evocheck : update from upstream

Jérémy Lecour 2019-06-21 09:42:02 +02:00 committed by Jérémy Lecour
parent 49d90fff09
commit ce12e32375
2 changed files with 35 additions and 16 deletions


@ -15,12 +15,13 @@ The **patch** part changes incrementally at each release.
* apache: add a variable to customize the server-status host * apache: add a variable to customize the server-status host
* apt: add a script to manage packages with "hold" mark * apt: add a script to manage packages with "hold" mark
* etc-git: gitignore /etc/letsencrypt/.certbot.lock * etc-git: gitignore /etc/letsencrypt/.certbot.lock
* evolinux-base: install "spectre-meltdown-checker" (Debian 10 and later)
* evomaintenance: make hooks configurable * evomaintenance: make hooks configurable
* nginx: add server status suffix in VHost (and default site) if missing * nginx: add server status suffix in VHost (and default site) if missing
* redmine: enable gzip compression in nginx vhost * redmine: enable gzip compression in nginx vhost
### Changed ### Changed
* evocheck : version 19.04 from upstream * evocheck : update (unreleased) from upstream
* evomaintenance : use the web API instead of PG Insert * evomaintenance : use the web API instead of PG Insert
* rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5 * rbenv: update defaults rbenv version to 1.1.2 and ruby version to 2.5.5
* redmine: update default version to 4.0.3 * redmine: update default version to 4.0.3


@ -315,7 +315,7 @@ check_nrpeperms() {
} }
check_minifwperms() { check_minifwperms() {
if [ -f "$MINIFW_FILE" ]; then if [ -f "$MINIFW_FILE" ]; then
actual=$(stat --format "%a" $MINIFW_FILE) actual=$(stat --format "%a" "$MINIFW_FILE")
expected="600" expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS" test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
fi fi
@ -386,7 +386,7 @@ check_raidsoft() {
} }
# Verification du LogFormat de AWStats # Verification du LogFormat de AWStats
check_awstatslogformat() { check_awstatslogformat() {
if is_installed apache2.2-common awstats; then if is_installed apache2 awstats; then
grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \ grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
|| failed "IS_AWSTATSLOGFORMAT" || failed "IS_AWSTATSLOGFORMAT"
fi fi
@ -531,20 +531,30 @@ check_userlogrotate() {
} }
# Verification de la syntaxe de la conf d'Apache # Verification de la syntaxe de la conf d'Apache
check_apachectl() { check_apachectl() {
if is_installed apache2.2-common; then if is_installed apache2; then
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL" /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
fi fi
} }
# Check if there is regular files in Apache sites-enabled. # Check if there is regular files in Apache sites-enabled.
check_apachesymlink() { check_apachesymlink() {
if is_installed apache2.2-common; then if is_installed apache2; then
stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK" apacheFind=$(find /etc/apache2/sites-enabled ! -type l -type f -print)
nbApacheFind=$(wc -m <<< "$apacheFind")
if [[ $nbApacheFind -gt 1 ]]; then
if [[ $VERBOSE == 1 ]]; then
while read -r line; do
failed "IS_APACHESYMLINK" "Not a symlink: $line"
done <<< "$apacheFind"
else
failed "IS_APACHESYMLINK"
fi
fi
fi fi
} }
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
check_apacheipinallow() { check_apacheipinallow() {
# Note: Replace "exit 1" by "print" in Perl code to debug it. # Note: Replace "exit 1" by "print" in Perl code to debug it.
if is_installed apache2.2-common; then if is_installed apache2; then
grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
| grep -iv "from all" \ | grep -iv "from all" \
| grep -iv "env=" \ | grep -iv "env=" \
@ -559,7 +569,7 @@ check_muninapacheconf() {
else else
muninconf="/etc/apache2/conf-available/munin.conf" muninconf="/etc/apache2/conf-available/munin.conf"
fi fi
if is_installed apache2.2-common; then if is_installed apache2; then
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF" test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
fi fi
} }
@ -881,12 +891,19 @@ check_mysqlmunin() {
} }
check_mysqlnrpe() { check_mysqlnrpe() {
if is_debian_stretch && is_installed mariadb-server; then if is_debian_stretch && is_installed mariadb-server; then
nagios_file="~nagios/.my.cnf" nagios_home=$(getent passwd "nagios" | cut -d: -f6)
{ test -f $nagios_file \ nagios_file_abs="${nagios_home}/.my.cnf"
&& [ "$(stat -c %U $nagios_file)" = "nagios" ] \ nagios_file_sym="~nagios/.my.cnf"
&& [ "$(stat -c %a $nagios_file)" = "600" ] \
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file"; if ! test -f $nagios_file_abs; then
} || failed "IS_MYSQLNRPE" failed "IS_MYSQLNRPE" "$nagios_file_abs is missing"
elif [ "$(stat -c %U $nagios_file_abs)" != "nagios" ] \
|| [ "$(stat -c %a $nagios_file_abs)" != "600" ]; then
failed "IS_MYSQLNRPE" "$nagios_file_abs has wrong permissions"
else
grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file_sym" /etc/nagios/nrpe.d/evolix.cfg \
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
fi
fi fi
} }
check_phpevolinuxconf() { check_phpevolinuxconf() {
@ -1102,7 +1119,7 @@ check_evobackup_incs() {
if is_installed bkctld; then if is_installed bkctld; then
bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld} bkctld_cron_file=${bkctld_cron_file:-/etc/cron.d/bkctld}
if [ -f "${bkctld_cron_file}" ]; then if [ -f "${bkctld_cron_file}" ]; then
root_crontab=$(grep -v "^#" ${bkctld_cron_file}) root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}" echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}" echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
else else
@ -1158,7 +1175,7 @@ main() {
test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf test "${IS_LISTCHANGESCONF:=1}" = 1 && check_listchangesconf
test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab test "${IS_CUSTOMCRONTAB:=1}" = 1 && check_customcrontab
test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
test "${IS_DISKPERF:=1}" = 1 && check_diskperf test "${IS_DISKPERF:=0}" = 1 && check_diskperf
test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile test "${IS_TMOUTPROFILE:=1}" = 1 && check_tmoutprofile
test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot test "${IS_ALERT5BOOT:=1}" = 1 && check_alert5boot
test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw test "${IS_ALERT5MINIFW:=1}" = 1 && check_alert5minifw
@ -1396,4 +1413,5 @@ while :; do
shift shift
done done
# shellcheck disable=SC2086
main ${ARGS} main ${ARGS}
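Review bot: In check_mysqlnrpe, the new `nagios_home=$(getent passwd "nagios" | cut -d: -f6)` is never checked for being empty, so on a host without a nagios account the function would test `/.my.cnf` and report that path as missing, which points the operator at the wrong problem for a file that holds the monitoring user's MySQL credentials. A first branch such as `if [ -z "$nagios_home" ]; then failed "IS_MYSQLNRPE" "nagios user has no home directory"` would make that case explicit. The new `test -f $nagios_file_abs` and both `stat -c ... $nagios_file_abs` calls also expand the path unquoted, unlike the `"$MINIFW_FILE"` fix made earlier in this same commit; they should read `test -f "$nagios_file_abs"` and `stat -c %U "$nagios_file_abs"`. The single "has wrong permissions" message covers both the owner test and the mode test, so reporting them separately would say which of the two needs fixing.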