diff --git a/CHANGELOG.md b/CHANGELOG.md
index def29043..105cc811 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -56,10 +56,11 @@ The **patch** part changes incrementally at each release.
 * bind: change name of logrotate file to bind9
 * certbot: commit hook must be executed at the end
 * elasticsearch: listen on local interface only by default
-* evocheck: upstream version 20.02.1
+* evocheck: upstream version 20.04.2
 * evocheck: cron jobs execute in verbose
 * evolinux-base: use "evolinux_internal_group" for SSH authentication
 * evolinux-base: Don't customize the logcheck recipient by default.
+* evolinux-base: configure cciss-vol-statusd in the proper file
 * evomaintenance: upstream release 0.6.3
 * evomaintenance: Turn on API by default (instead of DB)
 * evomaintenance: install PG dependencies only when needed
@@ -82,6 +83,7 @@ The **patch** part changes incrementally at each release.
 * php: Make sure the default pool we define can be fully functionnal witout debian's default pool file
 * php: Change the default pool names to something more explicit (and same for the variables names)
 * php: Add a task to remove Debian's default FPM pool file (off by default)
+* php: Cleanup CLI Settings. Also, allow url fopen and don't disable functions (in CLI only)
 * postgresql : changed logrotate config to 10 days (and fixed permissions)
 * rbenv: changed default Ruby version to 2.7.0
 * squid: Remove wait time when we turn off squid
diff --git a/certbot/handlers/main.yml b/certbot/handlers/main.yml
index 7c7c3d8c..4a9d305a 100644
--- a/certbot/handlers/main.yml
+++ b/certbot/handlers/main.yml
@@ -18,3 +18,6 @@
 - name: systemd daemon-reload
   systemd:
     daemon_reload: yes
+
+- name: install certbot-auto
+  command: /usr/local/bin/certbot --install-only
diff --git a/certbot/tasks/install-sources.yml b/certbot/tasks/install-sources.yml
index 6c24cc48..1bc7c864 100644
--- a/certbot/tasks/install-sources.yml
+++ b/certbot/tasks/install-sources.yml
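Review bot: The new `install certbot-auto` handler runs `/usr/local/bin/certbot --install-only` with no flags that constrain what certbot-auto does at that point; as far as I know that script fetches and installs its Python dependencies from the network and, unless told otherwise, also checks for and downloads a newer copy of itself, so the binary Ansible placed with `force: no` (see the install-sources hunk) can be swapped out during the handler run. If self-upgrade is not wanted, pass it explicitly: `command: /usr/local/bin/certbot --install-only --no-self-upgrade --non-interactive`. A one-line comment above the handler stating that this step needs outbound network access would also help operators running playbooks behind a proxy.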
@@ -16,6 +16,7 @@
     owner: root
     group: root
     force: no
+  notify: install certbot-auto
 
 - name: systemd artefacts are absent
   file:
diff --git a/evoacme/files/hooks/reload_apache b/evoacme/files/hooks/reload_apache
index 2cceb972..1db59b5b 100755
--- a/evoacme/files/hooks/reload_apache
+++ b/evoacme/files/hooks/reload_apache
@@ -1,6 +1,7 @@
 #!/bin/sh
 
 readonly PROGNAME=$(basename "$0")
+# shellcheck disable=SC2124,SC2034
 readonly ARGS=$@
 
 readonly VERBOSE=${VERBOSE:-"0"}
@@ -17,6 +18,7 @@ debug() {
 }
 
 if [ -n "$(pidof apache2)" ]; then
+    # shellcheck disable=SC2091
     if $($(command -v apache2ctl) -t 2> /dev/null); then
         debug "Apache detected... reloading"
         service apache2 reload
diff --git a/evoacme/files/hooks/reload_dovecot b/evoacme/files/hooks/reload_dovecot
index 31da4fb4..602e7c85 100755
--- a/evoacme/files/hooks/reload_dovecot
+++ b/evoacme/files/hooks/reload_dovecot
@@ -1,6 +1,7 @@
 #!/bin/sh
 
 readonly PROGNAME=$(basename "$0")
+# shellcheck disable=SC2124,SC2034
 readonly ARGS=$@
 
 readonly VERBOSE=${VERBOSE:-"0"}
@@ -17,7 +18,9 @@ debug() {
 }
 
 if [ -n "$(pidof dovecot)" ]; then
+    # shellcheck disable=SC2091
     if $($(command -v doveconf) > /dev/null); then
+        # shellcheck disable=SC2091
         if $($(command -v doveconf)|grep -E "^ssl_cert[^_]"|grep -q "letsencrypt"); then
             debug "Dovecot detected... reloading"
             service dovecot reload
diff --git a/evoacme/files/hooks/reload_nginx b/evoacme/files/hooks/reload_nginx
index 35db3787..48c49da9 100755
--- a/evoacme/files/hooks/reload_nginx
+++ b/evoacme/files/hooks/reload_nginx
@@ -1,6 +1,7 @@
 #!/bin/sh
 
 readonly PROGNAME=$(basename "$0")
+# shellcheck disable=SC2124,SC2034
 readonly ARGS=$@
 
 readonly VERBOSE=${VERBOSE:-"0"}
@@ -17,6 +18,7 @@ debug() {
 }
 
 if [ -n "$(pidof nginx)" ]; then
+    # shellcheck disable=SC2091
     if $($(command -v nginx) -t 2> /dev/null); then
         debug "Nginx detected... reloading"
         service nginx reload
diff --git a/evoacme/files/hooks/reload_postfix b/evoacme/files/hooks/reload_postfix
index 50ee20ce..eb17b58e 100755
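Review bot: The `# shellcheck disable=SC2091` added above `if $($(command -v apache2ctl) -t 2> /dev/null); then` silences a warning that describes a real hazard rather than a false positive: the outer `$( )` takes whatever the config test writes to stdout and runs it as a command, and the branch only behaves because the test's messages appear to go to stderr (the only stream the redirection discards). The exit status is what the hook actually wants, so test it directly: `if apache2ctl -t >/dev/null 2>&1; then`. If `command -v apache2ctl` finds nothing, the current form also runs a bare `-t`, which the direct form avoids by failing cleanly. The `if [ -n "$(pidof apache2)" ]` block continues past the end of the hunk.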
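Review bot: Both `# shellcheck disable=SC2091` lines in reload_dovecot hide that the conditions execute the stdout of a pipeline as a command; `if $($(command -v doveconf) > /dev/null)` and the `grep -q "letsencrypt"` line work only because neither prints anything, and a future `doveconf` that emits a notice on stdout would get that notice executed by the hook. Rewriting them to test the exit status removes the need for the suppressions: `if doveconf >/dev/null 2>&1; then` and `if doveconf | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then`. The enclosing `if [ -n "$(pidof dovecot)" ]` block ends outside the hunk.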
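Review bot: Same pattern as the other hooks: the new `# shellcheck disable=SC2091` in reload_nginx keeps `if $($(command -v nginx) -t 2> /dev/null); then`, which runs the config test's stdout as a command and relies on `nginx -t` printing only to stderr. `if nginx -t >/dev/null 2>&1; then` checks the status the hook cares about without executing any output. The surrounding `if [ -n "$(pidof nginx)" ]` block is cut off by the hunk.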
--- a/evoacme/files/hooks/reload_postfix
+++ b/evoacme/files/hooks/reload_postfix
@@ -1,6 +1,7 @@
 #!/bin/sh
 
 readonly PROGNAME=$(basename "$0")
+# shellcheck disable=SC2124,SC2034
 readonly ARGS=$@
 
 readonly VERBOSE=${VERBOSE:-"0"}
@@ -17,7 +18,9 @@ debug() {
 }
 
 if [ -n "$(pidof master)" ]; then
+    # shellcheck disable=SC2091
     if $($(command -v postconf) > /dev/null); then
+        # shellcheck disable=SC2091
         if $($(command -v postconf)|grep -E "^smtpd_tls_cert_file"|grep -q "letsencrypt"); then
             debug "Postfix detected... reloading"
             service postfix reload
diff --git a/evocheck/files/evocheck.sh b/evocheck/files/evocheck.sh
index 93c5a8d4..88bb2f29 100644
--- a/evocheck/files/evocheck.sh
+++ b/evocheck/files/evocheck.sh
@@ -4,6 +4,8 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
+readonly VERSION="20.04.2"
+
 # base functions
 
 show_version() {
@@ -551,6 +553,20 @@ check_evobackup() {
     evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
     test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" "missing evobackup cron"
 }
+# Vérification de l'exclusion des montages (NFS) dans les sauvegardes
+check_evobackup_exclude_mount() {
+    excludes_file=$(mktemp)
+    # shellcheck disable=SC2064
+    trap "rm -f ${excludes_file}" 0
+    # shellcheck disable=SC2044
+    for evobackup_file in $(find /etc/cron* -name '*evobackup*'); do
+        grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
+        not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
+        for mount in ${not_excluded}; do
+            failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
+        done
+    done
+}
 # Verification de la presence du userlogrotate
 check_userlogrotate() {
     if is_pack_web; then
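Review bot: In reload_postfix the two `# shellcheck disable=SC2091` comments keep conditions that execute the stdout of `postconf` pipelines as commands; they pass today only because `> /dev/null` and `grep -q` leave stdout empty. `if postconf >/dev/null 2>&1; then` and `if postconf | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then` test the same exit statuses without that indirection, and ShellCheck then stays quiet on its own. The `if [ -n "$(pidof master)" ]` block runs past the hunk.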
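Review bot: In `check_evobackup_exclude_mount`, `grep -v -f "${excludes_file}"` treats every extracted `--exclude` value as an unanchored basic regex, so an exclude of `/mnt/data` also suppresses the report for `/mnt/data2` or `/mnt/data-old`, and a value containing `.` matches more than the literal path; `grep -v -x -F -f "${excludes_file}"` makes only an exact mount-point match count as excluded (if evobackup excludes can be glob patterns rather than plain paths, that would need a different comparison — not visible from the hunk). The trailing comma in `--type nfs,nfs4,fuse.sshfs,` reads like a typo and adds an empty type entry whose handling by findmnt is worth checking. `for mount in ${not_excluded}` also word-splits, so a mount point containing a space is reported as two fragments; iterating the findmnt output with `while IFS= read -r mount` would keep each target intact.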
@@ -1225,6 +1241,29 @@ check_apt_valid_until() {
     fi
 }
 
+check_chrooted_binary_not_uptodate() {
+    # list of processes to check
+    process_list="sshd"
+    for process_name in ${process_list}; do
+        # what is the binary path?
+        original_bin=$(command -v "${process_name}")
+        for pid in $(pgrep ${process_name}); do
+            process_bin=$(realpath /proc/${pid}/exe)
+            # Is the process chrooted?
+            real_root=$(realpath /proc/${pid}/root)
+            if [ "${real_root}" != "/" ]; then
+                chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
+                original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
+                # compare md5 checksums
+                if [ "$original_md5" != "$chrooted_md5" ]; then
+                    failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
+                    test "${VERBOSE}" = 1 || break
+                fi
+            fi
+        done
+    done
+}
+
 main() {
     # Default return code : 0 = no error
     RC=0
@@ -1300,6 +1339,7 @@ main() {
         test "${IS_AUTOIF:=1}" = 1 && check_autoif
         test "${IS_INTERFACESGW:=1}" = 1 && check_interfacesgw
         test "${IS_EVOBACKUP:=1}" = 1 && check_evobackup
+        test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
         test "${IS_USERLOGROTATE:=1}" = 1 && check_userlogrotate
         test "${IS_APACHECTL:=1}" = 1 && check_apachectl
         test "${IS_APACHESYMLINK:=1}" = 1 && check_apachesymlink
@@ -1348,6 +1388,7 @@ main() {
         test "${IS_OSPROBER:=1}" = 1 && check_osprober
         test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
         test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
+        test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate
     fi
 
     #-----------------------------------------------------------
@@ -1460,8 +1501,6 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
 # shellcheck disable=2124
 readonly ARGS=$@
 
-readonly VERSION="20.02.1"
-
 # Disable LANG*
 export LANG=C
 export LANGUAGE=C
diff --git a/evolinux-base/tasks/hardware.yml b/evolinux-base/tasks/hardware.yml
index 6fb88d8a..628cd6d1 100644
--- a/evolinux-base/tasks/hardware.yml
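Review bot: `original_bin=$(command -v "${process_name}")` in `check_chrooted_binary_not_uptodate` depends on PATH, and nothing in the hunk sets one; if evocheck runs under cron's default `PATH=/usr/bin:/bin`, `sshd` (in /usr/sbin) is not found, `original_bin` is empty, `md5sum ""` fails with an empty digest and every chrooted sshd is reported as "different". Guard the lookup right after the assignment, `[ -n "${original_bin}" ] || continue`, or resolve through an explicit `/usr/sbin:/sbin:${PATH}`. `realpath /proc/${pid}/exe` likely also misbehaves when the on-disk binary was replaced after the process started (the link then carries a ` (deleted)` suffix), which is exactly the upgrade case this check exists for, so a failed `realpath` deserves a `failed` report rather than an empty path. Since this is an equality test between two local files, `cmp -s "${process_bin}" "${original_bin}"` would do the job without hashing.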
+++ b/evolinux-base/tasks/hardware.yml
@@ -52,17 +52,24 @@
- ssacli state: present - - name: Configure packages for HP hardware + - name: cciss-vol-statusd init script is present template: src: hardware/cciss-vol-statusd.j2 dest: /etc/init.d/cciss-vol-statusd mode: "0755" + + - name: Configure cciss-vol-statusd + lineinfile: + dest: /etc/default/cciss-vol-statusd + line: 'MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}"' + regexp: 'MAILTO=' + create: yes - name: Enable HP hardware in systemd service: name: cciss-vol-statusd enabled: true - state: started + state: restarted when: "'Hewlett-Packard Company Smart Array' in raidmodel.stdout" - name: MegaRAID SAS package is present
diff --git a/evolinux-base/templates/hardware/cciss-vol-statusd.j2 b/evolinux-base/templates/hardware/cciss-vol-statusd.j2
index c51a1a24..82c2c949 100644
--- a/evolinux-base/templates/hardware/cciss-vol-statusd.j2
+++ b/evolinux-base/templates/hardware/cciss-vol-statusd.j2
@@ -20,7 +20,7 @@ PIDFILE=/var/run/$NAME.pid
 STATUSFILE=/var/run/$NAME.status
 SCRIPTNAME=/etc/init.d/$NAME
 
-MAILTO="{{ raid_alert_email or general_alert_email | mandatory }}" # Where to report problems
+MAILTO="root" # Where to report problems
 PERIOD=600 # Seconds between each check (default 10 minutes)
 REMIND=86400 # Seconds between each reminder (default 2 hours)
 RUN_DAEMON=yes
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 6e97fb2d..e496c07e 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -30,7 +30,7 @@
   tags:
     - fail2ban
 
-- name: Include ignoredips update task
+- name: Include ignoredips update task
   include: ip_whitelist.yml
   when: fail2ban_force_update_ignore_ips
   tags:
diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml
index bb60da30..a1449b04 100644
--- a/listupgrade/tasks/main.yml
+++ b/listupgrade/tasks/main.yml
@@ -52,6 +52,7 @@
     mode: "0600"
     owner: root
     group: root
+    force: no
 
 - name: old-kernel-autoremoval script is present
   copy:
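Review bot: `regexp: 'MAILTO='` in the new lineinfile task is unanchored, so it also matches a commented-out `#MAILTO=` line or any other line that merely contains that string; `regexp: '^MAILTO='` targets only the active assignment and leaves comments alone. `state: restarted` on the service task restarts cciss-vol-statusd on every playbook run even when nothing changed; keeping `state: started` and notifying a restart handler from the template and lineinfile tasks restarts it only when its configuration actually moved. Both points assume the init script sources /etc/default/cciss-vol-statusd after its own defaults, which this hunk does not show.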
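Review bot: With the recipient now managed in /etc/default, `MAILTO="root"` in the template only acts as a fallback if the init script sources `/etc/default/$NAME` after this assignment; that sourcing is outside the hunk, so it is worth confirming, since otherwise RAID alerts would quietly go to root instead of the configured address. The intent should be visible on the line itself: `MAILTO="root" # default; overridden by /etc/default/cciss-vol-statusd`.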
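Review bot: Adding `force: no` to this copy means the file is deployed once and later changes to the role's version are never pushed to hosts that already have it, which is easy to mistake for a bug during the next upgrade; if the goal is to preserve local edits, state it next to the option, e.g. `force: no  # keep local modifications; deployed only once`. Whether `mode`/`owner`/`group` drift is still corrected when the content is skipped is worth checking, as the enclosing task (whose name sits above the hunk) relies on that 0600 mode.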
diff --git a/mongodb/README.md b/mongodb/README.md
index e876fe7c..24048b5e 100644
--- a/mongodb/README.md
+++ b/mongodb/README.md
@@ -2,7 +2,7 @@
 
 Install MongoDB
 
-We use packages from 10Gen for Jessie and packages from Debian for Stretch.
+We use Debian packages for Stretch, but MongoDB.org packages for Jessie/Buster
 
 ## Tasks
 
diff --git a/php/tasks/config_cli.yml b/php/tasks/config_cli.yml
index 75c81080..23ed695c 100644
--- a/php/tasks/config_cli.yml
+++ b/php/tasks/config_cli.yml
@@ -1,5 +1,5 @@
 ---
-- name: "Set default php.ini values for CLI (jessie)"
+- name: "Set default php.ini values for CLI"
   ini_file:
     dest: "{{ php_cli_defaults_ini_file }}"
     section: PHP
@@ -8,21 +8,11 @@
     mode: "0644"
     create: yes
   with_items:
-    - { option: "short_open_tag", value: "Off" }
-    - { option: "expose_php", value: "Off" }
-    - { option: "display_errors", value: "Off" }
-    - { option: "log_errors", value: "On" }
-    - { option: "html_errors", value: "Off" }
-    - { option: "allow_url_fopen", value: "Off" }
+    - { option: "display_errors", value: "On" }
+    - { option: "allow_url_fopen", value: "On" }
+    - { option: "disable_functions", value: "" }
 
-- name: "Disable PHP functions for CLI (jessie)"
-  ini_file:
-    dest: "{{ php_cli_defaults_ini_file }}"
-    section: PHP
-    option: disable_functions
-    value: "exec,shell-exec,system,passthru,putenv,popen"
-
-- name: Custom php.ini for CLI (jessie)
+- name: Custom php.ini for CLI
   copy:
     dest: "{{ php_cli_custom_ini_file }}"
     content: |
@@ -31,12 +21,12 @@
 
 # This task is not merged with the above copy
 # because "force: no" prevents any fix after the fact
-- name: "Permissions for custom php.ini for CLI (jessie)"
+- name: "Permissions for custom php.ini for CLI"
   file:
     dest: "{{ php_cli_custom_ini_file }}"
     mode: "0644"
 
-- name: "Set custom values for PHP to enable Symfony (jessie)"
+- name: "Set custom values for PHP to enable Symfony"
   ini_file:
     dest: "{{ php_cli_custom_ini_file }}"
     section: PHP
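Review bot: The `with_items` list now manages only three keys, but `ini_file` never removes options it no longer lists, so hosts configured by the previous version keep `short_open_tag`, `expose_php`, `log_errors` and `html_errors` pinned in `php_cli_defaults_ini_file` while fresh installs fall back to Debian's shipped values — two fleets with different CLI behaviour. `disable_functions` is handled correctly because it is overwritten with `""`; the other four need the same treatment, e.g. a follow-up task looping over them with `state: absent`, if the intent is really "Debian defaults". Since `display_errors=On` makes PHP warnings land on stdout (which cron captures and mails), a short comment on that item explaining why it is wanted for CLI would save the next reader a trip to the changelog; the `allow_url_fopen` and empty `disable_functions` values are scoped to the CLI ini only, as far as this hunk shows.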