evolix/evocheck
evolix/evocheck
21
2
Fork 2
Code Issues 48 Pull requests 5 Releases 37 Wiki Activity

Merge branch 'fast-debian-check' of evolix/evocheck into master
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source
This commit is contained in:
Benoît S. 2019-04-05 11:01:52 +02:00 committed by Gitea
parent 90bddc0535 bbb34c7df0
commit 84d197047a
1 changed files with 687 additions and 300 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

987
evocheck.sh
View file

@ -4,6 +4,8 @@
# Script to verify compliance of a Debian/OpenBSD server # Script to verify compliance of a Debian/OpenBSD server
# powered by Evolix # powered by Evolix
VERSION="0.14.0.beta2"
# Disable LANG* # Disable LANG*
export LANG=C export LANG=C
export LANGUAGE=C export LANGUAGE=C
@ -58,7 +60,6 @@ IS_BINDCHROOT=1
IS_REPVOLATILE=1 IS_REPVOLATILE=1
IS_AUTOIF=1 IS_AUTOIF=1
IS_INTERFACESGW=1 IS_INTERFACESGW=1
IS_TOOMUCHDEBIANSYSMAINT=1
IS_USERLOGROTATE=1 IS_USERLOGROTATE=1
IS_MODSECURITY=1 IS_MODSECURITY=1
IS_APACHECTL=1 IS_APACHECTL=1
@ -70,6 +71,7 @@ IS_KERNELUPTODATE=1
IS_UPTIME=1 IS_UPTIME=1
IS_MUNINRUNNING=1 IS_MUNINRUNNING=1
IS_BACKUPUPTODATE=1 IS_BACKUPUPTODATE=1
IS_ETCGIT=1
IS_GITPERMS=1 IS_GITPERMS=1
IS_NOTUPGRADED=1 IS_NOTUPGRADED=1
IS_TUNE2FS_M5=1 IS_TUNE2FS_M5=1
@ -107,6 +109,7 @@ IS_EVOACME_LIVELINKS=1
IS_APACHE_CONFENABLED=1 IS_APACHE_CONFENABLED=1
IS_MELTDOWN_SPECTRE=1 IS_MELTDOWN_SPECTRE=1
IS_OLD_HOME_DIR=1 IS_OLD_HOME_DIR=1
IS_LSBRELEASE=1
#Proper to OpenBSD #Proper to OpenBSD
IS_SOFTDEP=1 IS_SOFTDEP=1
@ -125,86 +128,247 @@ IS_NRPEDAEMON=1
IS_ALERTBOOT=1 IS_ALERTBOOT=1
IS_RSYNC=1 IS_RSYNC=1
# logging function # Default return code : 0 = no error
failed() { RC=0
check_name=$1
shift
check_comments=$@
if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1
else
printf "%s FAILED!\n" "${check_name}" 2>&1
fi
}
# Source configuration file # Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf test -f /etc/evocheck.cf && . /etc/evocheck.cf
VERBOSE="${VERBOSE:-0}" # OS detection
DEBIAN_RELEASE=""
LSB_RELEASE_BIN=$(command -v lsb_release)
OPENBSD_RELEASE=""
# If --cron is passed, ignore some checks. if [ -e /etc/debian_version ]; then
if [ "$1" = "--cron" ]; then DEBIAN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
IS_KERNELUPTODATE=0 if [ -x "${LSB_RELEASE_BIN}" ]; then
IS_UPTIME=0 DEBIAN_RELEASE=$(${LSB_RELEASE_BIN} --codename --short)
else
case ${DEBIAN_VERSION} in
5) DEBIAN_RELEASE="lenny";;
6) DEBIAN_RELEASE="squeeze";;
7) DEBIAN_RELEASE="wheezy";;
8) DEBIAN_RELEASE="jessie";;
9) DEBIAN_RELEASE="stretch";;
esac
fi
elif [ "$(uname -s)" = "OpenBSD" ]; then
# use a better release name
OPENBSD_RELEASE=$(uname -r)
fi fi
# Functions # Functions
show_version() {
cat <<END
evocheck version ${VERSION}
Copyright 2009-2019 Evolix <info@evolix.fr>,
Romain Dessort <rdessort@evolix.fr>,
Benoit Série <bserie@evolix.fr>,
Gregory Colpart <reg@evolix.fr>,
Jérémy Lecour <jlecour@evolix.fr>,
Tristan Pilat <tpilat@evolix.fr>,
Victor Laborie <vlaborie@evolix.fr>
and others.
evocheck comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under certain conditions.
See the GNU General Public License v3.0 for details.
END
}
show_help() {
cat <<END
evocheck is a script that verifies Evolix conventions on Debian/OpenBSD servers.
Usage: evocheck
or evocheck --cron
or evocheck --quiet
or evocheck --verbose
Options
--cron disable a few checks
-v, --verbose increase verbosity of checks
-q, --quiet nothing is printed on stdout nor stderr
-h, --help print this message and exit
--version print version and exit
END
}
is_debian() {
test -n "${DEBIAN_RELEASE}"
}
is_debian_lenny() {
test "${DEBIAN_RELEASE}" = "lenny"
}
is_debian_squeeze() {
test "${DEBIAN_RELEASE}" = "squeeze"
}
is_debian_wheezy() {
test "${DEBIAN_RELEASE}" = "wheezy"
}
is_debian_jessie() {
test "${DEBIAN_RELEASE}" = "jessie"
}
is_debian_stretch() {
test "${DEBIAN_RELEASE}" = "stretch"
}
debian_release() {
printf "%s" "${DEBIAN_RELEASE}"
}
debian_version() {
printf "%s" "${DEBIAN_VERSION}"
}
is_openbsd() {
test -n "${OPENBSD_RELEASE}"
}
is_pack_web(){ is_pack_web(){
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
} }
is_pack_samba(){ is_pack_samba(){
test -e /usr/share/scripts/add.pl test -e /usr/share/scripts/add.pl
} }
is_installed(){ is_installed(){
for pkg in $*; do for pkg in "$@"; do
dpkg -l $pkg 2>/dev/null | grep -q -E '^(i|h)i' || return 1 dpkg -l "$pkg" 2> /dev/null | grep -q -E '^(i|h)i' || return 1
done done
} }
is_debianversion(){ # logging
[ $(lsb_release -c -s) = $1 ] && return 0 failed() {
check_name=$1
shift
check_comments=$*
RC=1
if [ "${QUIET}" != 1 ]; then
if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then
printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1
else
printf "%s FAILED!\n" "${check_name}" 2>&1
fi
fi
} }
is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc # Parse options
is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc # based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall while :; do
is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall case $1 in
-h|-\?|--help)
show_help
exit 0
;;
--version)
show_version
exit 0
;;
--cron)
IS_KERNELUPTODATE=0
IS_UPTIME=0
;;
-v|--verbose)
VERBOSE=1
;;
-q|--quiet)
QUIET=1
VERBOSE=0
;;
--)
# End of all options.
shift
break
;;
-?*|[[:alnum:]]*)
# ignore unknown options
if [ "${QUIET}" != 1 ]; then
printf 'WARN: Unknown option (ignored): %s\n' "$1" >&2
fi
;;
*)
# Default case: If no more options then break out of the loop.
break
;;
esac
shift
done
#----------------------------------------------------------- #-----------------------------------------------------------
#Vérifie si c'est une debian et fait les tests appropriés. #Vérifie si c'est une debian et fait les tests appropriés.
#----------------------------------------------------------- #-----------------------------------------------------------
if [ -e /etc/debian_version ]; then if is_debian; then
is_debian_lenny && MINIFW_FILE=/etc/firewall.rc
is_debian_squeeze && MINIFW_FILE=/etc/firewall.rc
is_debian_wheezy && MINIFW_FILE=/etc/firewall.rc
is_debian_jessie && MINIFW_FILE=/etc/default/minifirewall
is_debian_stretch && MINIFW_FILE=/etc/default/minifirewall
if [ "$IS_LSBRELEASE" = 1 ]; then
if [ -x "${LSB_RELEASE_BIN}" ]; then
## only the major version matters
lhs=$(${LSB_RELEASE_BIN} --release --short | cut -d "." -f 1)
rhs=$(cut -d "." -f 1 < /etc/debian_version)
test "$lhs" = "$rhs" || failed "IS_LSBRELEASE" "release is not consistent between lsb_release and /etc/debian_version"
else
failed "IS_LSBRELEASE" "lsb_release is missing or not executable"
fi
fi
if [ "$IS_DPKGWARNING" = 1 ]; then if [ "$IS_DPKGWARNING" = 1 ]; then
is_debianversion squeeze && ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && ( \ if is_debian_squeeze; then
grep -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" \ if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
/etc/apt/apt.conf | wc -l | grep -q ^2$ || failed "IS_DPKGWARNING" ) count=$(grep -c -E -i "(Pre-Invoke ..echo Are you sure to have rw on|Post-Invoke ..echo Dont forget to mount -o remount)" /etc/apt/apt.conf)
is_debianversion wheezy && ( ( [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ] ) && \ test "$count" = 2 || failed "IS_DPKGWARNING" "Pre/Post-Invoke are missing."
