evocheck: upstream version 19.11
parent
a55e29186f
commit
6b77372f24
|
@ -15,7 +15,6 @@ The **patch** part changes incrementally at each release.
|
||||||
* apt: remove jessie/buster sources from Gandi servers
|
* apt: remove jessie/buster sources from Gandi servers
|
||||||
* certbot : new role to install and configure certbot
|
* certbot : new role to install and configure certbot
|
||||||
* evoacme: upstream version 19.11
|
* evoacme: upstream version 19.11
|
||||||
* evocheck: upstream version 19.10
|
|
||||||
* evolinux-base: default value for "evolinux_ssh_group"
|
* evolinux-base: default value for "evolinux_ssh_group"
|
||||||
* evolinux-base: install /sbin/deny
|
* evolinux-base: install /sbin/deny
|
||||||
* evolinux-base: on debian 10 and later, add noexec on /dev/shm
|
* evolinux-base: on debian 10 and later, add noexec on /dev/shm
|
||||||
|
@ -36,7 +35,7 @@ The **patch** part changes incrementally at each release.
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
* elasticsearch: listen on local interface only by default
|
* elasticsearch: listen on local interface only by default
|
||||||
* evocheck : update (version 19.09) from upstream
|
* evocheck: upstream version 19.11
|
||||||
* evocheck: cron jobs execute in verbose
|
* evocheck: cron jobs execute in verbose
|
||||||
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
||||||
* evomaintenance: Turn on API by default (instead of DB)
|
* evomaintenance: Turn on API by default (instead of DB)
|
||||||
|
|
|
@ -252,7 +252,13 @@ check_usrro() {
|
||||||
grep /usr /etc/fstab | grep -q ro || failed "IS_USRRO" "missing ro directive on fstab for /usr"
|
grep /usr /etc/fstab | grep -q ro || failed "IS_USRRO" "missing ro directive on fstab for /usr"
|
||||||
}
|
}
|
||||||
check_tmpnoexec() {
|
check_tmpnoexec() {
|
||||||
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp is mounted with exec, should be noexec"
|
FINDMNT_BIN=$(command -v findmnt)
|
||||||
|
if [ -x ${FINDMNT_BIN} ]; then
|
||||||
|
options=$(${FINDMNT_BIN} --noheadings --first-only --output OPTIONS /tmp)
|
||||||
|
grep -qE "\bnoexec\b" ${options} || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'"
|
||||||
|
else
|
||||||
|
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec' (WARNING: findmnt(8) is not found)"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
check_mountfstab() {
|
check_mountfstab() {
|
||||||
# Test if lsblk available, if not skip this test...
|
# Test if lsblk available, if not skip this test...
|
||||||
|
@ -622,7 +628,7 @@ check_uptime() {
|
||||||
limit=$(date -d "now - 2 year" +%s)
|
limit=$(date -d "now - 2 year" +%s)
|
||||||
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
|
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
|
||||||
if [ "$limit" -gt "$last_reboot_at" ]; then
|
if [ "$limit" -gt "$last_reboot_at" ]; then
|
||||||
failed "IS_UPTIME" "machine has an uptime of more thant 2 years, reboot on new kernel advised"
|
failed "IS_UPTIME" "machine has an uptime of more than 2 years, reboot on new kernel advised"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -721,6 +727,7 @@ check_notupgraded() {
|
||||||
check_tune2fs_m5() {
|
check_tune2fs_m5() {
|
||||||
min=5
|
min=5
|
||||||
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
|
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
|
||||||
|
FINDMNT_BIN=$(command -v findmnt)
|
||||||
for part in $parts; do
|
for part in $parts; do
|
||||||
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
|
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
|
||||||
# If buggy partition, skip it.
|
# If buggy partition, skip it.
|
||||||
|
@ -733,7 +740,12 @@ check_tune2fs_m5() {
|
||||||
percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
|
percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
|
||||||
|
|
||||||
if [ "$percentage" -lt "${min}" ]; then
|
if [ "$percentage" -lt "${min}" ]; then
|
||||||
failed "IS_TUNE2FS_M5" "Partition ${part} has less than ${min}% reserved blocks (${percentage}%)"
|
if [ -x ${FINDMNT_BIN} ]; then
|
||||||
|
mount=$(${FINDMNT_BIN} --noheadings --first-only --output TARGET ${part})
|
||||||
|
else
|
||||||
|
mount="unknown mount point"
|
||||||
|
fi
|
||||||
|
failed "IS_TUNE2FS_M5" "Partition ${part} (${mount}) has less than ${min}% reserved blocks (${percentage}%)"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
@ -1446,7 +1458,7 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
||||||
# shellcheck disable=2124
|
# shellcheck disable=2124
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
||||||
readonly VERSION="19.10"
|
readonly VERSION="19.11"
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
export LANG=C
|
export LANG=C
|
||||||
|
@ -1471,6 +1483,7 @@ while :; do
|
||||||
--cron)
|
--cron)
|
||||||
IS_KERNELUPTODATE=0
|
IS_KERNELUPTODATE=0
|
||||||
IS_UPTIME=0
|
IS_UPTIME=0
|
||||||
|
IS_MELTDOWN_SPECTRE=0
|
||||||
;;
|
;;
|
||||||
-v|--verbose)
|
-v|--verbose)
|
||||||
VERBOSE=1
|
VERBOSE=1
|
||||||
|
|
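Review bot: In check_tmpnoexec the new `grep -qE "\bnoexec\b" ${options}` passes the mount options as a file name instead of as the text to search, so grep cannot open it and IS_TMPNOEXEC is reported even when /tmp is mounted noexec; if findmnt prints nothing, grep would read stdin instead. Feeding the string on stdin avoids both: `printf '%s\n' "${options}" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'"`. The guard `[ -x ${FINDMNT_BIN} ]` is unquoted, so when findmnt is absent it collapses to `[ -x ]`, which is true, and the `mount | grep` fallback is never reached; `[ -x "${FINDMNT_BIN}" ]` fixes that. The same unquoted test appears in the check_tune2fs_m5 hunk, where `${part}` should be quoted as well. A hardening check that fails regardless of the actual mount state tends to get ignored or disabled, so the result should be made reliable before anyone depends on it.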