Evocheck is a Bash script to check the conformity of an Evolix server.
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Go to file
Mathieu Trossevin 442d1446b5
fix(check_nrpepid): bookworm should be checked like bullseye
3 weeks ago
linux fix(check_nrpepid): bookworm should be checked like bullseye 3 weeks ago
openbsd OpenBSD - check_mount: removed useless echo 1 month ago
.drone.yml prepare linux/openbsd split 9 months ago
.gitignore prepare linux/openbsd split 9 months ago
README.md README: Add pre-tasks for release 4 months ago

README.md

Evocheck

It runs many compliance checks of the server with Evolix conventions. Non-compliance warnings are printed on standard output.

It supports Debian and OpenBSD systems.

Some checks can be disabled in the /etc/evocheck.cf config file.

Tests can be run with Vagrant and the provided VagrantFile.

How to contribute

Read the CONTRIBUTING.md file.

Try to respect the following conventions.

Use the verbose mode to explain errors

The failed function takes a mandatory first argument for the check name and a secondary optional argument for the message to display in verbose mode. Example :

test -f /path/to/file || failed "IS_FILE_EXISTS" "Missing file \`/path/to/file'"

If the test is in a loop and might yield multiple errors, It's better to print a single error in normal mode and every error in verbose mode.

for user in $users; do
    if ! groups "$user" | grep -q adm; then
        failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
        test "${VERBOSE}" = 1 || break
    fi
done

In a single check with multiple conditions, the verbose message helps determine which condition failed. Example :

if [ "$last_upgrade" -eq 0 ]; then
    [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
    [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi

Use existing predicates

There are a few predicate functions that help making conditionals.

For Debian versions : is_debian, is_debian_stretch, is_debian_jessie… For packs : is_pack_web, is_pack_samba. For installed packages : is_installed <package> [<package>].

Extact variables

It's better not to inline function calls inside tests. Instead of this :

test "$(stat --format "%a" $MINIFW_FILE)" = "600" || failed "IS_MINIFWPERMS"

… prefer that :

actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"

Verify assumptions

It's better to verify that a file, a directory or a command is present before using it, even if it's true in more than 99% of situations.

How to build the package for a new Debian release

Pre-tasks:

  • Execute shellcheck on scripts *.sh and fix or disable the relevant checks.
  • Prepare linux/CHANGELOG and openbsd/CHANGELOG for release.
  • Update version number is scripts :
sed -i 's/VERSION=".*"/VERSION="<MAJOR>.<MINOR>"/g' */evocheck*.sh

On the master branch, add the last stable version with a release tag.

git tag -s v<VERSION> -m 'New release'
git push --tags

Checkout the branch debian, merge the master branch.

git checkout debian
git merge master --no-ff
dch -v <VERSION>-1
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-ignore-new

If the build is OK, you can now build the final package.

dch -D stretch -r
gbp buildpackage --git-debian-branch=debian --git-upstream-tree=master --git-export-dir=/tmp/build-area --git-tag --git-sign --git-keyid=<KEY>

Testing

Evocheck can be tested with Vagrant, if you don't have installed it yet :

apt install vagrant vagrant-libvirt

You can now start your Vagrant machine and connect to it :

vagrant up
vagrant ssh
sudo -i

Evocheck can be run with :

/usr/share/scripts/evocheck.sh

Deployment

Launch vagrant rsync-auto in a terminal to automatically synchronise your local code with the Vagrant VM :

vagrant rsync-auto

License

This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.