( test -e /etc/apt/apt.conf.d/80evolinux || failed "IS_DPKGWARNING" ) fi
test -e /etc/apt/apt.conf && failed "IS_DPKGWARNING" ) elif is_debian_wheezy; then
is_debianversion stretch && (test -e /etc/apt/apt.conf.d/z-evolinux.conf || failed "IS_DPKGWARNING") if [ "$IS_USRRO" = 1 ] || [ "$IS_TMPNOEXEC" = 1 ]; then
test -e /etc/apt/apt.conf.d/80evolinux \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/80evolinux is missing"
test -e /etc/apt/apt.conf \
&& failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing"
fi
elif is_debian_stretch; then
test -e /etc/apt/apt.conf.d/z-evolinux.conf \
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
fi
fi fi
if [ "$IS_UMASKSUDOERS" = 1 ]; then if [ "$IS_UMASKSUDOERS" = 1 ]; then
is_debianversion squeeze && ( grep -q ^Defaults.*umask=0077 /etc/sudoers || failed "IS_UMASKSUDOERS" ) if is_debian_squeeze; then
grep -q "^Defaults.*umask=0077" /etc/sudoers \
|| failed "IS_UMASKSUDOERS" "sudoers must set umask to 0077"
fi
fi fi
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix) # Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
if [ "$IS_NRPEPOSTFIX" = 1 ]; then if [ "$IS_NRPEPOSTFIX" = 1 ]; then
is_debianversion squeeze && is_installed postfix && ( grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg || failed "IS_NRPEPOSTFIX" ) if is_installed postfix; then
is_debianversion squeeze || ( is_installed postfix && ( test -e /etc/nagios/nrpe.cfg && grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.* || failed "IS_NRPEPOSTFIX" ) ) if is_debian_squeeze; then
grep -q "^command.*check_mailq -M postfix" /etc/nagios/nrpe.cfg \
|| failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
else
{ test -e /etc/nagios/nrpe.cfg \
&& grep -qr "^command.*check_mailq -M postfix" /etc/nagios/nrpe.*;
} || failed "IS_NRPEPOSTFIX" "NRPE \"check_mailq\" for postfix is missing"
fi
fi
fi fi
# Check if mod-security config file is present # Check if mod-security config file is present
if [ "$IS_MODSECURITY" = 1 ]; then if [ "$IS_MODSECURITY" = 1 ]; then
is_debianversion squeeze && is_installed libapache-mod-security && \ if is_debian_squeeze; then
(test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY") if is_installed libapache-mod-security; then
is_debianversion wheezy && is_installed libapache2-modsecurity && \ test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
(test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY") fi
elif is_debian_wheezy; then
if is_installed libapache2-modsecurity; then
test -e /etc/apache2/conf.d/mod-security2.conf || failed "IS_MODSECURITY" "missing configuration file"
fi
fi
fi fi
if [ "$IS_CUSTOMSUDOERS" = 1 ]; then if [ "$IS_CUSTOMSUDOERS" = 1 ]; then
@ -212,11 +376,11 @@ if [ -e /etc/debian_version ]; then
fi fi
if [ "$IS_VARTMPFS" = 1 ]; then if [ "$IS_VARTMPFS" = 1 ]; then
df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" df /var/tmp | grep -q tmpfs || failed "IS_VARTMPFS" "/var/tmp is not a tmpfs"
fi fi
if [ "$IS_SERVEURBASE" = 1 ]; then if [ "$IS_SERVEURBASE" = 1 ]; then
is_installed serveur-base || failed "IS_SERVEURBASE" is_installed serveur-base || failed "IS_SERVEURBASE" "serveur-base package is not installed"
fi fi
if [ "$IS_LOGROTATECONF" = 1 ]; then if [ "$IS_LOGROTATECONF" = 1 ]; then
@ -224,26 +388,31 @@ if [ -e /etc/debian_version ]; then
fi fi
if [ "$IS_SYSLOGCONF" = 1 ]; then if [ "$IS_SYSLOGCONF" = 1 ]; then
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf || failed "IS_SYSLOGCONF" grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \
|| failed "IS_SYSLOGCONF"
fi fi
if [ "$IS_DEBIANSECURITY" = 1 ]; then if [ "$IS_DEBIANSECURITY" = 1 ]; then
grep -q "^deb.*security" /etc/apt/sources.list || failed "IS_DEBIANSECURITY" grep -q "^deb.*security" /etc/apt/sources.list \
|| failed "IS_DEBIANSECURITY"
fi fi
if [ "$IS_APTITUDEONLY" = 1 ]; then if [ "$IS_APTITUDEONLY" = 1 ]; then
is_debianversion squeeze && test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" if is_debian_squeeze || is_debian_wheezy; then
is_debianversion wheezy && test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY" test -e /usr/bin/apt-get && failed "IS_APTITUDEONLY"
fi
fi fi
if [ "$IS_APTITUDE" = 1 ]; then if [ "$IS_APTITUDE" = 1 ]; then
is_debianversion jessie && test -e /usr/bin/aptitude && failed "IS_APTITUDE" if is_debian_jessie || is_debian_stretch; then
is_debianversion stretch && test -e /usr/bin/aptitude && failed "IS_APTITUDE" test -e /usr/bin/aptitude && failed "IS_APTITUDE"
fi
fi fi
if [ "$IS_APTGETBAK" = 1 ]; then if [ "$IS_APTGETBAK" = 1 ]; then
is_debianversion jessie && test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" if is_debian_jessie || is_debian_stretch; then
is_debianversion stretch && test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK"
fi
fi fi
if [ "$IS_APTICRON" = 1 ]; then if [ "$IS_APTICRON" = 1 ]; then
@ -251,7 +420,10 @@ if [ -e /etc/debian_version ]; then
test -e /etc/cron.d/apticron || status="fail" test -e /etc/cron.d/apticron || status="fail"
test -e /etc/cron.daily/apticron && status="fail" test -e /etc/cron.daily/apticron && status="fail"
test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail" test "$status" = "fail" || test -e /usr/bin/apt-get.bak || status="fail"
( is_debianversion squeeze || is_debianversion wheezy ) && test "$status" = "fail" && failed "IS_APTICRON"
if is_debian_squeeze || is_debian_wheezy; then
test "$status" = "fail" && failed "IS_APTICRON"
fi
fi fi
if [ "$IS_USRRO" = 1 ]; then if [ "$IS_USRRO" = 1 ]; then
@ -264,22 +436,23 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_MOUNT_FSTAB" = 1 ]; then if [ "$IS_MOUNT_FSTAB" = 1 ]; then
# Test if lsblk available, if not skip this test... # Test if lsblk available, if not skip this test...
if test -x "$(command -v lsblk)"; then LSBLK_BIN=$(command -v lsblk)
for mountPoint in $(lsblk -o MOUNTPOINT -l -n | grep '/'); do if test -x "${LSBLK_BIN}"; then
for mountPoint in $(${LSBLK_BIN} -o MOUNTPOINT -l -n | grep '/'); do
grep -Eq "$mountPoint\W" /etc/fstab || failed "IS_MOUNT_FSTAB" grep -Eq "$mountPoint\W" /etc/fstab || failed "IS_MOUNT_FSTAB"
done done
fi fi
fi fi
if [ "$IS_LISTCHANGESCONF" = 1 ]; then if [ "$IS_LISTCHANGESCONF" = 1 ]; then
if is_debianversion stretch; then if is_debian_stretch; then
if is_installed apt-listchanges; then if is_installed apt-listchanges; then
failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Stretch" failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Stretch"
fi fi
else else
if [ -e "/etc/apt/listchanges.conf" ]; then if [ -e "/etc/apt/listchanges.conf" ]; then
lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf) lines=$(grep -cE "(which=both|confirm=1)" /etc/apt/listchanges.conf)
if [ $lines != 2 ]; then if [ "$lines" != 2 ]; then
failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect" failed "IS_LISTCHANGESCONF" "apt-listchanges config is incorrect"
fi fi
else else
@ -289,7 +462,8 @@ if [ -e /etc/debian_version ]; then
fi fi
if [ "$IS_CUSTOMCRONTAB" = 1 ]; then if [ "$IS_CUSTOMCRONTAB" = 1 ]; then
grep -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab | wc -l | grep -q ^4$ && failed "IS_CUSTOMCRONTAB" found_lines=$(grep -c -E "^(17 \*|25 6|47 6|52 6)" /etc/crontab)
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB"
fi fi
if [ "$IS_SSHALLOWUSERS" = 1 ]; then if [ "$IS_SSHALLOWUSERS" = 1 ]; then
@ -301,46 +475,86 @@ if [ -e /etc/debian_version ]; then
fi fi
if [ "$IS_TMOUTPROFILE" = 1 ]; then if [ "$IS_TMOUTPROFILE" = 1 ]; then
grep -q TMOUT= /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set"
fi fi
if [ "$IS_ALERT5BOOT" = 1 ]; then if [ "$IS_ALERT5BOOT" = 1 ]; then
grep -q ^date /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script"
else
failed "IS_ALERT5BOOT" "alert5 init script is missing"
fi
fi fi
if [ "$IS_ALERT5MINIFW" = 1 ]; then if [ "$IS_ALERT5MINIFW" = 1 ]; then
grep -q ^/etc/init.d/minifirewall /etc/rc2.d/S*alert5 || failed "IS_ALERT5MINIFW" if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then
grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \
|| failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script"
else
failed "IS_ALERT5MINIFW" "alert5 init script is missing"
fi
fi fi
if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then if [ "$IS_ALERT5MINIFW" = 1 ] && [ "$IS_MINIFW" = 1 ]; then
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" || failed "IS_MINIFW" /sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|| failed "IS_MINIFW"
