diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee794f8..b2f2728 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Security
+## [2.9.0] - 2021-02-22
+
+### Added
+
+* bkctld-init: install check_policy template
+* bkctld-upgrade-config: install check_policy template if missing
+* test: bkctld check-incs shouldn't fail without incs_policy file
+
+### Changed
+
+* Rename incs_policy template
+* bkctld-check-incs: Correct shellsheck warnings
+
+### Fixed
+
+* tests: clean jail configuration after each test
+* bkctld-check-incs: Protect `jail_config_epoch`
+
 ## [2.8.0] - 2020-11-28
 ### Added
diff --git a/lib/bkctld-check-incs b/lib/bkctld-check-incs
index 1a1f5c3..14093fe 100755
--- a/lib/bkctld-check-incs
+++ b/lib/bkctld-check-incs
@@ -7,7 +7,7 @@ set -u
 # shellcheck source=./includes
-LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
+LIBDIR="$(dirname "$0")" && . "${LIBDIR}/includes"
 # default return value is 0 (succes)
 rc=0
@@ -20,14 +20,14 @@ for jail_name in $("${LIBDIR}/bkctld-list"); do
     # Today in ISO format
     today_iso=$(date +"%Y-%m-%d")
-    # get jail last configuration date
-    jail_config_epoch=$(date --date "$(stat -c %y ${incs_policy_file})" +"%s")
-
     if [ -n "${incs_policy_file}" ]; then
-        # loop for each line in jail configuration
-        for line in $(cat ${incs_policy_file}); do
+        # get jail last configuration date
+        jail_config_epoch=$(date --date "$(stat -c %y "${incs_policy_file}")" +"%s")
+
+        # read each line in jail configuration
+        while read line; do
             # inc date in ISO format
-            inc_iso=$(relative_date ${line})
+            inc_iso=$(relative_date "${line}")
             # inc date in seconds from epoch
             inc_epoch=$(date --date "${inc_iso}" +"%s")
@@ -48,7 +48,7 @@ for jail_name in $("${LIBDIR}/bkctld-list"); do
                     echo "INFO: ${jail_name} : no inc expected for ${inc_iso}"
                 fi
             fi
-        done
+        done < "${incs_policy_file}"
     else
         echo "INFO: ${jail_name} : no inc expected at all"
     fi
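Review bot: `while read line; do` in the rewritten bkctld-check-incs loop reads without `-r`, so a backslash in a policy line is interpreted instead of reaching `relative_date`, and a final line with no trailing newline is silently skipped; prefer `while IFS= read -r line || [ -n "${line}" ]; do`. The replaced `for line in $(cat …)` also dropped blank lines and split on whitespace, whereas `read` now hands over whole lines, so an empty or `#`-comment line in incs_policy (if the template allows one) reaches `relative_date "${line}"` unfiltered — a `case "${line}" in ''|'#'*) continue ;; esac` before the call would keep the old tolerance, assuming relative_date does not already handle it. The loop body continues past this hunk and is closed by `done < "${incs_policy_file}"` in the following hunk; the enclosing `for jail_name` loop starts outside both.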
diff --git a/lib/bkctld-upgrade-config b/lib/bkctld-upgrade-config
index e835f7b..a0905af 100755
--- a/lib/bkctld-upgrade-config
+++ b/lib/bkctld-upgrade-config
@@ -45,3 +45,24 @@ elif [ -f "${legacy_incs_policy_file}" ]; then
     info "${jail_name}: config has been upgraded"
 fi
+
+check_policy_file=$(jail_check_policy_file "${jail_name}")
+if [ ! -f "${check_policy_file}" ]; then
+    check_policy_tpl="${TPLDIR}/check_policy.tpl"
+    test -f "${LOCALTPLDIR}/check_policy.tpl" && check_policy_tpl="${LOCALTPLDIR}/check_policy.tpl"
+    mkdir --parents "$(dirname "${check_policy_file}")"
+    install -m 0640 "${check_policy_tpl}" "${check_policy_file}"
+
+    info "${jail_name}: check_policy template ha been installed"
+fi
+
+legacy_incs_policy_tpl="${LOCALTPLDIR}/inc.tpl"
+incs_policy_tpl="${LOCALTPLDIR}/incs_policy.tpl"
+if [ -f "${legacy_incs_policy_tpl}" ]; then
+    # Create directory if missing
+    mkdir -p "$(jail_config_dir "${jail_name}")"
+    # move the main config file
+    mv -f "${legacy_incs_policy_tpl}" "${incs_policy_tpl}"
+
+    info "${jail_name}: incs_policy local template has been renamed"
+fi
diff --git a/lib/includes b/lib/includes
index c5870d9..f2aae3c 100755
--- a/lib/includes
+++ b/lib/includes
@@ -6,7 +6,7 @@
 [ -f /etc/default/bkctld ] && . /etc/default/bkctld
-VERSION="2.7.0"
+VERSION="2.9.0"
 LIBDIR=${LIBDIR:-/usr/lib/bkctld}
 CONFDIR="${CONFDIR:-/etc/evobackup}"
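Review bot: `mv -f "${legacy_incs_policy_tpl}" "${incs_policy_tpl}"` silently overwrites an `incs_policy.tpl` an administrator may already have created in LOCALTPLDIR next to the legacy `inc.tpl`, losing the newer file; the guard should be `if [ -f "${legacy_incs_policy_tpl}" ] && [ ! -f "${incs_policy_tpl}" ]; then` (or `mv -n`) with a warning when both exist. The `mkdir -p "$(jail_config_dir "${jail_name}")"` above it and the comment `# move the main config file` talk about the jail's config directory, but the `mv` target lives in the local template directory, so that mkdir does not guarantee the destination exists; it should create `"${LOCALTPLDIR}"` or be dropped and the comment changed to `# rename the legacy local template`. The user-facing message `check_policy template ha been installed` has a typo and should read `has been installed`.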
@@ -374,13 +374,20 @@ setup_jail_config() {
     info "4 - Copie default sshd_config"
     install -m 0640 "${sshd_config_tpl}" "${jail_sshd_config}"
-    inctpl="${TPLDIR}/inc.tpl"
-    test -f "${LOCALTPLDIR}/inc.tpl" && inctpl="${LOCALTPLDIR}/inc.tpl"
     info "5 - Copie default inc configuration"
+    incs_policy_tpl="${TPLDIR}/incs_policy.tpl"
+    test -f "${LOCALTPLDIR}/incs_policy.tpl" && incs_policy_tpl="${LOCALTPLDIR}/incs_policy.tpl"
     jail_incs_policy_file=$(jail_incs_policy_file "${jail_name}")
     mkdir --parents "$(dirname "${jail_incs_policy_file}")"
-    install -m 0640 "${inctpl}" "${jail_incs_policy_file}"
+    install -m 0640 "${incs_policy_tpl}" "${jail_incs_policy_file}"
+
+    check_policy_tpl="${TPLDIR}/check_policy.tpl"
+    test -f "${LOCALTPLDIR}/check_policy.tpl" && check_policy_tpl="${LOCALTPLDIR}/check_policy.tpl"
+    jail_check_policy_file=$(jail_check_policy_file "${jail_name}")
+    mkdir --parents "$(dirname "${jail_check_policy_file}")"
+    install -m 0640 "${check_policy_tpl}" "${jail_check_policy_file}"
+
     "${LIBDIR}/bkctld-port" "${jail_name}" auto
 }
diff --git a/test/checks.bats b/test/checks.bats
index f8e5c85..65a2ccc 100644
--- a/test/checks.bats
+++ b/test/checks.bats
@@ -235,4 +235,18 @@ OUT
     run /usr/lib/bkctld/bkctld-check-incs
     assert_equal "0" "$status"
 }
+
+@test "Check-incs doesn't fail without incs_policy file" {
+    # Delete all possible incs polixy files
+    rm -f /etc/evobackup/${JAILNAME}
+    rm -rf /etc/evobackup/${JAILNAME}.d/incs_policy
+
+    # Run bkctld-check-incs and store stderr in a file
+    local stderrPath="${BATS_TMPDIR}/${BATS_TEST_NAME}.stderr"
+    /usr/lib/bkctld/bkctld-check-incs 2> ${stderrPath}
+
+    # Verify if
+    run grep -E "^stat:" ${stderrPath}
+    assert_failure
+}
 # TODO: write many more tests for bkctld-check-incs
diff --git a/test/main.bats b/test/main.bats
index 7ebe490..7d7e7bb 100755
--- a/test/main.bats
+++ b/test/main.bats
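Review bot: The three-line template lookup (`x_tpl="${TPLDIR}/x.tpl"` followed by `test -f "${LOCALTPLDIR}/x.tpl" && x_tpl="${LOCALTPLDIR}/x.tpl"`) is now spelled out twice in this hunk and twice more in bkctld-upgrade-config, so the local-override rule lives in four places; a small helper in lib/includes such as `jail_tpl_path() { local t="${TPLDIR}/$1"; [ -f "${LOCALTPLDIR}/$1" ] && t="${LOCALTPLDIR}/$1"; printf '%s\n' "$t"; }` would let each site become `install -m 0640 "$(jail_tpl_path check_policy.tpl)" "${jail_check_policy_file}"`. `setup_jail_config()` begins outside the hunk.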
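Review bot: The new checks.bats test never examines the exit status of `bkctld-check-incs`, only that its stderr contains no `stat:` line, so it also passes when the script fails for an unrelated reason or cannot be executed at all (grep over an empty file fails just the same). Using `run /usr/lib/bkctld/bkctld-check-incs`, then `assert_success` and `refute_output --partial "stat:"`, pins both properties; `refute_output` comes from bats-assert, which the `assert_*` helpers already used here suggest is loaded. The unquoted `${JAILNAME}` in both `rm` lines and `${stderrPath}` on the redirect should be quoted, the comment `# Verify if` is unfinished (`# Verify that stat never complained about a missing policy file`), and `polixy` should read `policy`.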
@@ -15,6 +15,16 @@ load test_helper
     fi
 }
+@test "New jail should have a incs_policy file" {
+    run test -f "/etc/evobackup/${JAILNAME}.d/incs_policy"
+    assert_success
+}
+
+@test "New jail should have a check_policy file" {
+    run test -f "/etc/evobackup/${JAILNAME}.d/check_policy"
+    assert_success
+}
+
 @test "A jail should be able to be started" {
     /usr/lib/bkctld/bkctld-start "${JAILNAME}"
     pid=$(cat "${JAILPATH}/${SSHD_PID}")
diff --git a/test/test_helper.bash b/test/test_helper.bash
index 386180b..b0cf5d3 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -20,7 +20,8 @@ setup() {
 teardown() {
     remove_variable "/etc/default/bkctld" "BACKUP_DISK"
-    FORCE=1 /usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCSPATH}"
+    FORCE=1 /usr/lib/bkctld/bkctld-remove "${JAILNAME}" \
+        && rm -rf "${INCSPATH}" "/etc/evobackup/${JAILNAME}" "/etc/evobackup/${JAILNAME}.d"
 }
 random_jail_name() {
diff --git a/tpl/check_policy.tpl b/tpl/check_policy.tpl
new file mode 100644
index 0000000..e462801
--- /dev/null
+++ b/tpl/check_policy.tpl
@@ -0,0 +1,3 @@
+## Uncomment and adapt thresholds (values are in hours)
+# WARNING=24
+# CRITICAL=48
diff --git a/tpl/inc.tpl b/tpl/incs_policy.tpl
similarity index 100%
rename from tpl/inc.tpl
rename to tpl/incs_policy.tpl
diff --git a/zzz_evobackup b/zzz_evobackup
index 7826ed2..c9e4957 100755
--- a/zzz_evobackup
+++ b/zzz_evobackup
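Review bot: The widened `rm -rf` in teardown() now removes `"/etc/evobackup/${JAILNAME}"` and `"/etc/evobackup/${JAILNAME}.d"`, so if JAILNAME is ever empty when teardown runs (for instance a setup() that failed before assigning it) the paths collapse to `/etc/evobackup/` and `/etc/evobackup/.d`, wiping every jail's configuration on the test host. Guard the expansions so an empty name aborts instead: `&& rm -rf "${INCSPATH:?}" "/etc/evobackup/${JAILNAME:?}" "/etc/evobackup/${JAILNAME:?}.d"`. Because the cleanup hangs off `bkctld-remove … &&`, it is skipped entirely when removal fails, which may be intended so a broken jail stays inspectable, but a one-line comment saying so would help. setup() and the rest of test_helper.bash are outside the hunk.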
@@ -32,17 +32,18 @@ SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
 # timeout (in seconds) for SSH connections
 SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90}
-## We use /home/backup : feel free to use your own dir
+# We use /home/backup : feel free to use your own dir
 LOCAL_BACKUP_DIR="/home/backup"
 # You can set "linux" or "bsd" manually or let it choose automatically
 SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
-# Change these 2 variables if you have more than one backup cron
-PIDFILE="/var/run/evobackup.pid"
-LOGFILE="/var/log/evobackup.log"
+# Store pid and logs in a file named after this program's name
+PROGNAME=$(basename $0)
+PIDFILE="/var/run/${PROGNAME}.pid"
+LOGFILE="/var/log/${PROGNAME}.log"
-## Enable/Disable tasks
+# Enable/Disable tasks
 LOCAL_TASKS=${LOCAL_TASKS:-1}
 SYNC_TASKS=${SYNC_TASKS:-1}
@@ -145,6 +146,8 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
     # You can comment or uncomment sections below to customize the backup
     ## OpenLDAP : example with slapcat
+    # slapcat -n 0 -l ${LOCAL_BACKUP_DIR}/config.ldap.bak
+    # slapcat -n 1 -l ${LOCAL_BACKUP_DIR}/data.ldap.bak
     # slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak
     ## MySQL
@@ -403,6 +406,7 @@ if [ "${SYNC_TASKS}" = "1" ]; then
         --exclude "/var/log/evobackup*" \
         --exclude "/var/run" \
         --exclude "/var/spool/postfix" \
+        --exclude "/var/spool/smtpd" \
         --exclude "/var/spool/squid" \
         --exclude "/var/state" \
         --exclude "lxc/*/rootfs/usr/doc" \
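Review bot: LOGFILE is now derived from `$0`, so for this script as shipped (`zzz_evobackup`) it becomes `/var/log/zzz_evobackup.log`, which no longer matches the `--exclude "/var/log/evobackup*"` left unchanged as context in the rsync hunk further down; the log being written by the running backup will itself be synced unless that line becomes `--exclude "/var/log/${PROGNAME}*" \` (and the same holds for any other name the script is installed under). `PROGNAME=$(basename $0)` should quote its argument: `PROGNAME=$(basename "$0")`. Since PIDFILE follows the script name too, two copies installed under different names no longer share a lock and can run concurrently against the same LOCAL_BACKUP_DIR, which appears to be the intent of the comment but is worth stating there explicitly.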