Many improvements and bump to version 22.03. See CHANGELOG

2022-03-10 16:46:31 +01:00 · 2022-03-10 16:46:31 +01:00 · 3fcab1eeb3
parent 11d77659a0
commit 3fcab1eeb3
2 changed files with 288 additions and 134 deletions
--- a/31
+++ b/31
@ -7,6 +7,37 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ## [22.03] - 2022-03-10
 ### Added
 - check_evomaintenanceconf : check existence and rights of evomaintenance conf file
 - Added check_nrpeopensmtpd to ensure that opensmtpd is used for mailq nrpe check
 - Added check_sshallowusers to ensure that AllowUsers or AllowGroups directive is present in sshd_config
 - Added check_evobackup_exclude_mount to ensure that NFS mounts are excluded from backup
 - Added check_etcgit to ensure that /etc is a git repository
 - Added check_evolinuxsudogroup to ensure that evolinux-sudo is properly configured in sudo if group exist
 - Added check_bind9munin to ensure that a plugin for bind is configured when munin is installed
 - Added check_evolix_user to ensure that evolix user does not exist
 - Added check_versions and its functions (download_versions, get_command, get_version, check_version, add_to_path) to ensure that custom scripts are up to date
 ### Changed
 - Overall improvement of evocheck : reordering, splitting version and help options, adding comments, developping some functions so they are more comprehensible
 - Improved check_umasksudoers to have a more complete grep
 - Updated check_history to reflect the new HISTSIZE value
 - Renamed check_tmp1777 and check_root0700 respectively to check_tmp_1777 and check_root_0700
 - Improved check_tmp_1777, check_root_0700, check_usrsharescripts in the way the folders rights are checked
 ### Fixed
 - Fixed check_uptime : it didn't work at all, and tried to get uptime in the wrong way
 - Fixed check_evomaintenanceusers : sudo is not used for the evomaintenance trap, doas is ; and users were not found the better way
 ### Removed
 - Removed empty check_pfcustom
 ## [21.10] - 2021-10-07
 ### Fixed
--- a/evocheck.sh
+++ b/evocheck.sh
@ -3,67 +3,46 @@
 # EvoCheck
 # Script to verify compliance of an OpenBSD server powered by Evolix
-readonly VERSION="21.10"
+readonly VERSION="22.03"
-# Disable LANG*
+# base functions
-export LANG=C
+show_version() {
 export LANGUAGE=C
 # Default return code : 0 = no error
 RC=0
 # Verbose function
 verbose() {
    msg="${1:-$(cat /dev/stdin)}"
    [ "${VERBOSE}" -eq 1 ] && [ -n "${msg}" ] && echo "${msg}"
 }
 # Source configuration file
 test -f /etc/evocheck.cf && . /etc/evocheck.cf
 # Functions
 show_help() {
    cat <<END
-NAME:
+evocheck version ${VERSION}
   evocheck - a system configuration verification tool
-VERSION:
+Copyright 2009-2021 Evolix <info@evolix.fr>,
-   ${VERSION}
+                    Romain Dessort <rdessort@evolix.fr>,
                    Benoit Série <bserie@evolix.fr>,
                    Gregory Colpart <reg@evolix.fr>,
                    Jérémy Lecour <jlecour@evolix.fr>,
                    Tristan Pilat <tpilat@evolix.fr>,
                    Victor Laborie <vlaborie@evolix.fr>,
                    Jérémy Dubois <jdubois@evolix.fr>
                    and others.
-DESCRIPTION:
+evocheck comes with ABSOLUTELY NO WARRANTY.  This is free software,
-   A script that verifies Evolix conventions on OpenBSD servers
+and you are welcome to redistribute it under certain conditions.
-
+See the GNU General Public License v3.0 for details.
