evocheck: upstream release

David Prevot 2024-09-06 10:16:18 +02:00
parent 4ef20559c5
commit 4e3d21f495
5 changed files with 32 additions and 16 deletions


@ -46,7 +46,7 @@ The **patch** part is incremented if multiple releases happen the same month
* docker-host: install docker compose and buildx by default
* docker-host: split tasks in different task files
* Elastic Stack : default to version 8.x
* evocheck: upstream release 24.08
* evocheck: upstream release 24.09
* evolinux-base: Add commented Match all
* evolinux-base: Customize logcheck recipient when serveur-base is installed
* evolinux-base/evolinux-users: search only files that matter


@ -13,6 +13,25 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
### Fixed
## [24.09] 2024-09-06
### Added
### Changed
* Merge CONTRIBUTING files in README
* Move LICENSE file at the root of the repo
* IS_LXC_PHP_BAD_DEBIAN_VERSION: Trixie support
* IS_PHPEVOLINUXCONF: Trixie support
* IS_SSHALLOWUSERS: Trixie support
### Removed
* IS_EVOLIX_GROUP: too many false positive
### Fixed
* IS_LXC_PHP_FPM_SERVICE_UMASK_SET: suffixed container name support
## [24.08] 2024-08-01
@ -20,6 +39,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
* VERSION variable must contain valid characters only
## [24.07] 2024-07-18
### Added
* IS_EVOLIX_GROUP: new check to verify that all Evolix users are in "evolix" group
@ -233,7 +254,7 @@ New checks :
### Changed
* IS_NETWORKING_SERVICE: not in cron mode
* IS_NETWORKING_SERVICE: not in cron mode
### Fixed:
@ -338,7 +359,7 @@ New checks :
### Fixed
* IS_DEBIANSECURITY: optional trailing slash
* IS_DEBIANSECURITY: optional trailing slash
## [21.09] 2021-09-30


@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian 8 only) server
# powered by Evolix
VERSION="24.08"
VERSION="24.09"
readonly VERSION
# base functions


@ -6,7 +6,7 @@
#set -x
VERSION="24.08"
VERSION="24.09"
readonly VERSION
# base functions
@ -313,7 +313,7 @@ check_customcrontab() {
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
}
check_sshallowusers() {
if is_debian_bookworm; then
if { ! is_debian_stretch && ! is_debian_buster && ! is_debian_bullseye ; }; then
if [ -d /etc/ssh/sshd_config.d/ ]; then
# AllowUsers or AllowGroups should be in /etc/ssh/sshd_config.d/
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d/ \
@ -1103,6 +1103,7 @@ check_phpevolinuxconf() {
is_debian_buster && phpVersion="7.3"
is_debian_bullseye && phpVersion="7.4"
is_debian_bookworm && phpVersion="8.2"
is_debian_trixie && phpVersion="8.4"
if is_installed php; then
{ test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
&& test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
@ -1154,13 +1155,6 @@ check_evolix_user() {
grep -q -E "^evolix:" /etc/passwd \
&& failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
}
check_evolix_group() {
users=$(grep ":20..:20..:" /etc/passwd | cut -d ":" -f 1)
for user in ${users}; do
grep -E "^evolix:" /etc/group | grep -q -E "\b${user}\b" \
|| failed "IS_EVOLIX_GROUP" "user \`${user}' should be in \`evolix' group"
done
}
check_evoacme_cron() {
if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted
@ -1399,7 +1393,7 @@ check_lxc_php_fpm_service_umask_set() {
if [ "$container" = "php56" ]; then
service="php5-fpm"
else
service="${container:0:4}.${container:4}-fpm"
service="${container:0:4}.${container:4:1}-fpm"
fi
umask=$(lxc-attach --name "${container}" -- systemctl show -p UMask "$service" | cut -d "=" -f2)
if [ "$umask" != "0007" ]; then
@ -1427,6 +1421,8 @@ check_lxc_php_bad_debian_version() {
grep --quiet 'VERSION_ID="11"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bullseye"
elif [ "$container" = "php82" ]; then
grep --quiet 'VERSION_ID="12"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bookworm"
elif [ "$container" = "php84" ]; then
grep --quiet 'VERSION_ID="13"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Trixie"
fi
done
fi
@ -1682,7 +1678,6 @@ main() {
test "${IS_SQUIDEVOLINUXCONF:=1}" = 1 && check_squidevolinuxconf
test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_EVOLIX_GROUP:=1}" = 1 && check_evolix_group
test "${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron
test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks
test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled
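Review bot: The `grep -E -qir "(AllowUsers|AllowGroups)"` in check_sshallowusers is unanchored, and with the new `! is_debian_stretch && ! is_debian_buster && ! is_debian_bullseye` condition it becomes the test applied on every later release, Trixie included. A commented-out line such as `#AllowUsers admin` (constructed example) in any file under /etc/ssh/sshd_config.d/ matches it, so IS_SSHALLOWUSERS can pass on a host where sshd enforces no login restriction. I would anchor the pattern to an active directive, `grep -E -qir "^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]=]" /etc/ssh/sshd_config.d/ \`, and, if the main sshd_config only includes `*.conf` from that directory, add `--include='*.conf'` so stray backup files do not satisfy the check. The grep statement and the rest of the function continue outside the hunk, so the fallback branch for older releases is not visible here and may need the same anchoring.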


@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian 7 only) server
# powered by Evolix
VERSION="24.08"
VERSION="24.09"
readonly VERSION
# base functions