvWgtH/nPF8oUX9VSGwqNohiKWcxQDxW7qQARAQAB
tFRUcmVhc3VyZSBEYXRhLCBJbmMgKFRyZWFzdXJlIEFnZW50IE9mZmljaWFsIFNp
Z25pbmcga2V5KSA8c3VwcG9ydEB0cmVhc3VyZS1kYXRhLmNvbT6JAjcEEwEIACEF
AlhiI8wCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQkB+Rd6uXrL5GrhAA
nh82+caSu9Qu/LW256gN5UjPUFhph66ElT1OVyAR2FoOmz2pJH3t8YYD5cUV2W6/
xqJDmjl+vnL2HBgxjHKRCo2K3hrq6z4LoU7SpWDI1cZ03lkjh1yNx13S+9JvZNlp
jit0WRIspke0n0vWSpNo4nh19Yg3EA1c+vGeHnmlYo6xwRHu6XOhhCwywtFRGC3a
iMJzAV4N69ZU6P5VZZkC6LjYYQtF4aI10COLZ4AcObH2htGAZTj2KlZfdJHmr+Oa
wY57giUYz7OF45LLCuqe+VwpGp2d3UK/MtCnXRLi5InMVJKDvyt18MzRDFuyA27e
WSt+JumVqhEjawh3hmdzIS1cHKmv19gdeE8On2i2Lf8lyek8fsB/YPgADAmp2oSe
cjLu0ocGbgxRjuCR29+6IG+DiUDFCkqFZNdLiGVqzjpjpYHaPhVe77ciwA8TCPru
3dh5t/qv2HglSd7lj95IApZBtny5AK8NS4qtaOeZbBbbDRuOPL0c7fU3bqyIPy57
zvdYi3KdjWZVCawcAmk3ILP83eFSivCRPRoyCqO+HX8U647BBWvlFuEbPa+Y1sgE
12MEF/Y6VVJh3Ptw+h/qKRbra4LdA+5Y30q/9l6WGgbO/4h3NKmGeVCrAFvS3h92
fS0ABYD1nAP7fSNS9RfYIqfBXtJem+tJ14YKJwWiAYW5Ag0EWGIjzAEQAMw5EMJu
RBFRdhXD5UeA7I7wwkql/iYof8ydUALBxh9NSpmwaACkb4Me6h/rHdVsPRO3vIoo
uXftSjkRk2frjziihfEdeYxYU5PPawZxwCRDInr/OLZmcCCA2yCkRnFBhZxQy8NW
iJz0tlJtohhuJ7NRK7+HVJ3rPrtoV1lZVricDrB7DdVySp+7VciEM/XQhKKlesyd
gYXic4fx7xvPS6hRmH/fNVdvFobIhQBNUuPfKJeKpeJqPHeqkCNRz1Kl6NW9XXBq
hNyAlC7SPdKmjsv4UVIcFLUXP5wv7nprtEh15LoDlJCvFEF/iDJzaWI3QeVqY8XS
EI77WNsA/w7nlVNO3lGOPMjW8cxn4Jd2s4lpNa/e+RfrG/PD+ODSS92ISkuihBIU
Z2XeFa1xjQ1ayint4lVe3FGWTBJjqK8qX3JaOVeUD0AlSWqFcJzI7KxfNtVZCOaZ
WL/PVG124A118AUMFEWfb3r2Le8ddl+AKFP5Etsb+00VEWL06VPDampJIHanGjyX
h3dZkzORO3l3dt/P6embimic2QDOmO5x+wESnD8spITPKDl9OuqebCB8Z2oShnnG
+xhKDl045UFCPMVOXLb4kHonBmN2wBT/GIh4qqZj/7mm6r4P194HzN8LQuZsloJs
A6tnEpEmSe33xBDfGAeS0eNxFiATGwAcCRyRABEBAAGJAh8EGAEIAAkFAlhiI8wC
GwwACgkQkB+Rd6uXrL559w/9GfoTxZS+VJQsQc1inW9YKZaWl99Hd4u8CGhE057S
zvzMnIH6fcgib3m+TelevplSEN1QN1GGTvn95n8JQ8RX36xy8SQVzrPIlO4gXGAF
J1uHmSp3SSplrwKIBQk3MORrfbTg78CN9527GCQHih8+qgB3IYe23NhsKLre3mbZ
h9NAWOeMsBF0jG0c0Cu3/F8muY2XSTqENB8R263YJsQSC3qaiaq9TtstisOe/HWK
yQix2Hofg3H96dZXsqbQEvxgyema+A6ptCm7S66eSYoPPeXQaraTsz6nLlVtvhSD
kll2axjAK4NDbSjJuZI/54CkO+FB00bkXDxPFgnfDPWgvPMF1cBuuX0QN1BO8n4C
eA9zyBBdTw9bbzO1kRdeBHLa7n845ecVbEh15Hvtf20/CJB9ua+qRlcXtgxhUf3+
pm/xbAM22z/F3+RsLwGOG8T0Vy2q//VVqLxSFlawiZW9RkClKyV6A1KH0EA6W84d
GcxiDgwrBHd+d40s3VDE/Wlmj0w73xeebEaXCmaTO/Hp5DIA64LfXHB2ckvwv15I
ISQV2g55+ghnwaD/02uGCGpJl0zJgQ+PKvrFAz+wIUqrQJxXP4epqWycmzG98T7g
pi20lwzO87S6b1GIL9t6Q/Zge8bbB7lG5mBR2U5XyGhfHXGaHTb6nQQYh3hCet8G
5Ow=
=Me4L
-----END PGP PUBLIC KEY BLOCK-----

