evocheck: upstream release 22.08

2022-08-29 16:47:12 +02:00 · 2022-08-29 16:47:12 +02:00 · 71aafe161c
parent 9a25d5981f
commit 71aafe161c
2 changed files with 109 additions and 232 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -19,7 +19,7 @@ The **patch** part changes is incremented if multiple releases happen the same m

 ### Changed

-* evocheck: upstream release 22.07.1
+* evocheck: upstream release 22.08
 * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command

 ### Fixed
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@ -1,10 +1,10 @@
 #!/bin/bash

 # EvoCheck
-# Script to verify compliance of a Debian/OpenBSD server
+# Script to verify compliance of a Linux (Debian) server
 # powered by Evolix

-VERSION="22.07"
+VERSION="22.08"
 readonly VERSION

 # base functions
@ -30,7 +30,7 @@ END
 }
 show_help() {
    cat <<END
-evocheck is a script that verifies Evolix conventions on Debian/OpenBSD servers.
+evocheck is a script that verifies Evolix conventions on Linux (Debian) servers.

 Usage: evocheck
  or   evocheck --cron
@ -50,7 +50,6 @@ detect_os() {
    # OS detection
    DEBIAN_RELEASE=""
    LSB_RELEASE_BIN=$(command -v lsb_release)
-    OPENBSD_RELEASE=""

    if [ -e /etc/debian_version ]; then
        DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
@ -68,9 +67,6 @@ detect_os() {
                12) DEBIAN_RELEASE="bookworm";;
            esac
        fi
-    elif [ "$(uname -s)" = "OpenBSD" ]; then
-        # use a better release name
-        OPENBSD_RELEASE=$(uname -r)
    fi
 }

@ -107,9 +103,6 @@ debian_release() {
 debian_version() {
    printf "%s" "${DEBIAN_VERSION}"
 }
-is_openbsd() {
-  test -n "${OPENBSD_RELEASE}"
-}

 is_pack_web(){
    test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
@ -1408,8 +1401,6 @@ download_versions() {

    if is_debian; then
        versions_url="https://upgrades.evolix.org/versions-${DEBIAN_RELEASE}"
-    elif is_openbsd; then
-        versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}"
    else
        failed "IS_CHECK_VERSIONS" "error determining os release"
    fi
@ -1536,10 +1527,6 @@ main() {
    main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX")
    files_to_cleanup="${files_to_cleanup} ${main_output_file}"

-    #-----------------------------------------------------------
-    # Tests communs à tous les systèmes
-    #-----------------------------------------------------------
-
    test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
    test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
    test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts
@ -1549,13 +1536,6 @@ main() {
    test "${IS_EVOMAINTENANCECONF:=1}" = 1 && check_evomaintenanceconf
    test "${IS_PRIVKEYWOLRDREADABLE:=1}" = 1 && check_privatekeyworldreadable

-    #-----------------------------------------------------------
-    # Vérifie si c'est une debian et fait les tests appropriés.
-    #-----------------------------------------------------------
-
-    if is_debian; then
-        MINIFW_FILE=$(minifirewall_file)
-
    test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
    test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
    test "${IS_UMASKSUDOERS:=1}" = 1 && check_umasksudoers
@ -1661,109 +1641,6 @@ main() {
    test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
    test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
    test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
-    fi
-
-    #-----------------------------------------------------------
-    # Tests spécifiques à OpenBSD
-    #-----------------------------------------------------------
-
-    if is_openbsd; then
-
-        if [ "${IS_SOFTDEP:=1}" = 1 ]; then
-            grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP"
-        fi
-
-        if [ "${IS_WHEEL:=1}" = 1 ]; then
-            grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL"
-        fi
-
-        if [ "${IS_SUDOADMIN:=1}" = 1 ]; then
-            grep -qE "^User_Alias ADMIN=.*$" /etc/sudoers || failed "IS_SUDOADMIN"
-        fi
-
-        if [ "${IS_PKGMIRROR:=1}" = 1 ]; then
-            grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \
-                || failed "IS_PKGMIRROR"
-        fi
-
-        if [ "${IS_HISTORY:=1}" = 1 ]; then
-            f=/root/.profile
-            { grep -q "^HISTFILE=\$HOME/.histfile" $f \
-                && grep -q "^export HISTFILE" $f \
-                && grep -q "^HISTSIZE=1000" $f \
-                && grep -q "^export HISTSIZE" $f;
-            } || failed "IS_HISTORY"
-        fi
-
-        if [ "${IS_VIM:=1}" = 1 ]; then
-            command -v vim > /dev/null 2>&1 || failed "IS_VIM"
-        fi
-
-        if [ "${IS_TTYC0SECURE:=1}" = 1 ]; then
-            grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE"
-        fi
-
-        if [ "${IS_CUSTOMSYSLOG:=1}" = 1 ]; then
-            grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG"
-        fi
-
-        if [ "${IS_NOINETD:=1}" = 1 ]; then
-            grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD"
-        fi
-
-        if [ "${IS_SUDOMAINT:=1}" = 1 ]; then
-            f=/etc/sudoers
-            { grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
-                && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f;
-            } || failed "IS_SUDOMAINT"
-        fi
-
-        if [ "${IS_POSTGRESQL:=1}" = 1 ]; then
-            pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed"
-        fi
-
-        if [ "${IS_NRPE:=1}" = 1 ]; then
-            { pkg info | grep -qE "nagios-plugins-[0-9.]" \
-                && pkg info | grep -q nagios-plugins-ntp \
-                && pkg info | grep -q nrpe;
-            } || failed "IS_NRPE" "NRPE is not installed"
-        fi
-
-    # if [ "${IS_NRPEDISKS:=1}" = 1 ]; then
-    #     NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
-    #     DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
-    #     [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS"
-    # fi
-
-    # Verification du check_mailq dans nrpe.cfg (celui-ci doit avoir l'option "-M postfix" si le MTA est Postfix)
-    #
-    # if [ "${IS_NRPEPOSTFIX:=1}" = 1 ]; then
-    #     pkg info | grep -q postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nrpe.cfg 2>/dev/null || failed "IS_NRPEPOSTFIX" )
-    # fi
-
-        if [ "${IS_NRPEDAEMON:=1}" = 1 ]; then
-            grep -q "echo -n ' nrpe';        /usr/local/sbin/nrpe -d" /etc/rc.local \
-                || failed "IS_NREPEDAEMON"
-        fi
-
-        if [ "${IS_ALERTBOOT:=1}" = 1 ]; then
-            grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \
-                || failed "IS_ALERTBOOT"
-        fi
-
-        if [ "${IS_RSYNC:=1}" = 1 ]; then
-            pkg info | grep -q rsync || failed "IS_RSYNC"
-        fi
-
-        if [ "${IS_CRONPATH:=1}" = 1 ]; then
-            grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \
-                || failed "IS_CRONPATH"
-        fi
-
-        #TODO
-        # - Check en profondeur de postfix
-        # - NRPEDISK et NRPEPOSTFIX
-    fi

    if [ -f "${main_output_file}" ]; then
        lines_found=$(wc -l < "${main_output_file}")