Release 10.0.0 #100
|
@ -56,7 +56,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* bind: change name of logrotate file to bind9
|
* bind: change name of logrotate file to bind9
|
||||||
* certbot: commit hook must be executed at the end
|
* certbot: commit hook must be executed at the end
|
||||||
* elasticsearch: listen on local interface only by default
|
* elasticsearch: listen on local interface only by default
|
||||||
* evocheck: upstream version 20.04.2
|
* evocheck: upstream version 20.04.3
|
||||||
* evocheck: cron jobs execute in verbose
|
* evocheck: cron jobs execute in verbose
|
||||||
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
||||||
* evolinux-base: Don't customize the logcheck recipient by default.
|
* evolinux-base: Don't customize the logcheck recipient by default.
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Debian/OpenBSD server
|
# Script to verify compliance of a Debian/OpenBSD server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
readonly VERSION="20.04.2"
|
readonly VERSION="20.04.3"
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
|
||||||
|
@ -255,7 +255,7 @@ check_usrro() {
|
||||||
}
|
}
|
||||||
check_tmpnoexec() {
|
check_tmpnoexec() {
|
||||||
FINDMNT_BIN=$(command -v findmnt)
|
FINDMNT_BIN=$(command -v findmnt)
|
||||||
if [ -x ${FINDMNT_BIN} ]; then
|
if [ -x "${FINDMNT_BIN}" ]; then
|
||||||
options=$(${FINDMNT_BIN} --noheadings --first-only --output OPTIONS /tmp)
|
options=$(${FINDMNT_BIN} --noheadings --first-only --output OPTIONS /tmp)
|
||||||
echo "${options}" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'"
|
echo "${options}" | grep -qE "\bnoexec\b" || failed "IS_TMPNOEXEC" "/tmp is not mounted with 'noexec'"
|
||||||
else
|
else
|
||||||
|
@ -758,8 +758,8 @@ check_tune2fs_m5() {
|
||||||
percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
|
percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
|
||||||
|
|
||||||
if [ "$percentage" -lt "${min}" ]; then
|
if [ "$percentage" -lt "${min}" ]; then
|
||||||
if [ -x ${FINDMNT_BIN} ]; then
|
if [ -x "${FINDMNT_BIN}" ]; then
|
||||||
mount=$(${FINDMNT_BIN} --noheadings --first-only --output TARGET ${part})
|
mount=$(${FINDMNT_BIN} --noheadings --first-only --output TARGET "${part}")
|
||||||
else
|
else
|
||||||
mount="unknown mount point"
|
mount="unknown mount point"
|
||||||
fi
|
fi
|
||||||
|
@ -1205,7 +1205,7 @@ check_evobackup_incs() {
|
||||||
if [ -f "${bkctld_cron_file}" ]; then
|
if [ -f "${bkctld_cron_file}" ]; then
|
||||||
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
|
root_crontab=$(grep -v "^#" "${bkctld_cron_file}")
|
||||||
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
|
echo "${root_crontab}" | grep -q "bkctld inc" || failed "IS_EVOBACKUP_INCS" "\`bkctld inc' is missing in ${bkctld_cron_file}"
|
||||||
echo "${root_crontab}" | grep -q "check-incs.sh" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
|
echo "${root_crontab}" | grep -qE "(check-incs.sh|bkctld check-incs)" || failed "IS_EVOBACKUP_INCS" "\`check-incs.sh' is missing in ${bkctld_cron_file}"
|
||||||
else
|
else
|
||||||
failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing"
|
failed "IS_EVOBACKUP_INCS" "Crontab \`${bkctld_cron_file}' is missing"
|
||||||
fi
|
fi
|
||||||
|
@ -1241,28 +1241,42 @@ check_apt_valid_until() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_chrooted_binary_not_uptodate() {
|
check_chrooted_binary_uptodate() {
|
||||||
# list of processes to check
|
# list of processes to check
|
||||||
process_list="sshd"
|
process_list="sshd"
|
||||||
for process_name in ${process_list}; do
|
for process_name in ${process_list}; do
|
||||||
# what is the binary path?
|
# what is the binary path?
|
||||||
original_bin=$(command -v "${process_name}")
|
original_bin=$(command -v "${process_name}")
|
||||||
for pid in $(pgrep ${process_name}); do
|
for pid in $(pgrep ${process_name}); do
|
||||||
process_bin=$(realpath /proc/${pid}/exe)
|
process_bin=$(realpath "/proc/${pid}/exe")
|
||||||
# Is the process chrooted?
|
# Is the process chrooted?
|
||||||
real_root=$(realpath /proc/${pid}/root)
|
real_root=$(realpath "/proc/${pid}/root")
|
||||||
if [ "${real_root}" != "/" ]; then
|
if [ "${real_root}" != "/" ]; then
|
||||||
chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
|
chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
|
||||||
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
|
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
|
||||||
# compare md5 checksums
|
# compare md5 checksums
|
||||||
if [ "$original_md5" != "$chrooted_md5" ]; then
|
if [ "$original_md5" != "$chrooted_md5" ]; then
|
||||||
failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
|
failed "IS_CHROOTED_BINARY_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
|
||||||
test "${VERBOSE}" = 1 || break
|
test "${VERBOSE}" = 1 || break
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
check_nginx_letsencrypt_uptodate() {
|
||||||
|
snippets=$(find /etc/nginx -type f -name "letsencrypt.conf")
|
||||||
|
while read -r snippet; do
|
||||||
|
if is_debian_jessie; then
|
||||||
|
if ! grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
|
||||||
|
failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 8."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
|
||||||
|
failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 9+."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done <<< "$snippets"
|
||||||
|
}
|
||||||
|
|
||||||
main() {
|
main() {
|
||||||
# Default return code : 0 = no error
|
# Default return code : 0 = no error
|
||||||
|
@ -1388,7 +1402,8 @@ main() {
|
||||||
test "${IS_OSPROBER:=1}" = 1 && check_osprober
|
test "${IS_OSPROBER:=1}" = 1 && check_osprober
|
||||||
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
|
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
|
||||||
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
|
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
|
||||||
test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate
|
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
|
||||||
|
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#-----------------------------------------------------------
|
#-----------------------------------------------------------
|
||||||
|
@ -1496,7 +1511,9 @@ main() {
|
||||||
exit ${RC}
|
exit ${RC}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# shellcheck disable=SC2034
|
||||||
readonly PROGNAME=$(basename "$0")
|
readonly PROGNAME=$(basename "$0")
|
||||||
|
# shellcheck disable=SC2034
|
||||||
readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
||||||
# shellcheck disable=2124
|
# shellcheck disable=2124
|
||||||
readonly ARGS=$@
|
readonly ARGS=$@
|
||||||
|
|
Loading…
Reference in a new issue