10
fluentd/handlers/main.yml Normal file
View file

@ -0,0 +1,10 @@
---
- name: restart fluentd
systemd:
name: td-agent
state: restarted
- name: restart nagios-nrpe-server
service:
name: nagios-nrpe-server
state: restarted

20
fluentd/meta/main.yml Normal file
View file

@ -0,0 +1,20 @@
galaxy_info:
author: Evolix
description: Installation and basic configuration of Fluentd.
issue_tracker_url: https://gitea.evolix.org/evolix/ansible-roles/issues
license: GPLv2
min_ansible_version: 2.2
platforms:
- name: Debian
versions:
- jessie
- stretch
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.

53
fluentd/tasks/main.yml Normal file
View file

@ -0,0 +1,53 @@
---
- name: Fluentd GPG key is installed
apt_key:
# url: https://packages.treasuredata.com/GPG-KEY-td-agent
data: "{{ lookup('file', 'fluentd.gpg') }}"
tags:
- packages
- fluentd
- name: Fluentd sources list is available
apt_repository:
repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
filename: treasuredata
update_cache: yes
state: present
tags:
- packages
- fluentd
- name: Fluentd is installed.
apt:
name: td-agent
state: present
tags:
- fluentd
- packages
- name: Fluentd is configured.
template:
src: td-agent.conf.j2
dest: "{{ fluentd_conf_path }}"
mode: "0644"
notify: "restart fluentd"
tags:
- fluentd
- name: Fluentd is running and enabled on boot.
systemd:
name: td-agent
enabled: yes
state: started
tags:
- fluentd
- name: NRPE check is configured
lineinfile:
path: /etc/nagios/nrpe.d/evolix.cfg
line: 'command[check_fluentd]=/usr/lib/nagios/plugins/check_tcp -p {{ fluentd_port }}'
notify: "restart nagios-nrpe-server"
tags:
- fluentd
- nrpe

128
fluentd/templates/td-agent.conf.j2 Normal file
View file

@ -0,0 +1,128 @@
####
## Output descriptions:
##
# Treasure Data (http://www.treasure-data.com/) provides cloud based data
# analytics platform, which easily stores and processes data from td-agent.
# FREE plan is also provided.
# @see http://docs.fluentd.org/articles/http-to-td
#
# This section matches events whose tag is td.DATABASE.TABLE
<match td.*.*>
@type tdlog
@id output_td
apikey YOUR_API_KEY
auto_create_table
<buffer>
@type file
path /var/log/td-agent/buffer/td
</buffer>
<secondary>
@type file
path /var/log/td-agent/failed_records
</secondary>
</match>
## match tag=debug.** and dump to console
<match debug.**>
@type stdout
@id output_stdout
</match>
####
## Source descriptions:
##
## built-in TCP input
## @see http://docs.fluentd.org/articles/in_forward
<source>
@type forward
@id input_forward
</source>
## built-in UNIX socket input
#<source>
# type unix
#</source>
# HTTP input
# POST http://localhost:8888/<tag>?json=<json>
# POST http://localhost:8888/td.myapp.login?json={"user"%3A"me"}
# @see http://docs.fluentd.org/articles/in_http
<source>
@type http
@id input_http
port 8888
</source>
## live debugging agent
<source>
@type debug_agent
@id input_debug_agent
bind 127.0.0.1
port 24230
</source>
####
## Examples:
##
## File input
## read apache logs continuously and tags td.apache.access
#<source>
# @type tail
# @id input_tail
# <parse>
# @type apache2
# </parse>
# path /var/log/httpd-access.log
# tag td.apache.access
#</source>
## File output
## match tag=local.** and write to file
#<match local.**>
# @type file
# @id output_file
# path /var/log/td-agent/access
#</match>
## Forwarding
## match tag=system.** and forward to another td-agent server
#<match system.**>
# @type forward
# @id output_system_forward
#
# <server>
# host 192.168.0.11
# </server>
# # secondary host is optional
# <secondary>
# <server>
# host 192.168.0.12
# </server>
# </secondary>
#</match>
## Multiple output
## match tag=td.*.* and output to Treasure Data AND file
#<match td.*.*>
# @type copy
# @id output_copy
# <store>
# @type tdlog
# apikey API_KEY
# auto_create_table
# <buffer>
# @type file
# path /var/log/td-agent/buffer/td
# </buffer>
# </store>
# <store>
# @type file
# path /var/log/td-agent/td-%Y-%m-%d/%H.log
# </store>
#</match>