 AUTHORS:
   Benoit Serie <bserie@evolix.fr>
   Gregory Colpart <reg@evolix.fr>
   Jeremy Dubois <jdubois@evolix.fr>
   Jeremy Lecour <jlecour@evolix.fr>
   Ludovic Poujol <lpoujol@evolix.fr>
   Romain Dessort <rdessort@evolix.fr>
   Tristan Pilat <tpilat@evolix.fr>
   Victor Laborie <vlaborie@evolix.fr>
 USAGE: evocheck
   or  evocheck --cron 
   or  evocheck --quiet 
   or  evocheck --verbose 
 OPTIONS:
       --cron                  disable a few checks
   -v, --verbose               increase verbosity of checks
   -q, --quiet                 nothing is printed on stdout nor stderr
   -h, --help, --version       print this message and exit
 COPYRIGHT:
   evocheck comes with ABSOLUTELY NO WARRANTY. This is free software,
   and you are welcome to redistribute it under certain conditions.
   See the GNU General Public License v3.0 for details. 2009-2020
 END
 }
 show_help() {
    cat <<END
 evocheck is a script that verifies Evolix conventions on OpenBSD servers.
 Usage: evocheck
  or   evocheck --cron
  or   evocheck --quiet
  or   evocheck --verbose
 Options
     --cron                  disable a few checks
 -v, --verbose               increase verbosity of checks
 -q, --quiet                 nothing is printed on stdout nor stderr
 -h, --help                  print this message and exit
     --version               print version and exit
 END
 }
 is_installed(){
    for pkg in "$@"; do
 	pkg_info | grep -q $pkg || return 1
@ -71,6 +50,7 @@ is_installed(){
 }
 # logging
 failed() {
    check_name=$1
    shift
@ -86,41 +66,31 @@ failed() {
    fi
 }
-
+# check functions
 # If --cron is passed, ignore some checks.
 if [ "$1" = "--cron" ]; then
    IS_KERNELUPTODATE=0
    IS_UPTIME=0
 fi
 check_umasksudoers(){
-    grep -E -qr "umask=0077" /etc/sudoers* || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
+    grep -Rq "^Defaults.*umask=0077" /etc/sudoers* || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
 }
 check_tmpnoexec(){
    mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option"
 }
 check_softdep(){
    if [ $(grep -c softdep /etc/fstab) -ne $(grep -c ffs /etc/fstab) ]; then
        failed "IS_SOFTDEP" "All partitions should have the softdep option"
    fi
 }
 check_noatime(){
    if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then
        failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
    fi
 }
 check_tmoutprofile(){
    if [ -f /etc/skel/.profile ]; then
-        grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "In order to fix, add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
+        grep -q TMOUT= /etc/skel/.profile /root/.profile || failed "IS_TMOUTPROFILE" "Add 'export TMOUT=36000' to both /etc/skel/.profile and /root/.profile files"
    else
        failed "IS_TMOUTPROFILE" "File /etc/skel/.profile does not exist. Both /etc/skel/.profile and /root/.profile should contain at least 'export TMOUT=36000'"
    fi
 }
 check_raidok(){
    egrep 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1
    RESULT=$?
@ -132,7 +102,6 @@ check_raidok(){
        fi
    fi
 }
 check_evobackup(){
    if [ -f /etc/daily.local ]; then
        grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
@ -140,7 +109,6 @@ check_evobackup(){
        failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
    fi
 }
 check_uptodate(){
    if [ $(command -v syspatch) ]; then
        if syspatch -c | egrep "." 1> /dev/null 2>&1; then
@ -148,13 +116,12 @@ check_uptodate(){
        fi
    fi
 }
 check_uptime(){
-    if [ $(uptime | cut -d" " -f 4) -gt 365 ]; then
+    let "uptime = $(date +"%s") - $(sysctl -n kern.boottime)"
-        failed "IS_UPTIME" "The server is running for more than a year!"
