From 9c4a40b585fd955e424841007d9266674b112d49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 20 Mar 2019 21:49:08 +0100 Subject: [PATCH 01/85] optimize OS/release/version detection --- evocheck.sh | 161 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 98 insertions(+), 63 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 4506260..6d00b38 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -125,6 +125,28 @@ IS_NRPEDAEMON=1 IS_ALERTBOOT=1 IS_RSYNC=1 +DEBIAN_RELEASE="" +OPENBSD_RELEASE="" + +if [ -e /etc/debian_version ]; then + DEBIAN_RELEASE=$(lsb_release -c -s) + DEBIAN_VERSION=$(cat /etc/debian_version |cut -d "." -f 1) +elif [ "$(uname -s)" = "OpenBSD" ]; then + # use a better release name + OPENBSD_RELEASE="OpenBSD" +fi + +# Source configuration file +test -f /etc/evocheck.cf && . /etc/evocheck.cf + +VERBOSE="${VERBOSE:-0}" + +# If --cron is passed, ignore some checks. +if [ "$1" = "--cron" ]; then + IS_KERNELUPTODATE=0 + IS_UPTIME=0 +fi + # logging function failed() { check_name=$1 @@ -138,17 +160,6 @@ failed() { fi } -# Source configuration file -test -f /etc/evocheck.cf && . /etc/evocheck.cf - -VERBOSE="${VERBOSE:-0}" - -# If --cron is passed, ignore some checks. -if [ "$1" = "--cron" ]; then - IS_KERNELUPTODATE=0 - IS_UPTIME=0 -fi - # Functions is_pack_web(){ test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh 
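Review bot: `/etc/evocheck.cf` is now sourced with `.` after DEBIAN_RELEASE and DEBIAN_VERSION have been computed, so anything in that file can silently override the detected release, and nothing checks who owns the file or whether others can write it before it is executed. Since the script reads `/etc/sudoers` and runs `/sbin/iptables -L`, it is presumably run as root, which makes a group- or world-writable config file a root code-execution path. Guard the source line, e.g. `if [ -f /etc/evocheck.cf ] && [ -z "$(find /etc/evocheck.cf ! -user root -o -perm /022)" ]; then . /etc/evocheck.cf; fi` (the `-perm /022` spelling is GNU find; the OpenBSD branch would need its own form). If overriding the detected release from the config is not intended, move the detection block below the source line and say so in a comment.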
@@ -164,46 +175,70 @@ is_installed(){ done } -is_debianversion(){ - [ $(lsb_release -c -s) = $1 ] && return 0 +is_debian() { + test -n "${DEBIAN_RELEASE}" +} +is_debian_lenny() { + test "${DEBIAN_VERSION}" = "5" +} +is_debian_squeeze() { + test "${DEBIAN_RELEASE}" = "squeeze" +} +is_debian_wheezy() { + test "${DEBIAN_RELEASE}" = "wheezy" +} +is_debian_jessie() { + test "${DEBIAN_RELEASE}" = "jessie" +} +is_debian_stretch() { + test "${DEBIAN_RELEASE}" = "stretch" +} +debian_release() { + printf "%s" "${DEBIAN_RELEASE}" +} +debian_version() { + printf "%s" "${DEBIAN_VERSION}" +} +is_openbsd() { + test -n "${OPENBSD_RELEASE}" } -is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc -is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc -is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall -is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall +is_debian_squeeze && MINIFW_FILE=/etc/firewall.rc +is_debian_wheezy && MINIFW_FILE=/etc/firewall.rc +is_debian_jessie && MINIFW_FILE=/etc/default/minifirewall +is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall #----------------------------------------------------------- #Vérifie si c'est une debian et fait les tests appropriés. 
#----------------------------------------------------------- -if [ -e /etc/debian_version ]; then +if is_debian; then if [ "$IS_DPKGWARNING" = 1 ]; then - is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \ + is_debian_squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \ grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ /etc/apt/apt.conf | wc -l | grep -q ^2$ || failed "IS_DPKGWARNING" ) - is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \ + is_debian_wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \ ( test -e /etc/apt/apt.conf.d/80evolinux || failed "IS_DPKGWARNING" ) test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING" ) - is_debianversion stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING") + is_debian_stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING") fi if [ "$IS_UMASKSUDOERS" = 1 ]; then - is_debianversion squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || failed "IS_UMASKSUDOERS" ) + is_debian_squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || failed "IS_UMASKSUDOERS" ) fi # Verifying check_mailq in Nagios NRPE config file. 
(Option "-M postfix" need to be set if the MTA is Postfix) if [ "$IS_NRPEPOSTFIX" = 1 ]; then - is_debianversion squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || failed "IS_NRPEPOSTFIX" ) - is_debianversion squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || failed "IS_NRPEPOSTFIX" ) ) + is_debian_squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || failed "IS_NRPEPOSTFIX" ) + is_debian_squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || failed "IS_NRPEPOSTFIX" ) ) fi # Check if mod-security config file is present if [ "$IS_MODSECURITY" = 1 ]; then - is_debianversion squeeze && is_installed libapache-mod-security && \ + is_debian_squeeze && is_installed libapache-mod-security && \ (test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY") - is_debianversion wheezy && is_installed libapache2-modsecurity && \ + is_debian_wheezy && is_installed libapache2-modsecurity && \ (test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY") fi 
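Review bot: `is_debian()` now gates the whole Debian section on DEBIAN_RELEASE being non-empty, and in this commit that variable is only set from `lsb_release -c -s`; on a host without the lsb-release package (or where it errors) every Debian check is skipped and the script exits clean, whereas the replaced `[ -e /etc/debian_version ]` gate still ran them. A hardening scan should not pass silently because a helper binary is missing. Gate on the file instead, `is_debian() { test -e /etc/debian_version; }`, and leave an empty DEBIAN_RELEASE to the release-specific predicates and a dedicated check. The `if is_debian; then` block opened in this hunk ends outside it.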
@@ -232,18 +267,18 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_APTITUDEONLY" = 1 ]; then - is_debianversion squeeze && test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" - is_debianversion wheezy && test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" + is_debian_squeeze && test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" + is_debian_wheezy && test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" fi if [ "$IS_APTITUDE" = 1 ]; then - is_debianversion jessie && test -e /usr/bin/aptitude && failed "IS_APTITUDE" - is_debianversion stretch && test -e /usr/bin/aptitude && failed "IS_APTITUDE" + is_debian_jessie && test -e /usr/bin/aptitude && failed "IS_APTITUDE" + is_debian_stretch && test -e /usr/bin/aptitude && failed "IS_APTITUDE" fi if [ "$IS_APTGETBAK" = 1 ]; then - is_debianversion jessie && test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" - is_debianversion stretch && test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" + is_debian_jessie && test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" + is_debian_stretch && test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" fi if [ "$IS_APTICRON" = 1 ]; then @@ -251,7 +286,7 @@ if [ -e /etc/debian_version ]; then test -e /etc/cron.d/apticron || status="fail" test -e /etc/cron.daily/apticron && status="fail" test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" - ( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && failed "IS_APTICRON" + ( is_debian_squeeze || is_debian_wheezy ) && test "$status" = "fail" && failed "IS_APTICRON" fi if [ "$IS_USRRO" = 1 ]; then @@ -272,7 +307,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_LISTCHANGESCONF" = 1 ]; then - if is_debianversion stretch; then + if is_debian_stretch; then if is_installed apt-listchanges; then failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Stretch" fi 
@@ -331,7 +366,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_NRPEPID" = 1 ]; then - is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || failed "IS_NRPEPID") + is_debian_squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || failed "IS_NRPEPID") fi if [ "$IS_GRSECPROCS" = 1 ]; then @@ -339,8 +374,8 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_APACHEMUNIN" = 1 ]; then - test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || failed "IS_APACHEMUNIN" ) ) - test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || failed "IS_APACHEMUNIN" ) ) + test -e /etc/apache2/apache2.conf && ( is_debian_stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || failed "IS_APACHEMUNIN" ) ) + test -e /etc/apache2/apache2.conf && ( is_debian_stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || failed "IS_APACHEMUNIN" ) ) fi # Verification mytop + Munin si MySQL 
@@ -388,7 +423,7 @@ if [ -e /etc/debian_version ]; then # Verification de l'activation de Squid dans le cas d'un pack mail if [ "$IS_SQUID" = 1 ]; then squidconffile=/etc/squid*/squid.conf - is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf + is_debian_stretch && squidconffile=/etc/squid/evolinux-custom.conf is_pack_web && ( is_installed squid || is_installed squid3 \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \ @@ -418,7 +453,7 @@ if [ -e /etc/debian_version ]; then is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING') fi if [ "$IS_LOG2MAILAPACHE" = 1 ]; then - if is_debianversion stretch; then + if is_debian_stretch; then conf=/etc/log2mail/config/apache else conf=/etc/log2mail/config/default @@ -463,10 +498,10 @@ if [ -e /etc/debian_version ]; then # Verify if all if are in auto if [ "$IS_AUTOIF" = 1 ]; then - is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do + is_debian_stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do grep -q "^auto $interface" /etc/network/interfaces || (failed "IS_AUTOIF" && break) done - is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do + is_debian_stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do grep -q "^auto $interface" /etc/network/interfaces || (failed "IS_AUTOIF" && break) done fi 
@@ -510,7 +545,7 @@ if [ -e /etc/debian_version ]; then # Check if default Apache configuration file for munin is absent (or empty or commented). if [ "$IS_MUNINAPACHECONF" = 1 ]; then - if is_debianversion squeeze || is_debianversion wheezy; then + if is_debian_squeeze || is_debian_wheezy; then muninconf="/etc/apache2/conf.d/munin" else muninconf="/etc/apache2/conf-available/munin.conf" @@ -612,14 +647,14 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then - if is_debianversion stretch; then + if is_debian_stretch; then (grep -q ^evolinux-sudo: /etc/group \ && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || failed "IS_EVOLINUXSUDOGROUP" fi fi if [ "$IS_USERINADMGROUP" = 1 ]; then - if is_debianversion stretch; then + if is_debian_stretch; then for user in $(grep ^evolinux-sudo: /etc/group |awk -F: '{print $4}' |tr ',' ' '); do groups $user |grep -q adm || failed "IS_USERINADMGROUP" done @@ -627,7 +662,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then - if (test -d /etc/apache2 && is_debianversion stretch); then + if (test -d /etc/apache2 && is_debian_stretch); then (test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ && test -f /etc/apache2/ipaddr_whitelist.conf) || failed "IS_APACHE2EVOLINUXCONF" @@ -635,7 +670,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_BACKPORTSCONF" = 1 ]; then - if is_debianversion stretch; then + if is_debian_stretch; then grep -qsE "^[^#].*backports" /etc/apt/sources.list \ && failed "IS_BACKPORTSCONF" if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then 
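Review bot: In the IS_USERINADMGROUP loop, `groups $user |grep -q adm` is a substring match, so a user whose only extra group is e.g. `lpadmin` passes the check without being a member of `adm`; `$user` is also unquoted. Use a word match on the group list, `id -nG "$user" | grep -qw adm || failed "IS_USERINADMGROUP"`. This loop sits inside the `if is_debian` block, which starts and ends outside the hunk.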
@@ -646,13 +681,13 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_BIND9MUNIN" = 1 ]; then - if is_debianversion stretch && is_installed bind9; then + if is_debian_stretch && is_installed bind9; then (test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) || failed "IS_BIND9MUNIN" fi fi if [ "$IS_BIND9LOGROTATE" = 1 ]; then - if is_debianversion stretch && is_installed bind9; then + if is_debian_stretch && is_installed bind9; then test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" fi fi @@ -669,7 +704,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then - if is_debianversion stretch; then + if is_debian_stretch; then (systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) || failed "IS_LOG2MAILSYSTEMDUNIT" fi fi @@ -679,7 +714,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then - if is_debianversion stretch && is_installed mariadb-server; then + if is_debian_stretch && is_installed mariadb-server; then (test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) || failed "IS_MARIADBEVOLINUXCONF" fi @@ -747,13 +782,13 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then - if is_debianversion stretch && is_installed mariadb-server; then + if is_debian_stretch && is_installed mariadb-server; then (systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) || failed "IS_MARIADBSYSTEMDUNIT" fi fi if [ "$IS_MYSQLMUNIN" = 1 ]; then - if is_debianversion stretch && is_installed mariadb-server; then + if is_debian_stretch && is_installed mariadb-server; then for file in mysql_bytes mysql_queries mysql_slowqueries \ mysql_threads mysql_connections mysql_files_tables \ mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ 
@@ -770,7 +805,7 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_MYSQLNRPE" = 1 ]; then - if is_debianversion stretch && is_installed mariadb-server; then + if is_debian_stretch && is_installed mariadb-server; then (test -f ~nagios/.my.cnf \ && [ $(stat -c %U ~nagios/.my.cnf) = "nagios" ] \ && [ $(stat -c %a ~nagios/.my.cnf) = "600" ] \ @@ -779,20 +814,20 @@ if [ -e /etc/debian_version ]; then fi if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then - if is_debianversion stretch && is_installed php; then + if is_debian_stretch && is_installed php; then (test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) || failed "IS_PHPEVOLINUXCONF" fi fi if [ "$IS_SQUIDLOGROTATE" = 1 ]; then - if is_debianversion stretch && is_installed squid; then + if is_debian_stretch && is_installed squid; then grep -q monthly /etc/logrotate.d/squid || failed "IS_SQUIDLOGROTATE" fi fi if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then - if is_debianversion stretch && is_installed squid; then + if is_debian_stretch && is_installed squid; then (grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ && test -f /etc/squid/evolinux-defaults.conf \ && test -f /etc/squid/evolinux-whitelist-defaults.conf \ @@ -863,7 +898,7 @@ if [ -e /etc/debian_version ]; then # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ # must be replaced by conf-available/ and config files symlinked # to conf-enabled/ - if is_debianversion jessie || is_debianversion stretch; then + if is_debian_jessie || is_debian_stretch; then if [ -f /etc/apache2/apache2.conf ]; then test -d /etc/apache2/conf.d/ && failed "IS_APACHE_CONFENABLED" grep -q 'Include conf.d' /etc/apache2/apache2.conf && failed "IS_APACHE_CONFENABLED" 
@@ -874,12 +909,12 @@ if [ -e /etc/debian_version ]; then if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then # For Stretch, detection is easy as the kernel use # /sys/devices/system/cpu/vulnerabilities/ - if is_debianversion stretch; then + if is_debian_stretch; then for vuln in meltdown spectre_v1 spectre_v2; do test -f /sys/devices/system/cpu/vulnerabilities/$vuln || failed "IS_MELTDOWN_SPECTRE" done # For Jessie this is quite complicated to verify and we need to use kernel config file - elif is_debianversion jessie; then + elif is_debian_jessie; then if grep -q BOOT_IMAGE= /proc/cmdline; then kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) kernelVer=${kernelPath##*/vmlinuz-} @@ -912,7 +947,7 @@ if [ -e /etc/debian_version ]; then fi -if [ `uname -s` == "OpenBSD" ]; then +if is_openbsd; then if [ "$IS_SOFTDEP" = 1 ]; then grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP" @@ -1018,14 +1053,14 @@ if [ "$IS_USRSHARESCRIPTS" = 1 ]; then fi if [ "$IS_SSHPERMITROOTNO" = 1 ]; then - is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" ) - is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" ) + is_debian_stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" ) + is_debian_stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" ) fi if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then # Can be changed in evocheck.cf homeDir=${homeDir:-/home} - if ! is_debianversion stretch; then + if ! is_debian_stretch; then if [ -f /etc/sudoers.d/evolinux ]; then sudoers="/etc/sudoers.d/evolinux" else From 1b4b2a2ff89d3da19852b3fcaa3fbd113ace3291 Mon Sep 17 00:00:00 2001 
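Review bot: In IS_SSHPERMITROOTNO, `grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config` also matches a commented-out `#PermitRootLogin no`, so a config whose effective directive is `PermitRootLogin yes` (or the compiled-in default) passes as long as a stock commented line is still present; the same pattern is used in both the Stretch and non-Stretch branches. Anchor on an active directive: `grep -Eqi '^[[:space:]]*PermitRootLogin[[:space:]]+no' /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO"`. Asking sshd itself, `sshd -T | grep -qi '^permitrootlogin no'`, would additionally honour Match blocks and sshd's first-value-wins rule, if running sshd's parser from a check script is acceptable here.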
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 21:55:42 +0100 Subject: [PATCH 02/85] workaround possibly missing lsb_release command --- evocheck.sh | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 6d00b38..ec814ac 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -126,11 +126,22 @@ IS_ALERTBOOT=1 IS_RSYNC=1 DEBIAN_RELEASE="" +LSB_RELEASE_BIN=$(command -v lsb_release) OPENBSD_RELEASE="" if [ -e /etc/debian_version ]; then - DEBIAN_RELEASE=$(lsb_release -c -s) - DEBIAN_VERSION=$(cat /etc/debian_version |cut -d "." -f 1) + DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version) + if [ -x ${LSB_RELEASE_BIN} ]; then + DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short) + else + case ${DEBIAN_VERSION} in + 5) DEBIAN_RELEASE="lenny";; + 6) DEBIAN_RELEASE="squeeze";; + 7) DEBIAN_RELEASE="wheezy";; + 8) DEBIAN_RELEASE="jessie";; + 9) DEBIAN_RELEASE="stretch";; + esac + fi elif [ "$(uname -s)" = "OpenBSD" ]; then # use a better release name OPENBSD_RELEASE="OpenBSD" @@ -179,7 +190,7 @@ is_debian() { test -n "${DEBIAN_RELEASE}" } is_debian_lenny() { - test "${DEBIAN_VERSION}" = "5" + test "${DEBIAN_VERSION}" = "lenny" } is_debian_squeeze() { test "${DEBIAN_RELEASE}" = "squeeze" From d3cb743f76f038d090b69cfc3bfed2414c527b98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 21:56:14 +0100 Subject: [PATCH 03/85] MINIFW_FILE for Debian Lenny --- evocheck.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/evocheck.sh b/evocheck.sh index ec814ac..8d47090 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -214,6 +214,7 @@ is_openbsd() { test -n "${OPENBSD_RELEASE}" } +is_debian_lenny && MINIFW_FILE=/etc/firewall.rc is_debian_squeeze && MINIFW_FILE=/etc/firewall.rc is_debian_wheezy && MINIFW_FILE=/etc/firewall.rc is_debian_jessie && MINIFW_FILE=/etc/default/minifirewall From 36fa3af81501100e2c2f222195b7e45ef4479359 Mon Sep 17 00:00:00 2001 
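Review bot: The fallback `case` in this hunk is unreachable when lsb_release is absent: LSB_RELEASE_BIN is then empty and the unquoted `[ -x ${LSB_RELEASE_BIN} ]` collapses to `[ -x ]`, a one-argument test that is true for the non-empty string `-x`, so the script runs `$( --codename --short)`, gets a command-not-found, and leaves DEBIAN_RELEASE empty — exactly the case the commit means to handle. Quote the expansion: `if [ -n "${LSB_RELEASE_BIN}" ] && [ -x "${LSB_RELEASE_BIN}" ]; then`. The `case` also has no `*)` arm, so a major version outside 5–9 (`10`, or `buster/sid` in /etc/debian_version) still yields an empty DEBIAN_RELEASE and a silently skipped Debian section; since `failed()` appears to be defined further down the file, a `*) printf 'evocheck: unsupported Debian version %s\n' "${DEBIAN_VERSION}" >&2 ;;` arm is the minimum so the run does not look clean.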
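Review bot: `is_debian_lenny()` now compares DEBIAN_VERSION with the string `lenny`, but DEBIAN_VERSION is the numeric major taken by `cut -d "." -f 1 < /etc/debian_version` (it would be `5`), so the predicate can never be true; the codename lives in DEBIAN_RELEASE, which both `lsb_release --codename` and the new `case` set to `lenny`. The Lenny MINIFW_FILE assignment added in the next patch, and the IS_REPVOLATILE check switched to this helper later in the series, therefore never fire. Make it consistent with its siblings: `test "${DEBIAN_RELEASE}" = "lenny"`.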
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 21:56:38 +0100 Subject: [PATCH 04/85] replace old-fashioned tests with functions --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 8d47090..431d1d6 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -495,8 +495,8 @@ if is_debian; then # Verification de la présence du depot volatile if [ "$IS_REPVOLATILE" = 1 ]; then - test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || failed "IS_REPVOLATILE") - test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || failed "IS_REPVOLATILE") + is_debian_lenny && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || failed "IS_REPVOLATILE") + is_debian_squeeze && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || failed "IS_REPVOLATILE") fi # /etc/network/interfaces should be present, we don't manage systemd-network yet From 720ea03b0cad04a90d070ecedc4c01442da93a96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 21:57:28 +0100 Subject: [PATCH 05/85] Add IS_LSBRELEASE check --- evocheck.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/evocheck.sh b/evocheck.sh index 431d1d6..1f45236 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -107,6 +107,7 @@ IS_EVOACME_LIVELINKS=1 IS_APACHE_CONFENABLED=1 IS_MELTDOWN_SPECTRE=1 IS_OLD_HOME_DIR=1 +IS_LSBRELEASE=1 #Proper to OpenBSD IS_SOFTDEP=1 
@@ -226,6 +227,11 @@ is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall if is_debian; then + if [ "$IS_LSBRELEASE" = "1" ]; then + test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" + test "$(${LSB_RELEASE_BIN} --release --short)" = "$(cat /etc/debian_version)" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" + fi + if [ "$IS_DPKGWARNING" = 1 ]; then is_debian_squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \ grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ From 2c44db77a34f9dc7539c7497afe75264c859df6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 22:09:57 +0100 Subject: [PATCH 06/85] replace `` with $() --- evocheck.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 1f45236..f2003ba 100755 --- a/evocheck.sh +++ b/evocheck.sh 
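Review bot: The second `test` in the new IS_LSBRELEASE block runs even when the first one has just reported lsb_release missing, so on such a host the shell tries to execute `$( --release --short)` (a command-not-found on stderr) and the same check is reported failed twice. Make the consistency test conditional: `if test -x "${LSB_RELEASE_BIN}"; then test "$(${LSB_RELEASE_BIN} --release --short)" = "$(cat /etc/debian_version)" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"; else failed "IS_LSBRELEASE" "lsb_release is missing or not executable"; fi`. On testing/unstable `lsb_release -r -s` presumably prints `testing` while /etc/debian_version holds something like `buster/sid`, so every non-stable host will be flagged — fine if those are out of scope, but worth a comment. The `if is_debian` block enclosing this hunk ends outside it.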
@@ -444,9 +444,9 @@ if is_debian; then is_debian_stretch && squidconffile=/etc/squid/evolinux-custom.conf is_pack_web && ( is_installed squid || is_installed squid3 \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $(hostname -i) -j ACCEPT" $MINIFW_FILE \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || failed "IS_SQUID" ) + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $(grep http_port $squidconffile | cut -f 2 -d " ")" $MINIFW_FILE || failed "IS_SQUID" ) fi if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then @@ -516,10 +516,10 @@ if is_debian; then # Verify if all if are in auto if [ "$IS_AUTOIF" = 1 ]; then - is_debian_stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do + is_debian_stretch || for interface in $(/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "); do grep -q "^auto $interface" /etc/network/interfaces || (failed "IS_AUTOIF" && break) done - is_debian_stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do + is_debian_stretch && for interface in $(/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "); do grep -q "^auto $interface" /etc/network/interfaces || (failed "IS_AUTOIF" && break) done fi 
@@ -573,7 +573,7 @@ if is_debian; then # Verification de la priorité du package samba si les backports sont utilisés if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then - is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" ) + is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" ") && test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" ) fi # Verification si le système doit redémarrer suite màj kernel. From fa79f1d1a8f94d2eb4c199b2f4b1dcfcaa59bcde Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 23:35:00 +0100 Subject: [PATCH 07/85] big cleanup * tests organization * shellcheck conventions * variables extractions * quotes and indentations --- evocheck.sh | 410 +++++++++++++++++++++++++++++++++++----------------- 1 file changed, 274 insertions(+), 136 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index f2003ba..0ea7519 100755 --- a/evocheck.sh +++ b/evocheck.sh 
@@ -233,31 +233,53 @@ if is_debian; then fi if [ "$IS_DPKGWARNING" = 1 ]; then - is_debian_squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \ - grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ - /etc/apt/apt.conf | wc -l | grep -q ^2$ || failed "IS_DPKGWARNING" ) - is_debian_wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \ - ( test -e /etc/apt/apt.conf.d/80evolinux || failed "IS_DPKGWARNING" ) - test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING" ) - is_debian_stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING") + if is_debian_squeeze; then + if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then + count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf) + [ "$count" = "2" ] || failed "IS_DPKGWARNING" + fi + elif is_debian_wheezy; then + if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then + test -e /etc/apt/apt.conf.d/80evolinux || failed "IS_DPKGWARNING" + test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING" + fi + elif is_debian_stretch; then + (test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING") + fi fi if [ "$IS_UMASKSUDOERS" = 1 ]; then - is_debian_squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || failed "IS_UMASKSUDOERS" ) + if is_debian_squeeze; then + ( grep -q "^Defaults.*umask=0077" /etc/sudoers || failed "IS_UMASKSUDOERS" ) + fi fi # Verifying check_mailq in Nagios NRPE config file. 
(Option "-M postfix" need to be set if the MTA is Postfix) if [ "$IS_NRPEPOSTFIX" = 1 ]; then - is_debian_squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || failed "IS_NRPEPOSTFIX" ) - is_debian_squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || failed "IS_NRPEPOSTFIX" ) ) + if is_debian_squeeze; then + if is_installed postfix; then + grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \ + || failed "IS_NRPEPOSTFIX" + fi + else + if is_installed postfix; then + test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* \ + || failed "IS_NRPEPOSTFIX" + fi + fi fi # Check if mod-security config file is present if [ "$IS_MODSECURITY" = 1 ]; then - is_debian_squeeze && is_installed libapache-mod-security && \ - (test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY") - is_debian_wheezy && is_installed libapache2-modsecurity && \ - (test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY") + if is_debian_squeeze; then + if is_installed libapache-mod-security; then + test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" + fi + elif is_debian_wheezy; then + if is_installed libapache2-modsecurity; then + test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" + fi + fi fi if [ "$IS_CUSTOMSUDOERS" = 1 ]; then 
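Review bot: The Wheezy branch of IS_DPKGWARNING changes behaviour: in the removed code `test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING"` was a second statement in the subshell and ran on every Wheezy host, whereas the new code nests it inside `if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]`, so a stray /etc/apt/apt.conf no longer fails the check when both options are off. If that is not intended for a cleanup commit, move that line after the inner `fi` of the `elif is_debian_wheezy` arm. The `if is_debian` block enclosing this hunk starts and ends outside it.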
@@ -277,26 +299,31 @@ if is_debian; then fi if [ "$IS_SYSLOGCONF" = 1 ]; then - grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || failed "IS_SYSLOGCONF" + grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \ + || failed "IS_SYSLOGCONF" fi if [ "$IS_DEBIANSECURITY" = 1 ]; then - grep -q "^deb.*security" /etc/apt/sources.list || failed "IS_DEBIANSECURITY" + grep -q "^deb.*security" /etc/apt/sources.list \ + || failed "IS_DEBIANSECURITY" fi if [ "$IS_APTITUDEONLY" = 1 ]; then - is_debian_squeeze && test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" - is_debian_wheezy && test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" + if is_debian_squeeze || is_debian_wheezy; then + test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" + fi fi if [ "$IS_APTITUDE" = 1 ]; then - is_debian_jessie && test -e /usr/bin/aptitude && failed "IS_APTITUDE" - is_debian_stretch && test -e /usr/bin/aptitude && failed "IS_APTITUDE" + if is_debian_jessie || is_debian_stretch; then + test -e /usr/bin/aptitude && failed "IS_APTITUDE" + fi fi if [ "$IS_APTGETBAK" = 1 ]; then - is_debian_jessie && test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" - is_debian_stretch && test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" + if is_debian_jessie || is_debian_stretch; then + test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" + fi fi if [ "$IS_APTICRON" = 1 ]; then @@ -304,7 +331,10 @@ if is_debian; then test -e /etc/cron.d/apticron || status="fail" test -e /etc/cron.daily/apticron && status="fail" test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" - ( is_debian_squeeze || is_debian_wheezy ) && test "$status" = "fail" && failed "IS_APTICRON" + + if is_debian_squeeze || is_debian_wheezy; then + test "$status" = "fail" && failed "IS_APTICRON" + fi fi if [ "$IS_USRRO" = 1 ]; then 
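Review bot: IS_DEBIANSECURITY only greps `/etc/apt/sources.list`, so a host whose security suite is configured in `/etc/apt/sources.list.d/*.list` is reported failed, while any unrelated `deb` line containing the word `security` in sources.list makes it pass; the commit only re-wrapped the line. Include the fragment directory and restrict the match to binary package lines: `grep -qsE "^deb[[:space:]].*security" /etc/apt/sources.list /etc/apt/sources.list.d/*.list || failed "IS_DEBIANSECURITY"`. This sits inside the `if is_debian` block, which starts and ends outside the hunk.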
@@ -362,29 +392,36 @@ if is_debian; then fi if [ "$IS_ALERT5MINIFW" = 1 ]; then - grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || failed "IS_ALERT5MINIFW" + grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" fi if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then - /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || failed "IS_MINIFW" + /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \ + || failed "IS_MINIFW" fi if [ "$IS_NRPEPERMS" = 1 ]; then - test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || failed "IS_NRPEPERMS" + test -d /etc/nagios && ls -ld /etc/nagios | grep -q "drwxr-x---" \ + || failed "IS_NRPEPERMS" fi if [ "$IS_MINIFWPERMS" = 1 ]; then - ls -l "$MINIFW_FILE" | grep -q -- -rw------- || failed "IS_MINIFWPERMS" + ls -l "$MINIFW_FILE" | grep -q -- "-rw-------" \ + || failed "IS_MINIFWPERMS" fi if [ "$IS_NRPEDISKS" = 1 ]; then - NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) + NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS" fi if [ "$IS_NRPEPID" = 1 ]; then - is_debian_squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || failed "IS_NRPEPID") + if ! is_debian_squeeze; then + test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg \ + || failed "IS_NRPEPID" + fi fi if [ "$IS_GRSECPROCS" = 1 ]; then 
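Review bot: IS_MINIFWPERMS and IS_NRPEPERMS still compare modes by parsing `ls -l` output, and MINIFW_FILE is only assigned for the Lenny–Stretch codenames, so on any other Debian release the newly quoted `"$MINIFW_FILE"` expands to an empty string and `ls -l ""` fails for the wrong reason. Compare the numeric mode and guard the variable: `test -n "$MINIFW_FILE" && [ "$(stat -c %a "$MINIFW_FILE")" = "600" ] || failed "IS_MINIFWPERMS"`, and likewise `[ "$(stat -c %a /etc/nagios)" = "750" ]` for the NRPE directory. Note that the substring `-rw-------` also matches `-rw-------+`, i.e. a file with a POSIX ACL granting extra access, so if ACLs are in use a `getfacl` check is needed to catch that. The enclosing `if is_debian` block starts and ends outside the hunk.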
@@ -392,8 +429,15 @@ if is_debian; then fi if [ "$IS_APACHEMUNIN" = 1 ]; then - test -e /etc/apache2/apache2.conf && ( is_debian_stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || failed "IS_APACHEMUNIN" ) ) - test -e /etc/apache2/apache2.conf && ( is_debian_stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || failed "IS_APACHEMUNIN" ) ) + if is_debian_stretch; then + if test -e /etc/apache2/apache2.conf; then + ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || failed "IS_APACHEMUNIN" ) + fi + else + if test -e /etc/apache2/apache2.conf; then + ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || failed "IS_APACHEMUNIN" ) + fi + fi fi # Verification mytop + Munin si MySQL 
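Review bot: In the stretch branch of IS_APACHEMUNIN, `test -h /etc/munin/plugins/apache_accesses` appears twice in the `&&` chain, so only two distinct munin plugin links (apache_accesses and apache_processes) are actually verified. The duplicate was carried over from the removed line rather than introduced here, but since the whole block is being restructured this is the moment to fix it: presumably a third plugin link was intended, so replace the second occurrence with that plugin's name or drop it if only two links are expected. The enclosing `if is_debian; then` block continues outside the hunk.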
@@ -420,17 +464,22 @@ if is_debian; then test -e /proc/mdstat && grep -q md /proc/mdstat && \ ( grep -q "^AUTOCHECK=true" /etc/default/mdadm \ && grep -q "^START_DAEMON=true" /etc/default/mdadm \ - && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || failed "IS_RAIDSOFT") + && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf \ + || failed "IS_RAIDSOFT") fi # Verification du LogFormat de AWStats if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then - is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || failed "IS_AWSTATSLOGFORMAT" ) + if is_installed apache2.2-common; then + grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \ + || failed "IS_AWSTATSLOGFORMAT" + fi fi # Verification de la présence de la config logrotate pour Munin if [ "$IS_MUNINLOGROTATE" = 1 ]; then - ( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || failed "IS_MUNINLOGROTATE" + ( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) \ + || failed "IS_MUNINLOGROTATE" fi # Verification de la présence de metche 
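Review bot: The `grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf` step in IS_RAIDSOFT never detects the placeholder: `-v` selects every line that does not match, and `-q` succeeds as soon as one such line exists, which is true for any mdadm.conf with more than that single line. The negation belongs on the exit status, i.e. `&& ! grep -q "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf \`. The same `grep -qv` idiom appears later in this patch in IS_EVOMAINTENANCECONF, where it only works because a first grep narrows the input to the one matching line.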
@@ -440,13 +489,18 @@ if is_debian; then # Verification de l'activation de Squid dans le cas d'un pack mail if [ "$IS_SQUID" = 1 ]; then - squidconffile=/etc/squid*/squid.conf + squidconffile="/etc/squid*/squid.conf" is_debian_stretch && squidconffile=/etc/squid/evolinux-custom.conf - is_pack_web && ( is_installed squid || is_installed squid3 \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $(hostname -i) -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $(grep http_port $squidconffile | cut -f 2 -d " ")" $MINIFW_FILE || failed "IS_SQUID" ) + + if is_pack_web && (is_installed squid || is_installed squid3); then + host=$(hostname -i) + http_port=$(grep http_port $squidconffile | cut -f 2 -d " ") + grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" $MINIFW_FILE \ + || failed "IS_SQUID" + fi fi if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then 
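Review bot: `http_port=$(grep http_port $squidconffile | cut -f 2 -d " ")` in IS_SQUID is unanchored, so a commented `# http_port` line or a second directive yields a multi-line value that is then interpolated into the `grep -qE` regex, making the last check fail or match the wrong rule. Anchor the directive and take a single value: `http_port=$(grep -E "^http_port" $squidconffile | head -n 1 | cut -f 2 -d " ")`. Quoting `"$MINIFW_FILE"` in the four grep calls would also turn an unset variable into an explicit file error instead of a grep silently reading standard input.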
@@ -461,14 +515,19 @@ if is_debian; then # Verification de la conf et de l'activation de mod-deflate if [ "$IS_MODDEFLATE" = 1 ]; then f=/etc/apache2/mods-enabled/deflate.conf - is_installed apache2.2 && (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ - && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ - && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || failed "IS_MODDEFLATE") + if is_installed apache2.2; then + test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ + && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ + && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f \ + || failed "IS_MODDEFLATE" + fi fi # Verification de la conf log2mail if [ "$IS_LOG2MAILRUNNING" = 1 ]; then - is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING') + if is_pack_web && is_installed log2mail; then + pgrep log2mail >/dev/null || failed 'IS_LOG2MAILRUNNING' + fi fi if [ "$IS_LOG2MAILAPACHE" = 1 ]; then if is_debian_stretch; then 
@@ -476,21 +535,31 @@ if is_debian; then else conf=/etc/log2mail/config/default fi - is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null || failed "IS_LOG2MAILAPACHE" ) + if is_pack_web && is_installed log2mail; then + grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null \ + || failed "IS_LOG2MAILAPACHE" + fi fi if [ "$IS_LOG2MAILMYSQL" = 1 ]; then - is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null || failed "IS_LOG2MAILMYSQL" ) + if is_pack_web && is_installed log2mail; then + grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null \ + || failed "IS_LOG2MAILMYSQL" + fi fi if [ "$IS_LOG2MAILSQUID" = 1 ]; then - is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \ - /etc/log2mail/config/* 2>/dev/null || failed "IS_LOG2MAILSQUID" ) + if is_pack_web && is_installed log2mail; then + grep -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* 2>/dev/null \ + || failed "IS_LOG2MAILSQUID" + fi fi # Verification si bind est chroote if [ "$IS_BINDCHROOT" = 1 ]; then - if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then + if is_installed bind9 && netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then - if [ "$(md5sum /usr/sbin/named |cut -f 1 -d ' ')" != "$(md5sum /var/chroot-bind/usr/sbin/named |cut -f 1 -d ' ')" ]; then + md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') + md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') + if [ "$md5_original" != "$md5_chrooted" ]; then failed "IS_BINDCHROOT" fi else 
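Review bot: Comparing two `md5sum | cut` outputs in IS_BINDCHROOT is more machinery than an equality test of two local files needs; `if ! cmp -s /usr/sbin/named /var/chroot-bind/usr/sbin/named; then failed "IS_BINDCHROOT"; fi` expresses the same check without hashing and fails the same way when the chroot copy is missing. This is a style point only — the named variables are already clearer than the removed inline substitutions. The enclosing `if` chain continues outside the hunk.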
@@ -501,26 +570,35 @@ if is_debian; then # Verification de la présence du depot volatile if [ "$IS_REPVOLATILE" = 1 ]; then - is_debian_lenny && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || failed "IS_REPVOLATILE") - is_debian_squeeze && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || failed "IS_REPVOLATILE") + if is_debian_lenny; then + (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || failed "IS_REPVOLATILE") + fi + if is_debian_squeeze; then + (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || failed "IS_REPVOLATILE") + fi fi # /etc/network/interfaces should be present, we don't manage systemd-network yet if [ "$IS_NETWORK_INTERFACES" = 1 ]; then if ! test -f /etc/network/interfaces; then - failed "IS_NETWORK_INTERFACES" IS_AUTOIF=0 IS_INTERFACESGW=0 + failed "IS_NETWORK_INTERFACES" fi fi # Verify if all if are in auto if [ "$IS_AUTOIF" = 1 ]; then - is_debian_stretch || for interface in $(/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "); do - grep -q "^auto $interface" /etc/network/interfaces || (failed "IS_AUTOIF" && break) - done - is_debian_stretch && for interface in $(/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "); do - grep -q "^auto $interface" /etc/network/interfaces || (failed "IS_AUTOIF" && break) + if is_debian_stretch; then + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " ") + else + interfaces=$(/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " ") + fi + for interface in $interfaces; do + if ! grep -q "^auto $interface" /etc/network/interfaces; then + failed "IS_AUTOIF" + break + fi done fi 
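Review bot: `grep -q "^auto $interface" /etc/network/interfaces` in IS_AUTOIF is a prefix match, so an interface named `eth1` is satisfied by a line `auto eth10` and its missing stanza goes unreported. A word-bounded match such as `grep -qw "^auto .*$interface" /etc/network/interfaces` avoids that while still accepting several names on one `auto` line. Note also that the new plain `for` with `break` changes reporting: the removed `(failed "IS_AUTOIF" && break)` ran in a subshell, so its `break` never left the loop and `failed` was called once per missing interface, whereas the new loop stops at the first one.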
@@ -539,26 +617,32 @@ if is_debian; then # Verification de la presence du userlogrotate if [ "$IS_USERLOGROTATE" = 1 ]; then - is_pack_web && (test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE") + if is_pack_web; then + test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE" + fi fi # Verification de la syntaxe de la conf d'Apache if [ "$IS_APACHECTL" = 1 ]; then - is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || failed "IS_APACHECTL") + if is_installed apache2.2-common; then + /usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || failed "IS_APACHECTL" + fi fi # Check if there is regular files in Apache sites-enabled. if [ "$IS_APACHESYMLINK" = 1 ]; then - is_installed apache2.2-common && \ - (stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK") + if is_installed apache2.2-common; then + stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK" + fi fi # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). if [ "$IS_APACHEIPINALLOW" = 1 ]; then # Note: Replace "exit 1" by "print" in Perl code to debug it. - is_installed apache2.2-common && \ - (grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ |grep -iv "from all" |grep -iv "env=" |perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || failed "IS_APACHEIPINALLOW") + if is_installed apache2.2-common; then + grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ | grep -iv "from all" | grep -iv "env=" | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || failed "IS_APACHEIPINALLOW" + fi fi # Check if default Apache configuration file for munin is absent (or empty or commented). 
@@ -568,48 +652,71 @@ if is_debian; then else muninconf="/etc/apache2/conf-available/munin.conf" fi - is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && failed "IS_MUNINAPACHECONF") + if is_installed apache2.2-common; then + test -e $muninconf && grep -vEq "^( |\t)*#" $muninconf && failed "IS_MUNINAPACHECONF" + fi fi # Verification de la priorité du package samba si les backports sont utilisés if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then - is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" ") && test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" ) + if is_pack_samba; then + grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" ") && test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" ) + fi fi # Verification si le système doit redémarrer suite màj kernel. if [ "$IS_KERNELUPTODATE" = 1 ]; then - if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then - failed "IS_KERNELUPTODATE" + if is_installed linux-image*; then + kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6)" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ $kernel_installed_at -gt $last_reboot_at ]; then + failed "IS_KERNELUPTODATE" + fi fi fi # Check if the server is running for more than a year. if [ "$IS_UPTIME" = 1 ]; then - if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' 
/proc/uptime))) ]; then - failed "IS_UPTIME" + if is_installed linux-image*; then + limit=$(date -d "now - 2 year" +%s) + last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) + if [ $limit -gt $last_reboot_at ]; then + failed "IS_UPTIME" + fi fi fi # Check if munin-node running and RRD files are up to date. if [ "$IS_MUNINRUNNING" = 1 ]; then pgrep munin-node >/dev/null || failed "IS_MUNINRUNNING" - [ "$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ] && failed "IS_MUNINRUNNING" - grep -q "^graph_strategy cron" /etc/munin/munin.conf && ([ "$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ]) && failed "IS_MUNINRUNNING" + + limit=$(date +"%s" -d "now - 10 minutes") + updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) + [ $limit -gt $updated_at ] && failed "IS_MUNINRUNNING" + + updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) + grep -q "^graph_strategy cron" /etc/munin/munin.conf && [ $limit -gt $updated_at ] && failed "IS_MUNINRUNNING" fi # Check if files in /home/backup/ are up-to-date if [ "$IS_BACKUPUPTODATE" = 1 ]; then - [ -d /home/backup/ ] && for file in /home/backup/*; do - if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then - failed "IS_BACKUPUPTODATE" - break; - fi - done + if [ -d /home/backup/ ]; then + for file in /home/backup/*; do + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" $file) + if [ $limit -gt $updated_at ]; then + failed "IS_BACKUPUPTODATE" + break; + fi + done + fi fi # Check if /etc/.git/ has read/write permissions for root only. if [ "$IS_GITPERMS" = 1 ]; then - test -d /etc/.git && [ "$(stat -c "%a" /etc/.git/)" = "700" ] || failed "IS_GITPERMS" + if test -d /etc/.git; then + [ "$(stat -c "%a" /etc/.git/)" = "700" ] || failed "IS_GITPERMS" + fi fi # Check if no package has been upgraded since $limit. 
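Review bot: The rewrite of IS_BACKUPUPTODATE drops the `[ -f $file ]` guard that the removed lines had, so `stat -c "%Y"` now runs on directories under /home/backup/ and, when the directory is empty, on the literal `/home/backup/*`, which prints an error and leaves `updated_at` empty; `[ $limit -gt $updated_at ]` then exits with a usage error and the check silently passes. Restore the guard and hoist the invariant date call: `limit=$(date +"%s" -d "now - 2 day")` before the `for`, then `[ -f "$file" ] || continue` as the first statement of the body. IS_MUNINRUNNING has a related change: the `stat` on the load-day.png glob now runs unconditionally instead of only when `graph_strategy cron` is set, so hosts without that strategy get stat errors on stderr, and the same empty-operand behaviour applies to its two `[ $limit -gt $updated_at ]` comparisons — a `test -n "$updated_at"` guard would make that case a visible failure. The enclosing `if is_debian; then` block continues outside the hunk.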
@@ -625,7 +732,7 @@ if is_debian; then fi done if $upgraded; then - last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) + last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')") fi if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ || grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then @@ -673,14 +780,14 @@ if is_debian; then if [ "$IS_USERINADMGROUP" = 1 ]; then if is_debian_stretch; then - for user in $(grep ^evolinux-sudo: /etc/group |awk -F: '{print $4}' |tr ',' ' '); do + for user in $(grep "^evolinux-sudo:" /etc/group |awk -F: '{print $4}' |tr ',' ' '); do groups $user |grep -q adm || failed "IS_USERINADMGROUP" done fi fi if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then - if (test -d /etc/apache2 && is_debian_stretch); then + if is_debian_stretch && test -d /etc/apache2; then (test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ && test -f /etc/apache2/ipaddr_whitelist.conf) || failed "IS_APACHE2EVOLINUXCONF" @@ -693,7 +800,7 @@ if is_debian; then && failed "IS_BACKPORTSCONF" if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ - || failed "IS_BACKPORTSCONF" + || failed "IS_BACKPORTSCONF" fi fi fi 
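Review bot: `groups $user |grep -q adm || failed "IS_USERINADMGROUP"` (context line in the second hunk) is a substring match, so membership in any group whose name contains `adm` — a constructed example would be a custom `sysadmins` group — satisfies the check without the user being in `adm`. Use a whole-word match, `groups $user | grep -qw adm || failed "IS_USERINADMGROUP"`, or compare against the output of `id -Gn $user`. The enclosing `if is_debian; then` block starts and ends outside these hunks.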
@@ -712,29 +819,37 @@ if is_debian; then if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then if lspci | grep -q 'NetXtreme II'; then - (is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) || failed "IS_BROADCOMFIRMWARE" + (is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) \ + || failed "IS_BROADCOMFIRMWARE" fi fi if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then - lspci |grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) || failed "IS_HARDWARERAIDTOOL") - lspci |grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL") + lspci | grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) \ + || failed "IS_HARDWARERAIDTOOL") + lspci | grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status \ + || failed "IS_HARDWARERAIDTOOL") fi if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then if is_debian_stretch; then - (systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) || failed "IS_LOG2MAILSYSTEMDUNIT" + (systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! 
test -f /etc/init.d/log2mail) \ + || failed "IS_LOG2MAILSYSTEMDUNIT" fi fi if [ "$IS_LISTUPGRADE" = 1 ]; then - (test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) || failed "IS_LISTUPGRADE" + (test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) \ + || failed "IS_LISTUPGRADE" fi if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then - if is_debian_stretch && is_installed mariadb-server; then - (test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ - && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) || failed "IS_MARIADBEVOLINUXCONF" + if is_debian_stretch; then + if is_installed mariadb-server; then + (test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ + && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) \ + || failed "IS_MARIADBEVOLINUXCONF" + fi fi fi @@ -763,7 +878,9 @@ if is_debian; then for file in ${MONGO_BACKUP_PATH}/*/*.{json,bson}; do # Skip indexes file. if ! [[ "$file" =~ indexes ]]; then - if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" $file) + if [ -f $file ] && [ $limit -gt $updated_at ]; then failed "IS_MONGO_BACKUP" break fi @@ -801,7 +918,8 @@ if is_debian; then if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then if is_debian_stretch && is_installed mariadb-server; then - (systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) || failed "IS_MARIADBSYSTEMDUNIT" + (systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) \ + || failed "IS_MARIADBSYSTEMDUNIT" fi fi 
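Review bot: In IS_MONGO_BACKUP the new `updated_at=$(stat -c "%Y" $file)` runs before the `[ -f $file ]` test that used to guard it, so when the `${MONGO_BACKUP_PATH}/*/*.{json,bson}` glob has no match the literal pattern reaches stat and an error is printed for each unmatched alternative. Move the stat after the existence check and hoist the invariant `limit` out of the loop: `if [ -f "$file" ]; then updated_at=$(stat -c "%Y" "$file"); ... fi`. The `for` loop and its enclosing `if` start outside this hunk.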
@@ -825,16 +943,18 @@ if is_debian; then if [ "$IS_MYSQLNRPE" = 1 ]; then if is_debian_stretch && is_installed mariadb-server; then (test -f ~nagios/.my.cnf \ - && [ $(stat -c %U ~nagios/.my.cnf) = "nagios" ] \ - && [ $(stat -c %a ~nagios/.my.cnf) = "600" ] \ - && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") || failed "IS_MYSQLNRPE" + && [ "$(stat -c %U ~nagios/.my.cnf)" = "nagios" ] \ + && [ "$(stat -c %a ~nagios/.my.cnf)" = "600" ] \ + && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") \ + || failed "IS_MYSQLNRPE" fi fi if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then if is_debian_stretch && is_installed php; then (test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ - && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) || failed "IS_PHPEVOLINUXCONF" + && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) \ + || failed "IS_PHPEVOLINUXCONF" fi fi @@ -852,15 +972,18 @@ if is_debian; then && test -f /etc/squid/evolinux-whitelist-custom.conf \ && test -f /etc/squid/evolinux-acl.conf \ && test -f /etc/squid/evolinux-httpaccess.conf \ - && test -f /etc/squid/evolinux-custom.conf) || failed "IS_SQUIDEVOLINUXCONF" + && test -f /etc/squid/evolinux-custom.conf) \ + || failed "IS_SQUIDEVOLINUXCONF" fi fi if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then # Do it only if thereis blkid binary - if [ -x "$(which blkid)" ]; then + BLKID_BIN=$(command -v blkid) + if [ -x "$BLKID_BIN" ]; then tmpFile=$(mktemp -p /tmp) - parts=$(blkid | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART \ + | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) for part in $parts; do echo "$part" >> "$tmpFile" done 
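Review bot: The last step of the IS_MYSQLNRPE chain, `grep -q -F "command[check_mysql]=... -f ~nagios/.my.cnf"`, has no file operand, so grep reads standard input: under cron that is typically /dev/null and the check always fails, while interactively it blocks waiting for input. Presumably the NRPE configuration is meant — `/etc/nagios/nrpe.cfg`, the file the IS_NRPEPID check reads — so append that path to the grep call. The enclosing `if is_debian; then` block continues outside the hunk.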
@@ -892,7 +1015,8 @@ if is_debian; then fi if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then - if [ -x "$(which evoacme)" ]; then + EVOACME_BIN=$(command -v evoacme) + if [ -x "$EVOACME_BIN" ]; then # Sometimes evoacme is installed but no certificates has been generated numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) if [ $numberOfLinks -gt 0 ]; then @@ -929,7 +1053,8 @@ if is_debian; then # /sys/devices/system/cpu/vulnerabilities/ if is_debian_stretch; then for vuln in meltdown spectre_v1 spectre_v2; do - test -f /sys/devices/system/cpu/vulnerabilities/$vuln || failed "IS_MELTDOWN_SPECTRE" + test -f /sys/devices/system/cpu/vulnerabilities/$vuln \ + || failed "IS_MELTDOWN_SPECTRE" done # For Jessie this is quite complicated to verify and we need to use kernel config file elif is_debian_jessie; then @@ -939,8 +1064,10 @@ if is_debian; then kernelConfig="config-${kernelVer}" # Sometimes autodetection of kernel config file fail, so we test if the file really exists. if [ -f /boot/$kernelConfig ]; then - grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || failed "IS_MELTDOWN_SPECTRE" - grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || failed "IS_MELTDOWN_SPECTRE" + grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig \ + || failed "IS_MELTDOWN_SPECTRE" + grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig \ + || failed "IS_MELTDOWN_SPECTRE" fi fi fi @@ -980,7 +1107,8 @@ if is_openbsd; then fi if [ "$IS_PKGMIRROR" = 1 ]; then - grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || failed "IS_PKGMIRROR" + grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \ + || failed "IS_PKGMIRROR" fi if [ "$IS_HISTORY" = 1 ]; then @@ -993,7 +1121,7 @@ if is_openbsd; then fi if [ "$IS_VIM" = 1 ]; then - which vim 2>1 >> /dev/null || failed "IS_VIM" + command -v vim > /dev/null 2>&1 || failed "IS_VIM" fi if [ "$IS_TTYC0SECURE" = 1 ]; then 
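Review bot: The stretch branch of IS_MELTDOWN_SPECTRE only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, and in practice any kernel that exposes that sysfs directory creates the file whether or not the CPU is mitigated; the file content (`Vulnerable` versus `Mitigation: ...` or `Not affected`) carries the verdict. Read it in addition to the existence test: `grep -qs "^Vulnerable" /sys/devices/system/cpu/vulnerabilities/$vuln && failed "IS_MELTDOWN_SPECTRE"`. The `-f` test itself remains useful, since an absent file means the running kernel predates the reporting interface.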
@@ -1026,7 +1154,7 @@ if is_openbsd; then fi # if [ "$IS_NRPEDISKS" = 1 ]; then -# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) +# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) # DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) # [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS" # fi @@ -1038,11 +1166,13 @@ if is_openbsd; then # fi if [ "$IS_NRPEDAEMON" = 1 ]; then - grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || failed "IS_NREPEDAEMON" + grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \ + || failed "IS_NREPEDAEMON" fi if [ "$IS_ALERTBOOT" = 1 ]; then - grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || failed "IS_ALERTBOOT" + grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \ + || failed "IS_ALERTBOOT" fi if [ "$IS_RSYNC" = 1 ]; then @@ -1050,7 +1180,8 @@ if is_openbsd; then fi if [ "$IS_CRONPATH" = 1 ]; then - grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || failed "IS_CRONPATH" + grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \ + || failed "IS_CRONPATH" fi #TODO 
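Review bot: The IS_NRPEDAEMON check still reports `failed "IS_NREPEDAEMON"` (N-R-E-P-E), so its output name does not match the `IS_NRPEDAEMON` variable that gates it and anyone grepping the report for the check name will not find it. The hunk only re-wraps that line, so this is the moment to fix the typo: `|| failed "IS_NRPEDAEMON"`. The `echo -n` string being grepped from /etc/rc.local is a fixed literal, so the quoting there is fine.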
@@ -1059,33 +1190,32 @@ if is_openbsd; then fi if [ "$IS_TMP_1777" = 1 ]; then - ls -ld /tmp | grep -q drwxrwxrwt || failed "IS_TMP_1777" + ls -ld /tmp | grep -q "drwxrwxrwt" || failed "IS_TMP_1777" fi if [ "$IS_ROOT_0700" = 1 ]; then - ls -ld /root | grep -q drwx------ || failed "IS_ROOT_0700" + ls -ld /root | grep -q "drwx------" || failed "IS_ROOT_0700" fi if [ "$IS_USRSHARESCRIPTS" = 1 ]; then - ls -ld /usr/share/scripts | grep -q drwx------ || failed "IS_USRSHARESCRIPTS" + ls -ld /usr/share/scripts | grep -q "drwx------" || failed "IS_USRSHARESCRIPTS" fi if [ "$IS_SSHPERMITROOTNO" = 1 ]; then - is_debian_stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" ) - is_debian_stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" ) + if is_debian_stretch; then + grep -q ^PermitRoot /etc/ssh/sshd_config && grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ + || failed "IS_SSHPERMITROOTNO" + else + grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" + fi fi if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then # Can be changed in evocheck.cf homeDir=${homeDir:-/home} - if ! is_debian_stretch; then - if [ -f /etc/sudoers.d/evolinux ]; then - sudoers="/etc/sudoers.d/evolinux" - else - sudoers="/etc/sudoers" - fi - for i in $( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep ^sudo /etc/group |cut -d: -f 4) | tr "," "\n" |sort -u); do - grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile + if is_debian_stretch; then + for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do + grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/$i/.*profile if [ $? != 0 ]; then failed "IS_EVOMAINTENANCEUSERS" if [ "$VERBOSE" = 1 ]; then 
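Review bot: The IS_SSHPERMITROOTNO pattern `grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config` is unanchored, so a commented default such as `#PermitRootLogin no` or a line `PermitRootLogin yes # no exceptions` satisfies it while root login is actually allowed; PATCH 08 later in this series quotes `^PermitRoot` but keeps this pattern. Match only an active directive, e.g. `grep -Eqi "^[[:space:]]*PermitRootLogin[[:space:]]+no" /etc/ssh/sshd_config`, and decide explicitly whether `prohibit-password` should also pass. The stretch branch also changes behaviour: the removed `is_debian_stretch && grep -q ^PermitRoot ... && ( ... || failed )` only ran the value check when the directive existed, whereas the new `grep -q ^PermitRoot ... && grep ... || failed` reports a failure when it is absent; if that tightening is intended it belongs in the commit message, whose subject only mentions release detection.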
@@ -1096,8 +1226,14 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then fi done else - for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do - grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/$i/.*profile + if [ -f /etc/sudoers.d/evolinux ]; then + sudoers="/etc/sudoers.d/evolinux" + else + sudoers="/etc/sudoers" + fi + users=$( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4) | tr "," "\n" | sort -u) + for i in $users; do + grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile if [ $? != 0 ]; then failed "IS_EVOMAINTENANCEUSERS" if [ "$VERBOSE" = 1 ]; then 
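Review bot: `grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile` followed by `if [ $? != 0 ]; then` tests the status one statement later; the direct form `if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${homeDir}/${i}"/.*profile; then` is shorter, keeps the glob unquoted where it must be, and avoids the `$?` indirection — the same applies to the stretch branch in the previous hunk. Splitting the `users=$(...)` pipeline into a variable is otherwise a clear improvement over the inline `for` list. The loop body continues outside this hunk.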
@@ -1113,23 +1249,25 @@ fi # Verification de la configuration d'evomaintenance if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then f=/etc/evomaintenance.cf + perms=$(stat -c "%a" $f) ( test -e $f \ - && test $(stat -c "%a" $f) = "600" \ - && grep "^export PGPASSWORD" $f |grep -qv "your-passwd" \ - && grep "^PGDB" $f |grep -qv "your-db" \ - && grep "^PGTABLE" $f |grep -qv "your-table" \ - && grep "^PGHOST" $f |grep -qv "your-pg-host" \ - && grep "^FROM" $f |grep -qv "jdoe@example.com" \ - && grep "^FULLFROM" $f |grep -qv "John Doe " \ - && grep "^URGENCYFROM" $f |grep -qv "mama.doe@example.com" \ - && grep "^URGENCYTEL" $f |grep -qv "06.00.00.00.00" \ - && grep "^REALM" $f |grep -qv "example.com" ) || failed "IS_EVOMAINTENANCECONF" + && test "$perms" = "600" \ + && grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ + && grep "^PGDB" $f | grep -qv "your-db" \ + && grep "^PGTABLE" $f | grep -qv "your-table" \ + && grep "^PGHOST" $f | grep -qv "your-pg-host" \ + && grep "^FROM" $f | grep -qv "jdoe@example.com" \ + && grep "^FULLFROM" $f | grep -qv "John Doe " \ + && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ + && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ + && grep "^REALM" $f | grep -qv "example.com" ) \ + || failed "IS_EVOMAINTENANCECONF" fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then for f in /etc/ssl/private/*; do perms=$(stat -L -c "%a" $f) - if [ ${perms: -1} != "0" ]; then + if [ "${perms: -1}" != "0" ]; then failed "IS_PRIVKEYWOLRDREADABLE" break fi From 00311e8f0e83574b3638cbea07c7cd5ad270bfb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 23:43:42 +0100 Subject: [PATCH 08/85] quote --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 0ea7519..cad2fb6 100755 --- a/evocheck.sh +++ b/evocheck.sh 
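Review bot: `perms=$(stat -c "%a" $f)` in IS_EVOMAINTENANCECONF is now evaluated before `test -e $f`, so on a host without /etc/evomaintenance.cf stat prints an error to stderr on every run, where the removed inline substitution only ran after the existence test. Either keep the substitution inside the chain or guard it: `perms=$(stat -c "%a" $f 2>/dev/null)`. This check reads a file that carries `PGPASSWORD`; it only greps for placeholders and never prints the value, which is the right shape to preserve if the check is extended.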
@@ -1203,7 +1203,7 @@ fi if [ "$IS_SSHPERMITROOTNO" = 1 ]; then if is_debian_stretch; then - grep -q ^PermitRoot /etc/ssh/sshd_config && grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ + grep -q "^PermitRoot" /etc/ssh/sshd_config && grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ || failed "IS_SSHPERMITROOTNO" else grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" From 38b0342d0c05704820277f8a7db86ded6eecc1df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 23:44:18 +0100 Subject: [PATCH 09/85] use `stat` instead of `ls -l | grep` --- evocheck.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index cad2fb6..e8ff9c6 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1190,15 +1190,21 @@ if is_openbsd; then fi if [ "$IS_TMP_1777" = 1 ]; then - ls -ld /tmp | grep -q "drwxrwxrwt" || failed "IS_TMP_1777" + actual=$(stat --format "%A" /tmp) + expected="drwxrwxrwt" + test "$expected" = "$actual" || failed "IS_TMP_1777" fi if [ "$IS_ROOT_0700" = 1 ]; then - ls -ld /root | grep -q "drwx------" || failed "IS_ROOT_0700" + actual=$(stat --format "%A" /root) + expected="drwx------" + test "$expected" = "$actual" || failed "IS_ROOT_0700" fi if [ "$IS_USRSHARESCRIPTS" = 1 ]; then - ls -ld /usr/share/scripts | grep -q "drwx------" || failed "IS_USRSHARESCRIPTS" + actual=$(stat --format "%A" /usr/share/scripts) + expected="drwx------" + test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" fi if [ "$IS_SSHPERMITROOTNO" = 1 ]; then From 830db4743cf17e4abe706ff845218603c7786aca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 23:46:21 +0100 Subject: [PATCH 10/85] more quotes --- evocheck.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index e8ff9c6..80fcb0f 100755 --- a/evocheck.sh +++ b/evocheck.sh 
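Review bot: `stat --format "%A"` is a GNU coreutils option; the hunk context (`if is_openbsd; then` in the header and the `is_debian_stretch` branching right after) suggests IS_TMP_1777, IS_ROOT_0700 and IS_USRSHARESCRIPTS also run on OpenBSD hosts, where stat(1) takes `-f` with a different format language and rejects `--format`, leaving `actual` empty and the three checks always failing. The `ls -ld | grep` form being replaced worked on both systems. If these checks must stay portable, branch on `is_debian` before using the GNU form or keep the ls-based test for the OpenBSD path; PATCH 14 later applies the same `stat --format` change to IS_NRPEPERMS and IS_MINIFWPERMS, though those sit inside the `is_debian` block.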
@@ -1058,7 +1058,7 @@ if is_debian; then done # For Jessie this is quite complicated to verify and we need to use kernel config file elif is_debian_jessie; then - if grep -q BOOT_IMAGE= /proc/cmdline; then + if grep -q "BOOT_IMAGE=" /proc/cmdline; then kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) kernelVer=${kernelPath##*/vmlinuz-} kernelConfig="config-${kernelVer}" @@ -1076,8 +1076,8 @@ if is_debian; then if [ "$IS_OLD_HOME_DIR" = 1 ]; then for dir in /home/*; do statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ - | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ - | grep UNKNOWN) + | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ + | grep "UNKNOWN") # There is at least one dir matching if [[ -n "$statResult" ]]; then failed "IS_OLD_HOME_DIR" @@ -1129,11 +1129,11 @@ if is_openbsd; then fi if [ "$IS_CUSTOMSYSLOG" = 1 ]; then - grep -q Evolix /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" + grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" fi if [ "$IS_NOINETD" = 1 ]; then - grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD" + grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD" fi if [ "$IS_SUDOMAINT" = 1 ]; then From ae12b37c7fe88b9b7cf4c164b5ad6d3e857fcd44 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 21 Mar 2019 23:52:18 +0100 Subject: [PATCH 11/85] add verbose comments for IS_BACKPORTSCONF --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 80fcb0f..2ed4d2e 100755 --- a/evocheck.sh +++ b/evocheck.sh 
@@ -797,10 +797,10 @@ if is_debian; then
 if [ "$IS_BACKPORTSCONF" = 1 ]; then
 if is_debian_stretch; then
 grep -qsE "^[^#].*backports" /etc/apt/sources.list \
- && failed "IS_BACKPORTSCONF"
+ && failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
 if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
 grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
- || failed "IS_BACKPORTSCONF"
+ || failed "IS_BACKPORTSCONF" "backports must have preferences"
 fi
 fi
 fi
From 0fc9d0921e0418e58539e075785dded7cbbe92b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Thu, 21 Mar 2019 23:56:12 +0100
Subject: [PATCH 12/85] grep can count occurrences too
---
 evocheck.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/evocheck.sh b/evocheck.sh
index 2ed4d2e..30c7e85 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -372,7 +372,8 @@ if is_debian; then
 fi
 if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
- grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && failed "IS_CUSTOMCRONTAB"
+ found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab)
+ test "$found_lines" = "4" && failed "IS_CUSTOMCRONTAB"
 fi
 if [ "$IS_SSHALLOWUSERS" = 1 ]; then
From 057cb7026ad9cd8e51af82aa5120b756cebdea84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Thu, 21 Mar 2019 23:56:21 +0100
Subject: [PATCH 13/85] even more quotes
---
 evocheck.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/evocheck.sh b/evocheck.sh
index 30c7e85..0fabae7 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -389,11 +389,11 @@ if is_debian; then
 fi
 if [ "$IS_ALERT5BOOT" = 1 ]; then
- grep -q ^date /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT"
+ grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT"
 fi
 if [ "$IS_ALERT5MINIFW" = 1 ]; then
- grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 \
+ grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
 || failed "IS_ALERT5MINIFW"
 fi
@@ -426,7 +426,7 @@ if is_debian; then
 fi
 if [ "$IS_GRSECPROCS" = 1 ]; then
- uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || failed "IS_GRSECPROCS" )
+ uname -a | grep -q grsec && ( grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || failed "IS_GRSECPROCS" )
 fi
 if [ "$IS_APACHEMUNIN" = 1 ]; then
@@ -774,7 +774,7 @@ if is_debian; then
 if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then
 if is_debian_stretch; then
- (grep -q ^evolinux-sudo: /etc/group \
+ (grep -q "^evolinux-sudo:" /etc/group \
 && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || failed "IS_EVOLINUXSUDOGROUP"
 fi
 fi
From 9dcdd8202e9285880b0bf1f1ac78bc84353c6615 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Fri, 22 Mar 2019 00:00:49 +0100
Subject: [PATCH 14/85] more permissions check with `stat`
---
 evocheck.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/evocheck.sh b/evocheck.sh
index 0fabae7..6766c6e 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -403,13 +403,17 @@ if is_debian; then
 fi
 if [ "$IS_NRPEPERMS" = 1 ]; then
- test -d /etc/nagios && ls -ld /etc/nagios | grep -q "drwxr-x---" \
- || failed "IS_NRPEPERMS"
+ if test -d /etc/nagios; then
+ actual=$(stat --format "%A" /etc/nagios)
+ expected="drwxr-x---"
+ test "$expected" = "$actual" || failed "IS_NRPEPERMS"
+ fi
 fi
 if [ "$IS_MINIFWPERMS" = 1 ]; then
- ls -l "$MINIFW_FILE" | grep -q -- "-rw-------" \
- || failed "IS_MINIFWPERMS"
+ actual=$(stat --format "%A" $MINIFW_FILE)
+ expected="-rw-------"
+ test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
 fi
 if [ "$IS_NRPEDISKS" = 1 ]; then
From 3e14210a0b7671ea816da5821e649ecf620d75fe Mon Sep 17 00:00:00 2001
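Review bot: `actual=$(stat --format "%A" $MINIFW_FILE)` drops the quotes that the removed `ls -l "$MINIFW_FILE"` had, and `MINIFW_FILE` is only assigned for squeeze through stretch by the `is_debian_*` lines near the top of the file, so on any other release `stat` runs with no operand, prints a usage error to stderr, and the empty `actual` makes IS_MINIFWPERMS fail for a file that simply does not exist. Mirror the IS_NRPEPERMS branch added just above: `if test -f "$MINIFW_FILE"; then actual=$(stat --format "%A" "$MINIFW_FILE"); ...; fi`. Since this file is the firewall ruleset whose `-rw-------` mode is being enforced, an absent file is worth its own message, e.g. `failed "IS_MINIFWPERMS" "$MINIFW_FILE not found"`.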
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 00:00:57 +0100 Subject: [PATCH 15/85] extract if --- evocheck.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 6766c6e..8bafc17 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -430,7 +430,9 @@ if is_debian; then fi if [ "$IS_GRSECPROCS" = 1 ]; then - uname -a | grep -q grsec && ( grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || failed "IS_GRSECPROCS" ) + if uname -a | grep -q grsec; then + grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || failed "IS_GRSECPROCS" + fi fi if [ "$IS_APACHEMUNIN" = 1 ]; then From 99ddd1a05ca8e098a08652ac0e218ac4dd52f0e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 00:02:51 +0100 Subject: [PATCH 16/85] better test ordering --- evocheck.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 8bafc17..7718e58 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -256,13 +256,11 @@ if is_debian; then # Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) if [ "$IS_NRPEPOSTFIX" = 1 ]; then - if is_debian_squeeze; then - if is_installed postfix; then + if is_installed postfix; then + if is_debian_squeeze; then grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \ || failed "IS_NRPEPOSTFIX" - fi - else - if is_installed postfix; then + else test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* \ || failed "IS_NRPEPOSTFIX" fi From 367756d6b2fbed2325012812f71fbc4a1e817051 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 00:04:01 +0100 Subject: [PATCH 17/85] variables extraction --- evocheck.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 7718e58..f197365 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -229,7 +229,10 @@ if is_debian; then if [ "$IS_LSBRELEASE" = "1" ]; then test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" - test "$(${LSB_RELEASE_BIN} --release --short)" = "$(cat /etc/debian_version)" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" + + lhs=$(${LSB_RELEASE_BIN} --release --short) + rhs=$(cat /etc/debian_version) + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" fi if [ "$IS_DPKGWARNING" = 1 ]; then @@ -720,7 +723,9 @@ if is_debian; then # Check if /etc/.git/ has read/write permissions for root only. if [ "$IS_GITPERMS" = 1 ]; then if test -d /etc/.git; then - [ "$(stat -c "%a" /etc/.git/)" = "700" ] || failed "IS_GITPERMS" + expected="700" + actual=$(stat -c "%a" /etc/.git/) + [ "$expected" = "$actual" ] || failed "IS_GITPERMS" fi fi From 419ecbc10f998193ae595d098f8f903b65eab3a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 00:30:44 +0100 Subject: [PATCH 18/85] fix conditions grouping --- evocheck.sh | 65 +++++++++++++++++++++++++++++++++-------------------- 1 file changed, 41 insertions(+), 24 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index f197365..89d5798 100755 --- a/evocheck.sh +++ b/evocheck.sh 
@@ -439,11 +439,18 @@ if is_debian; then if [ "$IS_APACHEMUNIN" = 1 ]; then if is_debian_stretch; then if test -e /etc/apache2/apache2.conf; then - ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || failed "IS_APACHEMUNIN" ) + (test -h /etc/apache2/mods-enabled/status.load \ + && test -h /etc/munin/plugins/apache_accesses \ + && test -h /etc/munin/plugins/apache_processes \ + && test -h /etc/munin/plugins/apache_volume) \ + || failed "IS_APACHEMUNIN" "mising munin plugins for Apache" fi else if test -e /etc/apache2/apache2.conf; then - ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || failed "IS_APACHEMUNIN" ) + (grep --quiet --no-messages --extended-regexp "^env.url.*/server-status-[[:alnum:]]{4,}" /etc/munin/plugin-conf.d/munin-node \ + && (grep --quiet --no-messages --extended-regexp "/server-status-[[:alnum:]]{4,}" /etc/apache2/apache2.conf \ + || grep --quiet --no-messages --extended-regexp "/server-status-[[:alnum:]]{4,}" /etc/apache2/mods-enabled/status.conf)) \ + || failed "IS_APACHEMUNIN" "server status is not properly configured" fi fi fi 
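Review bot: The failure message added on the stretch branch misspells "missing" (`"mising munin plugins for Apache"`), and the other branch quietly widens the regex from `[[:alnum:]]{4}` to `[[:alnum:]]{4,}` although the commit title only promises regrouping; if the wider match is intended it should be named in the message. The regrouping also changes the outcome: the removed `A && B || C || failed` passed whenever the server-status pattern appeared in an Apache file even with no munin `env.url` entry, whereas the new form requires the munin entry and one of the Apache files, which looks like the intended semantics but deserves a comment such as `# the munin env.url and the Apache server-status location must both be present`. The three `fi` lines close blocks that open outside the hunk.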
@@ -469,11 +476,12 @@ if is_debian; then # Verification de la configuration du raid soft (mdadm) if [ "$IS_RAIDSOFT" = 1 ]; then - test -e /proc/mdstat && grep -q md /proc/mdstat && \ - ( grep -q "^AUTOCHECK=true" /etc/default/mdadm \ - && grep -q "^START_DAEMON=true" /etc/default/mdadm \ - && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf \ - || failed "IS_RAIDSOFT") + if test -e /proc/mdstat && grep -q md /proc/mdstat; then + (grep -q "^AUTOCHECK=true" /etc/default/mdadm \ + && grep -q "^START_DAEMON=true" /etc/default/mdadm \ + && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf) \ + || failed "IS_RAIDSOFT" + fi fi # Verification du LogFormat de AWStats @@ -486,7 +494,7 @@ if is_debian; then # Verification de la présence de la config logrotate pour Munin if [ "$IS_MUNINLOGROTATE" = 1 ]; then - ( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) \ + (test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin) \ || failed "IS_MUNINLOGROTATE" fi @@ -503,10 +511,10 @@ if is_debian; then if is_pack_web && (is_installed squid || is_installed squid3); then host=$(hostname -i) http_port=$(grep http_port $squidconffile | cut -f 2 -d " ") - grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ + (grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" $MINIFW_FILE \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" $MINIFW_FILE \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" $MINIFW_FILE) \ || failed "IS_SQUID" fi fi 
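Review bot: In the IS_SQUID group, `$host` and `$http_port` are interpolated unescaped into `grep -qE` patterns: the dots of the `hostname -i` output match any character, and when `hostname -i` returns several addresses (several interfaces, or IPv6 alongside IPv4) the pattern holds a space-separated list that can never match a rule, so the check reports failed on a correctly configured host; `$http_port` has the same problem if `grep http_port $squidconffile` matches more than one line. Escape the address before use, e.g. `host_re=$(printf '%s' "$host" | sed 's/\./\\./g')`, and take a single value (`hostname -i | cut -d' ' -f1`, `grep -m1 ...`). The grouping itself is fine; the `if is_pack_web` block these lines belong to starts outside the hunk.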
@@ -524,9 +532,9 @@ if is_debian; then if [ "$IS_MODDEFLATE" = 1 ]; then f=/etc/apache2/mods-enabled/deflate.conf if is_installed apache2.2; then - test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ + (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ - && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f \ + && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f) \ || failed "IS_MODDEFLATE" fi fi @@ -634,7 +642,7 @@ if is_debian; then # Verification de la syntaxe de la conf d'Apache if [ "$IS_APACHECTL" = 1 ]; then if is_installed apache2.2-common; then - /usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || failed "IS_APACHECTL" + /usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL" fi fi @@ -649,7 +657,8 @@ if is_debian; then if [ "$IS_APACHEIPINALLOW" = 1 ]; then # Note: Replace "exit 1" by "print" in Perl code to debug it. if is_installed apache2.2-common; then - grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ | grep -iv "from all" | grep -iv "env=" | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || failed "IS_APACHEIPINALLOW" + (grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ | grep -iv "from all" | grep -iv "env=" | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)') \ + || failed "IS_APACHEIPINALLOW" fi fi 
@@ -784,14 +793,15 @@ if is_debian; then if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then if is_debian_stretch; then (grep -q "^evolinux-sudo:" /etc/group \ - && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || failed "IS_EVOLINUXSUDOGROUP" + && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) \ + || failed "IS_EVOLINUXSUDOGROUP" fi fi if [ "$IS_USERINADMGROUP" = 1 ]; then if is_debian_stretch; then for user in $(grep "^evolinux-sudo:" /etc/group |awk -F: '{print $4}' |tr ',' ' '); do - groups $user |grep -q adm || failed "IS_USERINADMGROUP" + groups $user | grep -q adm || failed "IS_USERINADMGROUP" done fi fi @@ -800,7 +810,8 @@ if is_debian; then if is_debian_stretch && test -d /etc/apache2; then (test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ - && test -f /etc/apache2/ipaddr_whitelist.conf) || failed "IS_APACHE2EVOLINUXCONF" + && test -f /etc/apache2/ipaddr_whitelist.conf) \ + || failed "IS_APACHE2EVOLINUXCONF" fi fi @@ -817,7 +828,8 @@ if is_debian; then if [ "$IS_BIND9MUNIN" = 1 ]; then if is_debian_stretch && is_installed bind9; then - (test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) || failed "IS_BIND9MUNIN" + (test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) \ + || failed "IS_BIND9MUNIN" fi fi 
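Review bot: `groups $user | grep -q adm` in the IS_USERINADMGROUP loop is a substring match, so membership in `lpadmin`, `admin` or any other group whose name contains `adm` satisfies a check meant to verify membership in the `adm` group specifically; use a word match and quote the name, `groups "$user" | grep -qw adm`. The user list is built with `for user in $(grep "^evolinux-sudo:" /etc/group |awk -F: '{print $4}' |tr ',' ' ')`, which is acceptable for /etc/group data, but the same `| grep -q` spacing fix applied here would read better applied to that line too. The `if is_debian_stretch` that wraps the loop is closed within the hunk.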
@@ -835,10 +847,14 @@ if is_debian; then fi if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then - lspci | grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) \ - || failed "IS_HARDWARERAIDTOOL") - lspci | grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status \ - || failed "IS_HARDWARERAIDTOOL") + if lspci | grep -q 'MegaRAID SAS'; then + is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) \ + || failed "IS_HARDWARERAIDTOOL" + fi + if lspci | grep -q 'Hewlett-Packard Company Smart Array'; then + is_installed cciss-vol-status \ + || failed "IS_HARDWARERAIDTOOL" + fi fi if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then @@ -1219,8 +1235,9 @@ fi if [ "$IS_SSHPERMITROOTNO" = 1 ]; then if is_debian_stretch; then - grep -q "^PermitRoot" /etc/ssh/sshd_config && grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \ - || failed "IS_SSHPERMITROOTNO" + if grep -q "^PermitRoot" /etc/ssh/sshd_config; then + grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" + fi else grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" fi From e525141ae4448338d094033465a88bf7e52f4c27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 00:31:11 +0100 Subject: [PATCH 19/85] move VERBOSE block to log comment --- evocheck.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 89d5798..b6f3a13 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1017,11 +1017,7 @@ if is_debian; then # If there is no duplicate, uniq will have no output # So, if $tmpOutput is not null, there is a duplicate if [ -n "$tmpOutput" ]; then - failed "IS_DUPLICATE_FS_LABEL" - if [ "$VERBOSE" = 1 ]; then - echo "Duplicate labels:" - echo -e "$tmpOutput\n" - fi + failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $tmpOutput" fi rm $tmpFile fi 
From c3b4efd71e5f8a9701671520996fe8df5b454a9a Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 22 Mar 2019 14:06:46 +0100 Subject: [PATCH 20/85] fix debian version detection for IS_LSBRELEASE --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index b6f3a13..9756d83 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -230,8 +230,8 @@ if is_debian; then if [ "$IS_LSBRELEASE" = "1" ]; then test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" - lhs=$(${LSB_RELEASE_BIN} --release --short) - rhs=$(cat /etc/debian_version) + lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) + rhs=$(cat /etc/debian_version | cut -d "." -f 1) test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" fi From 2ad82591f3312ad757cdfb501c9257a7754e6925 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 22 Mar 2019 14:07:47 +0100 Subject: [PATCH 21/85] test if it's a file, to ignore directories --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 9756d83..03df65d 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -721,8 +721,8 @@ if is_debian; then for file in /home/backup/*; do limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" $file) - if [ $limit -gt $updated_at ]; then - failed "IS_BACKUPUPTODATE" + if [ -f "$file" ] && [ $limit -gt $updated_at ]; then + failed "IS_BACKUPUPTODATE" "$file has not been backed up" break; fi done From 9b31ab030ed93b4b356d213105e3c78fde6ce094 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 22 Mar 2019 14:08:31 +0100 Subject: [PATCH 22/85] fix "is_debian_lenny" --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 03df65d..ed93474 100755 --- a/evocheck.sh +++ b/evocheck.sh 
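Review bot: `updated_at=$(stat -c "%Y" $file)` still runs before the new `[ -f "$file" ]` test, so for a directory entry the stat is wasted and, when /home/backup is empty, `$file` is the literal unexpanded `/home/backup/*` and `stat` writes an error to stderr on every run; make `[ -f "$file" ] || continue` the first statement of the loop and quote `$file` in the stat call. `limit=$(date +"%s" -d "now - 2 day")` is loop-invariant and can be hoisted above the `for`. The `for` line and the `fi` closing IS_BACKUPUPTODATE are outside the hunk.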
@@ -191,7 +191,7 @@ is_debian() { test -n "${DEBIAN_RELEASE}" } is_debian_lenny() { - test "${DEBIAN_VERSION}" = "lenny" + test "${DEBIAN_RELEASE}" = "lenny" } is_debian_squeeze() { test "${DEBIAN_RELEASE}" = "squeeze" From 366fc03237ec8fcd7892e9b9b78495c384f552ff Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 22 Mar 2019 14:08:46 +0100 Subject: [PATCH 23/85] print duplicate labels on a single line --- evocheck.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index ed93474..2f77cc2 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1017,7 +1017,8 @@ if is_debian; then # If there is no duplicate, uniq will have no output # So, if $tmpOutput is not null, there is a duplicate if [ -n "$tmpOutput" ]; then - failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $tmpOutput" + labels=$(echo -n $tmpOutput | tr '\n' ' ') + failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" fi rm $tmpFile fi From 3353096ebedfbd9909d376ce7875aca28549619d Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 22 Mar 2019 14:09:09 +0100 Subject: [PATCH 24/85] don't use a sub shell for IS_REPVOLATILE --- evocheck.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 2f77cc2..2916db9 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -587,10 +587,12 @@ if is_debian; then # Verification de la présence du depot volatile if [ "$IS_REPVOLATILE" = 1 ]; then if is_debian_lenny; then - (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || failed "IS_REPVOLATILE") + grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \ + || failed "IS_REPVOLATILE" fi if is_debian_squeeze; then - (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || failed "IS_REPVOLATILE") + grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \ + || failed "IS_REPVOLATILE" fi fi From d51c64d410708449778a5f5de3198287f1c51882 Mon Sep 17 00:00:00 2001 
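Review bot: `labels=$(echo -n $tmpOutput | tr '\n' ' ')` leaves `$tmpOutput` unquoted, so word-splitting has already replaced the newlines with spaces before `tr` runs, and a label such as `*` or one containing spaces is glob-expanded or split as shell words; `echo -n` is also not portable. `labels=$(printf '%s' "$tmpOutput" | tr '\n' ' ')` does what the commit title says. Filesystem labels are read from whatever media is attached, so they should be handled as data rather than as shell words. The `if [ -x "$BLKID_BIN" ]` block this lives in starts outside the hunk.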
From: Jeremy Lecour Date: Fri, 22 Mar 2019 18:16:53 +0100 Subject: [PATCH 25/85] reorganize IS_APACHEMUNIN --- evocheck.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 2916db9..87d09b4 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -437,20 +437,20 @@ if is_debian; then fi if [ "$IS_APACHEMUNIN" = 1 ]; then - if is_debian_stretch; then - if test -e /etc/apache2/apache2.conf; then - (test -h /etc/apache2/mods-enabled/status.load \ + if test -e /etc/apache2/apache2.conf; then + if is_debian_stretch; then + { test -h /etc/apache2/mods-enabled/status.load \ && test -h /etc/munin/plugins/apache_accesses \ && test -h /etc/munin/plugins/apache_processes \ - && test -h /etc/munin/plugins/apache_volume) \ + && test -h /etc/munin/plugins/apache_volume; } \ || failed "IS_APACHEMUNIN" "mising munin plugins for Apache" - fi - else - if test -e /etc/apache2/apache2.conf; then - (grep --quiet --no-messages --extended-regexp "^env.url.*/server-status-[[:alnum:]]{4,}" /etc/munin/plugin-conf.d/munin-node \ - && (grep --quiet --no-messages --extended-regexp "/server-status-[[:alnum:]]{4,}" /etc/apache2/apache2.conf \ - || grep --quiet --no-messages --extended-regexp "/server-status-[[:alnum:]]{4,}" /etc/apache2/mods-enabled/status.conf)) \ - || failed "IS_APACHEMUNIN" "server status is not properly configured" + else + pattern="/server-status-[[:alnum:]]{4,}" + { grep -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d/munin-node \ + && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ + || grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf; + }; + } || failed "IS_APACHEMUNIN" "server status is not properly configured" fi fi fi From a4c1629912fdda507c63de272b5864952cc00005 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 22 Mar 2019 18:37:26 +0100 Subject: [PATCH 26/85] verbose comments for RAID checks --- evocheck.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/evocheck.sh b/evocheck.sh index 87d09b4..c03a824 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -851,11 +851,10 @@ if is_debian; then if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then if lspci | grep -q 'MegaRAID SAS'; then is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) \ - || failed "IS_HARDWARERAIDTOOL" + || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" fi if lspci | grep -q 'Hewlett-Packard Company Smart Array'; then - is_installed cciss-vol-status \ - || failed "IS_HARDWARERAIDTOOL" + is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed" fi fi From fc3d2e28cf78c4caa8e417000f45609fc19a5a2b Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Fri, 22 Mar 2019 18:37:53 +0100 Subject: [PATCH 27/85] APACHEMUNIN: muunin config can be in other files --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index c03a824..551ad4b 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -446,7 +446,7 @@ if is_debian; then || failed "IS_APACHEMUNIN" "mising munin plugins for Apache" else pattern="/server-status-[[:alnum:]]{4,}" - { grep -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d/munin-node \ + { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \ && { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \ || grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf; }; From 2267b7961823d9abf29d1813c03908377615d759 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 07:42:04 +0100 Subject: [PATCH 28/85] remove unused IS_TOOMUCHDEBIANSYSMAINT --- evocheck.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 551ad4b..4933884 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -58,7 +58,6 @@ IS_BINDCHROOT=1 IS_REPVOLATILE=1 IS_AUTOIF=1 IS_INTERFACESGW=1 -IS_TOOMUCHDEBIANSYSMAINT=1 IS_USERLOGROTATE=1 IS_MODSECURITY=1 IS_APACHECTL=1 
From 9658e531adb463d0c4c68a8ca66a99fcae7b929f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Fri, 22 Mar 2019 07:47:12 +0100
Subject: [PATCH 29/85] quotes
---
 evocheck.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/evocheck.sh b/evocheck.sh
index 4933884..770bc80 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -901,12 +901,12 @@ if is_debian; then
 # You could change the default path in /etc/evocheck.cf
 MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
 if [ -d "$MONGO_BACKUP_PATH" ]; then
- for file in ${MONGO_BACKUP_PATH}/*/*.{json,bson}; do
+ for file in "${MONGO_BACKUP_PATH}/*/*.{json,bson}"; do
 # Skip indexes file.
 if ! [[ "$file" =~ indexes ]]; then
 limit=$(date +"%s" -d "now - 2 day")
 updated_at=$(stat -c "%Y" $file)
- if [ -f $file ] && [ $limit -gt $updated_at ]; then
+ if [ -f "$file" ] && [ $limit -gt $updated_at ]; then
 failed "IS_MONGO_BACKUP"
 break
 fi
From 0afdfbf3a1eef488c855b5339dd70db569a95203 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Fri, 22 Mar 2019 20:01:42 +0100
Subject: [PATCH 30/85] Use braces instead for command grouping. It avoids subshells
---
 evocheck.sh | 119 ++++++++++++++++++++++++++++------------------------
 1 file changed, 65 insertions(+), 54 deletions(-)
diff --git a/evocheck.sh b/evocheck.sh
index 770bc80..6a48b17 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -246,13 +246,13 @@ if is_debian; then
 test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING"
 fi
 elif is_debian_stretch; then
- (test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING")
+ test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING"
 fi
 fi
 if [ "$IS_UMASKSUDOERS" = 1 ]; then
 if is_debian_squeeze; then
- ( grep -q "^Defaults.*umask=0077" /etc/sudoers || failed "IS_UMASKSUDOERS" )
+ grep -q "^Defaults.*umask=0077" /etc/sudoers || failed "IS_UMASKSUDOERS"
 fi
 fi
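Review bot: Quoting the whole loop list, `for file in "${MONGO_BACKUP_PATH}/*/*.{json,bson}"; do`, disables both brace expansion and globbing, so the loop now runs exactly once with the literal pattern string; `[ -f "$file" ]` is then always false, `failed "IS_MONGO_BACKUP"` can never be reached, and a stale or missing Mongo dump goes unreported (the removed, unquoted form was the working one). Quote only the variable part: `for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do`. `updated_at=$(stat -c "%Y" $file)` also runs before the `-f` test and with `$file` unquoted, so it errors on the unexpanded pattern; move the `-f` test first and quote it. The `done` and the closing `fi` are outside the hunk.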
@@ -476,10 +476,10 @@ if is_debian; then # Verification de la configuration du raid soft (mdadm) if [ "$IS_RAIDSOFT" = 1 ]; then if test -e /proc/mdstat && grep -q md /proc/mdstat; then - (grep -q "^AUTOCHECK=true" /etc/default/mdadm \ + { grep -q "^AUTOCHECK=true" /etc/default/mdadm \ && grep -q "^START_DAEMON=true" /etc/default/mdadm \ - && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf) \ - || failed "IS_RAIDSOFT" + && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf; + } || failed "IS_RAIDSOFT" fi fi @@ -493,8 +493,9 @@ if is_debian; then # Verification de la présence de la config logrotate pour Munin if [ "$IS_MUNINLOGROTATE" = 1 ]; then - (test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin) \ - || failed "IS_MUNINLOGROTATE" + { test -e /etc/logrotate.d/munin-node \ + && test -e /etc/logrotate.d/munin; + } || failed "IS_MUNINLOGROTATE" fi # Verification de la présence de metche @@ -509,12 +510,12 @@ if is_debian; then if is_pack_web && (is_installed squid || is_installed squid3); then host=$(hostname -i) - http_port=$(grep http_port $squidconffile | cut -f 2 -d " ") - (grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ + http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ") + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" $MINIFW_FILE \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" $MINIFW_FILE) \ - || failed "IS_SQUID" + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" $MINIFW_FILE; + } || failed "IS_SQUID" fi fi 
@@ -531,10 +532,10 @@ if is_debian; then if [ "$IS_MODDEFLATE" = 1 ]; then f=/etc/apache2/mods-enabled/deflate.conf if is_installed apache2.2; then - (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ + { test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ && grep -q "AddOutputFilterByType DEFLATE text/css" $f \ - && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f) \ - || failed "IS_MODDEFLATE" + && grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f; + } || failed "IS_MODDEFLATE" fi fi @@ -658,7 +659,10 @@ if is_debian; then if [ "$IS_APACHEIPINALLOW" = 1 ]; then # Note: Replace "exit 1" by "print" in Perl code to debug it. if is_installed apache2.2-common; then - (grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ | grep -iv "from all" | grep -iv "env=" | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)') \ + grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \ + | grep -iv "from all" \ + | grep -iv "env=" \ + | perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \ || failed "IS_APACHEIPINALLOW" fi fi @@ -793,9 +797,9 @@ if is_debian; then if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then if is_debian_stretch; then - (grep -q "^evolinux-sudo:" /etc/group \ - && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) \ - || failed "IS_EVOLINUXSUDOGROUP" + { grep -q "^evolinux-sudo:" /etc/group \ + && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux; + } || failed "IS_EVOLINUXSUDOGROUP" fi fi 
@@ -809,10 +813,10 @@ if is_debian; then if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then if is_debian_stretch && test -d /etc/apache2; then - (test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ + { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ - && test -f /etc/apache2/ipaddr_whitelist.conf) \ - || failed "IS_APACHE2EVOLINUXCONF" + && test -f /etc/apache2/ipaddr_whitelist.conf; + } || failed "IS_APACHE2EVOLINUXCONF" fi fi @@ -829,8 +833,9 @@ if is_debian; then if [ "$IS_BIND9MUNIN" = 1 ]; then if is_debian_stretch && is_installed bind9; then - (test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) \ - || failed "IS_BIND9MUNIN" + { test -L /etc/munin/plugins/bind9 \ + && test -e /etc/munin/plugin-conf.d/bind9; + } || failed "IS_BIND9MUNIN" fi fi @@ -842,8 +847,9 @@ if is_debian; then if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then if lspci | grep -q 'NetXtreme II'; then - (is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) \ - || failed "IS_BROADCOMFIRMWARE" + { is_installed firmware-bnx2 \ + && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; + } || failed "IS_BROADCOMFIRMWARE" fi fi 
@@ -859,22 +865,25 @@ if is_debian; then if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then if is_debian_stretch; then - (systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) \ - || failed "IS_LOG2MAILSYSTEMDUNIT" + { systemctl -q is-active log2mail.service \ + && test -f /etc/systemd/system/log2mail.service \ + && ! test -f /etc/init.d/log2mail; + } || failed "IS_LOG2MAILSYSTEMDUNIT" fi fi if [ "$IS_LISTUPGRADE" = 1 ]; then - (test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) \ - || failed "IS_LISTUPGRADE" + { test -f /etc/cron.d/listupgrade \ + && test -x /usr/share/scripts/listupgrade.sh; + } || failed "IS_LISTUPGRADE" fi if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then if is_debian_stretch; then if is_installed mariadb-server; then - (test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ - && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) \ - || failed "IS_MARIADBEVOLINUXCONF" + { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ + && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; + } || failed "IS_MARIADBEVOLINUXCONF" fi fi fi @@ -944,8 +953,9 @@ if is_debian; then if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then if is_debian_stretch && is_installed mariadb-server; then - (systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) \ - || failed "IS_MARIADBSYSTEMDUNIT" + { systemctl -q is-active mariadb.service \ + && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf; + } || failed "IS_MARIADBSYSTEMDUNIT" fi fi 
@@ -968,19 +978,19 @@ if is_debian; then if [ "$IS_MYSQLNRPE" = 1 ]; then if is_debian_stretch && is_installed mariadb-server; then - (test -f ~nagios/.my.cnf \ + { test -f ~nagios/.my.cnf \ && [ "$(stat -c %U ~nagios/.my.cnf)" = "nagios" ] \ && [ "$(stat -c %a ~nagios/.my.cnf)" = "600" ] \ - && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") \ - || failed "IS_MYSQLNRPE" + && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf"; + } || failed "IS_MYSQLNRPE" fi fi if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then if is_debian_stretch && is_installed php; then - (test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ - && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) \ - || failed "IS_PHPEVOLINUXCONF" + { test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ + && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini; + } || failed "IS_PHPEVOLINUXCONF" fi fi @@ -992,14 +1002,14 @@ if is_debian; then if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then if is_debian_stretch && is_installed squid; then - (grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ + { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ && test -f /etc/squid/evolinux-defaults.conf \ && test -f /etc/squid/evolinux-whitelist-defaults.conf \ && test -f /etc/squid/evolinux-whitelist-custom.conf \ && test -f /etc/squid/evolinux-acl.conf \ && test -f /etc/squid/evolinux-httpaccess.conf \ - && test -f /etc/squid/evolinux-custom.conf) \ - || failed "IS_SQUIDEVOLINUXCONF" + && test -f /etc/squid/evolinux-custom.conf; + } || failed "IS_SQUIDEVOLINUXCONF" fi fi 
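Review bot: In the IS_MYSQLNRPE group the last command, `grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf"`, has no file operand, so it reads standard input: under cron it sees /dev/null and the check always fails, and run from a terminal it blocks waiting for input. Presumably the NRPE configuration is meant, as in the other checks that grep `/etc/nagios/nrpe.cfg`, so the line should end with that path (or `-r /etc/nagios/nrpe.*` if the per-service files are intended). The brace regrouping carries this pre-existing defect over unchanged.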
@@ -1136,11 +1146,11 @@ if is_openbsd; then if [ "$IS_HISTORY" = 1 ]; then f=/root/.profile - grep -q "^HISTFILE=\$HOME/.histfile" $f \ + { grep -q "^HISTFILE=\$HOME/.histfile" $f \ && grep -q "^export HISTFILE" $f \ && grep -q "^HISTSIZE=1000" $f \ - && grep -q "^export HISTSIZE" $f \ - || failed "IS_HISTORY" + && grep -q "^export HISTSIZE" $f; + } || failed "IS_HISTORY" fi if [ "$IS_VIM" = 1 ]; then @@ -1161,9 +1171,9 @@ if is_openbsd; then if [ "$IS_SUDOMAINT" = 1 ]; then f=/etc/sudoers - grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ - && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \ - || failed "IS_SUDOMAINT" + { grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ + && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f; + } || failed "IS_SUDOMAINT" fi if [ "$IS_POSTGRESQL" = 1 ]; then @@ -1171,9 +1181,10 @@ if is_openbsd; then fi if [ "$IS_NRPE" = 1 ]; then - ( pkg info | grep -qE "nagios-plugins-[0-9.]" \ + { pkg info | grep -qE "nagios-plugins-[0-9.]" \ && pkg info | grep -q nagios-plugins-ntp \ - && pkg info | grep -q nrpe ) || failed "IS_NRPE" + && pkg info | grep -q nrpe; + } || failed "IS_NRPE" fi # if [ "$IS_NRPEDISKS" = 1 ]; then @@ -1280,7 +1291,7 @@ fi if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then f=/etc/evomaintenance.cf perms=$(stat -c "%a" $f) - ( test -e $f \ + { test -e $f \ && test "$perms" = "600" \ && grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ && grep "^PGDB" $f | grep -qv "your-db" \ @@ -1290,8 +1301,8 @@ if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then && grep "^FULLFROM" $f | grep -qv "John Doe " \ && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ - && grep "^REALM" $f | grep -qv "example.com" ) \ - || failed "IS_EVOMAINTENANCECONF" + && grep "^REALM" $f | grep -qv "example.com"; + } || failed "IS_EVOMAINTENANCECONF" fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then From 7cb7a47be7be626dac9ba0efddfb7310537fb7bd Mon Sep 17 00:00:00 2001 
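Review bot: The IS_NRPE group runs `pkg info` three times, once per pattern, which is a point of style rather than correctness. Capturing the listing once, `pkgs=$(pkg info)`, and testing it with `grep -q nrpe <<<"$pkgs"` (the script already uses here-strings elsewhere) keeps the three conditions but spawns one pkg process instead of three.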
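Review bot: `perms=$(stat -c "%a" $f)` is evaluated before the group's `test -e $f`, so on a host without /etc/evomaintenance.cf stat prints an error to stderr before the check is reported as failed; the commit rebraces the group but keeps that order. Moving the stat behind the existence test keeps the output clean: `{ test -e $f && perms=$(stat -c "%a" $f) && test "$perms" = "600" \`. `$f` is a fixed path here, so the unquoted expansions are harmless. The rest of the group's conditions are in the following hunk.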
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:02:04 +0100 Subject: [PATCH 31/85] improve readability --- evocheck.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 6a48b17..aacad32 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -505,9 +505,11 @@ if is_debian; then # Verification de l'activation de Squid dans le cas d'un pack mail if [ "$IS_SQUID" = 1 ]; then - squidconffile="/etc/squid*/squid.conf" - is_debian_stretch && squidconffile=/etc/squid/evolinux-custom.conf - + if is_debian_stretch; then + squidconffile="/etc/squid/evolinux-custom.conf" + else + squidconffile="/etc/squid*/squid.conf" + fi if is_pack_web && (is_installed squid || is_installed squid3); then host=$(hostname -i) http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ") @@ -1018,8 +1020,7 @@ if is_debian; then BLKID_BIN=$(command -v blkid) if [ -x "$BLKID_BIN" ]; then tmpFile=$(mktemp -p /tmp) - parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART \ - | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) + parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) for part in $parts; do echo "$part" >> "$tmpFile" done From 3b8617b20c47ff23f976d4e90d41c6bdb6cd4bfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:04:35 +0100 Subject: [PATCH 32/85] use `grep -s` instead of redirecting stderr --- evocheck.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index aacad32..c9a1d13 100755 --- a/evocheck.sh +++ b/evocheck.sh 
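Review bot: `squidconffile="/etc/squid*/squid.conf"` in the else branch stores a glob that is only expanded because the later `grep "http_port" $squidconffile` leaves the variable unquoted; a future quoting pass would silently turn it into a literal path that never matches. A comment on the assignment, `# intentional glob: expanded where it is used unquoted below`, makes that dependency explicit. The `if is_pack_web` block continues past the end of the hunk.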
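Review bot: Joining the `parts=$(...)` pipeline onto a single ~110-column line works against the commit's own stated goal of readability; a four-stage pipeline is easier to scan with one stage per continuation line and the `|` leading each continuation. Independently, `for part in $parts` word-splits the labels, so a LABEL containing a space would be written to `$tmpFile` as two lines; hedged, since whether such labels occur on these hosts cannot be seen here. The loop around `$tmpFile` continues beyond the hunk.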
@@ -554,19 +554,19 @@ if is_debian; then conf=/etc/log2mail/config/default fi if is_pack_web && is_installed log2mail; then - grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null \ + grep -s -q "^file = /var/log/apache2/error.log" $conf \ || failed "IS_LOG2MAILAPACHE" fi fi if [ "$IS_LOG2MAILMYSQL" = 1 ]; then if is_pack_web && is_installed log2mail; then - grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null \ + grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \ || failed "IS_LOG2MAILMYSQL" fi fi if [ "$IS_LOG2MAILSQUID" = 1 ]; then if is_pack_web && is_installed log2mail; then - grep -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* 2>/dev/null \ + grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \ || failed "IS_LOG2MAILSQUID" fi fi From c2fda32d0d41c922e65484f1e07e66dfca966bb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:12:30 +0100 Subject: [PATCH 33/85] extract main conditional --- evocheck.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index c9a1d13..16380f8 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -684,7 +684,10 @@ if is_debian; then # Verification de la priorité du package samba si les backports sont utilisés if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then if is_pack_samba; then - grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" ") && test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" ) + if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then + priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") + test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" + fi fi fi 
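Review bot: `test $priority -gt 500` is unguarded when `$priority` is empty, which happens whenever no `Pin-Priority:` line follows a samba `Package:` stanza in /etc/apt/preferences; `test` then reports a usage error on stderr and the check fails noisily rather than with a clear message. The commit restructures the conditional but keeps that edge; `test "${priority:-0}" -gt 500 || failed "IS_SAMBAPINPRIORITY"` treats a missing pin as priority 0. The same line is touched again by the next commit (PATCH 34) and by the quoting commit (PATCH 50), which only adds quotes and still errors on an empty value.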
From 8aadbed4de3ca3ffb386d031467d1cb5ad231ad6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:13:18 +0100 Subject: [PATCH 34/85] Don't limit to Lenny This test doesn't seem to be limited to Lenny, so we should check for all backports --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 16380f8..40ff905 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -685,7 +685,7 @@ if is_debian; then if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then if is_pack_samba; then if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then - priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") + priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=.*-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" fi fi From a01b53111d9eacbfad03bea57cb2a13728ce07ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:29:25 +0100 Subject: [PATCH 35/85] OpenBSD version detection --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 40ff905..aac6581 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -144,7 +144,7 @@ if [ -e /etc/debian_version ]; then fi elif [ "$(uname -s)" = "OpenBSD" ]; then # use a better release name - OPENBSD_RELEASE="OpenBSD" + OPENBSD_RELEASE=$(uname -r) fi # Source configuration file From 76354bed48535ee5c97570e0f0ffafa98c7cd719 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:29:45 +0100 Subject: [PATCH 36/85] extract variable --- evocheck.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index aac6581..0706d70 100755 --- a/evocheck.sh +++ b/evocheck.sh 
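Review bot: The comment `# use a better release name` above `OPENBSD_RELEASE=$(uname -r)` no longer describes the line, which now stores the numeric release rather than a nicer name. If the OpenBSD predicate only tests that the variable is non-empty, something like `# OpenBSD release number from uname -r; is_openbsd only needs it non-empty` records both what is stored and why. The surrounding `if/elif` starts before the hunk.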
@@ -810,7 +810,8 @@ if is_debian; then if [ "$IS_USERINADMGROUP" = 1 ]; then if is_debian_stretch; then - for user in $(grep "^evolinux-sudo:" /etc/group |awk -F: '{print $4}' |tr ',' ' '); do + users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') + for user in $users; do groups $user | grep -q adm || failed "IS_USERINADMGROUP" done fi From 5b9d41de0c6bdad9659d66b15c8fde63853161fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:29:54 +0100 Subject: [PATCH 37/85] wording --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 0706d70..33ef7fa 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -904,7 +904,7 @@ if is_debian; then if [ "$IS_POSTGRES_BACKUP" = 1 ]; then if is_installed "postgresql-9*"; then - # If you use something like barman, you should deactivate this check + # If you use something like barman, you should disable this check # You could change the default path in /etc/evocheck.cf POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"} test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" From cfb4602bedcb9833c04bd047695e46cbf639f530 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:30:08 +0100 Subject: [PATCH 38/85] extract variable --- evocheck.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 33ef7fa..0870bbb 100755 --- a/evocheck.sh +++ b/evocheck.sh 
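Review bot: `groups $user | grep -q adm` matches `adm` as a substring, so a user whose name or any of whose groups merely contains it (`admin`, `badm`) passes the IS_USERINADMGROUP check without being in `adm`; `groups` also echoes the user name itself, which widens that. Extracting the list into `users` does not change this. `id -nG "$user" | tr ' ' '\n' | grep -qx adm` lists only group names and matches exactly. The `if is_debian_stretch` block is fully inside the hunk.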
@@ -984,10 +984,11 @@ if is_debian; then if [ "$IS_MYSQLNRPE" = 1 ]; then if is_debian_stretch && is_installed mariadb-server; then - { test -f ~nagios/.my.cnf \ - && [ "$(stat -c %U ~nagios/.my.cnf)" = "nagios" ] \ - && [ "$(stat -c %a ~nagios/.my.cnf)" = "600" ] \ - && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf"; + nagios_file="~nagios/.my.cnf" + { test -f $nagios_file \ + && [ "$(stat -c %U $nagios_file)" = "nagios" ] \ + && [ "$(stat -c %a $nagios_file)" = "600" ] \ + && grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file"; } || failed "IS_MYSQLNRPE" fi fi From 4a7069311416a41e82a4820d67668a1c02f11b19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:30:23 +0100 Subject: [PATCH 39/85] conditional readability --- evocheck.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 0870bbb..0760914 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -802,9 +802,9 @@ if is_debian; then if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then if is_debian_stretch; then - { grep -q "^evolinux-sudo:" /etc/group \ - && grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux; - } || failed "IS_EVOLINUXSUDOGROUP" + if grep -q "^evolinux-sudo:" /etc/group; then + grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux || failed "IS_EVOLINUXSUDOGROUP" + fi fi fi From 8957b19a96d17aa685e65e2b11a71d72ec1d4c70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 20:39:42 +0100 Subject: [PATCH 40/85] reorganize IS_EVOMAINTENANCEUSERS --- evocheck.sh | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 0760914..6dd4873 100755 --- a/evocheck.sh +++ b/evocheck.sh 
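Review bot: `nagios_file="~nagios/.my.cnf"` defeats tilde expansion: the quotes keep the tilde literal and tilde expansion is not applied to the result of `$nagios_file`, so `test -f $nagios_file` and the two `stat` calls look for a path literally beginning with `~nagios/` and the check now fails on every host. The previous code worked only because the unquoted `~nagios/.my.cnf` was expanded in place. Assign it unquoted, `nagios_file=~nagios/.my.cnf`, and keep the `grep -F` pattern as the literal text `~nagios/.my.cnf`, since that is what the NRPE command line contains. That grep still has no file operand and reads standard input.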
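Review bot: Turning the `{ grep group && grep sudoers; } || failed` group into `if grep group; then grep sudoers || failed; fi` changes what IS_EVOLINUXSUDOGROUP reports, not just its readability: a stretch host with no `evolinux-sudo` entry in /etc/group previously failed and now passes silently. If the group is expected to exist on stretch, an `else failed "IS_EVOLINUXSUDOGROUP" "evolinux-sudo group is missing"` branch restores that with a clearer message than the old combined condition; if its absence is acceptable, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing `if is_debian_stretch` block is fully inside the hunk.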
@@ -1261,17 +1261,7 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then # Can be changed in evocheck.cf homeDir=${homeDir:-/home} if is_debian_stretch; then - for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do - grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/$i/.*profile - if [ $? != 0 ]; then - failed "IS_EVOMAINTENANCEUSERS" - if [ "$VERBOSE" = 1 ]; then - echo "$i doesn't have evomaintenance trap!" - else - break - fi - fi - done + users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') else if [ -f /etc/sudoers.d/evolinux ]; then sudoers="/etc/sudoers.d/evolinux" @@ -1279,18 +1269,15 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then sudoers="/etc/sudoers" fi users=$( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4) | tr "," "\n" | sort -u) - for i in $users; do - grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile - if [ $? != 0 ]; then - failed "IS_EVOMAINTENANCEUSERS" - if [ "$VERBOSE" = 1 ]; then - echo "$i doesn't have evomaintenance trap!" - else - break - fi - fi - done fi + for user in $users; do + grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${user}/.*profile + if [ $? != 0 ]; then + failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have evomaintenance trap" + ## let's print an error for each user + # break + fi + done fi # Verification de la configuration d'evomaintenance From 55f720972b103c7ddc72117612b4b7f745707238 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 21:55:47 +0100 Subject: [PATCH 41/85] add a lot of verbose output --- evocheck.sh | 85 +++++++++++++++++++++++++++-------------------------- 1 file changed, 44 insertions(+), 41 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 6dd4873..0bdd405 100755 --- a/evocheck.sh +++ b/evocheck.sh 
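Review bot: After the reorganisation the stretch branch feeds the loop only with members of `evolinux-sudo`, while the non-stretch branch combines the `ADMIN` alias from sudoers with the `sudo` group; on a stretch host where accounts are still in the plain `sudo` group those users are never checked for the evomaintenance trap. Whether that is intended cannot be seen here; if not, the stretch branch could union both groups the way the else branch does. The loop also assumes every home lives under `${homeDir}`; `getent passwd "$user" | cut -d: -f6` gives the actual home directory. The enclosing `if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]` block starts before the first hunk of this commit.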
@@ -228,7 +228,7 @@ if is_debian; then if [ "$IS_LSBRELEASE" = "1" ]; then test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" - + ## only the major version matters lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) rhs=$(cat /etc/debian_version | cut -d "." -f 1) test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" @@ -238,21 +238,25 @@ if is_debian; then if is_debian_squeeze; then if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf) - [ "$count" = "2" ] || failed "IS_DPKGWARNING" + [ "$count" = "2" ] || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing." fi elif is_debian_wheezy; then if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then - test -e /etc/apt/apt.conf.d/80evolinux || failed "IS_DPKGWARNING" - test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING" + test -e /etc/apt/apt.conf.d/80evolinux \ + || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing" + test -e /etc/apt/apt.conf \ + && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" fi elif is_debian_stretch; then - test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING" + test -e /etc/apt/apt.conf.d/z-evolinux.conf \ + || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" fi fi if [ "$IS_UMASKSUDOERS" = 1 ]; then if is_debian_squeeze; then - grep -q "^Defaults.*umask=0077" /etc/sudoers || failed "IS_UMASKSUDOERS" + grep -q "^Defaults.*umask=0077" /etc/sudoers \ + || failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077" fi fi 
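Review bot: When `test -x "${LSB_RELEASE_BIN}"` fails, IS_LSBRELEASE reports that failure and then still runs `${LSB_RELEASE_BIN} --release --short`, producing a command-not-found error and a second, misleading "release is not consistent" failure; the added `## only the major version matters` comment does not change that flow. Guarding the comparison with the executable test yields one failure per cause, and `rhs` can read /etc/debian_version directly instead of through `cat`. The closing line of the `if [ "$IS_LSBRELEASE" = "1" ]` block is not visible in the hunk.
```shell
  if test -x "${LSB_RELEASE_BIN}"; then
    ## only the major version matters
    lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
    rhs=$(cut -d "." -f 1 < /etc/debian_version)
    test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"
  else
    failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
  fi
```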
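Review bot: The wheezy branch's new message is inverted: `test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"` fires when the file exists, so the text should say the opposite, e.g. `&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is present; use /etc/apt/apt.conf.d/ instead"`. The squeeze and stretch messages in the same hunk read correctly.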
@@ -261,10 +265,10 @@ if is_debian; then if is_installed postfix; then if is_debian_squeeze; then grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \ - || failed "IS_NRPEPOSTFIX" + || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" else test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* \ - || failed "IS_NRPEPOSTFIX" + || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" fi fi fi @@ -273,11 +277,11 @@ if is_debian; then if [ "$IS_MODSECURITY" = 1 ]; then if is_debian_squeeze; then if is_installed libapache-mod-security; then - test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" + test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" fi elif is_debian_wheezy; then if is_installed libapache2-modsecurity; then - test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" + test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file" fi fi fi @@ -287,11 +291,11 @@ if is_debian; then fi if [ "$IS_VARTMPFS" = 1 ]; then - df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" + df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs" fi if [ "$IS_SERVEURBASE" = 1 ]; then - is_installed serveur-base || failed "IS_SERVEURBASE" + is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed" fi if [ "$IS_LOGROTATECONF" = 1 ]; then @@ -777,9 +781,9 @@ if is_debian; then fi # Check install_date if the system never received an upgrade if [ $last_upgrade -eq 0 ]; then - [ $install_date -lt $limit ] && failed "IS_NOTUPGRADED" + [ $install_date -lt $limit ] && failed "IS_NOTUPGRADED" "The system has never been updated" else - [ $last_upgrade -lt $limit ] && failed "IS_NOTUPGRADED" + [ $last_upgrade -lt $limit ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" fi fi 
@@ -803,7 +807,8 @@ if is_debian; then if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then if is_debian_stretch; then if grep -q "^evolinux-sudo:" /etc/group; then - grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux || failed "IS_EVOLINUXSUDOGROUP" + grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux \ + || failed "IS_EVOLINUXSUDOGROUP" fi fi fi @@ -812,7 +817,7 @@ if is_debian; then if is_debian_stretch; then users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') for user in $users; do - groups $user | grep -q adm || failed "IS_USERINADMGROUP" + groups $user | grep -q adm || failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" done fi fi @@ -898,7 +903,7 @@ if is_debian; then if (is_installed "mysql-server" || is_installed "mariadb-server"); then # You could change the default path in /etc/evocheck.cf SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} - test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" + test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})" fi fi @@ -907,7 +912,7 @@ if is_debian; then # If you use something like barman, you should disable this check # You could change the default path in /etc/evocheck.cf POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"} - test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" + test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})" fi fi @@ -922,13 +927,13 @@ if is_debian; then limit=$(date +"%s" -d "now - 2 day") updated_at=$(stat -c "%Y" $file) if [ -f "$file" ] && [ $limit -gt $updated_at ]; then - failed "IS_MONGO_BACKUP" + failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days" break fi fi done else - failed "IS_MONGO_BACKUP" + failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})" fi fi fi 
@@ -937,7 +942,7 @@ if is_debian; then if is_installed slapd; then # You could change the default path in /etc/evocheck.cf LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"} - test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" + test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})" fi fi @@ -945,7 +950,7 @@ if is_debian; then if is_installed redis-server; then # You could change the default path in /etc/evocheck.cf REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"} - test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" + test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})" fi fi @@ -953,7 +958,7 @@ if is_debian; then if is_installed elasticsearch; then # You could change the default path in /etc/evocheck.cf ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"} - test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" + test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})" fi fi @@ -975,7 +980,7 @@ if is_debian; then mysql_sorts mysql_tmp_tables; do if [[ ! -L /etc/munin/plugins/$file ]]; then - failed "IS_MYSQLMUNIN" + failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing" break fi done @@ -1047,9 +1052,9 @@ if is_debian; then if [ "$IS_EVOACME_CRON" = 1 ]; then if [ -f "/usr/local/sbin/evoacme" ]; then # Old cron file, should be deleted - test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" + test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme" # evoacme cron file should be present - test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" + test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing" fi fi 
@@ -1067,7 +1072,7 @@ if is_debian; then lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1) lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir) if [[ "$actualCertDate" != "$lastCertDate" ]]; then - failed "IS_EVOACME_LIVELINKS" + failed "IS_EVOACME_LIVELINKS" "Certificate '$liveDir' hasn't been updated" break fi done @@ -1104,27 +1109,24 @@ if is_debian; then # Sometimes autodetection of kernel config file fail, so we test if the file really exists. if [ -f /boot/$kernelConfig ]; then grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig \ - || failed "IS_MELTDOWN_SPECTRE" + || failed "IS_MELTDOWN_SPECTRE" "PAGE_TABLE_ISOLATION vulnerability is not patched" grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig \ - || failed "IS_MELTDOWN_SPECTRE" + || failed "IS_MELTDOWN_SPECTRE" "RETPOLINE vulnerability is not patched" fi fi fi fi if [ "$IS_OLD_HOME_DIR" = 1 ]; then - for dir in /home/*; do + homeDir=${homeDir:-/home} + for dir in $homeDir/*; do statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ | grep "UNKNOWN") # There is at least one dir matching if [[ -n "$statResult" ]]; then - failed "IS_OLD_HOME_DIR" - if [[ "$VERBOSE" == 1 ]]; then - echo "$statResult" - else - break - fi + failed "IS_OLD_HOME_DIR" "$statResult" + break fi done fi @@ -1183,14 +1185,14 @@ if is_openbsd; then fi if [ "$IS_POSTGRESQL" = 1 ]; then - pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" + pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed" fi if [ "$IS_NRPE" = 1 ]; then { pkg info | grep -qE "nagios-plugins-[0-9.]" \ && pkg info | grep -q nagios-plugins-ntp \ && pkg info | grep -q nrpe; - } || failed "IS_NRPE" + } || failed "IS_NRPE" "NRPE is not installed" fi # if [ "$IS_NRPEDISKS" = 1 ]; then 
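Review bot: The two new IS_MELTDOWN_SPECTRE messages name the mitigations as if they were vulnerabilities: `CONFIG_PAGE_TABLE_ISOLATION` is the kernel's Meltdown mitigation and `CONFIG_RETPOLINE` a Spectre v2 mitigation, so "PAGE_TABLE_ISOLATION vulnerability is not patched" will confuse whoever reads the report. `"kernel built without CONFIG_PAGE_TABLE_ISOLATION (Meltdown mitigation)"` and `"kernel built without CONFIG_RETPOLINE (Spectre v2 mitigation)"` state what was actually tested. In the same hunk, IS_OLD_HOME_DIR now stops after the first unknown owner even in verbose mode, where it used to list them all; if that is deliberate, a short comment like the `## let's print an error for each ...` notes elsewhere in this commit would help.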
@@ -1295,15 +1297,16 @@ if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ && grep "^REALM" $f | grep -qv "example.com"; - } || failed "IS_EVOMAINTENANCECONF" + } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then for f in /etc/ssl/private/*; do perms=$(stat -L -c "%a" $f) if [ "${perms: -1}" != "0" ]; then - failed "IS_PRIVKEYWOLRDREADABLE" - break + failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" + ## let's print an error for each key + # break fi done fi From 0fe664f571d50e3f517ae02d99e2ab1f98152df4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 22:42:03 +0100 Subject: [PATCH 42/85] rework the EVOACME check --- evocheck.sh | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 0bdd405..345c8ef 100755 --- a/evocheck.sh +++ b/evocheck.sh 
@@ -1063,17 +1063,20 @@ if is_debian; then if [ -x "$EVOACME_BIN" ]; then # Sometimes evoacme is installed but no certificates has been generated numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) - if [ $numberOfLinks -gt 0 ]; then + if [ "$numberOfLinks" -gt "0" ]; then for live in /etc/letsencrypt/*/live; do - actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11) - actualCertDate=$(cut -d'/' -f5 <<< $actualLink) - liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9) - certDir=${liveDir%%/live} - lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1) - lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir) - if [[ "$actualCertDate" != "$lastCertDate" ]]; then - failed "IS_EVOACME_LIVELINKS" "Certificate '$liveDir' hasn't been updated" - break + actualLink=$(readlink -f "$live") + actualVersion=$(basename "$actualLink") + + certDir=$(dirname "$live") + certName=$(basename "$certDir") + lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1) + lastVersion=$(basename "$lastCertDir") + + if [[ "$lastVersion" != "$actualVersion" ]]; then + failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated" + ## let's print an error for each certificate + # break fi done fi From c073f5ca8704405640b99604e4a88e846df11fd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 22:43:19 +0100 Subject: [PATCH 43/85] homeDir is useless here --- evocheck.sh | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 345c8ef..4911aaa 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1263,8 +1263,6 @@ if [ "$IS_SSHPERMITROOTNO" = 1 ]; then fi if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then - # Can be changed in evocheck.cf - homeDir=${homeDir:-/home} if is_debian_stretch; then users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') else 
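Review bot: `lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1)` parses `ls` output, and the `-s` flag prefixes each entry with its allocated size, so `lastCertDir` becomes something like `8 /etc/letsencrypt/<name>/0003` (constructed example); the following `basename` only works because it discards everything before the last slash. The "last" entry also relies on lexical order, which matches numeric order only while the directory names keep the same width; hedged, since the naming scheme is not visible here. `lastCertDir=$(find "$certDir" -maxdepth 1 -type d -name '[0-9]*' | sort -V | tail -1)` avoids both (`sort -V` is GNU coreutils, present on Debian). The `if [ -x "$EVOACME_BIN" ]` block continues past the hunk.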
@@ -1276,9 +1274,8 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then users=$( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4) | tr "," "\n" | sort -u) fi for user in $users; do - grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${user}/.*profile - if [ $? != 0 ]; then - failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have evomaintenance trap" + if ! grep -qs "^trap.*sudo.*evomaintenance.sh" ~${user}/.*profile; then + failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" ## let's print an error for each user # break fi From 3a484cf6940cd7be2218d48d8d99b47095fb2e58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 22:43:38 +0100 Subject: [PATCH 44/85] add quotes --- evocheck.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 4911aaa..b279ae2 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1100,7 +1100,7 @@ if is_debian; then # /sys/devices/system/cpu/vulnerabilities/ if is_debian_stretch; then for vuln in meltdown spectre_v1 spectre_v2; do - test -f /sys/devices/system/cpu/vulnerabilities/$vuln \ + test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ || failed "IS_MELTDOWN_SPECTRE" done # For Jessie this is quite complicated to verify and we need to use kernel config file 
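Review bot: `~${user}/.*profile` does not expand to the user's home: bash performs tilde expansion before parameter expansion, so the tilde-prefix it sees is the literal `~${user}`, which is not a login name and is left alone; after expansion grep receives a literal path such as `~alice/.*profile` (constructed example) and, with `-s`, silently returns 1, so every user is now reported as lacking the trap. The removed `${homeDir}` form at least worked for homes under /home. Resolve the home explicitly: `home=$(getent passwd "$user" | cut -d: -f6)` followed by `if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "$home"/.*profile; then`. The enclosing `if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]` block starts before the hunk.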
@@ -1110,10 +1110,10 @@ if is_debian; then kernelVer=${kernelPath##*/vmlinuz-} kernelConfig="config-${kernelVer}" # Sometimes autodetection of kernel config file fail, so we test if the file really exists. - if [ -f /boot/$kernelConfig ]; then - grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig \ + if [ -f "/boot/${kernelConfig}" ]; then + grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \ || failed "IS_MELTDOWN_SPECTRE" "PAGE_TABLE_ISOLATION vulnerability is not patched" - grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig \ + grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \ || failed "IS_MELTDOWN_SPECTRE" "RETPOLINE vulnerability is not patched" fi fi @@ -1122,7 +1122,7 @@ if is_debian; then if [ "$IS_OLD_HOME_DIR" = 1 ]; then homeDir=${homeDir:-/home} - for dir in $homeDir/*; do + for dir in "$homeDir"/*; do statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ | grep "UNKNOWN") @@ -1302,7 +1302,7 @@ fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then for f in /etc/ssl/private/*; do - perms=$(stat -L -c "%a" $f) + perms=$(stat -L -c "%a" "$f") if [ "${perms: -1}" != "0" ]; then failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" ## let's print an error for each key From a8178598e9447f2512aceca1210154858a88b975 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 22:44:15 +0100 Subject: [PATCH 45/85] use braces instead of parenthesis --- evocheck.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index b279ae2..8265644 100755 --- a/evocheck.sh +++ b/evocheck.sh 
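Review bot: `for f in /etc/ssl/private/*` passes the unexpanded pattern through when the directory is empty, so `stat -L -c "%a" "$f"` errors, `perms` is empty, `"${perms: -1}" != "0"` is true and the report contains a bogus "/etc/ssl/private/* is world-readable"; quoting `"$f"` does not change that. A guard at the top of the loop, `[ -e "$f" ] || continue`, skips the no-match case (or `shopt -s nullglob`, since `${perms: -1}` already makes the script bash-only). The check also flags any `other` bit, including execute-only, so "accessible to others" would describe the message's condition more precisely.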
@@ -1271,7 +1271,8 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then else sudoers="/etc/sudoers" fi - users=$( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4) | tr "," "\n" | sort -u) + # combine users from User_Alias and sudo group + users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) fi for user in $users; do if ! grep -qs "^trap.*sudo.*evomaintenance.sh" ~${user}/.*profile; then From 4f8a9ceecc087543c094e7aa1d3f13cc6f8a0b3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 22:45:45 +0100 Subject: [PATCH 46/85] fix quotes --- evocheck.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 8265644..0bca172 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -921,12 +921,12 @@ if is_debian; then # You could change the default path in /etc/evocheck.cf MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} if [ -d "$MONGO_BACKUP_PATH" ]; then - for file in "${MONGO_BACKUP_PATH}/*/*.{json,bson}"; do + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do # Skip indexes file. if ! [[ "$file" =~ indexes ]]; then limit=$(date +"%s" -d "now - 2 day") - updated_at=$(stat -c "%Y" $file) - if [ -f "$file" ] && [ $limit -gt $updated_at ]; then + updated_at=$(stat -c "%Y" "$file") + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days" break fi From ae0b3ae2f12a16094e539fd94bd371f231b1b11e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 22:56:19 +0100 Subject: [PATCH 47/85] Use bc (instead of python) to have a rounded percentage --- evocheck.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 0bca172..3dd0066 100755 --- a/evocheck.sh +++ b/evocheck.sh 
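Review bot: `grep "^sudo" /etc/group` in the new braced group matches every group whose name starts with `sudo` (a `sudoers` or `sudo-admins` group would be merged into the list), and `grep "^User_Alias *ADMIN"` likewise matches an `ADMINS` alias; hedged, since such names may not exist on these hosts. Anchoring them, `grep "^sudo:" /etc/group` and `grep "^User_Alias *ADMIN *=" $sudoers`, restricts the list to the intended entries. The new `# combine users from User_Alias and sudo group` comment is a welcome addition.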
@@ -797,8 +797,9 @@ if is_debian; then continue fi reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") - percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))") - if [ "$percentage" -lt 5 ]; then + # Use bc to have a rounded percentage + percentage=$(echo "scale=0; ${reservedBlockCount} * 100 / ${blockCount}" | bc) + if [ "$percentage" -lt "5" ]; then failed "IS_TUNE2FS_M5" "Partition ${part} has less than 5% reserved blocks!" fi done From 82548772408f5798ce81b6b5dd2e7d8e3bab5f2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 23:52:06 +0100 Subject: [PATCH 48/85] Add IS_ETCGIT to check for /etc.git Git repository --- evocheck.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/evocheck.sh b/evocheck.sh index 3dd0066..0f1b1f9 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -69,6 +69,7 @@ IS_KERNELUPTODATE=1 IS_UPTIME=1 IS_MUNINRUNNING=1 IS_BACKUPUPTODATE=1 +IS_ETCGIT=1 IS_GITPERMS=1 IS_NOTUPGRADED=1 IS_TUNE2FS_M5=1 @@ -743,6 +744,10 @@ if is_debian; then fi fi + if [ "$IS_ETCGIT" = 1 ]; then + (cd /etc; git rev-parse --is-inside-work-tree > /dev/null 2>&1) || failed "IS_ETCGIT" "/etc is not a Git repository" + fi + # Check if /etc/.git/ has read/write permissions for root only. if [ "$IS_GITPERMS" = 1 ]; then if test -d /etc/.git; then From 9861e226146fc447ac987851a835ba16a12e56cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 23:53:13 +0100 Subject: [PATCH 49/85] test command return value directly --- evocheck.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 0f1b1f9..b5b9253 100755 --- a/evocheck.sh +++ b/evocheck.sh 
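Review bot: The comment `# Use bc to have a rounded percentage` is inaccurate: with `scale=0` bc truncates the division, so 4.9% becomes 4 and is reported as "less than 5% reserved blocks", whereas the replaced python expression rounded it to 5. The change also makes the check depend on `bc` being installed, and an empty `reservedBlockCount` (dumpe2fs output without that line) produces a bc parse error and an empty `percentage` that breaks the following `[ -lt ]`. Shell arithmetic needs no external tool and can round: `percentage=$(( (${reservedBlockCount:-0} * 200 + blockCount) / (2 * blockCount) ))`. The loop around these lines is outside the hunk.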
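Review bot: `(cd /etc; git rev-parse --is-inside-work-tree > /dev/null 2>&1)` has two weak spots: the `;` means that if `cd` fails git runs in the script's working directory, and `--is-inside-work-tree` also succeeds when /etc is merely inside a repository rooted higher up (for instance a checkout at `/`), which is not the same as /etc being its own repository — the neighbouring IS_GITPERMS check tests `/etc/.git` directly. `(cd /etc && test "$(git rev-parse --show-toplevel 2>/dev/null)" = "/etc") || failed "IS_ETCGIT" "/etc is not a Git repository"` checks the actual root and handles a missing git binary with the same failure. The surrounding `if is_debian` block starts outside the hunk.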
@@ -762,8 +762,7 @@ if is_debian; then last_upgrade=0 upgraded=false for log in /var/log/dpkg.log*; do - zgrep -qsm1 upgrade "$log" - if [ $? -eq 0 ]; then + if zgrep -qsm1 upgrade "$log"; then # There is at least one upgrade upgraded=true break From 1c0f00c47351f60a08adc7048fb20b876f4038bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 23:56:46 +0100 Subject: [PATCH 50/85] quotes --- evocheck.sh | 56 ++++++++++++++++++++++++++--------------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index b5b9253..707fd8b 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -132,7 +132,7 @@ OPENBSD_RELEASE="" if [ -e /etc/debian_version ]; then DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version) - if [ -x ${LSB_RELEASE_BIN} ]; then + if [ -x "${LSB_RELEASE_BIN}" ]; then DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short) else case ${DEBIAN_VERSION} in @@ -163,7 +163,7 @@ fi failed() { check_name=$1 shift - check_comments=$@ + check_comments=$* if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1 @@ -182,8 +182,8 @@ is_pack_samba(){ } is_installed(){ - for pkg in $*; do - dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1 + for pkg in "$@"; do + dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1 done } @@ -227,7 +227,7 @@ is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall if is_debian; then - if [ "$IS_LSBRELEASE" = "1" ]; then + if [ "$IS_LSBRELEASE" = 1 ]; then test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" ## only the major version matters lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) 
@@ -239,7 +239,7 @@ if is_debian; then if is_debian_squeeze; then if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf) - [ "$count" = "2" ] || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing." + test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing." fi elif is_debian_wheezy; then if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then @@ -367,7 +367,7 @@ if is_debian; then else if [ -e "/etc/apt/listchanges.conf" ]; then lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) - if [ $lines != 2 ]; then + if [ "$lines" != 2 ]; then failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" fi else @@ -378,7 +378,7 @@ if is_debian; then if [ "$IS_CUSTOMCRONTAB" = 1 ]; then found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab) - test "$found_lines" = "4" && failed "IS_CUSTOMCRONTAB" + test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" fi if [ "$IS_SSHALLOWUSERS" = 1 ]; then @@ -630,14 +630,14 @@ if is_debian; then # Network conf verification if [ "$IS_INTERFACESGW" = 1 ]; then number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) - test $number -gt 1 && failed "IS_INTERFACESGW" + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway" number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) - test $number -gt 1 && failed "IS_INTERFACESGW" + test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway" fi # Verification de la mise en place d'evobackup if [ "$IS_EVOBACKUP" = 1 ]; then - ls /etc/cron* |grep -q "evobackup" || failed "IS_EVOBACKUP" + find /etc/cron* -name '*evobackup*' > /dev/null || failed "IS_EVOBACKUP" fi # Verification de la presence du userlogrotate 
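Review bot: The new `find /etc/cron* -name '*evobackup*' > /dev/null || failed "IS_EVOBACKUP"` can never fail: find(1) exits 0 whether or not anything matched (non-zero only on an error such as an unreadable directory), so replacing `ls | grep -q` silently disabled the check. Test for output instead: `find /etc/cron* -name '*evobackup*' -print -quit | grep -q . || failed "IS_EVOBACKUP" "no evobackup script found in /etc/cron*"`. The `if is_debian` block enclosing this hunk starts and ends outside it.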
@@ -682,7 +682,7 @@ if is_debian; then muninconf="/etc/apache2/conf-available/munin.conf" fi if is_installed apache2.2-common; then - test -e $muninconf && grep -vEq "^( |\t)*#" $muninconf && failed "IS_MUNINAPACHECONF" + test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF" fi fi @@ -691,7 +691,7 @@ if is_debian; then if is_pack_samba; then if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=.*-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") - test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" + test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY" fi fi fi @@ -701,7 +701,7 @@ if is_debian; then if is_installed linux-image*; then kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6)" +%s) last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) - if [ $kernel_installed_at -gt $last_reboot_at ]; then + if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then failed "IS_KERNELUPTODATE" fi fi @@ -712,7 +712,7 @@ if is_debian; then if is_installed linux-image*; then limit=$(date -d "now - 2 year" +%s) last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) - if [ $limit -gt $last_reboot_at ]; then + if [ "$limit" -gt "$last_reboot_at" ]; then failed "IS_UPTIME" fi fi 
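Review bot: `test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY"` still misbehaves when the `grep … | cut` pipeline above it finds no `Pin-Priority:` line: with `priority` empty, test prints "integer expression expected" on stderr and exits 2, so the check does fail, but through an error rather than a verdict, and the noise ends up in the cron mail. Quoting fixes the word-splitting case; the empty case needs its own test, e.g. `{ test -n "$priority" && test "$priority" -gt 500; } || failed "IS_SAMBAPINPRIORITY" "samba backports pin priority is missing or below 500"`. The `grep -E -A2 … | grep -A1 …` chain also assumes `Pin:` and `Pin-Priority:` follow `Package:` within two lines in that order, which is worth stating in a comment. The `if is_pack_samba` block is fully inside the hunk.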
@@ -724,10 +724,10 @@ if is_debian; then limit=$(date +"%s" -d "now - 10 minutes") updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) - [ $limit -gt $updated_at ] && failed "IS_MUNINRUNNING" + [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) - grep -q "^graph_strategy cron" /etc/munin/munin.conf && [ $limit -gt $updated_at ] && failed "IS_MUNINRUNNING" + grep -q "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" fi # Check if files in /home/backup/ are up-to-date @@ -735,8 +735,8 @@ if is_debian; then if [ -d /home/backup/ ]; then for file in /home/backup/*; do limit=$(date +"%s" -d "now - 2 day") - updated_at=$(stat -c "%Y" $file) - if [ -f "$file" ] && [ $limit -gt $updated_at ]; then + updated_at=$(stat -c "%Y" "$file") + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then failed "IS_BACKUPUPTODATE" "$file has not been backed up" break; fi @@ -784,10 +784,10 @@ if is_debian; then install_date=$(stat -c %Z /var/log/installer) fi # Check install_date if the system never received an upgrade - if [ $last_upgrade -eq 0 ]; then - [ $install_date -lt $limit ] && failed "IS_NOTUPGRADED" "The system has never been updated" + if [ "$last_upgrade" -eq 0 ]; then + [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated" else - [ $last_upgrade -lt $limit ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" + [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long" fi fi 
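Review bot: In the IS_BACKUPUPTODATE loop `updated_at=$(stat -c "%Y" "$file")` runs before the `[ -f "$file" ]` test, so when /home/backup/ is empty the glob stays literal, stat prints an error and `[ "$limit" -gt "" ]` prints a second one. Reordering to `if [ -f "$file" ]; then updated_at=$(stat -c "%Y" -- "$file"); if [ "$limit" -gt "$updated_at" ]; then …` avoids both, and `limit=$(date +"%s" -d "now - 2 day")` is loop-invariant and belongs above the `for`. The loop's `done` is past the end of the hunk.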
@@ -797,13 +797,13 @@ if is_debian; then for part in $parts; do blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") # If buggy partition, skip it. - if [ -z $blockCount ]; then + if [ -z "$blockCount" ]; then continue fi reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") # Use bc to have a rounded percentage percentage=$(echo "scale=0; ${reservedBlockCount} * 100 / ${blockCount}" | bc) - if [ "$percentage" -lt "5" ]; then + if [ "$percentage" -lt 5 ]; then failed "IS_TUNE2FS_M5" "Partition ${part} has less than 5% reserved blocks!" fi done @@ -822,7 +822,7 @@ if is_debian; then if is_debian_stretch; then users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') for user in $users; do - groups $user | grep -q adm || failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" + groups "$user" | grep -q adm || failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" done fi fi @@ -1046,7 +1046,7 @@ if is_debian; then labels=$(echo -n $tmpOutput | tr '\n' ' ') failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" fi - rm $tmpFile + rm "$tmpFile" fi fi @@ -1068,7 +1068,7 @@ if is_debian; then if [ -x "$EVOACME_BIN" ]; then # Sometimes evoacme is installed but no certificates has been generated numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) - if [ "$numberOfLinks" -gt "0" ]; then + if [ "$numberOfLinks" -gt 0 ]; then for live in /etc/letsencrypt/*/live; do actualLink=$(readlink -f "$live") actualVersion=$(basename "$actualLink") @@ -1309,7 +1309,7 @@ fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then for f in /etc/ssl/private/*; do perms=$(stat -L -c "%a" "$f") - if [ "${perms: -1}" != "0" ]; then + if [ "${perms: -1}" != 0 ]; then failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" ## let's print an error for each key # break From fa53e1a29344543430afad17f47876fb1c6f82b4 Mon Sep 17 00:00:00 2001 
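Review bot: `groups "$user" | grep -q adm` matches the substring `adm` anywhere in the output, so a user in `ldap-admins` or `backup-adm` but not in `adm` passes IS_USERINADMGROUP, which defeats the purpose of the check; a user name containing `adm` trips it too, since `groups` prints `user : g1 g2`. Match the group list word by word, keeping the existing message: `id -nG "$user" | tr ' ' '\n' | grep -qx adm || failed "IS_USERINADMGROUP" …`. The `if is_debian_stretch` block enclosing the loop is fully inside the hunk.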
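Review bot: In the IS_PRIVKEYWOLRDREADABLE loop `for f in /etc/ssl/private/*` leaves the literal pattern in `f` when the directory is empty, so `stat -L -c "%a" "$f"` prints an error and `${perms: -1}` is compared as an empty string; `[ -e "$f" ] || continue` as the loop's first statement avoids it. `${perms: -1}` is a bash-only substring expansion, worth a comment if the script is expected to run under another `sh` (a portable form is `case "$perms" in *0) ;; *) failed …;; esac`). The message says "world-readable" but any non-zero last digit trips the check, including write-only or execute-only bits, which is stricter and fine but could be stated as "world-accessible". The loop's `done` is past the end of the hunk.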
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 23:58:36 +0100 Subject: [PATCH 51/85] command grouping with braces --- evocheck.sh | 44 +++++++++++++++++++++++++------------------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 707fd8b..d0dfaf6 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -268,8 +268,9 @@ if is_debian; then grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \ || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" else - test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* \ - || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" + { test -e /etc/nagios/nrpe.cfg \ + && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*; + } || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing" fi fi fi @@ -429,14 +430,17 @@ if is_debian; then if [ "$IS_NRPEPID" = 1 ]; then if ! is_debian_squeeze; then - test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg \ - || failed "IS_NRPEPID" + { test -e /etc/nagios/nrpe.cfg \ + && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg; + } || failed "IS_NRPEPID" fi fi if [ "$IS_GRSECPROCS" = 1 ]; then if uname -a | grep -q grsec; then - grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || failed "IS_GRSECPROCS" + { grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \ + && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root"; + } || failed "IS_GRSECPROCS" fi fi 
@@ -517,11 +521,11 @@ if is_debian; then fi if is_pack_web && (is_installed squid || is_installed squid3); then host=$(hostname -i) - http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ") - { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ - && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" $MINIFW_FILE; + http_port=$(grep "http_port" "$squidconffile" | cut -f 2 -d " ") + { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \ + && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE"; } || failed "IS_SQUID" fi fi 
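Review bot: `host=$(hostname -i)` is interpolated unescaped into the ERE `-d $host -j ACCEPT`, and `hostname -i` can print several addresses separated by spaces on a multi-homed host, in which case the pattern carries the whole list and IS_SQUID fails although every rule may be present; the dots also match any character. Taking one address and escaping it before the grep avoids both: `host=$(hostname -i | cut -d " " -f 1 | sed 's/\./\\./g')`. `$squidconffile` used by the `http_port=` line is set before this hunk, so it is not visible whether quoting it here breaks a glob pattern the variable relies on. The `if is_pack_web …` block is fully inside the hunk.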
@@ -578,15 +582,17 @@ if is_debian; then # Verification si bind est chroote if [ "$IS_BINDCHROOT" = 1 ]; then - if is_installed bind9 && netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then - if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then - md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') - md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') - if [ "$md5_original" != "$md5_chrooted" ]; then - failed "IS_BINDCHROOT" + if is_installed bind9; then + if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then + if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then + md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ') + md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ') + if [ "$md5_original" != "$md5_chrooted" ]; then + failed "IS_BINDCHROOT" "The chrooted bind binary is differet than the original binary" + fi + else + failed "IS_BINDCHROOT" "bind process is not chrooted" fi - else - failed "IS_BINDCHROOT" fi fi fi @@ -871,7 +877,7 @@ if is_debian; then if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then if lspci | grep -q 'MegaRAID SAS'; then - is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) \ + is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" fi if lspci | grep -q 'Hewlett-Packard Company Smart Array'; then From 97b13b2a6014f2fed4adc93f69a7a937f79c2a18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 23:59:09 +0100 Subject: [PATCH 52/85] `cut < file` instead of `cat file | cut` --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index d0dfaf6..4f2a9ce 100755 --- a/evocheck.sh +++ b/evocheck.sh 
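Review bot: The new failure message `"The chrooted bind binary is differet than the original binary"` has a typo ("differet" → "different"), and the `md5sum … | cut` pair is more machinery than the equality test needs: `cmp -s /usr/sbin/named /var/chroot-bind/usr/sbin/named || failed "IS_BINDCHROOT" "The chrooted bind binary is different from the original binary"` does the same without parsing output. The chroot path `/var/chroot-bind` is hard-coded even though the `-t` option the check greps for in /etc/default/bind9 carries the real directory; if the two differ the comparison is against a non-existent file. `netstat` comes from net-tools, which may not be installed on newer releases, so the outer condition then silently skips the whole check — a comment or an `ss -utpln` fallback would make that explicit. The `if is_installed bind9` block is fully inside the hunk.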
@@ -231,7 +231,7 @@ if is_debian; then test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" ## only the major version matters lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) - rhs=$(cat /etc/debian_version | cut -d "." -f 1) + rhs=$(cut -d "." -f 1 < /etc/debian_version) test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" fi From 8f46b6c8111ce14035a1ffb241b17fc93f8a6e27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 23:59:25 +0100 Subject: [PATCH 53/85] variable extraction --- evocheck.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 4f2a9ce..144820f 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -353,8 +353,9 @@ if is_debian; then if [ "$IS_MOUNT_FSTAB" = 1 ]; then # Test if lsblk available, if not skip this test... - if test -x "$(command -v lsblk)"; then - for mountPoint in $(lsblk -o MOUNTPOINT -l -n | grep '/'); do + LSBLK_BIN=$(command -v lsblk) + if test -x "${LSBLK_BIN}"; then + for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do grep -Eq "$mountPoint\W" /etc/fstab || failed "IS_MOUNT_FSTAB" done fi From 92754deef054f3e8f8a27dc71742d886e921b7d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Fri, 22 Mar 2019 23:59:55 +0100 Subject: [PATCH 54/85] whitespaces --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 144820f..3894b5d 100755 --- a/evocheck.sh +++ b/evocheck.sh 
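Review bot: `grep -Eq "$mountPoint\W" /etc/fstab` treats the mount point as a regular expression and as a prefix, so `/home` is satisfied by an fstab line for `/home/backup`, and a mount point with regex metacharacters can match unrelated lines; IS_MOUNT_FSTAB can therefore pass for a mount that is not in fstab at all. Matching the second fstab field exactly is more reliable: `awk -v mp="$mountPoint" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' /etc/fstab || failed "IS_MOUNT_FSTAB" "$mountPoint is not in /etc/fstab"`. The `for mountPoint in $(…)` loop also word-splits, so a mount point containing a space becomes two bogus entries — rare on servers, but worth a comment. The `if [ "$IS_MOUNT_FSTAB" = 1 ]` block is fully inside the hunk.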
@@ -622,9 +622,9 @@ if is_debian; then # Verify if all if are in auto if [ "$IS_AUTOIF" = 1 ]; then if is_debian_stretch; then - interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " ") + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") else - interfaces=$(/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " ") + interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ") fi for interface in $interfaces; do if ! grep -q "^auto $interface" /etc/network/interfaces; then From 3591e265c818ce722bf0db366f322d16934e26cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 00:00:14 +0100 Subject: [PATCH 55/85] `grep -c` instead of `grep | wc -l` --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 3894b5d..4dc0fe7 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -425,8 +425,8 @@ if is_debian; then if [ "$IS_NRPEDISKS" = 1 ]; then NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) - DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) - [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS" + DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)") + test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" fi if [ "$IS_NRPEPID" = 1 ]; then From a7bfbe0a199470fec021c82aa83f70505f4f6364 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 00:00:44 +0100 Subject: [PATCH 56/85] `awk` instead of `tr | cut` --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 4dc0fe7..4d25f87 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -706,7 +706,7 @@ if is_debian; then # Verification si le système doit redémarrer suite màj kernel. if [ "$IS_KERNELUPTODATE" = 1 ]; then if is_installed linux-image*; then - kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6)" +%s) + kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s) last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then failed "IS_KERNELUPTODATE" From 2fdc3338fd7cc9acfb8992175c0ccc93f396aa5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 00:13:04 +0100 Subject: [PATCH 57/85] Disable a few shellcheck style warnings --- evocheck.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/evocheck.sh b/evocheck.sh index 4d25f87..cd8d04d 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -149,6 +149,7 @@ elif [ "$(uname -s)" = "OpenBSD" ]; then fi # Source configuration file +# shellcheck disable=SC1091 test -f /etc/evocheck.cf && . /etc/evocheck.cf VERBOSE="${VERBOSE:-0}" @@ -706,6 +707,7 @@ if is_debian; then # Verification si le système doit redémarrer suite màj kernel. if [ "$IS_KERNELUPTODATE" = 1 ]; then if is_installed linux-image*; then + # shellcheck disable=SC2012 kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s) last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then 
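Review bot: `awk '{print $6}'` keeps only the date column of `ls --full-time`, so `kernel_installed_at` is the midnight of the install day; a kernel installed later on the same day as the last reboot then compares as older than the reboot and IS_KERNELUPTODATE misses it (the `cut -d " " -f 6` it replaces had the same defect). The ls parsing can go entirely, which also removes the need for the SC2012 directive: `kernel_installed_at=$(find /boot -maxdepth 1 -type f -printf '%C@\n' | sort -n | tail -n 1 | cut -d . -f 1)`. Note that `-lcrt /boot | tail -n1` picks the newest ctime of any entry in /boot, grub.cfg or an initrd rebuild included, so the check really means "something in /boot changed since the reboot" — the comment above it should say so. The `if [ "$IS_KERNELUPTODATE" = 1 ]` block ends past the hunk.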
@@ -878,6 +880,7 @@ if is_debian; then if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then if lspci | grep -q 'MegaRAID SAS'; then + # shellcheck disable=SC2015 is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" fi @@ -1050,6 +1053,7 @@ if is_debian; then # If there is no duplicate, uniq will have no output # So, if $tmpOutput is not null, there is a duplicate if [ -n "$tmpOutput" ]; then + # shellcheck disable=SC2086 labels=$(echo -n $tmpOutput | tr '\n' ' ') failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" fi @@ -1082,6 +1086,7 @@ if is_debian; then certDir=$(dirname "$live") certName=$(basename "$certDir") + # shellcheck disable=SC2012 lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1) lastVersion=$(basename "$lastCertDir") @@ -1287,6 +1292,7 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) fi for user in $users; do + # shellcheck disable=SC2086 if ! grep -qs "^trap.*sudo.*evomaintenance.sh" ~${user}/.*profile; then failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" ## let's print an error for each user From 7702a8dd84ca1bb3a4af2fa3aaa475cf5bdf8564 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 00:42:05 +0100 Subject: [PATCH 58/85] Add options parsing (verbose/quiet/cron/help/version) --- evocheck.sh | 159 +++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 119 insertions(+), 40 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index cd8d04d..d62befd 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -4,6 +4,8 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix +VERSION="0.14.0.beta1" + # Disable LANG* export LANG=C export LANGUAGE=C 
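Review bot: `lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1)` relies on ls's alphabetical order to find the newest certificate version, so once a name reaches ten versions `9` sorts after `10` and IS_EVOACME_LIVELINKS compares the live link against the wrong directory; silencing SC2012 keeps that. `lastVersion=$(ls -d "${certDir}"/[0-9]* | sed 's|.*/||' | sort -n | tail -n 1)` orders the versions numerically and replaces both lines. The `-s` flag also prefixes each entry with a block count, which only works because `basename` is applied afterwards; dropping it removes that accidental dependency. The `for live in /etc/letsencrypt/*/live` loop starts before the hunk.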
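Review bot: The `# shellcheck disable=SC2086` added above `~${user}/.*profile` hides a real bug rather than a style nit: tilde expansion happens before parameter expansion, so `~${user}` is never resolved to that user's home directory and grep is handed a literal `~alice/.profile` relative to the current directory, which `-s` then silences — every listed admin is reported as lacking the trap. Resolve the home through the passwd database instead: `user_home=$(getent passwd "$user" | cut -d : -f 6)` followed by `grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile`, skipping users whose home is empty or absent. The `for user in $users` loop's `done` is past the end of the hunk.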
@@ -126,6 +128,14 @@ IS_NRPEDAEMON=1 IS_ALERTBOOT=1 IS_RSYNC=1 +# Default return code : 0 = no error +RC=0 + +# Source configuration file +# shellcheck disable=SC1091 +test -f /etc/evocheck.cf && . /etc/evocheck.cf + +# OS detection DEBIAN_RELEASE="" LSB_RELEASE_BIN=$(command -v lsb_release) OPENBSD_RELEASE="" 
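Review bot: `test -f /etc/evocheck.cf && . /etc/evocheck.cf` executes the configuration file as shell code with this script's privileges (it stats /etc/ssl/private/* and /etc/.git, so it is evidently run as root), yet nothing verifies who may write that file, so a group- or world-writable /etc/evocheck.cf is a direct privilege-escalation path. Refusing to source it when others can write it is cheap and portable to the OpenBSD branch via `ls -ld`, as below; ownership can be checked the same way from the third column if that ever matters. Moving the `source` above the OS detection is otherwise harmless, since `DEBIAN_RELEASE` and `OPENBSD_RELEASE` are reset right after it. The `IS_*=1` defaults the file may override start before the hunk.
```shell
# Default return code : 0 = no error
RC=0

# Source configuration file only if nobody but its owner can write it:
# it is executed as shell code with this script's (root) privileges.
if [ -f /etc/evocheck.cf ]; then
    case "$(ls -ld /etc/evocheck.cf)" in
        ?????w*|????????w*)
            printf 'WARN: /etc/evocheck.cf is group/world-writable, ignoring it\n' >&2
            ;;
        *)
            # shellcheck disable=SC1091
            . /etc/evocheck.cf
            ;;
    esac
fi

# … unchanged: OS detection …
```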
@@ -148,44 +158,42 @@ elif [ "$(uname -s)" = "OpenBSD" ]; then OPENBSD_RELEASE=$(uname -r) fi -# Source configuration file -# shellcheck disable=SC1091 -test -f /etc/evocheck.cf && . /etc/evocheck.cf - -VERBOSE="${VERBOSE:-0}" - -# If --cron is passed, ignore some checks. -if [ "$1" = "--cron" ]; then - IS_KERNELUPTODATE=0 - IS_UPTIME=0 -fi - -# logging function -failed() { - check_name=$1 - shift - check_comments=$* - - if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then - printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1 - else - printf "%s FAILED!\n" "${check_name}" 2>&1 - fi -} - # Functions -is_pack_web(){ - test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh -} -is_pack_samba(){ - test -e /usr/share/scripts/add.pl -} +show_version() { + cat < /dev/null | grep -q -E '^(i|h)i' || return 1 - done +Copyright 2009-2019 Evolix , + Romain Dessort , + Benoit Série , + Gregory Colpart , + Jérémy Lecour , + Tristan Pilat , + Victor Laborie + and others. + +evocheck comes with ABSOLUTELY NO WARRANTY. This is free software, +and you are welcome to redistribute it under certain conditions. +See the GNU General Public License v3.0 for details. +END +} +show_help() { + cat < /dev/null | grep -q -E '^(i|h)i' || return 1 + done +} + +# logging +failed() { + check_name=$1 + shift + check_comments=$* + + RC=1 + if [ "${QUIET}" = 0 ]; then + if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then + printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1 + else + printf "%s FAILED!\n" "${check_name}" 2>&1 + fi + fi +} + +# Parse options +# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a +while :; do + case $1 in + -h|-\?|--help) + show_help + exit 0 + ;; + --version) + show_version + exit 0 + ;; + --cron) + IS_KERNELUPTODATE=0 + IS_UPTIME=0 + ;; + -v|--verbose) + VERBOSE=1 + ;; + -q|--quiet) + QUIET=1 + VERBOSE=0 + ;; + --) + # End of all options. 
+ shift + break + ;; + -?*|[[:alnum:]]*) + # ignore unknown options + printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2 + ;; + *) + # Default case: If no more options then break out of the loop. + break + ;; + esac + + shift +done #----------------------------------------------------------- #Vérifie si c'est une debian et fait les tests appropriés. @@ -228,6 +299,12 @@ is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall if is_debian; then + is_debian_lenny && MINIFW_FILE=/etc/firewall.rc + is_debian_squeeze && MINIFW_FILE=/etc/firewall.rc + is_debian_wheezy && MINIFW_FILE=/etc/firewall.rc + is_debian_jessie && MINIFW_FILE=/etc/default/minifirewall + is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall + if [ "$IS_LSBRELEASE" = 1 ]; then test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" ## only the major version matters @@ -1329,3 +1406,5 @@ if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then fi done fi + +exit ${RC} From df9af8061d119c9202b6e52f32171b855828ae07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 00:59:48 +0100 Subject: [PATCH 59/85] log if not QUIET --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index d62befd..be3975e 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -243,7 +243,7 @@ failed() { check_comments=$* RC=1 - if [ "${QUIET}" = 0 ]; then + if [ "${QUIET}" != 1 ]; then if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1 else From 48cbf6385fd703d44aee6cbc7c91d676b2b381f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 01:01:38 +0100 Subject: [PATCH 60/85] improve reserved blocks math bc(1) round to the lower integer, so we add 1 to always be around the ceiling. --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
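Review bot: `QUIET` is never given a default in the new code, so unless `-q` was passed `[ "${QUIET}" = 0 ]` in `failed()` compares an empty string with 0 and is false: a normal run sets `RC=1` but prints nothing, the opposite of what the option table documents. Initialising both flags before the parser, `VERBOSE="${VERBOSE:-0}"` and `QUIET="${QUIET:-0}"` (the previous `VERBOSE="${VERBOSE:-0}"` line is removed in this hunk), keeps the configuration-file override and fixes the comparison; testing `[ "${QUIET}" != 1 ]` is the alternative. The `-?*|[[:alnum:]]*)` arm also swallows every non-option argument as an "unknown option", so the parser can never pass positional parameters through; if none are expected, `show_help` should say so. The `show_version`/`show_help` here-documents are garbled in this listing (`cat < /dev/null | grep -q …`), so their text is not reviewable here.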
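Review bot: The five `is_debian_* && MINIFW_FILE=…` assignments added inside `if is_debian; then` duplicate the ones still sitting just above it at top level (the `is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall` context line is visible), so the variable is now set twice with the same values and only the lenny line is actually new. Remove the top-level copies in the same change, and consider a single `case "$(debian_release)" in lenny|squeeze|wheezy) MINIFW_FILE=/etc/firewall.rc ;; jessie|stretch) MINIFW_FILE=/etc/default/minifirewall ;; esac` instead of five chained tests.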
diff --git a/evocheck.sh b/evocheck.sh index be3975e..01fb3f3 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -888,9 +888,9 @@ if is_debian; then fi reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") # Use bc to have a rounded percentage - percentage=$(echo "scale=0; ${reservedBlockCount} * 100 / ${blockCount}" | bc) + percentage=$(echo "(${reservedBlockCount} * 100 / ${blockCount}) + 1" | bc) if [ "$percentage" -lt 5 ]; then - failed "IS_TUNE2FS_M5" "Partition ${part} has less than 5% reserved blocks!" + failed "IS_TUNE2FS_M5" "Partition ${part} has less than 5% reserved blocks (${percentage}%)" fi done fi From 3598154e4a9efe258f10e60f8a58a72dba6e700d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 01:10:29 +0100 Subject: [PATCH 61/85] find user's home directory via getent(1) --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 01fb3f3..64092c9 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1369,8 +1369,8 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u) fi for user in $users; do - # shellcheck disable=SC2086 - if ! grep -qs "^trap.*sudo.*evomaintenance.sh" ~${user}/.*profile; then + user_home=$(getent passwd "$user" | cut -d: -f6) + if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" ## let's print an error for each user # break From 140a5d1a845f9f4d8511196ad512f0095a7bc6e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 01:13:09 +0100 Subject: [PATCH 62/85] typo --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 64092c9..fd51315 100755 --- a/evocheck.sh 
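Review bot: Adding 1 to the truncated quotient turns every reservation between 4.0% and 4.99% into `5`, so `[ "$percentage" -lt 5 ]` no longer flags a partition with, say, 4.5% reserved blocks — the commit trades a false positive just below 5% for a false negative, the worse direction for a compliance check. The threshold can be applied without rounding and without bc: `if [ $((reservedBlockCount * 20)) -lt "$blockCount" ]; then` is exactly "reserved < 5% of blocks", with `percentage` computed only for the message. The empty-value guard that exists for `blockCount` above the hunk is missing for `reservedBlockCount`, and an empty operand makes either bc or `$(( ))` a syntax error. The `for part in $parts` loop starts before the hunk.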
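Review bot: `user_home=$(getent passwd "$user" | cut -d: -f6)` is empty when a name taken from sudoers or the `sudo` group has no passwd entry (a deleted account is the usual case), and the following grep then looks at `/.*profile` in the filesystem root, which `-s` silences, so a stale entry is always reported as "doesn't have an evomaintenance trap" instead of as an unknown user. Guard it with `if [ -n "$user_home" ] && [ -d "$user_home" ]; then … else failed "IS_EVOMAINTENANCEUSERS" "${user} has no home directory"; fi`. Replacing `~${user}` with getent is the right fix, since tilde expansion precedes parameter expansion and never resolved the variable. The `for user in $users` loop's `done` is past the end of the hunk.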
+++ b/evocheck.sh @@ -190,7 +190,7 @@ Usage: evocheck Options --cron disable a few checks -v, --verbose increase verbosity of checks - -q, --quiet nothing is printed on stadard outputs + -q, --quiet nothing is printed on stdout nor stderr --help print this message and exit --version print version and exit END From 8980ca7b69ae56c8bb84f3e3f33b22d90fd6a4a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 01:15:00 +0100 Subject: [PATCH 63/85] document -h for help option --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index fd51315..561f683 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -191,7 +191,7 @@ Options --cron disable a few checks -v, --verbose increase verbosity of checks -q, --quiet nothing is printed on stdout nor stderr - --help print this message and exit + -h, --help print this message and exit --version print version and exit END } From c9acd916715afb8ae3a58b5a0b746a51d7431b3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 01:21:40 +0100 Subject: [PATCH 64/85] Break the loop unless in verbose mode --- evocheck.sh | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 561f683..08d8275 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -824,7 +824,7 @@ if is_debian; then updated_at=$(stat -c "%Y" "$file") if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then failed "IS_BACKUPUPTODATE" "$file has not been backed up" - break; + test "${VERBOSE}" = 1 || break; fi done fi @@ -1073,7 +1073,7 @@ if is_debian; then if [[ ! -L /etc/munin/plugins/$file ]]; then failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing" - break + test "${VERBOSE}" = 1 || break fi done fi 
@@ -1169,8 +1169,7 @@ if is_debian; then if [[ "$lastVersion" != "$actualVersion" ]]; then failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated" - ## let's print an error for each certificate - # break + test "${VERBOSE}" = 1 || break fi done fi @@ -1223,7 +1222,7 @@ if is_debian; then # There is at least one dir matching if [[ -n "$statResult" ]]; then failed "IS_OLD_HOME_DIR" "$statResult" - break + test "${VERBOSE}" = 1 || break fi done fi @@ -1372,8 +1371,7 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then user_home=$(getent passwd "$user" | cut -d: -f6) if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" - ## let's print an error for each user - # break + test "${VERBOSE}" = 1 || break fi done fi @@ -1401,8 +1399,7 @@ if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then perms=$(stat -L -c "%a" "$f") if [ "${perms: -1}" != 0 ]; then failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" - ## let's print an error for each key - # break + test "${VERBOSE}" = 1 || break fi done fi From f377df3370f35a680def048c50955b273dfc05bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 01:35:26 +0100 Subject: [PATCH 65/85] fix evobakup scripts detection find returns with 0 even if nothing is found, so we use the number of occurences --- evocheck.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 08d8275..43c7a5b 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -722,7 +722,8 @@ if is_debian; then # Verification de la mise en place d'evobackup if [ "$IS_EVOBACKUP" = 1 ]; then - find /etc/cron* -name '*evobackup*' > /dev/null || failed "IS_EVOBACKUP" + evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l) + test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP" fi # Verification de la presence du userlogrotate 
From 4daaf99e3621d1919727e3b2f35b4d074a8f1cf4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 01:54:04 +0100 Subject: [PATCH 66/85] split IS_EVOMAINTENANCECONF in 3 checks --- evocheck.sh | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 43c7a5b..3c74011 100755 --- a/evocheck.sh +++ b/evocheck.sh 
@@ -1380,19 +1380,23 @@ fi # Verification de la configuration d'evomaintenance if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then f=/etc/evomaintenance.cf - perms=$(stat -c "%a" $f) - { test -e $f \ - && test "$perms" = "600" \ - && grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ - && grep "^PGDB" $f | grep -qv "your-db" \ - && grep "^PGTABLE" $f | grep -qv "your-table" \ - && grep "^PGHOST" $f | grep -qv "your-pg-host" \ - && grep "^FROM" $f | grep -qv "jdoe@example.com" \ - && grep "^FULLFROM" $f | grep -qv "John Doe " \ - && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ - && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ - && grep "^REALM" $f | grep -qv "example.com"; - } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" + if [ -e "$f" ]; then + perms=$(stat -c "%a" $f) + test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)" + + { grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \ + && grep "^PGDB" $f | grep -qv "your-db" \ + && grep "^PGTABLE" $f | grep -qv "your-table" \ + && grep "^PGHOST" $f | grep -qv "your-pg-host" \ + && grep "^FROM" $f | grep -qv "jdoe@example.com" \ + && grep "^FULLFROM" $f | grep -qv "John Doe " \ + && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \ + && grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \ + && grep "^REALM" $f | grep -qv "example.com"; + } || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured" + else + failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing" + fi fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then From 8f255fa392b52b7a0bc8fa8aa6c819eef0172dcc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 01:54:30 +0100 Subject: [PATCH 67/85] IS_EVOMAINTENANCEUSERS search trap only in active users home --- evocheck.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
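Review bot: /etc/evomaintenance.cf carries a database password (`^export PGPASSWORD`), and the new permission check only looks at the mode — `stat -c "%a" $f` then `test "$perms" = "600"` — so a 600 file owned by any other user is accepted although that user can read the credential. Checking owner and mode together closes the gap: `perms=$(stat -c "%U:%a" "$f")` and `test "$perms" = "root:600" || failed "IS_EVOMAINTENANCECONF" "Wrong owner/permissions on $f ($perms instead of root:600)"`; `$f` should also be quoted in the stat and grep calls now that the `-e` test quotes it. The placeholder comparisons `grep "^KEY" $f | grep -qv "placeholder"` pass as soon as any line for the key is not the placeholder, so a file still containing the template line next to a real one is accepted — acceptable, but worth a comment. The `if [ "$IS_EVOMAINTENANCECONF" = 1 ]` block is fully inside the hunk.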
diff --git a/evocheck.sh b/evocheck.sh index 3c74011..a0ea289 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1370,9 +1370,11 @@ if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then fi for user in $users; do user_home=$(getent passwd "$user" | cut -d: -f6) - if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then - failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" - test "${VERBOSE}" = 1 || break + if [ -n "$user_home" ] && [ -d "$user_home" ]; then + if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then + failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap" + test "${VERBOSE}" = 1 || break + fi fi done fi From 83379f6787e7ab28cfa98a0cb984bc133fe7a013 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 02:06:55 +0100 Subject: [PATCH 68/85] fix excessive quoting it breaks globbing --- evocheck.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index a0ea289..379d3fc 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -600,7 +600,8 @@ if is_debian; then fi if is_pack_web && (is_installed squid || is_installed squid3); then host=$(hostname -i) - http_port=$(grep "http_port" "$squidconffile" | cut -f 2 -d " ") + # shellcheck disable=SC2086 + http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ") { grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \ From 3979b71831e438c34ca6c695d8d6f7debc77d085 Mon Sep 17 00:00:00 2001 
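Review bot: The unquoted `$squidconffile` is restored so it can expand as a glob (the variable is set before this hunk, so its value is not visible), but if the pattern matches more than one file `grep "http_port"` prefixes each hit with the file name and `cut -f 2 -d " "` no longer yields a port; the pattern also matches commented `# http_port` lines and `https_port`. `http_port=$(grep -h "^http_port" $squidconffile | awk '{print $2}' | head -n 1)` handles all three. A short comment saying that the variable holds a pattern would justify the `disable=SC2086` directive better than the bare line. The `if is_pack_web …` block ends past the hunk.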
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 09:17:43 +0100 Subject: [PATCH 69/85] Check for files before going further Some non conventional servers might have important files or programs missing. --- evocheck.sh | 81 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 55 insertions(+), 26 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 379d3fc..09ae844 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -306,11 +306,14 @@ if is_debian; then is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall if [ "$IS_LSBRELEASE" = 1 ]; then - test -x "${LSB_RELEASE_BIN}" || failed "IS_LSBRELEASE" "lsb_release is missing or not executable" - ## only the major version matters - lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) - rhs=$(cut -d "." -f 1 < /etc/debian_version) - test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" + if [ -x "${LSB_RELEASE_BIN}" ]; then + ## only the major version matters + lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1) + rhs=$(cut -d "." -f 1 < /etc/debian_version) + test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version" + else + failed "IS_LSBRELEASE" "lsb_release is missing or not executable" + fi fi if [ "$IS_DPKGWARNING" = 1 ]; then 
@@ -470,16 +473,24 @@ if is_debian; then fi if [ "$IS_TMOUTPROFILE" = 1 ]; then - grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" + grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" fi if [ "$IS_ALERT5BOOT" = 1 ]; then - grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + else + failed "IS_ALERT5BOOT" "alert5 init script is missing" + fi fi if [ "$IS_ALERT5MINIFW" = 1 ]; then - grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ - || failed "IS_ALERT5MINIFW" + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + else + failed "IS_ALERT5MINIFW" "alert5 init script is missing" + fi fi if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then @@ -488,7 +499,7 @@ if is_debian; then fi if [ "$IS_NRPEPERMS" = 1 ]; then - if test -d /etc/nagios; then + if [ -d /etc/nagios ]; then actual=$(stat --format "%A" /etc/nagios) expected="drwxr-x---" test "$expected" = "$actual" || failed "IS_NRPEPERMS" @@ -496,9 +507,11 @@ if is_debian; then fi if [ "$IS_MINIFWPERMS" = 1 ]; then - actual=$(stat --format "%A" $MINIFW_FILE) - expected="-rw-------" - test "$expected" = "$actual" || failed "IS_MINIFWPERMS" + if [ -f "$MINIFW_FILE" ]; then + actual=$(stat --format "%A" $MINIFW_FILE) + expected="-rw-------" + test "$expected" = "$actual" || failed "IS_MINIFWPERMS" + fi fi if [ "$IS_NRPEDISKS" = 1 ]; then 
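Review bot: The presence test `find /etc/rc2.d/ -name 'S*alert5'` added to IS_ALERT5BOOT and IS_ALERT5MINIFW recurses, while the `grep` that follows each one uses the glob `/etc/rc2.d/S*alert5`, which only matches the top level; a match below the directory satisfies the `find` and then makes `grep` fail on a literal pattern. Adding `-maxdepth 1` to both `find` calls keeps the two tests looking at the same files. The same `find` also runs twice back to back; capturing its result once in a variable above the two checks removes the duplication.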
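Review bot: The new `-f "$MINIFW_FILE"` guard quotes the variable, but the `stat --format "%A" $MINIFW_FILE` it protects still does not; `actual=$(stat --format "%A" "$MINIFW_FILE")` makes the two lines consistent. Unlike the alert5 blocks in this same commit, a missing `MINIFW_FILE` is skipped quietly here rather than reported; if that is intentional a comment should say so, otherwise `else failed "IS_MINIFWPERMS" "$MINIFW_FILE is missing"` matches the rest of the change.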
@@ -808,14 +821,27 @@ if is_debian; then # Check if munin-node running and RRD files are up to date. if [ "$IS_MUNINRUNNING" = 1 ]; then - pgrep munin-node >/dev/null || failed "IS_MUNINRUNNING" + if ! pgrep munin-node >/dev/null; then + failed "IS_MUNINRUNNING" "Munin is not running" + elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then + limit=$(date +"%s" -d "now - 10 minutes") - limit=$(date +"%s" -d "now - 10 minutes") - updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) - [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" + if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then + updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1) + [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)" + fi - updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) - grep -q "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" + if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then + updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) + grep -q "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)" + fi + else + failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)" + fi fi # Check if files in /home/backup/ are up-to-date 
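Review bot: `find /var/lib/munin/ -name '*load-g.rrd'` and `find /var/cache/munin/www/ -name 'load-day.png'` search the whole tree, but the `stat` calls that follow use the fixed-depth globs `/var/lib/munin/*/*load-g.rrd` and `/var/cache/munin/www/*/*/load-day.png`; a file at another depth passes the presence test, the glob is then passed literally, `updated_at` ends up empty and `[ "$limit" -gt "$updated_at" ]` errors instead of reporting. Adding `-mindepth 2 -maxdepth 2` and `-mindepth 3 -maxdepth 3` respectively to the two `find` calls aligns them with the globs. `stat -c "%Y" ... | sort | tail -1` also orders epoch timestamps lexically; `sort -n` is the safe form.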
@@ -1403,13 +1429,16 @@ if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then fi if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then - for f in /etc/ssl/private/*; do - perms=$(stat -L -c "%a" "$f") - if [ "${perms: -1}" != 0 ]; then - failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" - test "${VERBOSE}" = 1 || break - fi - done + # a simple globbing fails if directory is empty + if [ -n "$(ls -A /etc/ssl/private/)" ]; then + for f in /etc/ssl/private/*; do + perms=$(stat -L -c "%a" "$f") + if [ "${perms: -1}" != 0 ]; then + failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable" + test "${VERBOSE}" = 1 || break + fi + done + fi fi exit ${RC} From 9cd5e1c3251ff7df76c1f93903ee9e9f6c112945 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 10:32:29 +0100 Subject: [PATCH 70/85] improve backup detection --- evocheck.sh | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 09ae844..29b461b 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -847,14 +847,21 @@ if is_debian; then # Check if files in /home/backup/ are up-to-date if [ "$IS_BACKUPUPTODATE" = 1 ]; then if [ -d /home/backup/ ]; then - for file in /home/backup/*; do - limit=$(date +"%s" -d "now - 2 day") - updated_at=$(stat -c "%Y" "$file") - if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then - failed "IS_BACKUPUPTODATE" "$file has not been backed up" - test "${VERBOSE}" = 1 || break; - fi - done + if [ -n "$(ls -A /home/backup/)" ]; then + for file in /home/backup/*; do + limit=$(date +"%s" -d "now - 2 day") + updated_at=$(stat -c "%Y" "$file") + + if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then + failed "IS_BACKUPUPTODATE" "$file has not been backed up" + test "${VERBOSE}" = 1 || break; + fi + done + else + failed "IS_BACKUPUPTODATE" "/home/backup/ is empty" + fi + else + failed "IS_BACKUPUPTODATE" "/home/backup/ is missing" fi fi From e2fb5ae837dde1661fa6726020e9c82d0dcc257d Mon Sep 17 00:00:00 2001 
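Review bot: `[ -n "$(ls -A /etc/ssl/private/)" ]` parses `ls` to detect an empty directory, and when the directory cannot be listed (it is typically readable by root only) the substitution is empty and the whole IS_PRIVKEYWOLRDREADABLE check is skipped quietly, which is the wrong direction for a permissions check. The `${perms: -1}` expansion already ties this file to bash, so the loop can keep its original shape and start with `[ -e "$f" ] || continue`, which handles the no-match case without `ls` and without hiding a read error; the `# a simple globbing fails if directory is empty` comment then becomes unnecessary.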
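Review bot: `limit=$(date +"%s" -d "now - 2 day")` is recomputed for every entry in the new loop although it does not depend on `$file`; it belongs above `for file in /home/backup/*`. `stat -c "%Y" "$file"` also runs before the `-f "$file"` test, so a dangling symlink or an unreadable entry emits a stat error on stderr before being skipped; putting `[ -f "$file" ] || continue` first in the loop body avoids that and simplifies the condition that follows.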
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 10:32:53 +0100 Subject: [PATCH 71/85] fail if `lspci` is missing --- evocheck.sh | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 29b461b..e660ef2 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -983,21 +983,31 @@ if is_debian; then fi if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then - if lspci | grep -q 'NetXtreme II'; then - { is_installed firmware-bnx2 \ - && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; - } || failed "IS_BROADCOMFIRMWARE" + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then + { is_installed firmware-bnx2 \ + && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list; + } || failed "IS_BROADCOMFIRMWARE" + fi + else + failed "IS_BROADCOMFIRMWARE" "lspci is missing" fi fi if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then - if lspci | grep -q 'MegaRAID SAS'; then - # shellcheck disable=SC2015 - is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ - || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" - fi - if lspci | grep -q 'Hewlett-Packard Company Smart Array'; then - is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed" + LSPCI_BIN=$(command -v lspci) + if [ -x "${LSPCI_BIN}" ]; then + if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then + # shellcheck disable=SC2015 + is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \ + || failed "IS_HARDWARERAIDTOOL" "Mega tools not found" + fi + if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then + is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed" + fi + else + failed "IS_HARDWARERAIDTOOL" "lspci is missing" fi fi 
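Review bot: `LSPCI_BIN=$(command -v lspci)` is evaluated separately in IS_BROADCOMFIRMWARE and IS_HARDWARERAIDTOOL, and the second check then runs `lspci` twice more; resolving the binary once above both checks and capturing its output once (`lspci_out=$(${LSPCI_BIN})`, then `grep -q` on that variable) removes the duplication and the repeated PCI scans. If the script runs under `set -e`, which the hunk does not show, a missing `lspci` makes the `command -v` assignment abort before the `-x` test is ever reached; `|| true` on that assignment guards it.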
From 4136b310c13fcd6d3c6e38fa856b9ac388eeb6fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sat, 23 Mar 2019 21:09:36 +0100 Subject: [PATCH 72/85] fallback to python if bc(1) is missing --- evocheck.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index e660ef2..2aa9802 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -914,6 +914,7 @@ if is_debian; then # Check if reserved blocks for root is at least 5% on every mounted partitions. if [ "$IS_TUNE2FS_M5" = 1 ]; then + BC_BIN=$(command -v bc) parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') for part in $parts; do blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") @@ -922,8 +923,13 @@ if is_debian; then continue fi reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") - # Use bc to have a rounded percentage - percentage=$(echo "(${reservedBlockCount} * 100 / ${blockCount}) + 1" | bc) + if [ -x "$BC_BIN" ]; then + # Use bc to have a rounded percentage + percentage=$(echo "(${reservedBlockCount} * 100 / ${blockCount}) + 1" | $BC_BIN) + else + # fallback to python + percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))") + fi if [ "$percentage" -lt 5 ]; then failed "IS_TUNE2FS_M5" "Partition ${part} has less than 5% reserved blocks (${percentage}%)" fi From a7abd80f9326b8583eae4c78980b526a2cf05037 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 24 Mar 2019 21:10:47 +0100 Subject: [PATCH 73/85] Use awk to have a rounded percentage python is slow bash supports only integer arithmetics "bc" can't round to the ceiling --- evocheck.sh | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 2aa9802..8156a88 100755 --- a/evocheck.sh +++ b/evocheck.sh 
@@ -914,7 +914,7 @@ if is_debian; then # Check if reserved blocks for root is at least 5% on every mounted partitions. if [ "$IS_TUNE2FS_M5" = 1 ]; then - BC_BIN=$(command -v bc) + min=5 parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') for part in $parts; do blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") @@ -923,15 +923,12 @@ if is_debian; then continue fi reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") - if [ -x "$BC_BIN" ]; then - # Use bc to have a rounded percentage - percentage=$(echo "(${reservedBlockCount} * 100 / ${blockCount}) + 1" | $BC_BIN) - else - # fallback to python - percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))") - fi - if [ "$percentage" -lt 5 ]; then - failed "IS_TUNE2FS_M5" "Partition ${part} has less than 5% reserved blocks (${percentage}%)" + # Use awk to have a rounded percentage + # python is slow, bash is unable and bc rounds weirdly + percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }") + + if [ "$percentage" -lt "${min}" ]; then + failed "IS_TUNE2FS_M5" "Partition ${part} has less than ${min}% reserved blocks (${percentage}%)" fi done fi From 809146de52d03aa22abf28fbafa78be266e97882 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 24 Mar 2019 21:27:16 +0100 Subject: [PATCH 74/85] systemd network configuration is not supported yet --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 8156a88..fbecd6b 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -707,7 +707,7 @@ if is_debian; then if ! test -f /etc/network/interfaces; then IS_AUTOIF=0 IS_INTERFACESGW=0 - failed "IS_NETWORK_INTERFACES" + failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet" fi fi 
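Review bot: `reservedBlockCount` and `blockCount` are spliced into the awk program text, so when the upstream `grep -Eo` matched nothing the value is empty, the awk source is syntactically invalid, `percentage` comes back empty and `[ "$percentage" -lt "${min}" ]` errors instead of reporting. Passing the numbers as variables, `awk -v r="$reservedBlockCount" -v b="$blockCount" 'BEGIN { pc=100*r/b; i=int(pc); print (pc-i<0.5)?i:i+1 }'`, keeps data out of the program and lets an empty value evaluate as 0. The `continue` visible in the context appears to guard `blockCount` already; `reservedBlockCount` has no such guard.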
From f4b1c96be0c5a67b174b0177d0ba29557300066c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 24 Mar 2019 21:35:28 +0100 Subject: [PATCH 75/85] verbose mode for AUTOIF --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index fbecd6b..65f0a01 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -720,8 +720,8 @@ if is_debian; then fi for interface in $interfaces; do if ! grep -q "^auto $interface" /etc/network/interfaces; then - failed "IS_AUTOIF" - break + failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto" + test "${VERBOSE}" = 1 || break fi done fi From 3838f07c3beec96de22a79a34398865d6b8d77af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 24 Mar 2019 21:50:51 +0100 Subject: [PATCH 76/85] awstats must be installed to check its configuration --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 65f0a01..5cc4e0c 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -586,7 +586,7 @@ if is_debian; then # Verification du LogFormat de AWStats if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then - if is_installed apache2.2-common; then + if is_installed apache2.2-common awstats; then grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \ || failed "IS_AWSTATSLOGFORMAT" fi From 4547705b4590883da3db36af3bfae37aa537d1bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 24 Mar 2019 21:52:32 +0100 Subject: [PATCH 77/85] skip test if munin is not setup in cron mode --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 5cc4e0c..9b139b3 100755 --- a/evocheck.sh +++ b/evocheck.sh 
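Review bot: The new message names `${interface}`, but the test that triggers it, `grep -q "^auto $interface"`, is a prefix match: `^auto eth1` is satisfied by an `auto eth10` stanza, and an interface listed second on a single `auto eth0 eth1` line is never matched, so the failure can be both missed and misreported. `grep -qE "^auto( [^ ]+)* ${interface}( |$)" /etc/network/interfaces` covers both cases. The `interfaces` variable is computed outside the hunk.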
@@ -835,7 +835,7 @@ if is_debian; then if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1) - grep -q "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" + grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes" else failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)" fi From decb3fbb0cda939b522b8b012a535ea6805f8753 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Sun, 24 Mar 2019 21:56:20 +0100 Subject: [PATCH 78/85] bump version --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 9b139b3..d1cb0ed 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="0.14.0.beta1" +VERSION="0.14.0.beta2" # Disable LANG* export LANG=C From e9cee7c4c00706deaea83339c5542e7a0824606c Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 25 Mar 2019 10:04:40 +0100 Subject: [PATCH 79/85] report if blkid is missing --- evocheck.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/evocheck.sh b/evocheck.sh index d1cb0ed..13df04a 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1183,6 +1183,8 @@ if is_debian; then failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" fi rm "$tmpFile" + else + failed "IS_DUPLICATE_FS_LABEL" "blkid not found" fi fi From 774796e19004f375cb94d8501fcc4c2819249d62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Wed, 3 Apr 2019 21:25:57 +0200 Subject: [PATCH 80/85] fix lenny test --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/evocheck.sh b/evocheck.sh
index f2003ba..ea1fd94 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -191,7 +191,7 @@ is_debian() {
 test -n "${DEBIAN_RELEASE}"
 }
 is_debian_lenny() {
- test "${DEBIAN_VERSION}" = "lenny"
+ test "${DEBIAN_RELEASE}" = "lenny"
 }
 is_debian_squeeze() {
 test "${DEBIAN_RELEASE}" = "squeeze"
From 7dab67e30336e2c726730dbec4d9e3666715e0e5 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 4 Apr 2019 18:25:10 +0200
Subject: [PATCH 81/85] fix typo

---
 evocheck.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/evocheck.sh b/evocheck.sh
index 13df04a..190d8f3 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -543,7 +543,7 @@ if is_debian; then
 && test -h /etc/munin/plugins/apache_accesses \
 && test -h /etc/munin/plugins/apache_processes \
 && test -h /etc/munin/plugins/apache_volume; } \
- || failed "IS_APACHEMUNIN" "mising munin plugins for Apache"
+ || failed "IS_APACHEMUNIN" "missing munin plugins for Apache"
 else
 pattern="/server-status-[[:alnum:]]{4,}"
 { grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \
From 0fa12b0cfd18e1497b30ed5a28b06703af699eca Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 4 Apr 2019 18:28:49 +0200
Subject: [PATCH 82/85] use octal representation of permissions

---
 evocheck.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 190d8f3..3f6b7e2 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -500,16 +500,16 @@ if is_debian; then if [ "$IS_NRPEPERMS" = 1 ]; then if [ -d /etc/nagios ]; then - actual=$(stat --format "%A" /etc/nagios) - expected="drwxr-x---" + actual=$(stat --format "%a" /etc/nagios) + expected="750" test "$expected" = "$actual" || failed "IS_NRPEPERMS" fi fi if [ "$IS_MINIFWPERMS" = 1 ]; then if [ -f "$MINIFW_FILE" ]; then - actual=$(stat --format "%A" $MINIFW_FILE) - expected="-rw-------" + actual=$(stat --format "%a" $MINIFW_FILE) + expected="600" test "$expected" = "$actual" || failed "IS_MINIFWPERMS" fi fi @@ -1378,20 +1378,20 @@ if is_openbsd; then fi if [ "$IS_TMP_1777" = 1 ]; then - actual=$(stat --format "%A" /tmp) - expected="drwxrwxrwt" + actual=$(stat --format "%a" /tmp) + expected="1777" test "$expected" = "$actual" || failed "IS_TMP_1777" fi if [ "$IS_ROOT_0700" = 1 ]; then - actual=$(stat --format "%A" /root) - expected="drwx------" + actual=$(stat --format "%a" /root) + expected="700" test "$expected" = "$actual" || failed "IS_ROOT_0700" fi if [ "$IS_USRSHARESCRIPTS" = 1 ]; then - actual=$(stat --format "%A" /usr/share/scripts) - expected="drwx------" + actual=$(stat --format "%a" /usr/share/scripts) + expected="700" test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" fi From 4d952b1013e388cc11e1697fdc23e7f0a42cecd5 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 4 Apr 2019 18:30:46 +0200 Subject: [PATCH 83/85] limit Samba check to lenny --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 3f6b7e2..16b7aab 100755 --- a/evocheck.sh +++ b/evocheck.sh 
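Review bot: The rewritten `actual=$(stat --format "%a" $MINIFW_FILE)` still leaves `$MINIFW_FILE` unquoted while the `-f "$MINIFW_FILE"` guard just above it quotes the same variable; `actual=$(stat --format "%a" "$MINIFW_FILE")` is the consistent form and is the line being touched anyway. The IS_NRPEPERMS half of the hunk is fine as written.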
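Review bot: The hunk header's context reads `if is_openbsd; then`, which suggests the IS_TMP_1777, IS_ROOT_0700 and IS_USRSHARESCRIPTS checks sit in the OpenBSD section; if so, `stat --format "%a"` (like the `%A` it replaces) is GNU syntax, and OpenBSD's stat takes `-f` with its own tokens (`%Mp%Lp` for the octal mode), so these checks would fail on the platform they target. I cannot see the enclosing block here, so please confirm which section these lines live in; if they are OpenBSD-only, a small wrapper that picks the right stat invocation per platform would serve all five hunks. The expected values themselves (`1777`, `700`, `750`, `600`) match what GNU `%a` prints.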
@@ -788,9 +788,9 @@ if is_debian; then # Verification de la priorité du package samba si les backports sont utilisés if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then - if is_pack_samba; then + if is_debian_lenny && is_pack_samba; then if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then - priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=.*-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") + priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ") test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY" fi fi From 53b86b991fef23f466e826084f81c0911eb03bdf Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 4 Apr 2019 18:32:43 +0200 Subject: [PATCH 84/85] add a break --- evocheck.sh | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 16b7aab..3af1efa 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -946,7 +946,10 @@ if is_debian; then if is_debian_stretch; then users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') for user in $users; do - groups "$user" | grep -q adm || failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" + if ! groups "$user" | grep -q adm; then + failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group" + test "${VERBOSE}" = 1 || break + fi done fi fi From 9e50962b17e50d215c746e2414e7b7d96c713826 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 4 Apr 2019 20:52:13 +0200 Subject: [PATCH 85/85] do not print warnings in quiet mode --- evocheck.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 3af1efa..5c694c9 100755 --- a/evocheck.sh +++ b/evocheck.sh 
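Review bot: `groups "$user" | grep -q adm` in the rewritten condition is a substring match, so a user who is in `lpadmin` or `admin` but not in `adm` passes IS_USERINADMGROUP; `if ! groups "$user" | grep -qw adm; then` restricts it to the whole word. The `test "${VERBOSE}" = 1 || break` added alongside is consistent with the other loops in this series.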
@@ -282,7 +282,9 @@ while :; do
 ;;
 -?*|[[:alnum:]]*)
 # ignore unknown options
- printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
+ if [ "${QUIET}" != 1 ]; then
+ printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
+ fi
 ;;
 *)
 # Default case: If no more options then break out of the loop.
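Review bot: `[ "${QUIET}" != 1 ]` relies on `QUIET` being initialised somewhere above the option loop; the hunk does not show such a default, and if the script ever runs with `set -u` an unset `QUIET` aborts argument parsing on the first unknown option. If no default exists, `QUIET="${QUIET:-0}"` next to the other option defaults makes the new branch safe. The `while :; do` loop starts and ends outside the hunk.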