fi fi
if [ "$IS_NRPEPERMS" = 1 ]; then if [ "$IS_NRPEPERMS" = 1 ]; then
test -d /etc/nagios && ls -ld /etc/nagios | grep -q drwxr-x--- || failed "IS_NRPEPERMS" if [ -d /etc/nagios ]; then
actual=$(stat --format "%a" /etc/nagios)
expected="750"
test "$expected" = "$actual" || failed "IS_NRPEPERMS"
fi
fi fi
if [ "$IS_MINIFWPERMS" = 1 ]; then if [ "$IS_MINIFWPERMS" = 1 ]; then
ls -l "$MINIFW_FILE" | grep -q -- -rw------- || failed "IS_MINIFWPERMS" if [ -f "$MINIFW_FILE" ]; then
actual=$(stat --format "%a" $MINIFW_FILE)
expected="600"
test "$expected" = "$actual" || failed "IS_MINIFWPERMS"
fi
fi fi
if [ "$IS_NRPEDISKS" = 1 ]; then if [ "$IS_NRPEDISKS" = 1 ]; then
NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) NRPEDISKS=$(grep command.check_disk /etc/nagios/nrpe.cfg | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) DFDISKS=$(df -Pl | grep -c -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)")
[ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS" test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS"
fi fi
if [ "$IS_NRPEPID" = 1 ]; then if [ "$IS_NRPEPID" = 1 ]; then
is_debianversion squeeze || (test -e /etc/nagios/nrpe.cfg && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg || failed "IS_NRPEPID") if ! is_debian_squeeze; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID"
fi
fi fi
if [ "$IS_GRSECPROCS" = 1 ]; then if [ "$IS_GRSECPROCS" = 1 ]; then
uname -a | grep -q grsec && ( grep -q ^command.check_total_procs..sudo /etc/nagios/nrpe.cfg && grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root" || failed "IS_GRSECPROCS" ) if uname -a | grep -q grsec; then
{ grep -q "^command.check_total_procs..sudo" /etc/nagios/nrpe.cfg \
&& grep -A1 "^\[processes\]" /etc/munin/plugin-conf.d/munin-node | grep -q "^user root";
} || failed "IS_GRSECPROCS"
fi
fi fi
if [ "$IS_APACHEMUNIN" = 1 ]; then if [ "$IS_APACHEMUNIN" = 1 ]; then
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch || ( grep -E -q "^env.url.*/server-status-[[:alnum:]]{4}" /etc/munin/plugin-conf.d/munin-node && grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf || grep -E -q "/server-status-[[:alnum:]]{4}" /etc/apache2/apache2.conf /etc/apache2/mods-enabled/status.conf 2>/dev/null || failed "IS_APACHEMUNIN" ) ) if test -e /etc/apache2/apache2.conf; then
test -e /etc/apache2/apache2.conf && ( is_debianversion stretch && ( test -h /etc/apache2/mods-enabled/status.load && test -h /etc/munin/plugins/apache_accesses && test -h /etc/munin/plugins/apache_processes && test -h /etc/munin/plugins/apache_accesses || failed "IS_APACHEMUNIN" ) ) if is_debian_stretch; then
{ test -h /etc/apache2/mods-enabled/status.load \
&& test -h /etc/munin/plugins/apache_accesses \
&& test -h /etc/munin/plugins/apache_processes \
&& test -h /etc/munin/plugins/apache_volume; } \
|| failed "IS_APACHEMUNIN" "missing munin plugins for Apache"
else
pattern="/server-status-[[:alnum:]]{4,}"
{ grep -r -q -s -E "^env.url.*${pattern}" /etc/munin/plugin-conf.d \
&& { grep -q -s -E "${pattern}" /etc/apache2/apache2.conf \
|| grep -q -s -E "${pattern}" /etc/apache2/mods-enabled/status.conf;
};
} || failed "IS_APACHEMUNIN" "server status is not properly configured"
fi
fi
fi fi
# Verification mytop + Munin si MySQL # Verification mytop + Munin si MySQL
@ -364,20 +578,27 @@ if [ -e /etc/debian_version ]; then
# Verification de la configuration du raid soft (mdadm) # Verification de la configuration du raid soft (mdadm)
if [ "$IS_RAIDSOFT" = 1 ]; then if [ "$IS_RAIDSOFT" = 1 ]; then
test -e /proc/mdstat && grep -q md /proc/mdstat && \ if test -e /proc/mdstat && grep -q md /proc/mdstat; then
( grep -q "^AUTOCHECK=true" /etc/default/mdadm \ { grep -q "^AUTOCHECK=true" /etc/default/mdadm \
&& grep -q "^START_DAEMON=true" /etc/default/mdadm \ && grep -q "^START_DAEMON=true" /etc/default/mdadm \
&& grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf || failed "IS_RAIDSOFT") && grep -qv "^MAILADDR ___MAIL___" /etc/mdadm/mdadm.conf;
} || failed "IS_RAIDSOFT"
fi
fi fi
# Verification du LogFormat de AWStats # Verification du LogFormat de AWStats
if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then if [ "$IS_AWSTATSLOGFORMAT" = 1 ]; then
is_installed apache2.2-common && ( grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local || failed "IS_AWSTATSLOGFORMAT" ) if is_installed apache2.2-common awstats; then
grep -qE '^LogFormat=1' /etc/awstats/awstats.conf.local \
|| failed "IS_AWSTATSLOGFORMAT"
fi
fi fi
# Verification de la présence de la config logrotate pour Munin # Verification de la présence de la config logrotate pour Munin
if [ "$IS_MUNINLOGROTATE" = 1 ]; then if [ "$IS_MUNINLOGROTATE" = 1 ]; then
( test -e /etc/logrotate.d/munin-node && test -e /etc/logrotate.d/munin ) || failed "IS_MUNINLOGROTATE" { test -e /etc/logrotate.d/munin-node \
&& test -e /etc/logrotate.d/munin;
} || failed "IS_MUNINLOGROTATE"
fi fi
# Verification de la présence de metche # Verification de la présence de metche
@ -387,13 +608,21 @@ if [ -e /etc/debian_version ]; then
# Verification de l'activation de Squid dans le cas d'un pack mail # Verification de l'activation de Squid dans le cas d'un pack mail
if [ "$IS_SQUID" = 1 ]; then if [ "$IS_SQUID" = 1 ]; then
squidconffile=/etc/squid*/squid.conf if is_debian_stretch; then
is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf squidconffile="/etc/squid/evolinux-custom.conf"
is_pack_web && ( is_installed squid || is_installed squid3 \ else
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \ squidconffile="/etc/squid*/squid.conf"
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \ fi
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \ if is_pack_web && (is_installed squid || is_installed squid3); then
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || failed "IS_SQUID" ) host=$(hostname -i)
# shellcheck disable=SC2086
http_port=$(grep "http_port" $squidconffile | cut -f 2 -d " ")
{ grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d $host -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" "$MINIFW_FILE" \
&& grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* $http_port" "$MINIFW_FILE";
} || failed "IS_SQUID"
fi
fi fi
if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
@ -408,155 +637,247 @@ if [ -e /etc/debian_version ]; then
# Verification de la conf et de l'activation de mod-deflate # Verification de la conf et de l'activation de mod-deflate
if [ "$IS_MODDEFLATE" = 1 ]; then if [ "$IS_MODDEFLATE" = 1 ]; then
f=/etc/apache2/mods-enabled/deflate.conf f=/etc/apache2/mods-enabled/deflate.conf
is_installed apache2.2 && (test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \ if is_installed apache2.2; then
&& grep -q "AddOutputFilterByType DEFLATE text/css" $f \ { test -e $f && grep -q "AddOutputFilterByType DEFLATE text/html text/plain text/xml" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f || failed "IS_MODDEFLATE") && grep -q "AddOutputFilterByType DEFLATE text/css" $f \
&& grep -q "AddOutputFilterByType DEFLATE application/x-javascript application/javascript" $f;
} || failed "IS_MODDEFLATE"
fi
fi fi
# Verification de la conf log2mail # Verification de la conf log2mail
if [ "$IS_LOG2MAILRUNNING" = 1 ]; then if [ "$IS_LOG2MAILRUNNING" = 1 ]; then
is_pack_web && (is_installed log2mail && pgrep log2mail >/dev/null || echo 'IS_LOG2MAILRUNNING') if is_pack_web && is_installed log2mail; then
pgrep log2mail >/dev/null || failed 'IS_LOG2MAILRUNNING'
fi
fi fi
if [ "$IS_LOG2MAILAPACHE" = 1 ]; then if [ "$IS_LOG2MAILAPACHE" = 1 ]; then
if is_debianversion stretch; then if is_debian_stretch; then
conf=/etc/log2mail/config/apache conf=/etc/log2mail/config/apache
else else
conf=/etc/log2mail/config/default conf=/etc/log2mail/config/default
fi fi
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/apache2/error.log" $conf 2>/dev/null || failed "IS_LOG2MAILAPACHE" ) if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/apache2/error.log" $conf \
|| failed "IS_LOG2MAILAPACHE"
fi
fi fi
if [ "$IS_LOG2MAILMYSQL" = 1 ]; then if [ "$IS_LOG2MAILMYSQL" = 1 ]; then
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} 2>/dev/null || failed "IS_LOG2MAILMYSQL" ) if is_pack_web && is_installed log2mail; then
grep -s -q "^file = /var/log/syslog" /etc/log2mail/config/{default,mysql,mysql.conf} \
|| failed "IS_LOG2MAILMYSQL"
fi
fi fi