+    if [ "$uptime" -gt "$(( 2*365*24*60*60 ))" ]; then
        failed "IS_UPTIME" "The server has an uptime of more than 2 years, reboot on new kernel advised"
    fi
 }
 check_backupuptodate(){
    backup_dir="/home/backup"
    if [ -d "${backup_dir}" ]; then
@ -175,11 +142,14 @@ check_backupuptodate(){
        failed "IS_BACKUPUPTODATE" "${backup_dir}/ is missing"
    fi
 }
-
+check_gitperms() {
-check_gitperms(){
+    GIT_DIR="/etc/.git"
-    test -d /etc/.git && [ "$(stat -f %p /etc/.git/)" = "40700" ] || failed "IS_GITPERMS" "The directiry /etc/.git sould be in 700"
+    if test -d $GIT_DIR; then
        expected="40700"
        actual=$(stat -f "%p" $GIT_DIR)
        [ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be 700"
    fi
 }
 check_carpadvbase(){
    if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
        bad_advbase=0
@ -193,7 +163,6 @@ check_carpadvbase(){
        fi
    fi
 }
 check_carppreempt(){
    if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
        preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
@ -207,7 +176,6 @@ check_carppreempt(){
        fi
    fi
 }
 check_rebootmail(){
    if [ -f /etc/rc.local ]; then
        grep -qE '^date \| mail -s "boot/reboot of' /etc/rc.local || failed "IS_REBOOTMAIL" "Make sure the line 'date | mail -s \"boot/reboot of \$hostname' is present in the /etc/rc.local file!"
@ -215,111 +183,106 @@ check_rebootmail(){
        failed "IS_REBOOTMAIL" "Make sure /etc/rc.local exist and 'date | mail -s \"boot/reboot of \$hostname' is present!"
    fi
 }
 check_pfenabled(){
    if pfctl -si | grep Disabled 1> /dev/null 2>&1; then
        failed "IS_PFENABLED" "PF is disabled! Make sure pf=NO is absent from /etc/rc.conf.local and carefully run pfctl -e"
    fi
 }
 check_pfcustom(){
 }
 check_wheel(){
    if [ -f /etc/sudoers ]; then
        grep -qE "^%wheel.*$" /etc/sudoers || failed "IS_WHEEL" ""
    fi
 }
 check_pkgmirror(){
    grep -qE "^https://cdn\.openbsd\.org/pub/OpenBSD" /etc/installurl || failed "IS_PKGMIRROR" "Check whether the right repo is present in the /etc/installurl file"
 }
 check_history(){
    file=/root/.profile
-    grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=10000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=10000' are present in /root/.profile"
+    grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=100000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=100000' are present in /root/.profile"
 }
 check_vim(){
    if ! is_installed vim; then
        failed "IS_VIM" "vim is not installed! Please add with pkg_add vim"
    fi
 }
 check_ttyc0secure(){
    grep -Eqv "^ttyC0.*secure$" /etc/ttys || failed "IS_TTYC0SECURE" "First tty should be secured"
 }
 check_customsyslog(){
    grep -q EvoBSD /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" ""
 }
 check_sudomaint(){
    file=/etc/sudoers
    grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \
    && grep -q "%wheel ALL=NOPASSWD: MAINT" $file \
    || failed "IS_SUDOMAINT" ""
 }
 check_nrpe(){
    if ! is_installed monitoring-plugins || ! is_installed nrpe; then
        failed "IS_NRPE" "nrpe and/or monitoring-plugins are not installed! Please add with pkg_add nrpe monitoring-plugins"
    fi 
 }
 check_rsync(){
    if ! is_installed rsync; then
        failed "IS_RSYNC" "rsync is not installed! Please add with pkg_add rsync"
    fi
 }
 check_cronpath(){
    grep -q "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/share/scripts" /var/cron/tabs/root || failed "IS_CRONPATH" ""
 }
-
+check_tmp_1777(){
-check_tmp1777(){
+    actual=$(stat -f "%p" /tmp)
-    ls -ld /tmp | grep -q drwxrwxrwt || failed "IS_TMP_1777" ""
+    expected="41777"
    test "$expected" = "$actual" || failed "IS_TMP_1777" "/tmp must be 1777"
 }
-
+check_root_0700(){
-check_root0700(){
+    actual=$(stat -f "%p" /root)
-    ls -ld /root | grep -q drwx------ || failed "IS_ROOT_0700" ""
+    expected="40700"
    test "$expected" = "$actual" || failed "IS_ROOT_0700" "/root must be 700"
 }
 check_usrsharescripts(){
-    ls -ld /usr/share/scripts | grep -q drwx------ || failed "IS_USRSHARESCRIPTS" ""
+    actual=$(stat -f "%p" /usr/share/scripts)
    expected="40700"
    test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be 700"
 }
 check_sshpermitrootno() {
-    grep -qE ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" "" )
+    if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
        grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
            || failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
    fi
 }
 check_evomaintenanceusers(){
-    # Can be changed in evocheck.cf
+    users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
-    homeDir=${homeDir:-/home}
+    for user in $users; do
-    sudoers="/etc/sudoers"
+        user_home=$(getent passwd "$user" | cut -d: -f6)
-    for i in $( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep ^sudo /etc/group |cut -d: -f 4) | tr "," "\n" |sort -u); do
+        if [ -n "$user_home" ] && [ -d "$user_home" ]; then
-        grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile
+            if ! grep -qs "^trap.*doas.*evomaintenance.sh" "${user_home}"/.*profile; then
-        if [ $? != 0 ]; then
+                echo "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap"
-            failed "IS_EVOMAINTENANCEUSERS" "$i doesn't have evomaintenance trap!"