1
haproxy/tasks/main.yml
View file

@ -23,6 +23,7 @@
src: "{{ item }}"
dest: /etc/haproxy/haproxy.cfg
force: yes
validate: "haproxy -c -f %s"
with_first_found:
- "templates/haproxy/haproxy.{{ inventory_hostname }}.cfg.j2"
- "templates/haproxy/haproxy.{{ host_group }}.cfg.j2"

1
kvm-host/tasks/packages.yml
View file

@ -11,3 +11,4 @@
- libvirt-daemon-system
- libvirt-clients
- kvm-tools
- vlan

23
lxc-php/README.md Normal file
View file

@ -0,0 +1,23 @@
# lxc-php
Create LXC containers and install all the required PHP packages as a way to use multiple PHP version on Debian.
*note : this role depend on the lxc role.*
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
As this role depend on the lxc role, please refer to it for a variable exhaustive list.
Here is the list of available variables for the PHP part:
* `php_conf_short_open_tag` Default: `"Off"`
* `php_conf_expose_php` Default: `"Off"`
* `php_conf_display_errors` Default: `"Off"`
* `php_conf_log_errors` Default: `"On"`
* `php_conf_html_errors` Default: `"Off"`
* `php_conf_allow_url_fopen` Default: `"Off"`
* `php_conf_disable_functions` Default: `"exec,shell-exec,system,passthru,putenv,popen"`

8
lxc-php/defaults/main.yml Normal file
View file

@ -0,0 +1,8 @@
---
php_conf_short_open_tag: "Off"
php_conf_expose_php: "Off"
php_conf_display_errors: "Off"
php_conf_log_errors: "On"
php_conf_html_errors: "Off"
php_conf_allow_url_fopen: "Off"
php_conf_disable_functions: "exec,shell-exec,system,passthru,putenv,popen"

9
lxc-php/handlers/main.yml Normal file
View file

@ -0,0 +1,9 @@
---
- name: Reload php56-fpm
command: "lxc-attach -n php56 -- systemctl reload php5-fpm"
- name: Reload php70-fpm
command: "lxc-attach -n php70 -- systemctl reload php7.0-fpm"
- name: Reload php73-fpm
command: "lxc-attach -n php73 -- systemctl reload php7.3-fpm"

18
lxc-php/tasks/main.yml Normal file
View file

@ -0,0 +1,18 @@
---
- name: LXC configuration
include_role:
name: lxc
- include: "php.yml name={{item.name}}"
with_items:
- "{{ lxc_containers }}"
- name: Ensure containers root directory is 755
file:
path: "/var/lib/lxc/{{ item.name }}/rootfs"
state: directory
mode: '0755'
with_items:
- "{{ lxc_containers }}"