if [ "$IS_LOG2MAILSQUID" = 1 ]; then if [ "$IS_LOG2MAILSQUID" = 1 ]; then
is_pack_web && ( is_installed log2mail && grep -q "^file = /var/log/squid.*/access.log" \ if is_pack_web && is_installed log2mail; then
/etc/log2mail/config/* 2>/dev/null || failed "IS_LOG2MAILSQUID" ) grep -s -q "^file = /var/log/squid.*/access.log" /etc/log2mail/config/* \
|| failed "IS_LOG2MAILSQUID"
fi
fi fi
# Verification si bind est chroote # Verification si bind est chroote
if [ "$IS_BINDCHROOT" = 1 ]; then if [ "$IS_BINDCHROOT" = 1 ]; then
if is_installed bind9 && $(netstat -utpln |grep "/named" |grep :53 |grep -qvE "(127.0.0.1|::1)"); then if is_installed bind9; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
if [ "$(md5sum /usr/sbin/named |cut -f 1 -d ' ')" != "$(md5sum /var/chroot-bind/usr/sbin/named |cut -f 1 -d ' ')" ]; then if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
failed "IS_BINDCHROOT" md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ')
md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ')
if [ "$md5_original" != "$md5_chrooted" ]; then
failed "IS_BINDCHROOT" "The chrooted bind binary is differet than the original binary"
fi
else
failed "IS_BINDCHROOT" "bind process is not chrooted"
fi fi
else
failed "IS_BINDCHROOT"
fi fi
fi fi
fi fi
# Verification de la présence du depot volatile # Verification de la présence du depot volatile
if [ "$IS_REPVOLATILE" = 1 ]; then if [ "$IS_REPVOLATILE" = 1 ]; then
test `cat /etc/debian_version |cut -d "." -f 1` -eq 5 && (grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list || failed "IS_REPVOLATILE") if is_debian_lenny; then
test `cat /etc/debian_version |cut -d "." -f 1` -eq 6 && (grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list || failed "IS_REPVOLATILE") grep -qE "^deb http://volatile.debian.org/debian-volatile" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE"
fi
if is_debian_squeeze; then
grep -qE "^deb.*squeeze-updates" /etc/apt/sources.list \
|| failed "IS_REPVOLATILE"
fi
fi fi
# /etc/network/interfaces should be present, we don't manage systemd-network yet # /etc/network/interfaces should be present, we don't manage systemd-network yet
if [ "$IS_NETWORK_INTERFACES" = 1 ]; then if [ "$IS_NETWORK_INTERFACES" = 1 ]; then
if ! test -f /etc/network/interfaces; then if ! test -f /etc/network/interfaces; then
failed "IS_NETWORK_INTERFACES"
IS_AUTOIF=0 IS_AUTOIF=0
IS_INTERFACESGW=0 IS_INTERFACESGW=0
failed "IS_NETWORK_INTERFACES" "systemd network configuration is not supported yet"
fi fi
fi fi
# Verify if all if are in auto # Verify if all if are in auto
if [ "$IS_AUTOIF" = 1 ]; then if [ "$IS_AUTOIF" = 1 ]; then
is_debianversion stretch || for interface in `/sbin/ifconfig -s |tail -n +2 |grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" |cut -d " " -f 1 |tr "\n" " "`; do if is_debian_stretch; then
grep -q "^auto $interface" /etc/network/interfaces || (failed "IS_AUTOIF" && break) interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
done else
is_debianversion stretch && for interface in `/sbin/ip address show up | grep ^[0-9]*: |grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 |tr -d : |cut -d@ -f1 |tr "\n" " "`; do interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ")
grep -q "^auto $interface" /etc/network/interfaces || (failed "IS_AUTOIF" && break) fi
for interface in $interfaces; do
if ! grep -q "^auto $interface" /etc/network/interfaces; then
failed "IS_AUTOIF" "Network interface \`${interface}' is not set to auto"
test "${VERBOSE}" = 1 || break
fi
done done
fi fi
# Network conf verification # Network conf verification
if [ "$IS_INTERFACESGW" = 1 ]; then if [ "$IS_INTERFACESGW" = 1 ]; then
number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces) number=$(grep -Ec "^[^#]*gateway [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" /etc/network/interfaces)
test $number -gt 1 && failed "IS_INTERFACESGW" test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv4 gateway"
number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces) number=$(grep -Ec "^[^#]*gateway [0-9a-fA-F]+:" /etc/network/interfaces)
test $number -gt 1 && failed "IS_INTERFACESGW" test "$number" -gt 1 && failed "IS_INTERFACESGW" "there is more than 1 IPv6 gateway"
fi fi
# Verification de la mise en place d'evobackup # Verification de la mise en place d'evobackup
if [ "$IS_EVOBACKUP" = 1 ]; then if [ "$IS_EVOBACKUP" = 1 ]; then
ls /etc/cron* |grep -q "evobackup" || failed "IS_EVOBACKUP" evobackup_found=$(find /etc/cron* -name '*evobackup*' | wc -l)
test "$evobackup_found" -gt 0 || failed "IS_EVOBACKUP"
fi fi
# Verification de la presence du userlogrotate # Verification de la presence du userlogrotate
if [ "$IS_USERLOGROTATE" = 1 ]; then if [ "$IS_USERLOGROTATE" = 1 ]; then
is_pack_web && (test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE") if is_pack_web; then
test -x /etc/cron.weekly/userlogrotate || failed "IS_USERLOGROTATE"
fi
fi fi
# Verification de la syntaxe de la conf d'Apache # Verification de la syntaxe de la conf d'Apache
if [ "$IS_APACHECTL" = 1 ]; then if [ "$IS_APACHECTL" = 1 ]; then
is_installed apache2.2-common && (/usr/sbin/apache2ctl configtest 2>&1 |grep -q "^Syntax OK$" || failed "IS_APACHECTL") if is_installed apache2.2-common; then
/usr/sbin/apache2ctl configtest 2>&1 | grep -q "^Syntax OK$" || failed "IS_APACHECTL"
fi
fi fi
# Check if there is regular files in Apache sites-enabled. # Check if there is regular files in Apache sites-enabled.
if [ "$IS_APACHESYMLINK" = 1 ]; then if [ "$IS_APACHESYMLINK" = 1 ]; then
is_installed apache2.2-common && \ if is_installed apache2.2-common; then
(stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK") stat -c %F /etc/apache2/sites-enabled/* | grep -q regular && failed "IS_APACHESYMLINK"
fi
fi fi
# Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so). # Check if there is real IP addresses in Allow/Deny directives (no trailing space, inline comments or so).
if [ "$IS_APACHEIPINALLOW" = 1 ]; then if [ "$IS_APACHEIPINALLOW" = 1 ]; then
# Note: Replace "exit 1" by "print" in Perl code to debug it. # Note: Replace "exit 1" by "print" in Perl code to debug it.
is_installed apache2.2-common && \ if is_installed apache2.2-common; then
(grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ |grep -iv "from all" |grep -iv "env=" |perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' || failed "IS_APACHEIPINALLOW") grep -IrE "^[^#] *(Allow|Deny) from" /etc/apache2/ \
| grep -iv "from all" \
| grep -iv "env=" \
| perl -ne 'exit 1 unless (/from( [\da-f:.\/]+)+$/i)' \
|| failed "IS_APACHEIPINALLOW"
fi
fi fi
# Check if default Apache configuration file for munin is absent (or empty or commented). # Check if default Apache configuration file for munin is absent (or empty or commented).
if [ "$IS_MUNINAPACHECONF" = 1 ]; then if [ "$IS_MUNINAPACHECONF" = 1 ]; then
if is_debianversion squeeze || is_debianversion wheezy; then if is_debian_squeeze || is_debian_wheezy; then
muninconf="/etc/apache2/conf.d/munin" muninconf="/etc/apache2/conf.d/munin"
else else
muninconf="/etc/apache2/conf-available/munin.conf" muninconf="/etc/apache2/conf-available/munin.conf"
fi fi
is_installed apache2.2-common && ([ -e $muninconf ] && grep -vEq "^( |\t)*#" $muninconf && failed "IS_MUNINAPACHECONF") if is_installed apache2.2-common; then
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" && failed "IS_MUNINAPACHECONF"
fi
fi fi
# Verification de la priorité du package samba si les backports sont utilisés # Verification de la priorité du package samba si les backports sont utilisés
if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then if [ "$IS_SAMBAPINPRIORITY" = 1 ]; then
is_pack_samba && grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d} && ( priority=`grep -E -A2 "^Package:.*samba" /etc/apt/preferences |grep -A1 "^Pin: release a=lenny-backports" |grep "^Pin-Priority:" |cut -f2 -d" "` && test $priority -gt 500 || failed "IS_SAMBAPINPRIORITY" ) if is_debian_lenny && is_pack_samba; then
if grep -qrE "^[^#].*backport" /etc/apt/sources.list{,.d}; then
priority=$(grep -E -A2 "^Package:.*samba" /etc/apt/preferences | grep -A1 "^Pin: release a=lenny-backports" | grep "^Pin-Priority:" | cut -f2 -d" ")
test "$priority" -gt 500 || failed "IS_SAMBAPINPRIORITY"
fi
fi
fi fi
# Verification si le système doit redémarrer suite màj kernel. # Verification si le système doit redémarrer suite màj kernel.
