evocheck: upstream release 20.04.2

Jérémy Lecour 2020-04-15 18:01:55 +02:00 committed by Jérémy Lecour
parent 155c6a5a88
commit 6764418e75
2 changed files with 27 additions and 3 deletions


@ -56,7 +56,7 @@ The **patch** part changes incrementally at each release.
* bind: change name of logrotate file to bind9
* certbot: commit hook must be executed at the end
* elasticsearch: listen on local interface only by default
* evocheck: upstream version 20.04.1
* evocheck: upstream version 20.04.2
* evocheck: cron jobs execute in verbose
* evolinux-base: use "evolinux_internal_group" for SSH authentication
* evolinux-base: Don't customize the logcheck recipient by default.


@ -4,6 +4,8 @@
# Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix
readonly VERSION="20.04.2"
# base functions
show_version() {
@ -1239,6 +1241,29 @@ check_apt_valid_until() {
fi
}
check_chrooted_binary_not_uptodate() {
# list of processes to check
process_list="sshd"
for process_name in ${process_list}; do
# what is the binary path?
original_bin=$(command -v "${process_name}")
for pid in $(pgrep ${process_name}); do
process_bin=$(realpath /proc/${pid}/exe)
# Is the process chrooted?
real_root=$(realpath /proc/${pid}/root)
if [ "${real_root}" != "/" ]; then
chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
# compare md5 checksums
if [ "$original_md5" != "$chrooted_md5" ]; then
failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
test "${VERBOSE}" = 1 || break
fi
fi
done
done
}
main() {
# Default return code : 0 = no error
RC=0
@ -1363,6 +1388,7 @@ main() {
test "${IS_OSPROBER:=1}" = 1 && check_osprober
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate
fi
#-----------------------------------------------------------
@ -1475,8 +1501,6 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
# shellcheck disable=2124
readonly ARGS=$@
readonly VERSION="20.04.1"
# Disable LANG*
export LANG=C
export LANGUAGE=C
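Review bot: In check_chrooted_binary_not_uptodate (hunk @ -1239), `pgrep ${process_name}` is a substring match, so with process_list="sshd" it also picks up any process whose name merely contains "sshd", and `original_bin=$(command -v "${process_name}")` is never checked, so a missing binary leads to `md5sum ""` and a misleading failure instead of a skipped check; the two lines should read `original_bin=$(command -v "${process_name}") || continue` and `for pid in $(pgrep -x "${process_name}"); do`. The `$(realpath /proc/${pid}/exe)` and `/proc/${pid}/root` lookups can also fail when a PID from pgrep exits before they run, which currently yields an empty process_bin that is then hashed; guarding each with `|| continue` keeps the check quiet for transient processes. A comment on the function stating that it compares the binary inside a chroot against the host copy and only reports a mismatch, not which side is stale, would help the next reader. Finally, md5sum is adequate for an equality test between two local files, but if this check is expected to notice deliberate substitution rather than a forgotten sync, `cmp -s` or sha256sum would be the more appropriate comparison.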