130
lxc-php/tasks/php.yml Normal file
View file

@ -0,0 +1,130 @@
#
# This playbook configures PHP (php-fpm and specific extensions) inside
# container {{name}}.
#
---
- name: Update APT cache
command: "lxc-attach -n {{name}} -- apt-get update"
- name: Install PHP packages
command: "lxc-attach -n {{name}} -- apt-get install -y php5-fpm php5-cli php5-gd php5-imap php5-ldap php5-mcrypt php5-mysql php5-pgsql php-gettext php5-intl php5-curl php5-ssh2 libphp-phpmailer ssmtp git zip unzip"
when: name == 'php56'
- name: Update APT cache
command: "lxc-attach -n {{name}} -- apt-get update"
when: name == 'php70'
- name: Install PHP packages
command: "lxc-attach -n {{name}} -- apt-get install -y php-fpm php-cli php-gd php-intl php-imap php-ldap php-mcrypt php-mysql php-pgsql php-gettext php-curl php-ssh2 composer libphp-phpmailer ssmtp git zip unzip php-zip"
when: name == 'php70'
- name: Update APT cache
command: "lxc-attach -n {{name}} -- apt-get update"
when: name == 'php73'
- name: Install requirements for sury repository
command: "lxc-attach -n {{name}} -- apt-get install -y --no-install-recommends wget apt-transport-https ca-certificates gnupg"
when: name == 'php73'
- name: Add sury APT repository
copy:
content: "deb https://packages.sury.org/php/ stretch main"
dest: "/var/lib/lxc/{{name}}/rootfs/etc/apt/sources.list.d/sury.list"
mode: "0644"
when: name == 'php73'
- name: Add sury GPG key
shell: "wget -O- https://packages.sury.org/php/apt.gpg |lxc-attach -n {{name}} -- apt-key add -"
when: name == 'php73'
- name: Update APT cache
command: "lxc-attach -n {{name}} -- apt-get update"
when: name == 'php73'
- name: Install PHP packages
command: "lxc-attach -n {{name}} -- apt-get install -y php7.3 php7.3-fpm php7.3-cli php7.3-curl php7.3-mysql php7.3-pgsql php7.3-ldap php7.3-imap php7.3-gd php-ssh2 php-gettext composer libphp-phpmailer ssmtp git zip unzip php7.3-zip"
when: name == 'php73'
- name: Remove default FPM 5.6 pool
file:
name: "/var/lib/lxc/{{name}}/rootfs/etc/php5/fpm/pool.d/www.conf"
state: absent
notify: "Reload {{name}}-fpm"
when: name == 'php56'
- name: Remove default FPM 7.0 pool
file:
name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.0/fpm/pool.d/www.conf"
state: absent
notify: "Reload {{name}}-fpm"
when: name == 'php70'
- name: Remove default FPM 7.3 pool
file:
name: "/var/lib/lxc/{{name}}/rootfs/etc/php/7.3/fpm/pool.d/www.conf"
state: absent
notify: "Reload {{name}}-fpm"
when: name == 'php73'
- name: Copy evolinux PHP 5.6 configuration
template:
src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}"
mode: "0644"
notify: "Reload {{name}}-fpm"
when: name == 'php56'
with_items:
- "/var/lib/lxc/{{name}}/rootfs/etc/php5/fpm/conf.d/z-evolinux-defaults.ini"
- "/var/lib/lxc/{{name}}/rootfs/etc/php5/cli/conf.d/z-evolinux-defaults.ini"
loop_control:
loop_var: line_item
- name: Copy evolinux PHP 7.0 configuration
template:
src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}"
mode: "0644"
notify: "Reload {{name}}-fpm"
when: name == 'php70'
with_items:
- "/var/lib/lxc/{{name}}/rootfs/etc/php/7.0/fpm/conf.d/z-evolinux-defaults.ini"
- "/var/lib/lxc/{{name}}/rootfs/etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini"
loop_control:
loop_var: line_item
- name: Copy evolinux PHP 7.3 configuration
template:
src: z-evolinux-defaults.ini.j2
dest: "{{ line_item }}"
mode: "0644"
notify: "Reload {{name}}-fpm"
when: name == 'php73'
with_items:
- "/var/lib/lxc/{{name}}/rootfs/etc/php/7.3/fpm/conf.d/z-evolinux-defaults.ini"
- "/var/lib/lxc/{{name}}/rootfs/etc/php/7.3/cli/conf.d/z-evolinux-defaults.ini"
loop_control:
loop_var: line_item
- name: Configure ssmtp
replace:
name: "/var/lib/lxc/{{name}}/rootfs/etc/ssmtp/ssmtp.conf"
regexp: "^mailhub=.*$"
replace: "mailhub=127.0.0.1"
- name: Configure ssmtp
replace:
name: "/var/lib/lxc/{{name}}/rootfs/etc/ssmtp/ssmtp.conf"
regexp: "^#FromLineOverride=.*$"
replace: "FromLineOverride=YES"
- name: Configure ssmtp
replace:
name: "/var/lib/lxc/{{name}}/rootfs/etc/ssmtp/ssmtp.conf"
regexp: "^hostname=.*"
replace: "hostname={{ansible_fqdn}}"
- name: Configure timezone
copy:
dest: "/var/lib/lxc/{{name}}/rootfs/etc/timezone"
content: "Europe/Paris\n"

BIN
lxc-php/templates/.z-evolinux-defaults.ini.j2.swp Normal file
View file

Binary file not shown.

8
lxc-php/templates/z-evolinux-defaults.ini.j2 Normal file
View file

@ -0,0 +1,8 @@
[PHP]
short_open_tag = {{ php_conf_short_open_tag }}
expose_php = {{ php_conf_expose_php }}
display_errors = {{ php_conf_display_errors }}
log_errors = {{ php_conf_log_errors }}
html_errors = {{ php_conf_html_errors }}
allow_url_fopen = {{ php_conf_allow_url_fopen }}
disable_functions = {{ php_conf_disable_functions }}

10
lxc/tasks/create-container.yml
View file

@ -5,9 +5,17 @@
register: container_exists
- name: Create container
command: "lxc-create -n {{name}} -t download -- --dist debian --release {{release}} --arch amd64"
command: "lxc-create --name {{name}} --template debian --bdev dir --logfile /var/log/lxc/lxc-{{name}}.log --logpriority INFO -- --arch amd64 --release {{release}}"
when: container_exists.stdout_lines == []
#- name: Create container
# lxc_container:
# name: "{{name}}"
# container_log: true
# template: download
# state: stopped
# template_options: "--release {{release}}"
- name: Disable network configuration inside container
replace:
name: "/var/lib/lxc/{{name}}/rootfs/etc/default/networking"

