Release 10.0.0 #100
|
@ -56,7 +56,7 @@ The **patch** part changes incrementally at each release.
|
|||
* bind: change name of logrotate file to bind9
|
||||
* certbot: commit hook must be executed at the end
|
||||
* elasticsearch: listen on local interface only by default
|
||||
* evocheck: upstream version 20.04.1
|
||||
* evocheck: upstream version 20.04.2
|
||||
* evocheck: cron jobs execute in verbose
|
||||
* evolinux-base: use "evolinux_internal_group" for SSH authentication
|
||||
* evolinux-base: Don't customize the logcheck recipient by default.
|
||||
|
|
|
@ -4,6 +4,8 @@
|
|||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
|
||||
readonly VERSION="20.04.2"
|
||||
|
||||
# base functions
|
||||
|
||||
show_version() {
|
||||
|
@ -1239,6 +1241,29 @@ check_apt_valid_until() {
|
|||
fi
|
||||
}
|
||||
|
||||
check_chrooted_binary_not_uptodate() {
|
||||
# list of processes to check
|
||||
process_list="sshd"
|
||||
for process_name in ${process_list}; do
|
||||
# what is the binary path?
|
||||
original_bin=$(command -v "${process_name}")
|
||||
for pid in $(pgrep ${process_name}); do
|
||||
process_bin=$(realpath /proc/${pid}/exe)
|
||||
# Is the process chrooted?
|
||||
real_root=$(realpath /proc/${pid}/root)
|
||||
if [ "${real_root}" != "/" ]; then
|
||||
chrooted_md5=$(md5sum "${process_bin}" | cut -f 1 -d ' ')
|
||||
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
|
||||
# compare md5 checksums
|
||||
if [ "$original_md5" != "$chrooted_md5" ]; then
|
||||
failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
|
||||
test "${VERBOSE}" = 1 || break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
main() {
|
||||
# Default return code : 0 = no error
|
||||
RC=0
|
||||
|
@ -1363,6 +1388,7 @@ main() {
|
|||
test "${IS_OSPROBER:=1}" = 1 && check_osprober
|
||||
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
|
||||
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
|
||||
test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate
|
||||
fi
|
||||
|
||||
#-----------------------------------------------------------
|
||||
|
@ -1475,8 +1501,6 @@ readonly PROGDIR=$(realpath -m "$(dirname "$0")")
|
|||
# shellcheck disable=2124
|
||||
readonly ARGS=$@
|
||||
|
||||
readonly VERSION="20.04.1"
|
||||
|
||||
# Disable LANG*
|
||||
export LANG=C
|
||||
export LANGUAGE=C
|
||||
|
|
Loading…
Reference in a new issue