+                test "${VERBOSE}" = 1 || break
            fi
        fi
-    done 
+    done
 }
 check_evomaintenanceconf(){
-    file=/etc/evomaintenance.cf
+    f=/etc/evomaintenance.cf
-    ( test -e $file \
+    if [ -e "$f" ]; then
-    && test $(stat -f %p $file) = "100600" \
+        perms=$(stat -f "%p" $f)
-    && grep "^export PGPASSWORD" $file |grep -qv "your-passwd" \
+        test "$perms" = "100600" || echo "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 100600)"
    && grep "^PGDB" $file |grep -qv "your-db" \
    && grep "^PGTABLE" $file |grep -qv "your-table" \
    && grep "^PGHOST" $file |grep -qv "your-pg-host" \
    && grep "^FROM" $file |grep -qv "jdoe@example.com" \
    && grep "^FULLFROM" $file |grep -qv "John Doe <jdoe@example.com>" \
    && grep "^URGENCYFROM" $file |grep -qv "mama.doe@example.com" \
    && grep "^URGENCYTEL" $file |grep -qv "06.00.00.00.00" \
    && grep "^REALM" $file |grep -qv "example.com" ) || failed "IS_EVOMAINTENANCECONF" ""
 }
        { grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \
            && grep "^PGDB" $f | grep -qv "your-db" \
            && grep "^PGTABLE" $f | grep -qv "your-table" \
            && grep "^PGHOST" $f | grep -qv "your-pg-host" \
            && grep "^FROM" $f | grep -qv "jdoe@example.com" \
            && grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
            && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
            && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
            && grep "^REALM" $f | grep -qv "example.com"
        } || echo "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
    else
        echo "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
    fi
 }
 check_sync(){
    if ifconfig carp | grep carp 1> /dev/null 2>&1; then
        sync_script=/usr/share/scripts/sync.sh
@ -328,7 +291,6 @@ check_sync(){
        fi
    fi
 }
 check_defaultroute(){
    if [ -f /etc/mygate ]; then
        file_route=$(cat /etc/mygate)
@ -340,7 +302,6 @@ check_defaultroute(){
        failed "IS_DEFAULTROUTE" "The file /etc/mygate does not exist. Make sure you have the same default route in this file as the one currently in use."
    fi
 }
 check_ntp(){
    if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then
        if [ $(wc -l /etc/ntpd.conf | awk '{print $1}') -ne 1 ]; then
@ -350,13 +311,11 @@ check_ntp(){
        failed "IS_NTP" "The configuration in /etc/ntpd.conf is not compliant. It should contains \"server ntp.evolix.net\"."
    fi
 }
 check_openvpncronlog(){
    if /etc/rc.d/openvpn check > /dev/null 2>&1; then
        grep -q 'cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo "$(date +\\%F. .\\%R) - logfile turned over via cron" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name "openvpn.log.\*" -mtime .365 -exec rm {} \\+' /var/cron/tabs/root || failed "IS_OPENVPNCRONLOG" "OpenVPN is enabled but there is no log rotation in the root crontab, or the cron is not up to date (OpenVPN log rotation in newsyslog is not used because a restart is needed)."
    fi
 }
 check_carpadvskew(){
    if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
        for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
@ -379,7 +338,152 @@ check_carpadvskew(){
        done
    fi
 }
 check_nrpeopensmtpd() {
    grep -Rq "^command.*check_mailq.pl -M opensmtpd" /etc/nrpe.* || failed "IS_NRPE_OPENSMTPD" "NRPE \"check_mailq\" is not configured for opensmtpd."