15
lxc/tasks/main.yml
View file

@ -1,7 +1,11 @@
---
- name: Install lxc tools
apt:
name: lxc
name: '{{ item }}'
with_items:
- lxc
- debootstrap
- xz-utils
- name: Copy LXC default containers configuration
template:
@ -17,8 +21,13 @@
- name: Add subuid and subgid ranges to root
command: usermod -v 100000-199999 -w 100000-109999 root
when: lxc_unprivilegied_containers and root_subuids.rc
when:
- lxc_unprivilegied_containers
- root_subuids.rc
- name: Create containers
include: "create-container.yml name={{item.name}} release={{item.release}}"
include: create-container.yml
vars:
name: "{{ item.name }}"
release: "{{item.release}}"
with_items: "{{lxc_containers}}"

8
minifirewall/tasks/main.yml
View file

@ -14,7 +14,7 @@
- include: tail.yml
when: minifirewall_tail_included
- name: Force restart minifirewall
command: /bin/true
notify: restart minifirewall
when: minifirewall_restart_force
- name: Force restart minifirewall
command: /bin/true
notify: restart minifirewall
when: minifirewall_restart_force

10
nagios-nrpe/files/plugins/check_redis_instances
View file

@ -13,9 +13,15 @@ instances=$(ls /etc/redis/redis-*.conf)
for instance in ${instances}; do
name=$(basename "${instance}"| sed '{s/redis-//;s/.conf//}')
port=$(grep "port" "${instance}"|grep -oE "[0-9]*")
socket=$(grep "unixsocket " "${instance}"|awk '{ print $2 }')
if [ -h "/etc/systemd/system/multi-user.target.wants/redis-server@${name}.service" ]; then
/usr/lib/nagios/plugins/check_tcp -p "${port}" >/dev/null 2>&1
ret="${?}"
if [ "${port}" -ne 0 ]; then
/usr/lib/nagios/plugins/check_tcp -p "${port}" >/dev/null 2>&1
ret="${?}"
else
/usr/lib/nagios/plugins/check_tcp -H "${socket}" >/dev/null 2>&1
ret="${?}"
fi
if [ "${ret}" -ge 2 ]; then
nb_crit=$((nb_crit + 1))
output="${output}CRITICAL - ${name} (${port})\n"

8
nagios-nrpe/tasks/main.yml
View file

@ -5,11 +5,11 @@
state: present
with_items:
- nagios-nrpe-server
- nagios-plugins
- nagios-plugins-basic
- nagios-plugins-common
- monitoring-plugins
- monitoring-plugins-basic
- monitoring-plugins-common
- monitoring-plugins-standard
- nagios-plugins-contrib
- nagios-plugins-standard
tags:
- nagios-nrpe

6
nagios-nrpe/templates/evolix.cfg.j2
View file

@ -7,7 +7,7 @@
allowed_hosts={{ nagios_nrpe_allowed_hosts | join(',') }}
# System checks
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
command[check_load]=/usr/lib/nagios/plugins/check_load -w {{ ansible_processor_vcpus * 0.7 }},{{ ansible_processor_vcpus * 0.6 }},{{ ansible_processor_vcpus * 0.5 }} -c {{ ansible_processor_vcpus * 0.9 }},{{ ansible_processor_vcpus * 0.8 }},{{ ansible_processor_vcpus * 0.7 }}
command[check_swap]=/usr/lib/nagios/plugins/check_swap -a -w 30% -c 20%
command[check_disk1]=/usr/lib/nagios/plugins/check_disk -x /lib/init/rw -x /dev -x /dev/shm -x /sys/kernel/debug/tracing -w 10% -c 3% -W 10% -K 3% -C -w 5% -c 2% -W 5% -K 2% -p /home
command[check_zombie_procs]=sudo /usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
@ -33,8 +33,8 @@ command[check_imapproxy]=/usr/lib/nagios/plugins/check_imap -H localhost -p 1143
command[check_pop]=/usr/lib/nagios/plugins/check_pop -H localhost
command[check_pops]=/usr/lib/nagios/plugins/check_pop -S -H localhost -p 995
command[check_ftp]=/usr/lib/nagios/plugins/check_ftp -H localhost
command[check_http]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -H localhost
command[check_https]=/usr/lib/nagios/plugins/check_http -e 200 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
command[check_http]=/usr/lib/nagios/plugins/check_http -e 301 -I 127.0.0.1 -H localhost
command[check_https]=/usr/lib/nagios/plugins/check_http -e 403 -I 127.0.0.1 -S -p 443 --sni -H ssl.evolix.net
command[check_bind]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
command[check_unbound]=/usr/lib/nagios/plugins/check_dig -l evolix.net -H localhost
command[check_smb]=/usr/lib/nagios/plugins/check_tcp -H 127.0.0.1 -p 445

