evolix/evocheck
evolix/evocheck
21
2
Fork 2
Code Issues 48 Pull requests 5 Releases 37 Wiki Activity

IS_SSHALLOWUSERS: also scan /etc/ssh/sshd_config.d

Browse source
This commit is contained in:
Jérémy Lecour 2021-10-09 11:12:04 +02:00 committed by Jérémy Lecour
parent c145c54201
commit 564bc4b610
2 changed files with 16 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
CHANGELOG
View file

@ -5,6 +5,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
### Added ### Added
* IS_SSHALLOWUSERS: also scan /etc/ssh/sshd_config.d
### Changed ### Changed
### Deprecated ### Deprecated

17
evocheck.sh
View file

@ -245,7 +245,7 @@ check_debiansecurity() {
fi fi
source_file="/etc/apt/sources.list" source_file="/etc/apt/sources.list"
grep -q "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository" grep -qE "${pattern}" "${source_file}" || failed "IS_DEBIANSECURITY" "missing debian security repository"
} }
check_aptitudeonly() { check_aptitudeonly() {
if is_debian_squeeze || is_debian_wheezy; then if is_debian_squeeze || is_debian_wheezy; then
@ -316,7 +316,7 @@ check_customcrontab() {
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab" test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
} }
check_sshallowusers() { check_sshallowusers() {
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \ grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config" || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
} }
check_diskperf() { check_diskperf() {
@ -1354,6 +1354,15 @@ check_lxc_container_resolv_conf() {
fi fi
} }
check_version_minifw() {
expected_version="21.10"
actual_version=$(/etc/init.d/minifirewall version)
if dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then
failed "IS_VERSION_MINIFW" "minifirewall version ${expected_version} expected, but ${expected_version} found"
fi
}
main() { main() {
# Default return code : 0 = no error # Default return code : 0 = no error
RC=0 RC=0
@ -1408,7 +1417,8 @@ main() {
test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw test "${IS_ALERT5MINIFW:=1}" = 1 && test "${IS_MINIFW:=1}" = 1 && check_minifw
test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms test "${IS_NRPEPERMS:=1}" = 1 && check_nrpeperms
test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms test "${IS_MINIFWPERMS:=1}" = 1 && check_minifwperms
test "${IS_MINIFWINCLUDES:=1}" = 1 && check_minifw_includes # Enable when minifirewall is released
test "${IS_MINIFWINCLUDES:=0}" = 1 && check_minifw_includes
test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks test "${IS_NRPEDISKS:=0}" = 1 && check_nrpedisks
test "${IS_NRPEPID:=1}" = 1 && check_nrpepid test "${IS_NRPEPID:=1}" = 1 && check_nrpepid
test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs test "${IS_GRSECPROCS:=1}" = 1 && check_grsecprocs
@ -1482,6 +1492,7 @@ main() {
test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
test "${IS_VERSION_MINIFW:=1}" = 1 && check_version_minifw
fi fi
#----------------------------------------------------------- #-----------------------------------------------------------