if [ "$IS_KERNELUPTODATE" = 1 ]; then if [ "$IS_KERNELUPTODATE" = 1 ]; then
if is_installed linux-image* && [ $(date -d $(ls --full-time -lcrt /boot | tail -n1 | tr -s " " | cut -d " " -f 6) +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then if is_installed linux-image*; then
failed "IS_KERNELUPTODATE" # shellcheck disable=SC2012
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
failed "IS_KERNELUPTODATE"
fi
fi fi
fi fi
# Check if the server is running for more than a year. # Check if the server is running for more than a year.
if [ "$IS_UPTIME" = 1 ]; then if [ "$IS_UPTIME" = 1 ]; then
if is_installed linux-image* && [ $(date -d "now - 2 year" +%s) -gt $(($(date +%s) - $(cut -f1 -d '.' /proc/uptime))) ]; then if is_installed linux-image*; then
failed "IS_UPTIME" limit=$(date -d "now - 2 year" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$limit" -gt "$last_reboot_at" ]; then
failed "IS_UPTIME"
fi
fi fi
fi fi
# Check if munin-node running and RRD files are up to date. # Check if munin-node running and RRD files are up to date.
if [ "$IS_MUNINRUNNING" = 1 ]; then if [ "$IS_MUNINRUNNING" = 1 ]; then
pgrep munin-node >/dev/null || failed "IS_MUNINRUNNING" if ! pgrep munin-node >/dev/null; then
[ "$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ] && failed "IS_MUNINRUNNING" failed "IS_MUNINRUNNING" "Munin is not running"
grep -q "^graph_strategy cron" /etc/munin/munin.conf && ([ "$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)" -lt $(date +"%s" -d "now - 10 minutes") ]) && failed "IS_MUNINRUNNING" elif [ -d "/var/lib/munin/" ] && [ -d "/var/cache/munin/" ]; then
limit=$(date +"%s" -d "now - 10 minutes")
if [ -n "$(find /var/lib/munin/ -name '*load-g.rrd')" ]; then
updated_at=$(stat -c "%Y" /var/lib/munin/*/*load-g.rrd |sort |tail -1)
[ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load RRD has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load RRD not found)"
fi
if [ -n "$(find /var/cache/munin/www/ -name 'load-day.png')" ]; then
updated_at=$(stat -c "%Y" /var/cache/munin/www/*/*/load-day.png |sort |tail -1)
grep -sq "^graph_strategy cron" /etc/munin/munin.conf && [ "$limit" -gt "$updated_at" ] && failed "IS_MUNINRUNNING" "Munin load PNG has not been updated in the last 10 minutes"
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (load PNG not found)"
fi
else
failed "IS_MUNINRUNNING" "Munin is not installed properly (main directories are missing)"
fi
fi fi
# Check if files in /home/backup/ are up-to-date # Check if files in /home/backup/ are up-to-date
if [ "$IS_BACKUPUPTODATE" = 1 ]; then if [ "$IS_BACKUPUPTODATE" = 1 ]; then
[ -d /home/backup/ ] && for file in /home/backup/*; do if [ -d /home/backup/ ]; then
if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then if [ -n "$(ls -A /home/backup/)" ]; then
failed "IS_BACKUPUPTODATE" for file in /home/backup/*; do
break; limit=$(date +"%s" -d "now - 2 day")
updated_at=$(stat -c "%Y" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_BACKUPUPTODATE" "$file has not been backed up"
test "${VERBOSE}" = 1 || break;
fi
done
else
failed "IS_BACKUPUPTODATE" "/home/backup/ is empty"
fi fi
done else
failed "IS_BACKUPUPTODATE" "/home/backup/ is missing"
fi
fi
if [ "$IS_ETCGIT" = 1 ]; then
(cd /etc; git rev-parse --is-inside-work-tree > /dev/null 2>&1) || failed "IS_ETCGIT" "/etc is not a Git repository"
fi fi
# Check if /etc/.git/ has read/write permissions for root only. # Check if /etc/.git/ has read/write permissions for root only.
if [ "$IS_GITPERMS" = 1 ]; then if [ "$IS_GITPERMS" = 1 ]; then
test -d /etc/.git && [ "$(stat -c "%a" /etc/.git/)" = "700" ] || failed "IS_GITPERMS" if test -d /etc/.git; then
expected="700"
actual=$(stat -c "%a" /etc/.git/)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS"
fi
fi fi
# Check if no package has been upgraded since $limit. # Check if no package has been upgraded since $limit.
@ -564,15 +885,14 @@ if [ -e /etc/debian_version ]; then
last_upgrade=0 last_upgrade=0
upgraded=false upgraded=false
for log in /var/log/dpkg.log*; do for log in /var/log/dpkg.log*; do
zgrep -qsm1 upgrade "$log" if zgrep -qsm1 upgrade "$log"; then
if [ $? -eq 0 ]; then
# There is at least one upgrade # There is at least one upgrade
upgraded=true upgraded=true
break break
fi fi
done done
if $upgraded; then if $upgraded; then
last_upgrade=$(date +%s -d $(zgrep -h upgrade /var/log/dpkg.log* |sort -n |tail -1 |cut -f1 -d ' ')) last_upgrade=$(date +%s -d "$(zgrep -h upgrade /var/log/dpkg.log* | sort -n | tail -1 | cut -f1 -d ' ')")
fi fi
if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \ if grep -qs '^mailto="listupgrade-todo@' /etc/evolinux/listupgrade.cnf \
|| grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then || grep -qs -E '^[[:digit:]]+[[:space:]]+[[:digit:]]+[[:space:]]+[^\*]' /etc/cron.d/listupgrade; then
@ -587,101 +907,140 @@ if [ -e /etc/debian_version ]; then
install_date=$(stat -c %Z /var/log/installer) install_date=$(stat -c %Z /var/log/installer)
fi fi
# Check install_date if the system never received an upgrade # Check install_date if the system never received an upgrade
if [ $last_upgrade -eq 0 ]; then if [ "$last_upgrade" -eq 0 ]; then
[ $install_date -lt $limit ] && failed "IS_NOTUPGRADED" [ "$install_date" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system has never been updated"
else else
[ $last_upgrade -lt $limit ] && failed "IS_NOTUPGRADED" [ "$last_upgrade" -lt "$limit" ] && failed "IS_NOTUPGRADED" "The system hasn't been updated for too long"
fi fi
fi fi
# Check if reserved blocks for root is at least 5% on every mounted partitions. # Check if reserved blocks for root is at least 5% on every mounted partitions.
if [ "$IS_TUNE2FS_M5" = 1 ]; then if [ "$IS_TUNE2FS_M5" = 1 ]; then
min=5
parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ') parts=$(grep -E "ext(3|4)" /proc/mounts | cut -d ' ' -f1 | tr -s '\n' ' ')
for part in $parts; do for part in $parts; do
blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+") blockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Block count:" | grep -Eo "[0-9]+")
# If buggy partition, skip it. # If buggy partition, skip it.
if [ -z $blockCount ]; then if [ -z "$blockCount" ]; then
continue continue
fi fi
reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+") reservedBlockCount=$(dumpe2fs -h "$part" 2>/dev/null | grep -e "Reserved block count:" | grep -Eo "[0-9]+")
percentage=$(python -c "print(int(round(float(${reservedBlockCount})/${blockCount}*100)))") # Use awk to have a rounded percentage
if [ "$percentage" -lt 5 ]; then # python is slow, bash is unable and bc rounds weirdly
failed "IS_TUNE2FS_M5" "Partition ${part} has less than 5% reserved blocks!" percentage=$(awk "BEGIN { pc=100*${reservedBlockCount}/${blockCount}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
if [ "$percentage" -lt "${min}" ]; then
failed "IS_TUNE2FS_M5" "Partition ${part} has less than ${min}% reserved blocks (${percentage}%)"
fi fi
done done
fi fi
if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then if [ "$IS_EVOLINUXSUDOGROUP" = 1 ]; then
if is_debianversion stretch; then if is_debian_stretch; then
(grep -q ^evolinux-sudo: /etc/group \ if grep -q "^evolinux-sudo:" /etc/group; then
&& grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux) || failed "IS_EVOLINUXSUDOGROUP" grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux \
|| failed "IS_EVOLINUXSUDOGROUP"
fi
fi fi
fi fi
if [ "$IS_USERINADMGROUP" = 1 ]; then if [ "$IS_USERINADMGROUP" = 1 ]; then
if is_debianversion stretch; then if is_debian_stretch; then
for user in $(grep ^evolinux-sudo: /etc/group |awk -F: '{print $4}' |tr ',' ' '); do users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ')
groups $user |grep -q adm || failed "IS_USERINADMGROUP" for user in $users; do
if ! groups "$user" | grep -q adm; then
failed "IS_USERINADMGROUP" "User $user doesn't belong to \`adm' group"
test "${VERBOSE}" = 1 || break
fi
done done
fi fi
fi fi
if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then if [ "$IS_APACHE2EVOLINUXCONF" = 1 ]; then
if (test -d /etc/apache2 && is_debianversion stretch); then if is_debian_stretch && test -d /etc/apache2; then
(test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \
&& test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \
&& test -f /etc/apache2/ipaddr_whitelist.conf) || failed "IS_APACHE2EVOLINUXCONF" && test -f /etc/apache2/ipaddr_whitelist.conf;
} || failed "IS_APACHE2EVOLINUXCONF"
fi fi
fi fi
if [ "$IS_BACKPORTSCONF" = 1 ]; then if [ "$IS_BACKPORTSCONF" = 1 ]; then
if is_debianversion stretch; then if is_debian_stretch; then
grep -qsE "^[^#].*backports" /etc/apt/sources.list \ grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" && failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \ grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| failed "IS_BACKPORTSCONF" || failed "IS_BACKPORTSCONF" "backports must have preferences"
fi fi
fi fi
fi fi
if [ "$IS_BIND9MUNIN" = 1 ]; then if [ "$IS_BIND9MUNIN" = 1 ]; then
if is_debianversion stretch && is_installed bind9; then if is_debian_stretch && is_installed bind9; then
(test -L /etc/munin/plugins/bind9 && test -e /etc/munin/plugin-conf.d/bind9) || failed "IS_BIND9MUNIN" { test -L /etc/munin/plugins/bind9 \
&& test -e /etc/munin/plugin-conf.d/bind9;
} || failed "IS_BIND9MUNIN"
fi fi
fi fi
if [ "$IS_BIND9LOGROTATE" = 1 ]; then if [ "$IS_BIND9LOGROTATE" = 1 ]; then
if is_debianversion stretch && is_installed bind9; then if is_debian_stretch && is_installed bind9; then
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE"
fi fi
fi fi
if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then if [ "$IS_BROADCOMFIRMWARE" = 1 ]; then
if lspci | grep -q 'NetXtreme II'; then LSPCI_BIN=$(command -v lspci)
(is_installed firmware-bnx2 && grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list) || failed "IS_BROADCOMFIRMWARE" if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then
{ is_installed firmware-bnx2 \
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
} || failed "IS_BROADCOMFIRMWARE"
fi
else
failed "IS_BROADCOMFIRMWARE" "lspci is missing"
fi fi
fi fi
if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then if [ "$IS_HARDWARERAIDTOOL" = 1 ]; then
lspci |grep -q 'MegaRAID SAS' && (is_installed megacli && (is_installed megaclisas-status || is_installed megaraidsas-status) || failed "IS_HARDWARERAIDTOOL") LSPCI_BIN=$(command -v lspci)
lspci |grep -q 'Hewlett-Packard Company Smart Array' && (is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL") if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'MegaRAID SAS'; then
# shellcheck disable=SC2015
is_installed megacli && { is_installed megaclisas-status || is_installed megaraidsas-status; } \
|| failed "IS_HARDWARERAIDTOOL" "Mega tools not found"
fi
if ${LSPCI_BIN} | grep -q 'Hewlett-Packard Company Smart Array'; then
is_installed cciss-vol-status || failed "IS_HARDWARERAIDTOOL" "cciss-vol-status not installed"
fi
else
failed "IS_HARDWARERAIDTOOL" "lspci is missing"
fi
fi fi
if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then if [ "$IS_LOG2MAILSYSTEMDUNIT" = 1 ]; then
if is_debianversion stretch; then if is_debian_stretch; then
(systemctl -q is-active log2mail.service && test -f /etc/systemd/system/log2mail.service && ! test -f /etc/init.d/log2mail) || failed "IS_LOG2MAILSYSTEMDUNIT" { systemctl -q is-active log2mail.service \
&& test -f /etc/systemd/system/log2mail.service \
&& ! test -f /etc/init.d/log2mail;
} || failed "IS_LOG2MAILSYSTEMDUNIT"
fi fi
fi fi
if [ "$IS_LISTUPGRADE" = 1 ]; then if [ "$IS_LISTUPGRADE" = 1 ]; then
(test -f /etc/cron.d/listupgrade && test -x /usr/share/scripts/listupgrade.sh) || failed "IS_LISTUPGRADE" { test -f /etc/cron.d/listupgrade \
&& test -x /usr/share/scripts/listupgrade.sh;
} || failed "IS_LISTUPGRADE"
fi fi
if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then if [ "$IS_MARIADBEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then if is_debian_stretch; then
(test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ if is_installed mariadb-server; then
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf) || failed "IS_MARIADBEVOLINUXCONF" { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \
&& test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf;
} || failed "IS_MARIADBEVOLINUXCONF"
fi
fi fi
fi fi
@ -689,16 +1048,16 @@ if [ -e /etc/debian_version ]; then
if (is_installed "mysql-server" || is_installed "mariadb-server"); then if (is_installed "mysql-server" || is_installed "mariadb-server"); then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"} SQL_BACKUP_PATH=${SQL_BACKUP_PATH:-"/home/backup/mysql.bak.gz"}
test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" test -f "$SQL_BACKUP_PATH" || failed "IS_SQL_BACKUP" "MySQL dump is missing (${SQL_BACKUP_PATH})"
fi fi
fi fi
if [ "$IS_POSTGRES_BACKUP" = 1 ]; then if [ "$IS_POSTGRES_BACKUP" = 1 ]; then
if is_installed "postgresql-9*"; then if is_installed "postgresql-9*"; then
# If you use something like barman, you should deactivate this check # If you use something like barman, you should disable this check
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"} POSTGRES_BACKUP_PATH=${POSTGRES_BACKUP_PATH:-"/home/backup/pg.dump.bak"}
test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" test -f "$POSTGRES_BACKUP_PATH" || failed "IS_POSTGRES_BACKUP" "PostgreSQL dump is missing (${POSTGRES_BACKUP_PATH})"
fi fi
fi fi
@ -707,17 +1066,19 @@ if [ -e /etc/debian_version ]; then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"}
if [ -d "$MONGO_BACKUP_PATH" ]; then if [ -d "$MONGO_BACKUP_PATH" ]; then
for file in ${MONGO_BACKUP_PATH}/*/*.{json,bson}; do for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do
# Skip indexes file. # Skip indexes file.
if ! [[ "$file" =~ indexes ]]; then if ! [[ "$file" =~ indexes ]]; then
if [ -f $file ] && [ $(stat -c "%Y" $file) -lt $(date +"%s" -d "now - 2 day") ]; then limit=$(date +"%s" -d "now - 2 day")
failed "IS_MONGO_BACKUP" updated_at=$(stat -c "%Y" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
failed "IS_MONGO_BACKUP" "MongoDB hasn't been dumped for more than 2 days"
break break
fi fi
fi fi
done done
else else
failed "IS_MONGO_BACKUP" failed "IS_MONGO_BACKUP" "MongoDB dump directory is missing (${MONGO_BACKUP_PATH})"
fi fi
fi fi
fi fi
@ -726,7 +1087,7 @@ if [ -e /etc/debian_version ]; then
if is_installed slapd; then if is_installed slapd; then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"} LDAP_BACKUP_PATH=${LDAP_BACKUP_PATH:-"/home/backup/ldap.bak"}
test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" test -f "$LDAP_BACKUP_PATH" || failed "IS_LDAP_BACKUP" "LDAP dump is missing (${LDAP_BACKUP_PATH})"
fi fi
fi fi
@ -734,7 +1095,7 @@ if [ -e /etc/debian_version ]; then
if is_installed redis-server; then if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"} REDIS_BACKUP_PATH=${REDIS_BACKUP_PATH:-"/home/backup/dump.rdb"}
test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" test -f "$REDIS_BACKUP_PATH" || failed "IS_REDIS_BACKUP" "Redis dump is missing (${REDIS_BACKUP_PATH})"
fi fi
fi fi
@ -742,18 +1103,20 @@ if [ -e /etc/debian_version ]; then
if is_installed elasticsearch; then if is_installed elasticsearch; then
# You could change the default path in /etc/evocheck.cf # You could change the default path in /etc/evocheck.cf
ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"} ELASTIC_BACKUP_PATH=${ELASTIC_BACKUP_PATH:-"/home/backup/elasticsearch"}
test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" test -d "$ELASTIC_BACKUP_PATH" || failed "IS_ELASTIC_BACKUP" "Elastic snapshot is missing (${ELASTIC_BACKUP_PATH})"
fi fi
fi fi
if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then if [ "$IS_MARIADBSYSTEMDUNIT" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then if is_debian_stretch && is_installed mariadb-server; then
(systemctl -q is-active mariadb.service && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf) || failed "IS_MARIADBSYSTEMDUNIT" { systemctl -q is-active mariadb.service \
&& test -f /etc/systemd/system/mariadb.service.d/evolinux.conf;
} || failed "IS_MARIADBSYSTEMDUNIT"
fi fi
fi fi
if [ "$IS_MYSQLMUNIN" = 1 ]; then if [ "$IS_MYSQLMUNIN" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then if is_debian_stretch && is_installed mariadb-server; then
for file in mysql_bytes mysql_queries mysql_slowqueries \ for file in mysql_bytes mysql_queries mysql_slowqueries \
mysql_threads mysql_connections mysql_files_tables \ mysql_threads mysql_connections mysql_files_tables \
mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \
@ -762,52 +1125,57 @@ if [ -e /etc/debian_version ]; then