 }
 check_sshallowusers() {
    grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config || failed "IS_SSHALLOWUSERS" "Missing AllowUsers or AllowGroups directive in sshd_config"
 }
 check_evobackup_exclude_mount() {
    excludes_file=$(mktemp)
    trap "rm -f ${excludes_file}" 0
    for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
        grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
        not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}")
        for mount in ${not_excluded}; do
            failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
        done
    done
    rm -rf "${excludes_file}"
 }
 check_etcgit() {
    export GIT_DIR="/etc/.git" GIT_WORK_TREE="/etc"
    git rev-parse --is-inside-work-tree > /dev/null 2>&1 || failed "IS_ETCGIT" "/etc is not a git repository"
 }
 check_evolinuxsudogroup() {
    if grep -q "^evolinux-sudo:" /etc/group; then
        grep -qE "^%evolinux-sudo ALL ?= ?\(ALL\) SETENV: ALL" /etc/sudoers || failed "IS_EVOLINUXSUDOGROUP" "Missing evolinux-sudo directive in sudoers file"
    fi
 }
 check_bind9munin() {
    if is_installed isc-bind; then
        { test -L /etc/munin/plugins/bind9 \
            && test -e /etc/munin/plugin-conf.d/bind9;
        } || failed "IS_BIND9MUNIN" "missing bind plugin for munin"
    fi
 }
 check_evolix_user() {
    grep -q -E "^evolix:" /etc/passwd && failed "IS_EVOLIX_USER" "evolix user should not exist"
 }
 download_versions() {
    local file
    file=${1:-}
    ## The file is supposed to list programs : each on a line, then its latest version number
    ## Examples:
    # evoacme 21.06
    # evomaintenance 0.6.4
    versions_url="https://upgrades.evolix.org/versions-openbsd"
    # fetch timeout, in seconds
    timeout=10
    if command -v curl > /dev/null; then
        curl -k --max-time ${timeout} --fail --silent --output "${versions_file}" "${versions_url}"
        # "-k" required until OpenBSD 6.8
    elif command -v wget > /dev/null; then
        wget --timeout=${timeout} --quiet "${versions_url}" -O "${versions_file}"
    elif command -v GET; then
        GET -t ${timeout}s "${versions_url}" > "${versions_file}"
    else
        failed "IS_VERSIONS_CHECK" "failed to find curl, wget or GET"
    fi
    test "$?" -eq 0 || failed "IS_VERSIONS_CHECK" "failed to download ${versions_url} to ${versions_file}"
 }
 get_command() {
    local program
    program=${1:-}
    case "${program}" in
        ## Special cases where the program name is different than the command name
        evocheck) echo "${0}" ;;
        evomaintenance) command -v "evomaintenance.sh" ;;
        motd-carp-state) command -v "motd-carp-state.sh" ;;
        ## General case, where the program name is the same as the command name
        *) command -v "${program}" ;;
    esac
 }
 get_version() {
    local program
    local command
    program=${1:-}
    command=${2:-}
    case "${program}" in
        ## Special case if `command --version => 'command` is not the standard way to get the version
        # my_command)
        #    /path/to/my_command --get-version 
        #    ;;
        motd-carp-state)
            grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2
            ;;
        ## General case to get the version
        *) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
    esac
 }
 check_version() {
    local program
    local expected_version
    program=${1:-}
    expected_version=${2:-}
    command=$(get_command "${program}")
    if [ -n "${command}" ]; then
        actual_version=$(get_version "${program}" "${command}")
        # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}"
        if [ -z "${actual_version}" ]; then
            failed "IS_VERSIONS_CHECK" "failed to lookup actual version of ${program}"
        elif [ "${actual_version}" = "${expected_version}" ]; then
            : # Version check OK ; to check first because of the way the check works
        elif [ "$(echo ${actual_version}\\n${expected_version} | sort -V | head -n 1)" = "${actual_version}" ]; then
            failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is older than expected version ${expected_version}"
        elif [ "$(echo ${actual_version}\\n${expected_version} | sort -V | head -n 1)" = "${expected_version}" ]; then
            failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index."
