add a lot of verbose output

This commit is contained in:
Jérémy Lecour 2019-03-22 21:55:47 +01:00
parent 8957b19a96
commit 55f720972b


@ -228,7 +228,7 @@ if is_debian; then
if [ "$IS_LSBRELEASE" = "1" ]; then
test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
## only the major version matters
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
rhs=$(cat /etc/debian_version | cut -d "." -f 1)
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"
@ -238,21 +238,25 @@ if is_debian; then
if is_debian_squeeze; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf)
[ "$count" = "2" ] || failed "IS_DPKGWARNING"
[ "$count" = "2" ] || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing."
fi
elif is_debian_wheezy; then
if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
test -e /etc/apt/apt.conf.d/80evolinux || failed "IS_DPKGWARNING"
test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING"
test -e /etc/apt/apt.conf.d/80evolinux \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing"
test -e /etc/apt/apt.conf \
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
fi
elif is_debian_stretch; then
test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING"
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
fi
fi
if [ "$IS_UMASKSUDOERS" = 1 ]; then
if is_debian_squeeze; then
grep -q "^Defaults.*umask=0077" /etc/sudoers || failed "IS_UMASKSUDOERS"
grep -q "^Defaults.*umask=0077" /etc/sudoers \
|| failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
fi
fi
@ -261,10 +265,10 @@ if is_debian; then
if is_installed postfix; then
if is_debian_squeeze; then
grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \
|| failed "IS_NRPEPOSTFIX"
|| failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
else
test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* \
|| failed "IS_NRPEPOSTFIX"
|| failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
fi
fi
fi
@ -273,11 +277,11 @@ if is_debian; then
if [ "$IS_MODSECURITY" = 1 ]; then
if is_debian_squeeze; then
if is_installed libapache-mod-security; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY"
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
elif is_debian_wheezy; then
if is_installed libapache2-modsecurity; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY"
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
fi
fi
@ -287,11 +291,11 @@ if is_debian; then
fi
if [ "$IS_VARTMPFS" = 1 ]; then
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS"
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
fi
if [ "$IS_SERVEURBASE" = 1 ]; then
is_installed serveur-base || failed "IS_SERVEURBASE"
is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
fi
if [ "$IS_LOGROTATECONF" = 1 ]; then
@ -777,9 +781,9 @@ if is_debian; then
fi
# Check install_date if the system never received an upgrade
if [ $last_upgrade -eq 0 ]; then
[ $install_date -lt $limit ] && failed "IS_NOTUPGRADED"
[ $install_date -lt $limit ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else
[ $last_upgrade -lt $limit ] && failed "IS_NOTUPGRADED"
[ $last_upgrade -lt $limit ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi
fi
@ -803,7 +807,8 @@ if is_debian; then
if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then
if is_debian_stretch; then
if grep -q "^evolinux-sudo:" /etc/group; then
grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux || failed "IS_EVOLINUXSUDOGROUP"
grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP"
fi
fi
fi
@ -812,7 +817,7 @@ if is_debian; then
if is_debian_stretch; then
users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
for user in $users; do
groups $user | grep -q adm || failed "IS_USERINADMGROUP"
groups $user | grep -q adm || failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
done
fi
fi
@ -898,7 +903,7 @@ if is_debian; then
if (is_installed "mysql-server" || is_installed "mariadb-server"); then
# You could change the default path in /etc/evocheck.cf
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP"
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
fi
fi
@ -907,7 +912,7 @@ if is_debian; then
# If you use something like barman, you should disable this check
# You could change the default path in /etc/evocheck.cf
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP"
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
fi
fi
@ -922,13 +927,13 @@ if is_debian; then
limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" $file)
if [ -f "$file" ] && [ $limit -gt $updated_at ]; then
failed "IS_MONGO_BACKUP"
failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days"
break
fi
fi
done
else
failed "IS_MONGO_BACKUP"
failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})"
fi
fi
fi
@ -937,7 +942,7 @@ if is_debian; then
if is_installed slapd; then
# You could change the default path in /etc/evocheck.cf
LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP"
test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})"
fi
fi
@ -945,7 +950,7 @@ if is_debian; then
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP"
test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})"
fi
fi
@ -953,7 +958,7 @@ if is_debian; then
if is_installed elasticsearch; then
# You could change the default path in /etc/evocheck.cf
ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"}
test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP"
test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})"
fi
fi
@ -975,7 +980,7 @@ if is_debian; then
mysql_sorts mysql_tmp_tables; do
if [[ ! -L /etc/munin/plugins/$file ]]; then
failed "IS_MYSQLMUNIN"
failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing"
break
fi
done
@ -1047,9 +1052,9 @@ if is_debian; then
if [ "$IS_EVOACME_CRON" = 1 ]; then
if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted
test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON"
test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme"
# evoacme cron file should be present
test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON"
test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing"
fi
fi
@ -1067,7 +1072,7 @@ if is_debian; then
lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1)
lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir)
if [[ "$actualCertDate" != "$lastCertDate" ]]; then
failed "IS_EVOACME_LIVELINKS"
failed "IS_EVOACME_LIVELINKS" "Certificate '$liveDir' hasn't been updated"
break
fi
done
@ -1104,27 +1109,24 @@ if is_debian; then
# Sometimes autodetection of kernel config file fail, so we test if the file really exists.
if [ -f /boot/$kernelConfig ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig \
|| failed "IS_MELTDOWN_SPECTRE"
|| failed "IS_MELTDOWN_SPECTRE" "PAGE_TABLE_ISOLATION vulnerability is not patched"
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig \
|| failed "IS_MELTDOWN_SPECTRE"
|| failed "IS_MELTDOWN_SPECTRE" "RETPOLINE vulnerability is not patched"
fi
fi
fi
fi
if [ "$IS_OLD_HOME_DIR" = 1 ]; then
for dir in /home/*; do
homeDir=${homeDir:-/home}
for dir in $homeDir/*; do
statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \
| grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \
| grep "UNKNOWN")
# There is at least one dir matching
if [[ -n "$statResult" ]]; then
failed "IS_OLD_HOME_DIR"
if [[ "$VERBOSE" == 1 ]]; then
echo "$statResult"
else
break
fi
failed "IS_OLD_HOME_DIR" "$statResult"
break
fi
done
fi
@ -1183,14 +1185,14 @@ if is_openbsd; then
fi
if [ "$IS_POSTGRESQL" = 1 ]; then
pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL"
pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed"
fi
if [ "$IS_NRPE" = 1 ]; then
{ pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe;
} || failed "IS_NRPE"
} || failed "IS_NRPE" "NRPE is not installed"
fi
# if [ "$IS_NRPEDISKS" = 1 ]; then
@ -1295,15 +1297,16 @@ if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then
&& grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
&& grep "^REALM" $f | grep -qv "example.com";
} || failed "IS_EVOMAINTENANCECONF"
} || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
fi
if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
for f in /etc/ssl/private/*; do
perms=$(stat -L -c "%a" $f)
if [ "${perms: -1}" != "0" ]; then
failed "IS_PRIVKEYWOLRDREADABLE"
break
failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable"
## let's print an error for each key
# break
fi
done
fi
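Review bot: The new verbose message on the wheezy branch, `test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"`, states the opposite of what the check detects — that branch only runs `failed` when /etc/apt/apt.conf exists, presumably because the per-distro drop-in in /etc/apt/apt.conf.d is meant to be the only source of the Pre/Post-Invoke warnings. An operator acting on the message as written would create the file and make the failure permanent, which is worse than the old terse output. Change it to `&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf should not exist (use /etc/apt/apt.conf.d/80evolinux)"`, and consider the same "is missing" wording review for the other `&&`-style checks touched here (the `test -f /etc/cron.daily/certbot && failed` line is phrased correctly). The enclosing `if is_debian` block begins and ends outside the hunk.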