8
nginx/tasks/main_regular.yml
View file

@ -87,10 +87,6 @@
tags:
- nginx
- include: server_status.yml
tags:
- nginx
- name: nginx vhost is installed
template:
src: evolinux-default.conf.j2
@ -112,6 +108,10 @@
tags:
- nginx
- include: server_status.yml
tags:
- nginx
# - block:
# - name: generate random string for phpmyadmin suffix
# command: "apg -a 1 -M N -n 1"

13
nginx/tasks/server_status.yml
View file

@ -40,3 +40,16 @@
dest: /var/www/index.html
regexp: '__SERVERSTATUS_SUFFIX__'
replace: "{{ nginx_serverstatus_suffix }}"
- name: add server-status suffix in default site index if missing
replace:
dest: /var/www/index.html
regexp: '"/nginx_status-?"'
replace: '"/nginx_status-{{ nginx_serverstatus_suffix }}"'
- name: add server-status suffix in default VHost
replace:
dest: /etc/nginx/sites-available/evolinux-default.conf
regexp: 'location /nginx_status-? {'
replace: 'location /nginx_status-{{ nginx_serverstatus_suffix }} {'
notify: reload nginx

2
php/tasks/config_fpm.yml
View file

@ -49,7 +49,7 @@
- { option: "request_slowlog_timeout", value: "5s" }
- { option: "pm.status_path", value: "/fpm_status" }
- { option: "request_terminate_timeout", value: "60s" }
- { option: "chroot", value: "/var/www/html" }
- { option: "chroot", value: "/var/www" }
notify: "restart {{ php_fpm_service_name }}"
when: ansible_distribution_major_version | version_compare('9', '>=')

2
postgresql/tasks/pgdg-repo.yml
View file

@ -16,7 +16,7 @@
- name: Add GPG key for PGDG repository
apt_key:
#url: http://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc
data: "{{ lookup('file', 'ACCC4CF8.asc') }}"
data: "{{ lookup('file', 'ACCC4CF8.asc') }}"
- name: Add APT preference file
template:

4
rbenv/defaults/main.yml
View file

@ -1,6 +1,6 @@
---
rbenv_version: v1.1.1
rbenv_ruby_version: 2.5.1
rbenv_version: v1.1.2
rbenv_ruby_version: 2.6.3
rbenv_root: "~/.rbenv"
rbenv_repo: "https://github.com/rbenv/rbenv.git"
rbenv_plugins:

2
rbenv/tasks/main.yml
View file

@ -94,6 +94,7 @@
warn: no
failed_when: False
changed_when: False
check_mode: False
register: ruby_installed
become_user: "{{ username }}"
become: yes
@ -117,6 +118,7 @@
register: ruby_selected
changed_when: False
failed_when: False
check_mode: False
become_user: "{{ username }}"
become: yes
tags:

2
redmine/defaults/main.yml
View file

@ -3,7 +3,7 @@ puma_env: 'production'
puma_worker: 2
puma_min_thread: 0
puma_max_thread: 4
redmine_version: "4.0.1"
redmine_version: "4.0.3"
redmine_db_name: "{{ redmine_user }}"
redmine_db_host: "localhost"
redmine_db_username: "{{ redmine_user }}"

3
redmine/tasks/nginx.yml
View file

@ -6,6 +6,7 @@
append: True
tags:
- redmine
- nginx
- name: Copy nginx vhost
template:
@ -15,6 +16,7 @@
notify: reload nginx
tags:
- redmine
- nginx
- name: Enable nginx vhost
file:
@ -24,3 +26,4 @@
notify: reload nginx
tags:
- redmine
- nginx

2
redmine/templates/additional_environment.rb.j2
View file

@ -1,5 +1,5 @@
config.log_level = :info
config.logger = Syslogger.new("redmine_{{ redmine_user }}")
config.logger = ActiveSupport::TaggedLogging.new(Syslogger.new("redmine_{{ redmine_user }}"))
{% if redmine_redis_path is defined %}
config.session_store :redis_store,
servers: { path: '{{ redmine_redis_path }}', db: 0, namespace: "session" }

