Jérémy Lecour
7041505446
|
||
|---|---|---|
| linux | ||
| openbsd | ||
| .drone.yml | ||
| .gitignore | ||
| README.md | ||
README.md
Evocheck
It runs many compliance checks of the server with Evolix conventions. Non-compliance warnings are printed on standard output.
It supports Debian and OpenBSD systems.
Some checks can be disabled in the /etc/evocheck.cf config file.
Tests can be run with Vagrant and the provided VagrantFile.
How to contribute
Read the CONTRIBUTING.md file.
Try to respect the following conventions.
Use the verbose mode to explain errors
The failed function takes a mandatory first argument for the check name and a secondary optional argument for the message to display in verbose mode. Example :
test -f /path/to/file || failed "IS_FILE_EXISTS" "Missing file \`/path/to/file'"
If the test is in a loop and might yield multiple errors, It's better to print a single error in normal mode and every error in verbose mode.
for user in $users; do
if ! groups "$user" | grep -q adm; then
failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
test "${VERBOSE}" = 1 || break
fi
done
In a single check with multiple conditions, the verbose message helps determine which condition failed. Example :
if [ "$last_upgrade" -eq 0 ]; then
[ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
[ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi
Use existing predicates
There are a few predicate functions that help making conditionals.
For Debian versions : is_debian, is_debian_stretch, is_debian_jessie…
For packs : is_pack_web, is_pack_samba.
For installed packages : is_installed <package> [<package>].
Extract variables
It's better not to inline function calls inside tests. Instead of this :
test "$(stat --format "%a" $MINIFW_FILE)" = "600" || failed "IS_MINIFWPERMS"
… prefer that :
actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
Verify assumptions
It's better to verify that a file, a directory or a command is present before using it, even if it's true in more than 99% of situations.
How to build the package for a new Debian release
Pre-tasks:
- Execute shellcheck on scripts
*.shand fix or disable the relevant checks. - Prepare
linux/CHANGELOGandopenbsd/CHANGELOGfor release. - Update version number is scripts :
sed -i 's/VERSION=".*"/VERSION="<MAJOR>.<MINOR>"/g' */evocheck*.sh
On the master branch, add the last stable version with a release tag.
git tag -s v<VERSION> -m 'New release'
git push --tags
Checkout the branch debian, merge the master branch.
git checkout debian
git merge master --no-ff
dch -v <VERSION>-1
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new
If the build is OK, you can now build the final package.
dch -D stretch -r
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid=<KEY>
Testing
Evocheck can be tested with Vagrant, if you don't have installed it yet :
apt install vagrant vagrant-libvirt
You can now start your Vagrant machine and connect to it :
vagrant up
vagrant ssh
sudo -i
Evocheck can be run with :
/usr/share/scripts/evocheck.sh
Deployment
Launch vagrant rsync-auto in a terminal to automatically synchronise your local code with the Vagrant VM :
vagrant rsync-auto
License
This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.