Evocheck

It runs many compliance checks of the server with Evolix conventions. Non-compliance warnings are printed on standard output.

It supports Debian and OpenBSD systems.

Some checks can be disabled in the /etc/evocheck.cf config file.

Tests can be run with Vagrant and the provided VagrantFile.

How to contribute

Read the CONTRIBUTING.md file.

Try to respect the following conventions.

Use the verbose mode to explain errors

The failed function takes a mandatory first argument for the check name and a secondary optional argument for the message to display in verbose mode. Example :

test -f /path/to/file || failed "IS_FILE_EXISTS" "Missing file \`/path/to/file'"

If the test is in a loop and might yield multiple errors, It's better to print a single error in normal mode and every error in verbose mode.

for user in $users; do
    if ! groups "$user" | grep -q adm; then
        failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
        test "${VERBOSE}" = 1 || break
    fi
done

In a single check with multiple conditions, the verbose message helps determine which condition failed. Example :

if [ "$last_upgrade" -eq 0 ]; then
    [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
    [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi

Use existing predicates

There are a few predicate functions that help making conditionals.

For Debian versions : is_debian, is_debian_stretch, is_debian_jessie… For packs : is_pack_web, is_pack_samba. For installed packages : is_installed <package> [<package>].

Extact variables

It's better not to inline function calls inside tests. Instead of this :

test "$(stat --format "%a" $MINIFW_FILE)" = "600" || failed "IS_MINIFWPERMS"

… prefer that :

actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"

Verify assumptions

It's better to verify that a file, a directory or a command is present before using it, even if it's true in more than 99% of situations.

How to build the package for a new Debian release

Pre-tasks:

• Execute shellcheck on scripts *.sh and fix or disable the relevant checks.
• Prepare linux/CHANGELOG and openbsd/CHANGELOG for release.
• Update version number is scripts :

sed -i 's/VERSION=".*"/VERSION="<MAJOR>.<MINOR>"/g' */evocheck*.sh

On the master branch, add the last stable version with a release tag.

git tag -s v<VERSION> -m 'New release'
git push --tags

Checkout the branch debian, merge the master branch.

git checkout debian
git merge master --no-ff
dch -v <VERSION>-1
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new

If the build is OK, you can now build the final package.

dch -D stretch -r
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid=<KEY>

Testing

Evocheck can be tested with Vagrant, if you don't have installed it yet :

apt install vagrant vagrant-libvirt

You can now start your Vagrant machine and connect to it :

vagrant up
vagrant ssh
sudo -i

Evocheck can be run with :

/usr/share/scripts/evocheck.sh

Deployment

Launch vagrant rsync-auto in a terminal to automatically synchronise your local code with the Vagrant VM :

vagrant rsync-auto

License

This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.