19
redmine/templates/nginx.conf.j2
View file

@ -17,22 +17,29 @@ server {
root /home/{{ redmine_user }}/www/public;
access_log /var/log/nginx/{{ redmine_user }}_access.log;
error_log /var/log/nginx/{{ redmine_user }}_error.log;
error_page 503 @maintenance;
client_max_body_size 50M;
include /etc/nginx/snippets/letsencrypt[.]conf;
include /etc/nginx/snippets/errors-pages[.]conf;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript;
location / {
if (!-f /home/{{ redmine_user }}/run/puma.pid) {
if (-f /home/{{ redmine_user }}/maintenance.lock) {
return 503;
}
if (!-f /home/{{ redmine_user }}/run/puma.pid) {
return 502;
}
try_files $uri @puma;
}
location @maintenance {
rewrite ^(.*)$ /500.html break;
}
location @puma {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $remote_addr;

1
squid/files/evolinux-whitelist-defaults.conf
View file

@ -10,6 +10,7 @@
^.*\.sa-update.*$
^pear\.php\.net$
^repo\.mysql\.com$
^deb\.nodesource\.com$
# Let's Encrypt
^.*\.letsencrypt.org$

10
ssl/tasks/main.yml
View file

@ -12,16 +12,18 @@
copy:
src: "ssl/{{ ssl_cert }}.key"
dest: "/etc/ssl/private/{{ ssl_cert }}.key"
mode: "0600"
mode: "0640"
owner: root
group: ssl-cert
register: ssl_copy_key
tags:
- ssl
- name: Copy SSL dhparam
copy:
src: "ssl/{{ ssl_cert }}.dhp"
dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp"
mode: "0644"
src: "ssl/{{ ssl_cert }}.dhp"
dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp"
mode: "0644"
register: ssl_copy_dhp
tags:
- ssl

4
tomcat-instance/tasks/user.yml
View file

@ -1,8 +1,8 @@
---
- name: Create group instance
group:
name: "{{ tomcat_instance_name }}"
gid: "{{ tomcat_instance_port }}"
name: "{{ tomcat_instance_name }}"
gid: "{{ tomcat_instance_port }}"
- name: Create user instance
user:

4
unbound/handlers/main.yml
View file

@ -1,5 +1,5 @@
---
- name: reload unbound
service:
name: unbound
state: reloaded
name: unbound
state: reloaded

1
webapps/evoadmin-web/defaults/main.yml
View file

@ -11,6 +11,7 @@ evoadmin_host: "evoadmin.{{ ansible_fqdn }}"
evoadmin_username: evoadmin
evoadmin_enable_vhost: True
evoadmin_multi_php: False
evoadmin_tpl_servername: "{{ ansible_fqdn }}"
evoadmin_tpl_address: "{{ ansible_default_ipv4.address }}"

10
webapps/evoadmin-web/files/phpContainer Normal file
View file

@ -0,0 +1,10 @@
#!/usr/bin/env bash
evolixContainerVersion=$(grep SetHandler /etc/apache2/sites-enabled/$LOGNAME.conf 2>/dev/null | grep -m 1 -o 'fpm[0-9][0-9]' | head -n 1 | sed 's/php//g' | sed 's/fpm//g')
if [ "$evolixContainerVersion" != "" ]; then
lxc-attach -n php$evolixContainerVersion -- su - $LOGNAME -c "cd \"${PWD@E}\" && php ${*@Q}"
else
# TODO: fallback?
# command php $*
echo "could not determine \$evolixContainerVersion"
exit 1
fi

5
webapps/evoadmin-web/handlers/main.yml
View file

@ -5,5 +5,10 @@
name: apache2
state: reloaded
- name: restart apache2
service:
name: apache2
state: restarted
- name: newaliases
command: newaliases

7
webapps/evoadmin-web/tasks/config.yml
View file

@ -15,3 +15,10 @@
template:
src: web-mail.tpl.j2
dest: "{{ evoadmin_scripts_dir }}/web-mail.tpl"
- name: Copy multi php-cli script
copy:
src: phpContainer
dest: /usr/local/bin/phpContainer
mode: 0700
when: evoadmin_multi_php == True

6
webapps/evoadmin-web/tasks/user.yml
View file

@ -107,3 +107,9 @@
dest: /etc/sudoers.d/evoadmin
mode: "0600"
validate: "visudo -cf %s"
- name: Modify bashrc skel file
lineinfile:
dest: /etc/skel/.bashrc
line: "alias php='sudo /usr/local/bin/phpContainer'"
when: evoadmin_multi_php == True

7
webapps/evoadmin-web/tasks/web.yml
View file

@ -46,3 +46,10 @@
owner: evoadmin
group: evoadmin
force: no
- name: Enable proxy_fcgi
apache2_module:
state: present
name: proxy_fcgi
notify: restart apache2
when: evoadmin_multi_php == True