mysql_sorts mysql_tmp_tables; do mysql_sorts mysql_tmp_tables; do
if [[ ! -L /etc/munin/plugins/$file ]]; then if [[ ! -L /etc/munin/plugins/$file ]]; then
failed "IS_MYSQLMUNIN" failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing"
break test "${VERBOSE}" = 1 || break
fi fi
done done
fi fi
fi fi
if [ "$IS_MYSQLNRPE" = 1 ]; then if [ "$IS_MYSQLNRPE" = 1 ]; then
if is_debianversion stretch && is_installed mariadb-server; then if is_debian_stretch && is_installed mariadb-server; then
(test -f ~nagios/.my.cnf \ nagios_file="~nagios/.my.cnf"
&& [ $(stat -c %U ~nagios/.my.cnf) = "nagios" ] \ { test -f $nagios_file \
&& [ $(stat -c %a ~nagios/.my.cnf) = "600" ] \ && [ "$(stat -c %U $nagios_file)" = "nagios" ] \
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f ~nagios/.my.cnf") || failed "IS_MYSQLNRPE" && [ "$(stat -c %a $nagios_file)" = "600" ] \
&& grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql -H localhost -f $nagios_file";
} || failed "IS_MYSQLNRPE"
fi fi
fi fi
if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then if [ "$IS_PHPEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed php; then if is_debian_stretch && is_installed php; then
(test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ { test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \
&& test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini) || failed "IS_PHPEVOLINUXCONF" && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini;
} || failed "IS_PHPEVOLINUXCONF"
fi fi
fi fi
if [ "$IS_SQUIDLOGROTATE" = 1 ]; then if [ "$IS_SQUIDLOGROTATE" = 1 ]; then
if is_debianversion stretch && is_installed squid; then if is_debian_stretch && is_installed squid; then
grep -q monthly /etc/logrotate.d/squid || failed "IS_SQUIDLOGROTATE" grep -q monthly /etc/logrotate.d/squid || failed "IS_SQUIDLOGROTATE"
fi fi
fi fi
if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then if [ "$IS_SQUIDEVOLINUXCONF" = 1 ]; then
if is_debianversion stretch && is_installed squid; then if is_debian_stretch && is_installed squid; then
(grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \
&& test -f /etc/squid/evolinux-defaults.conf \ && test -f /etc/squid/evolinux-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-defaults.conf \ && test -f /etc/squid/evolinux-whitelist-defaults.conf \
&& test -f /etc/squid/evolinux-whitelist-custom.conf \ && test -f /etc/squid/evolinux-whitelist-custom.conf \
&& test -f /etc/squid/evolinux-acl.conf \ && test -f /etc/squid/evolinux-acl.conf \
&& test -f /etc/squid/evolinux-httpaccess.conf \ && test -f /etc/squid/evolinux-httpaccess.conf \
&& test -f /etc/squid/evolinux-custom.conf) || failed "IS_SQUIDEVOLINUXCONF" && test -f /etc/squid/evolinux-custom.conf;
} || failed "IS_SQUIDEVOLINUXCONF"
fi fi
fi fi
if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then if [ "$IS_DUPLICATE_FS_LABEL" = 1 ]; then
# Do it only if thereis blkid binary # Do it only if thereis blkid binary
if [ -x "$(which blkid)" ]; then BLKID_BIN=$(command -v blkid)
if [ -x "$BLKID_BIN" ]; then
tmpFile=$(mktemp -p /tmp) tmpFile=$(mktemp -p /tmp)
parts=$(blkid | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) parts=$($BLKID_BIN | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2)
for part in $parts; do for part in $parts; do
echo "$part" >> "$tmpFile" echo "$part" >> "$tmpFile"
done done
@ -815,13 +1183,13 @@ if [ -e /etc/debian_version ]; then
# If there is no duplicate, uniq will have no output # If there is no duplicate, uniq will have no output
# So, if $tmpOutput is not null, there is a duplicate # So, if $tmpOutput is not null, there is a duplicate
if [ -n "$tmpOutput" ]; then if [ -n "$tmpOutput" ]; then
failed "IS_DUPLICATE_FS_LABEL" # shellcheck disable=SC2086
if [ "$VERBOSE" = 1 ]; then labels=$(echo -n $tmpOutput | tr '\n' ' ')
echo "Duplicate labels:" failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels"
echo -e "$tmpOutput\n"
fi
fi fi
rm $tmpFile rm "$tmpFile"
else
failed "IS_DUPLICATE_FS_LABEL" "blkid not found"
fi fi
fi fi
@ -832,27 +1200,31 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_EVOACME_CRON" = 1 ]; then if [ "$IS_EVOACME_CRON" = 1 ]; then
if [ -f "/usr/local/sbin/evoacme" ]; then if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted # Old cron file, should be deleted
test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" test -f /etc/cron.daily/certbot && failed "IS_EVOACME_CRON" "certbot cron is incompatible with evoacme"
# evoacme cron file should be present # evoacme cron file should be present
test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" test -f /etc/cron.daily/evoacme || failed "IS_EVOACME_CRON" "evoacme cron is missing"
fi fi
fi fi
if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then if [ "$IS_EVOACME_LIVELINKS" = 1 ]; then
if [ -x "$(which evoacme)" ]; then EVOACME_BIN=$(command -v evoacme)
if [ -x "$EVOACME_BIN" ]; then
# Sometimes evoacme is installed but no certificates has been generated # Sometimes evoacme is installed but no certificates has been generated
numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l) numberOfLinks=$(find /etc/letsencrypt/ -type l | wc -l)
if [ $numberOfLinks -gt 0 ]; then if [ "$numberOfLinks" -gt 0 ]; then
for live in /etc/letsencrypt/*/live; do for live in /etc/letsencrypt/*/live; do
actualLink=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 11) actualLink=$(readlink -f "$live")
actualCertDate=$(cut -d'/' -f5 <<< $actualLink) actualVersion=$(basename "$actualLink")
liveDir=$(ls -lhad $live | tr -s ' ' | cut -d' ' -f 9)
certDir=${liveDir%%/live} certDir=$(dirname "$live")
lastCertDir=$(stat -c %n ${certDir}/[0-9]* | tail -1) certName=$(basename "$certDir")
lastCertDate=$(cut -d'/' -f5 <<< $lastCertDir) # shellcheck disable=SC2012
if [[ "$actualCertDate" != "$lastCertDate" ]]; then lastCertDir=$(ls -ds "${certDir}"/[0-9]* | tail -1)
failed "IS_EVOACME_LIVELINKS" lastVersion=$(basename "$lastCertDir")
break
if [[ "$lastVersion" != "$actualVersion" ]]; then
failed "IS_EVOACME_LIVELINKS" "Certificate \`$certName' hasn't been updated"
test "${VERBOSE}" = 1 || break
fi fi
done done
fi fi
@ -863,7 +1235,7 @@ if [ -e /etc/debian_version ]; then
# Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/
# must be replaced by conf-available/ and config files symlinked # must be replaced by conf-available/ and config files symlinked
# to conf-enabled/ # to conf-enabled/
if is_debianversion jessie || is_debianversion stretch; then if is_debian_jessie || is_debian_stretch; then
if [ -f /etc/apache2/apache2.conf ]; then if [ -f /etc/apache2/apache2.conf ]; then
test -d /etc/apache2/conf.d/ && failed "IS_APACHE_CONFENABLED" test -d /etc/apache2/conf.d/ && failed "IS_APACHE_CONFENABLED"
grep -q 'Include conf.d' /etc/apache2/apache2.conf && failed "IS_APACHE_CONFENABLED" grep -q 'Include conf.d' /etc/apache2/apache2.conf && failed "IS_APACHE_CONFENABLED"
@ -874,45 +1246,45 @@ if [ -e /etc/debian_version ]; then
if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
# For Stretch, detection is easy as the kernel use # For Stretch, detection is easy as the kernel use
# /sys/devices/system/cpu/vulnerabilities/ # /sys/devices/system/cpu/vulnerabilities/
if is_debianversion stretch; then if is_debian_stretch; then
for vuln in meltdown spectre_v1 spectre_v2; do for vuln in meltdown spectre_v1 spectre_v2; do
test -f /sys/devices/system/cpu/vulnerabilities/$vuln || failed "IS_MELTDOWN_SPECTRE" test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \
|| failed "IS_MELTDOWN_SPECTRE"
done done
# For Jessie this is quite complicated to verify and we need to use kernel config file # For Jessie this is quite complicated to verify and we need to use kernel config file
elif is_debianversion jessie; then elif is_debian_jessie; then
if grep -q BOOT_IMAGE= /proc/cmdline; then if grep -q "BOOT_IMAGE=" /proc/cmdline; then
kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2) kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
kernelVer=${kernelPath##*/vmlinuz-} kernelVer=${kernelPath##*/vmlinuz-}
kernelConfig="config-${kernelVer}" kernelConfig="config-${kernelVer}"
# Sometimes autodetection of kernel config file fail, so we test if the file really exists. # Sometimes autodetection of kernel config file fail, so we test if the file really exists.
