Evocheck is a Bash script to check the conformity of an Evolix server.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jérémy Lecour 21e0c79570 it was a bad idea 1 month ago
.drone.yml Update .drone.yml for use evolix repository 7 months ago
.gitignore Added gitignore 4 months ago
CHANGELOG Release 19.11.2 1 month ago
CONTRIBUTING.md Update CONTRIBUTING.md 2 years ago
LICENSE Add LICENSE: GNU GENERAL PUBLIC LICENSE v3 11 months ago
README.md Add conventions to the README 8 months ago
Vagrantfile Fix shell error on vagrant provision and rm old config 11 months ago
evocheck.cf Annule un gros bug dans evomaintenance.cf ... 7 years ago
evocheck.sh it was a bad idea 1 month ago

README.md

Evocheck

It runs many compliance checks of the server with Evolix conventions. Non-compliance warnings are printed on standard output.

It supports Debian and OpenBSD systems.

Some checks can be disabled in the /etc/evocheck.cf config file.

Tests can be run with Vagrant and the provided VagrantFile.

How to contribute

Read the CONTRIBUTING.md file.

Try to respect the following conventions.

Use the verbose mode to explain errors

The failed function takes a mandatory first argument for the check name and a secondary optional argument for the message to display in verbose mode. Example :

test -f /path/to/file || failed "IS_FILE_EXISTS" "Missing file \`/path/to/file'"

If the test is in a loop and might yield multiple errors, It’s better to print a single error in normal mode and every error in verbose mode.

for user in $users; do
    if ! groups "$user" | grep -q adm; then
        failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
        test "${VERBOSE}" = 1 || break
    fi
done

In a single check with multiple conditions, the verbose message helps determine which condition failed. Example :

if [ "$last_upgrade" -eq 0 ]; then
    [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
    [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi

Use existing predicates

There are a few predicate functions that help making conditionals.

For Debian versions : is_debian, is_debian_stretch, is_debian_jessie… For packs : is_pack_web, is_pack_samba. For installed packages : is_installed <package> [<package>].

Extact variables

It’s better not to inline function calls inside tests. Instead of this :

test "$(stat --format "%a" $MINIFW_FILE)" = "600" || failed "IS_MINIFWPERMS"

… prefer that :

actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"

Verify assumptions

It’s better to verify that a file, a directory or a command is present before using it, even if it’s true in more than 99% of situations.

How to build the package for a new Debian release

On the master branch, add the last stable version with a release tag.

git tag -s v<VERSION> -m 'New release'
git push --tags

Checkout the branch debian, merge the master branch.

git checkout debian
git merge master --no-ff
dch -v <VERSION>-1
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new

If the build is OK, you can now build the final package.

dch -D stretch -r
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid=<KEY>

Testing

Evocheck can be tested with Vagrant, if you don’t have installed it yet :

apt install vagrant vagrant-libvirt

You can now start your Vagrant machine and connect to it :

vagrant up
vagrant ssh
sudo -i

Evocheck can be run with :

/usr/share/scripts/evocheck.sh

Deployment

Launch vagrant rsync-auto in a terminal to automatically synchronise your local code with the Vagrant VM :

vagrant rsync-auto

License

This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.