        fi
    fi
 }
 add_to_path() {
    local new_path
    new_path=${1:-}
    echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}"
 }
 check_versions() {
    versions_file=$(mktemp -p /tmp "evocheck-versions.XXXXXXXX")
    trap "rm -f ${versions_file}" 0
    download_versions "${versions_file}"
    add_to_path "/usr/share/scripts"
    grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
        local program
        local version
        program=$(echo "${line}" | cut -d ' ' -f 1)
        version=$(echo "${line}" | cut -d ' ' -f 2)
        if [ -n "${program}" ]; then
            if [ -n "${version}" ]; then
                check_version "${program}" "${version}"
            else
                failed "IS_VERSIONS_CHECK" "failed to lookup expected version for ${program}"
            fi
        fi
    done
    rm -f "${versions_file}"
 }
 main() {
    # Default return code : 0 = no error
@ -400,7 +504,6 @@ main() {
    test "${IS_CARPPREEMPT:=1}" = 1 && check_carppreempt
    test "${IS_REBOOTMAIL:=1}" = 1 && check_rebootmail
    test "${IS_PFENABLED:=1}" = 1 && check_pfenabled
    test "${IS_PFCUSTOM:=1}" = 1 && check_pfcustom
    test "${IS_WHEEL:=1}" = 1 && check_wheel
    test "${IS_PKGMIRROR:=1}" = 1 && check_pkgmirror
    test "${IS_HISTORY:=1}" = 1 && check_history
@ -411,8 +514,8 @@ main() {
    test "${IS_NRPE:=1}" = 1 && check_nrpe
    test "${IS_RSYNC:=1}" = 1 && check_rsync
    test "${IS_CRONPATH:=1}" = 1 && check_cronpath
-    test "${IS_TMP_1777:=1}" = 1 && check_tmp1777
+    test "${IS_TMP_1777:=1}" = 1 && check_tmp_1777
-    test "${IS_ROOT_0700:=1}" = 1 && check_root0700
+    test "${IS_ROOT_0700:=1}" = 1 && check_root_0700
    test "${IS_USRSHARESCRIPTS:=1}" = 1 && check_usrsharescripts
    test "${IS_SSHPERMITROOTNO:=1}" = 1 && check_sshpermitrootno
    test "${IS_EVOMAINTENANCEUSERS:=1}" = 1 && check_evomaintenanceusers
@ -422,17 +525,37 @@ main() {
    test "${IS_NTP:=1}" = 1 && check_ntp
    test "${IS_OPENVPNCRONLOG:=1}" = 1 && check_openvpncronlog
    test "${IS_CARPADVSKEW:=1}" = 1 && check_carpadvskew
    test "${IS_NRPE_OPENSMTPD:=1}" = 1 && check_nrpeopensmtpd
    test "${IS_SSHALLOWUSERS:=1}" = 1 && check_sshallowusers
    test "${IS_EVOBACKUP_EXCLUDE_MOUNT:=1}" = 1 && check_evobackup_exclude_mount
    test "${IS_ETCGIT:=1}" = 1 && check_etcgit
    test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
    test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
    test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
    test "${IS_VERSIONS_CHECK:=1}" = 1 && check_versions
    exit ${RC}
 }
 # Disable LANG*
 export LANG=C
 export LANGUAGE=C
 # Source configuration file
 test -f /etc/evocheck.cf && . /etc/evocheck.cf
 # Parse options
 # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
 while :; do
    case $1 in
-        -h|-\?|--help|--version)
+        -h|-\?|--help)
            show_help
            exit 0
            ;;
        --version)
            show_version
            exit 0
            ;;
        --cron)
            IS_KERNELUPTODATE=0
            IS_UPTIME=0