diff --git a/CHANGELOG.md b/CHANGELOG.md
index 96cb6838..1c9d1bef 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
+* evocheck: upstream release 22.03
 * evolinux-base: backup-server-state release 22.03
 * evolinux-base: Add non-free repos & install non-free firmware on dedicated hardware
 * generate-ldif: Add services check for bkctld
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index fb8a6eeb..56805105 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
-VERSION="21.10.4"
+VERSION="22.03"
 readonly VERSION
 # base functions
@@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2022 Evolix , Romain Dessort , Benoit Série , Gregory Colpart ,
@@ -142,9 +142,9 @@ failed() {
 RC=1
 if [ "${QUIET}" != 1 ]; then
 if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
- printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1
+ printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}"
 else
- printf "%s FAILED!\n" "${check_name}" 2>&1
+ printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
 fi
 fi
 }
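Review bot: The two new `>> "${main_output_file}"` redirects in failed() make every failure report depend on `main_output_file` being set, and when it is empty the shell rejects the redirect and the message is lost instead of being printed; main() only creates the file after detect_os (later hunk) and does not check mktemp's exit status, so any failed() call before that point or after a failed mktemp hits this. A local fallback keeps the report visible without changing the normal path: `>> "${main_output_file:-/dev/stderr}"` on both printf lines. The dropped `2>&1` was a no-op on printf, so nothing is lost there. failed() begins outside the hunk.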
@@ -328,8 +328,11 @@ check_tmoutprofile() {
 check_alert5boot() {
 if is_debian_buster || is_debian_bullseye; then
 grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
- test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing"
- systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
+ if [ -f /etc/systemd/system/alert5.service ]; then
+ systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled"
+ else
+ failed "IS_ALERT5BOOT" "alert5 unit file is missing"
+ fi
 else
 if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
 grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
@@ -592,9 +595,9 @@ check_evobackup() {
 }
 # Vérification de l'exclusion des montages (NFS) dans les sauvegardes
 check_evobackup_exclude_mount() {
- excludes_file=$(mktemp)
- # shellcheck disable=SC2064
- trap "rm -f ${excludes_file}" 0
+ excludes_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.evobackup_exclude_mount.XXXXX")
+ files_to_cleanup="${files_to_cleanup} ${excludes_file}"
+ # shellcheck disable=SC2044
 for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do
 grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
@@ -603,7 +606,6 @@ check_evobackup_exclude_mount() {
 failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
 done
 done
- rm -rf "${excludes_file}"
 }
 # Verification de la presence du userlogrotate
 check_userlogrotate() {
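Review bot: `excludes_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} ...)` in check_evobackup_exclude_mount never checks mktemp's exit status, so a failure (full filesystem, unusable TMPDIR) leaves `excludes_file` empty and the later `> "${excludes_file}"` redirect errors out instead of the check reporting it; `${TMPDIR:-/tmp}` is also unquoted and word-splits on a path containing spaces. I would write `excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") || { failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "cannot create temporary file"; return; }` and the same in the check_duplicate_fs_label, check_versions and main() hunks later in the diff, where in main() an unchecked mktemp additionally leaves `main_output_file` empty for every failed() call. Note also that `--tmpdir=` is GNU mktemp syntax while the file header describes a Debian/OpenBSD script and the replaced `mktemp -p /tmp` in check_duplicate_fs_label worked on both; if the OpenBSD path still reaches these functions, `-p "${TMPDIR:-/tmp}"` is the portable spelling.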
@@ -809,8 +811,10 @@ check_tune2fs_m5() {
 check_evolinuxsudogroup() {
 if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
 if grep -q "^evolinux-sudo:" /etc/group; then
- grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
- || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
+ if [ -f /etc/sudoers.d/evolinux ]; then
+ grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \
+ || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file"
+ fi
 fi
 fi
 }
@@ -827,7 +831,7 @@ check_userinadmgroup() {
 }
 check_apache2evolinuxconf() {
 if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
- if test -d /etc/apache2; then
+ if is_installed apache2; then
 { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
 && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
 && test -f /etc/apache2/ipaddr_whitelist.conf;
@@ -1006,6 +1010,8 @@ check_mysqlmunin() {
 test "${VERBOSE}" = 1 || break
 fi
 done
+ munin-run mysql_commands 2> /dev/null > /dev/null
+ test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error"
 fi
 fi
 }
@@ -1062,8 +1068,10 @@ check_squidevolinuxconf() {
 check_duplicate_fs_label() {
 # Do it only if thereis blkid binary
 BLKID_BIN=$(command -v blkid)
- if [ -x "$BLKID_BIN" ]; then
- tmpFile=$(mktemp -p /tmp)
+ if [ -n "$BLKID_BIN" ]; then
+ tmpFile=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.duplicate_fs_label.XXXXX")
+ files_to_cleanup="${files_to_cleanup} ${tmpFile}"
+
 parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
 for part in $parts; do
 echo "$part" >> "$tmpFile"
@@ -1076,7 +1084,6 @@ check_duplicate_fs_label() {
 labels=$(echo -n $tmpOutput | tr '\n' ' ')
 failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels"
 fi
- rm "$tmpFile"
 else
 failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}"
 fi
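Review bot: The new `if [ -f /etc/sudoers.d/evolinux ]` guard in check_evolinuxsudogroup has no else branch, so when the evolinux-sudo group exists but the sudoers drop-in is absent the check now passes silently, whereas the replaced grep on the missing file used to trigger the failure; a missing file is the stronger form of "missing evolinux-sudo directive" and should still be reported, since the check exists to confirm the group actually carries sudo rights. Add `else` / `failed "IS_EVOLINUXSUDOGROUP" "missing sudoers file /etc/sudoers.d/evolinux"` before the inner `fi`, mirroring the alert5 hunk earlier in this diff, which does report the missing-file case.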
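Review bot: `munin-run mysql_commands 2> /dev/null > /dev/null` followed by `test $? -eq 0 || failed …` in check_mysqlmunin spreads one condition over two lines and the `test $?` form is easy to break by inserting a statement between them; the surrounding checks use the `cmd || failed …` shape directly. `munin-run mysql_commands > /dev/null 2>&1 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error"` is equivalent and consistent with them.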
@@ -1395,6 +1402,7 @@ get_command() {
 listupgrade) command -v "evolistupgrade.sh" ;;
 old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;;
 mysql-queries-killer) command -v "mysql-queries-killer.sh" ;;
+ minifirewall) echo "/etc/init.d/minifirewall" ;;
 ## General case, where the program name is the same as the command name
 *) command -v "${program}" ;;
@@ -1415,6 +1423,9 @@ get_version() {
 add-vm)
 grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
 ;;
+ minifirewall)
+ ${command} status | head -1 | cut -d ' ' -f 3
+ ;;
 ## Let's try the --version flag before falling back to grep for the constant
 kvmstats)
 if ${command} --version > /dev/null 2> /dev/null; then
@@ -1457,9 +1468,9 @@ add_to_path() {
 echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
 }
 check_versions() {
- versions_file=$(mktemp --tmpdir=/tmp "evocheck-versions.XXXXX")
- # shellcheck disable=SC2064
- trap "rm -f ${versions_file}" 0
+ versions_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.versions.XXXXX")
+ files_to_cleanup="${files_to_cleanup} ${versions_file}"
+
 download_versions "${versions_file}"
 add_to_path "/usr/share/scripts"
@@ -1477,8 +1488,6 @@ check_versions() {
 fi
 fi
 done
-
- rm -f "${versions_file}"
 }
 main() {
@@ -1487,6 +1496,9 @@ main() {
 # Detect operating system name, version and release
 detect_os
+ main_output_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.main.XXXXX")
+ files_to_cleanup="${files_to_cleanup} ${main_output_file}"
+
 #-----------------------------------------------------------
 # Tests communs à tous les systèmes
 #-----------------------------------------------------------
@@ -1715,8 +1727,19 @@ main() {
 # - NRPEDISK et NRPEPOSTFIX
 fi
+ if [ -f "${main_output_file}" ]; then
+ if [ $(cat "${main_output_file}" | wc -l) -gt 0 ]; then
+
+ cat "${main_output_file}" 2>&1
+ fi
+ fi
+
 exit ${RC}
 }
+cleanup_temp_files() {
+ # shellcheck disable=SC2086
+ rm -f ${files_to_cleanup}
+}
 PROGNAME=$(basename "$0")
 # shellcheck disable=SC2034
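Review bot: `minifirewall) echo "/etc/init.d/minifirewall" ;;` in get_command always prints the path and succeeds, unlike the `command -v` arms around it, which print nothing and return non-zero when the program is absent; if the caller relies on that to skip missing programs (its code is not in this diff), the minifirewall arm will go on to run the get_version hunk's `${command} status` against a script that does not exist. `minifirewall) test -x /etc/init.d/minifirewall && echo "/etc/init.d/minifirewall" ;;` keeps the arm's contract consistent with the others. The get_version arm also differs from its neighbours in that it executes an init-script action rather than reading a constant, and it takes the version as the third space-separated word of the first output line; a one-line comment naming the expected output format of `minifirewall status` would make that dependency visible the next time the status output changes.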
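Review bot: `if [ $(cat "${main_output_file}" | wc -l) -gt 0 ]` at the end of main() is an unquoted command substitution piped through cat and wc only to test whether the file has content; `if [ -s "${main_output_file}" ]; then` does the same without a subshell and makes the enclosing `-f` test redundant. On the `cat "${main_output_file}" 2>&1` line the `2>&1` merges cat's own stderr into the report stream but does nothing for the file contents, so it can be dropped. main() begins outside the hunk.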
@@ -1730,6 +1753,10 @@ readonly ARGS
 export LANG=C
 export LANGUAGE=C
+files_to_cleanup=""
+# shellcheck disable=SC2064
+trap cleanup_temp_files 0
+
 # Source configuration file
 # shellcheck disable=SC1091
 test -f /etc/evocheck.cf && . /etc/evocheck.cf
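Review bot: `# shellcheck disable=SC2064` above `trap cleanup_temp_files 0` is stale: SC2064 warns about double-quoted trap arguments being expanded when the trap is set, and this trap passes a bare function name with nothing to expand, so the directive silences nothing and misleads the next reader. Replace it with a why-comment such as `# every mktemp path is appended to files_to_cleanup and removed on exit`. The trap is registered for 0 (EXIT) only; whether it also fires when the script is killed by INT or TERM depends on the shell it runs under, so `trap 'cleanup_temp_files; exit 1' INT TERM` alongside it would make cleanup of an interrupted run explicit.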