linux | ||
openbsd | ||
.drone.yml | ||
.gitignore | ||
LICENSE | ||
README.md |
Evocheck
It runs many compliance checks of the server with Evolix conventions. Non-compliance warnings are printed on standard output.
It supports Debian and OpenBSD systems.
Some checks can be disabled in the /etc/evocheck.cf
config file.
Tests can be run with Vagrant and the provided VagrantFile
.
How to contribute
- Write your commits English
- Always do a Merge Request
- Try to respect the following conventions:
Use the verbose mode to explain errors
The failed
function takes a mandatory first argument for the check name and a secondary optional argument for the message to display in verbose mode. Example :
test -f /path/to/file || failed "IS_FILE_EXISTS" "Missing file \`/path/to/file'"
If the test is in a loop and might yield multiple errors, It's better to print a single error in normal mode and every error in verbose mode.
for user in $users; do
if ! groups "$user" | grep -q adm; then
failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
test "${VERBOSE}" = 1 || break
fi
done
In a single check with multiple conditions, the verbose message helps determine which condition failed. Example :
if [ "$last_upgrade" -eq 0 ]; then
[ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
[ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi
Use existing predicates
There are a few predicate functions that help making conditionals.
For Debian versions : is_debian
, is_debian_stretch
, is_debian_jessie
…
For packs : is_pack_web
, is_pack_samba
.
For installed packages : is_installed <package> [<package>]
.
Extract variables
It's better not to inline function calls inside tests. Instead of this :
test "$(stat --format "%a" $MINIFW_FILE)" = "600" || failed "IS_MINIFWPERMS"
… prefer that :
actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
Verify assumptions
It's better to verify that a file, a directory or a command is present before using it, even if it's true in more than 99% of situations.
How to build the package for a new Debian release
Pre-tasks:
- Execute shellcheck on scripts
*.sh
and fix or disable the relevant checks. - Prepare
linux/CHANGELOG
andopenbsd/CHANGELOG
for release. - Update version number is scripts :
sed -i 's/VERSION=".*"/VERSION="<MAJOR>.<MINOR>"/g' */evocheck*.sh
On the master branch, add the last stable version with a release tag.
git tag -s v<VERSION> -m 'New release'
git push --tags
Checkout the branch debian, merge the master branch.
git checkout debian
git merge master --no-ff
dch -v <VERSION>-1
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new
If the build is OK, you can now build the final package.
dch -D stretch -r
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid=<KEY>
Testing
Evocheck can be tested with Vagrant, if you don't have installed it yet :
apt install vagrant vagrant-libvirt
You can now start your Vagrant machine and connect to it :
vagrant up
vagrant ssh
sudo -i
Evocheck can be run with :
/usr/share/scripts/evocheck.sh
Deployment
Launch vagrant rsync-auto in a terminal to automatically synchronise your local code with the Vagrant VM :
vagrant rsync-auto
License
This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.