3
webapps/evoadmin-web/templates/config.local.php.j2
View file

@ -10,3 +10,6 @@ $localconf['cluster'] = FALSE;
$oriconf['logins'] = array();
//$oriconf['logins']['foo'] = 'd5d3c723fb82cb0078f399888af78204234535ec2ef3da56710fdd51f90d2477';
//$oriconf['logins']['bar'] = '7938c84d6e43d1659612a7ea7c1101ed02e52751bb64597a8c20ebaba8ba4303';
{% if evoadmin_multi_php == True %}
$localconf['php_versions'] = array(56, 70, 73);
{% endif %}

4
webapps/evoadmin-web/templates/sudoers.j2
View file

@ -1,3 +1,7 @@
User_Alias EVOADMIN = www-evoadmin
Cmnd_Alias EVOADMIN_WEB = {{ evoadmin_scripts_dir | mandatory }}/web-*.sh, {{ evoadmin_scripts_dir | mandatory }}/ftpadmin.sh, {{ evoadmin_scripts_dir | mandatory }}/dbadmin.sh
EVOADMIN ALL=NOPASSWD: EVOADMIN_WEB
{% if evoadmin_multi_php == True %}
Defaults env_keep += "LOGNAME PWD"
ALL ALL = NOPASSWD: /usr/local/bin/phpContainer
{% endif %}

3
webapps/evoadmin-web/templates/web-add.conf.j2
View file

@ -1,2 +1,5 @@
CONTACT_MAIL="{{ evoadmin_contact_email or general_alert_email | mandatory }}"
WWWBOUNCE_MAIL="{{ evoadmin_bounce_email or general_alert_email | mandatory }}"
{% if evoadmin_multi_php == True %}
PHP_VERSIONS=(56 70 73)
{% endif %}

54
webapps/roundcube/tasks/main.yml
View file

@ -6,24 +6,24 @@
value: "{{ item.value }}"
vtype: "{{ item.type }}"
with_items:
- { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' }
- { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' }
- { key: 'roundcube/database-type', type: 'select', value: 'sqlite3' }
- { key: 'roundcube/db/basepath', type: 'string', value: '/var/lib/roundcube/' }
tags:
- roundcube
- roundcube
- name: install Roundcube
apt:
name: "{{ item }}"
state: present
with_items:
- imapproxy
- roundcube
- roundcube-sqlite3
- roundcube-plugins
- php-net-sieve
- php-zip
- imapproxy
- roundcube
- roundcube-sqlite3
- roundcube-plugins
- php-net-sieve
- php-zip
tags:
- roundcube
- roundcube
- name: configure imapproxy imap host
lineinfile:
@ -32,7 +32,7 @@
line: "server_hostname {{ roundcube_imap_host }}"
notify: restart imapproxy
tags:
- roundcube
- roundcube
- name: configure imapproxy imap port
lineinfile:
@ -41,7 +41,7 @@
line: "server_port {{ roundcube_imap_port }}"
notify: reload imapproxy
tags:
- roundcube
- roundcube
- name: enable and start imapproxy
service:
@ -49,24 +49,24 @@
state: started
enabled: True
tags:
- roundcube
- roundcube
- name: configure roundcube imap host
lineinfile:
dest: /etc/roundcube/config.inc.php
regexp: "\\$config\\['default_host'\\]"
line: "$config['default_host'] = array('127.0.0.1');"
dest: /etc/roundcube/config.inc.php
regexp: "\\$config\\['default_host'\\]"
line: "$config['default_host'] = array('127.0.0.1');"
tags:
- roundcube
- roundcube
- name: configure roudcube imap port
lineinfile:
dest: /etc/roundcube/config.inc.php
regexp: "\\$config\\['default_port'\\]"
insertafter: "\\$config\\['default_host'\\]"
line: "$config['default_port'] = 1143;"
dest: /etc/roundcube/config.inc.php
regexp: "\\$config\\['default_port'\\]"
insertafter: "\\$config\\['default_host'\\]"
line: "$config['default_port'] = 1143;"
tags:
- roundcube
- roundcube
- name: configure managesieve plugin
copy:
@ -75,7 +75,7 @@
mode: "0644"
remote_src: True
tags:
- roundcube
- roundcube
- name: enable default plugins
replace:
@ -83,7 +83,7 @@
regexp: "^\\$config\\['plugins'\\] = array\\($"
replace: "$config['plugins'] = array('zipdownload','managesieve'"
tags:
- roundcube
- roundcube
- name: deploy apache roundcube vhost
template:
@ -93,7 +93,7 @@
notify: reload apache2
when: roundcube_webserver == "apache"
tags:
- roundcube
- roundcube
- name: enable apache roundcube vhost
file:
@ -103,7 +103,7 @@
notify: reload apache2
when: roundcube_webserver == "apache"
tags:
- roundcube
- roundcube
- name: deploy Nginx roundcube vhost
template:
@ -128,4 +128,4 @@
line: ' <li><a href="https://{{ roundcube_host }}">Webmail</a></li>'
insertbefore: "</ul>"
tags:
- roundcube
- roundcube