Merge branch 'master' into IS_NETWORKING_SERVICE

CHANGELOG

@@ -15,11 +15,22 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 
 ### Security
 
+## [22.06] 2022-06-03
+
+### Added
+
+* IS_AUTOIF: Ignore WireGuard interfaces
+* IS_NETWORKING_SERVICE: check if networking service is enabled
+
+### Changed
+
+* IS_DEBIANSECURITY: Fix Debian security repo for Bullseye, cf https://www.debian.org/releases/stable/errata
+
 ## [22.05] 2022-05-12
 
 ### Changed
 
-IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command
+* IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command
 
 ## [22.04.1] 2022-04-25
 

evocheck.sh

@@ -4,7 +4,7 @@
 # Script to verify compliance of a Debian/OpenBSD server
 # powered by Evolix
 
-VERSION="22.05"
+VERSION="22.06"
 readonly VERSION
 
 # base functions
@@ -236,11 +236,11 @@ check_debiansecurity() {
     if is_debian_bullseye; then
         # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
         # https://www.debian.org/security/
-        pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main"
+        pattern="^deb  ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main"
     elif is_debian_buster; then
-        pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
+        pattern="^deb  ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main"
     elif is_debian_stretch; then
-        pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
+        pattern="^deb  ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main"
     else
         pattern="^deb.*security"
     fi
@@ -363,7 +363,7 @@ check_alert5minifw() {
 }
 check_minifw() {
     /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
-        || failed "IS_MINIFW" "minifirewall seems not starded"
+        || failed "IS_MINIFW" "minifirewall seems not started"
 }
 check_minifw_includes() {
     if is_debian_bullseye; then
@@ -577,7 +577,7 @@ check_network_interfaces() {
 # Verify if all if are in auto
 check_autoif() {
     if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
-        interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
+        interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
     else
         interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
     fi
@@ -1217,14 +1217,20 @@ check_usrsharescripts() {
     test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
 }
 check_sshpermitrootno() {
-    if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
-        if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
-            grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
-                || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
-        fi
+    sshd_args="-C addr=,user=,host=,laddr=,lport=0"
+    if is_debian_jessie || is_debian_stretch; then
+	# Noop, we'll use the default $sshd_args
+        :
+    elif is_debian_buster; then
+	sshd_args="${sshd_args},rdomain="
     else
-        grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
-            || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
+	# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
+        # -T doesn't require the additional -C.
+	sshd_args=
+    fi
+    # XXX: We want parameter expension here
+    if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
+       failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
     fi
 }
 check_evomaintenanceusers() {