if [ -f /boot/$kernelConfig ]; then if [ -f "/boot/${kernelConfig}" ]; then
grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || failed "IS_MELTDOWN_SPECTRE" grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' "/boot/$kernelConfig" \
grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || failed "IS_MELTDOWN_SPECTRE" || failed "IS_MELTDOWN_SPECTRE" "PAGE_TABLE_ISOLATION vulnerability is not patched"
grep -Eq '^CONFIG_RETPOLINE=y' "/boot/$kernelConfig" \
|| failed "IS_MELTDOWN_SPECTRE" "RETPOLINE vulnerability is not patched"
fi fi
fi fi
fi fi
fi fi
if [ "$IS_OLD_HOME_DIR" = 1 ]; then if [ "$IS_OLD_HOME_DIR" = 1 ]; then
for dir in /home/*; do homeDir=${homeDir:-/home}
for dir in "$homeDir"/*; do
statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \ statResult=$(stat -c "%n has owner %u resolved as %U" "$dir" \
| grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \ | grep -Eve '.bak' -e '\.[0-9]{2}-[0-9]{2}-[0-9]{4}' \
| grep UNKNOWN) | grep "UNKNOWN")
# There is at least one dir matching # There is at least one dir matching
if [[ -n "$statResult" ]]; then if [[ -n "$statResult" ]]; then
failed "IS_OLD_HOME_DIR" failed "IS_OLD_HOME_DIR" "$statResult"
if [[ "$VERBOSE" == 1 ]]; then test "${VERBOSE}" = 1 || break
echo "$statResult"
else
break
fi
fi fi
done done
fi fi
fi fi
if [ `uname -s` == "OpenBSD" ]; then if is_openbsd; then
if [ "$IS_SOFTDEP" = 1 ]; then if [ "$IS_SOFTDEP" = 1 ]; then
grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP" grep -q "softdep" /etc/fstab || failed "IS_SOFTDEP"
@ -927,20 +1299,21 @@ if [ `uname -s` == "OpenBSD" ]; then
fi fi
if [ "$IS_PKGMIRROR" = 1 ]; then if [ "$IS_PKGMIRROR" = 1 ]; then
grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile || failed "IS_PKGMIRROR" grep -qE "^export PKG_PATH=http://ftp\.fr\.openbsd\.org/pub/OpenBSD/[0-9.]+/packages/[a-z0-9]+/$" /root/.profile \
|| failed "IS_PKGMIRROR"
fi fi
if [ "$IS_HISTORY" = 1 ]; then if [ "$IS_HISTORY" = 1 ]; then
f=/root/.profile f=/root/.profile
grep -q "^HISTFILE=\$HOME/.histfile" $f \ { grep -q "^HISTFILE=\$HOME/.histfile" $f \
&& grep -q "^export HISTFILE" $f \ && grep -q "^export HISTFILE" $f \
&& grep -q "^HISTSIZE=1000" $f \ && grep -q "^HISTSIZE=1000" $f \
&& grep -q "^export HISTSIZE" $f \ && grep -q "^export HISTSIZE" $f;
|| failed "IS_HISTORY" } || failed "IS_HISTORY"
fi fi
if [ "$IS_VIM" = 1 ]; then if [ "$IS_VIM" = 1 ]; then
which vim 2>1 >> /dev/null || failed "IS_VIM" command -v vim > /dev/null 2>&1 || failed "IS_VIM"
fi fi
if [ "$IS_TTYC0SECURE" = 1 ]; then if [ "$IS_TTYC0SECURE" = 1 ]; then
@ -948,32 +1321,33 @@ if [ `uname -s` == "OpenBSD" ]; then
fi fi
if [ "$IS_CUSTOMSYSLOG" = 1 ]; then if [ "$IS_CUSTOMSYSLOG" = 1 ]; then
grep -q Evolix /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG" grep -q "Evolix" /etc/newsyslog.conf || failed "IS_CUSTOMSYSLOG"
fi fi
if [ "$IS_NOINETD" = 1 ]; then if [ "$IS_NOINETD" = 1 ]; then
grep -q inetd=NO /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD" grep -q "inetd=NO" /etc/rc.conf.local 2>/dev/null || failed "IS_NOINETD"
fi fi
if [ "$IS_SUDOMAINT" = 1 ]; then if [ "$IS_SUDOMAINT" = 1 ]; then
f=/etc/sudoers f=/etc/sudoers
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \ { grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $f \
&& grep -q "ADMIN ALL=NOPASSWD: MAINT" $f \ && grep -q "ADMIN ALL=NOPASSWD: MAINT" $f;
|| failed "IS_SUDOMAINT" } || failed "IS_SUDOMAINT"
fi fi
if [ "$IS_POSTGRESQL" = 1 ]; then if [ "$IS_POSTGRESQL" = 1 ]; then
pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" pkg info | grep -q postgresql-client || failed "IS_POSTGRESQL" "postgresql-client is not installed"
fi fi
if [ "$IS_NRPE" = 1 ]; then if [ "$IS_NRPE" = 1 ]; then
( pkg info | grep -qE "nagios-plugins-[0-9.]" \ { pkg info | grep -qE "nagios-plugins-[0-9.]" \
&& pkg info | grep -q nagios-plugins-ntp \ && pkg info | grep -q nagios-plugins-ntp \
&& pkg info | grep -q nrpe ) || failed "IS_NRPE" && pkg info | grep -q nrpe;
} || failed "IS_NRPE" "NRPE is not installed"
fi fi
# if [ "$IS_NRPEDISKS" = 1 ]; then # if [ "$IS_NRPEDISKS" = 1 ]; then
# NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep ^command.check_disk[0-9] | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1) # NRPEDISKS=$(grep command.check_disk /etc/nrpe.cfg 2>/dev/null | grep "^command.check_disk[0-9]" | sed -e "s/^command.check_disk\([0-9]\+\).*/\1/" | sort -n | tail -1)
# DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l) # DFDISKS=$(df -Pl | grep -E -v "(^Filesystem|/lib/init/rw|/dev/shm|udev|rpc_pipefs)" | wc -l)
# [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS" # [ "$NRPEDISKS" = "$DFDISKS" ] || failed "IS_NRPEDISKS"
# fi # fi
@ -985,11 +1359,13 @@ if [ `uname -s` == "OpenBSD" ]; then
# fi # fi
if [ "$IS_NRPEDAEMON" = 1 ]; then if [ "$IS_NRPEDAEMON" = 1 ]; then
grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local || failed "IS_NREPEDAEMON" grep -q "echo -n ' nrpe'; /usr/local/sbin/nrpe -d" /etc/rc.local \
|| failed "IS_NREPEDAEMON"
fi fi
if [ "$IS_ALERTBOOT" = 1 ]; then if [ "$IS_ALERTBOOT" = 1 ]; then
grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local || failed "IS_ALERTBOOT" grep -qE "^date \| mail -sboot/reboot .*evolix.fr$" /etc/rc.local \
|| failed "IS_ALERTBOOT"
fi fi
if [ "$IS_RSYNC" = 1 ]; then if [ "$IS_RSYNC" = 1 ]; then
@ -997,7 +1373,8 @@ if [ `uname -s` == "OpenBSD" ]; then
fi fi
if [ "$IS_CRONPATH" = 1 ]; then if [ "$IS_CRONPATH" = 1 ]; then
grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root || failed "IS_CRONPATH" grep -q "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" /var/cron/tabs/root \
|| failed "IS_CRONPATH"
fi fi
#TODO #TODO
@ -1006,79 +1383,89 @@ if [ `uname -s` == "OpenBSD" ]; then
fi fi
if [ "$IS_TMP_1777" = 1 ]; then if [ "$IS_TMP_1777" = 1 ]; then
ls -ld /tmp | grep -q drwxrwxrwt || failed "IS_TMP_1777" actual=$(stat --format "%a" /tmp)
expected="1777"
test "$expected" = "$actual" || failed "IS_TMP_1777"
fi fi
if [ "$IS_ROOT_0700" = 1 ]; then if [ "$IS_ROOT_0700" = 1 ]; then
ls -ld /root | grep -q drwx------ || failed "IS_ROOT_0700" actual=$(stat --format "%a" /root)
expected="700"
test "$expected" = "$actual" || failed "IS_ROOT_0700"
fi fi
if [ "$IS_USRSHARESCRIPTS" = 1 ]; then if [ "$IS_USRSHARESCRIPTS" = 1 ]; then
ls -ld /usr/share/scripts | grep -q drwx------ || failed "IS_USRSHARESCRIPTS" actual=$(stat --format "%a" /usr/share/scripts)
expected="700"
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS"
fi fi
if [ "$IS_SSHPERMITROOTNO" = 1 ]; then if [ "$IS_SSHPERMITROOTNO" = 1 ]; then
is_debianversion stretch || ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" ) if is_debian_stretch; then
is_debianversion stretch && grep -q ^PermitRoot /etc/ssh/sshd_config && ( grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" ) if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO"
fi
else
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO"
fi
fi fi
if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then if [ "$IS_EVOMAINTENANCEUSERS" = 1 ]; then
# Can be changed in evocheck.cf if is_debian_stretch; then
homeDir=${homeDir:-/home} users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ')
if ! is_debianversion stretch; then else
if [ -f /etc/sudoers.d/evolinux ]; then if [ -f /etc/sudoers.d/evolinux ]; then
sudoers="/etc/sudoers.d/evolinux" sudoers="/etc/sudoers.d/evolinux"
else else
sudoers="/etc/sudoers" sudoers="/etc/sudoers"
fi fi
for i in $( (grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep ^sudo /etc/group |cut -d: -f 4) | tr "," "\n" |sort -u); do # combine users from User_Alias and sudo group
grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/${i}/.*profile users=$({ grep "^User_Alias *ADMIN" $sudoers | cut -d= -f2 | tr -d " "; grep "^sudo" /etc/group | cut -d: -f 4; } | tr "," "\n" | sort -u)
if [ $? != 0 ]; then
failed "IS_EVOMAINTENANCEUSERS"
if [ "$VERBOSE" = 1 ]; then
echo "$i doesn't have evomaintenance trap!"
else
break
fi
fi
done
else
for i in $(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' '); do
grep -qs "^trap.*sudo.*evomaintenance.sh" ${homeDir}/$i/.*profile
if [ $? != 0 ]; then
failed "IS_EVOMAINTENANCEUSERS"
if [ "$VERBOSE" = 1 ]; then
echo "$i doesn't have evomaintenance trap!"
else
break
fi
fi
done
fi fi
for user in $users; do
user_home=$(getent passwd "$user" | cut -d: -f6)
if [ -n "$user_home" ] && [ -d "$user_home" ]; then
if ! grep -qs "^trap.*sudo.*evomaintenance.sh" "${user_home}"/.*profile; then
failed "IS_EVOMAINTENANCEUSERS" "${user} doesn't have an evomaintenance trap"
test "${VERBOSE}" = 1 || break
fi
fi
done
fi fi
# Verification de la configuration d'evomaintenance # Verification de la configuration d'evomaintenance
if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then if [ "$IS_EVOMAINTENANCECONF" = 1 ]; then
f=/etc/evomaintenance.cf f=/etc/evomaintenance.cf
( test -e $f \ if [ -e "$f" ]; then
&& test $(stat -c "%a" $f) = "600" \ perms=$(stat -c "%a" $f)
&& grep "^export PGPASSWORD" $f |grep -qv "your-passwd" \ test "$perms" = "600" || failed "IS_EVOMAINTENANCECONF" "Wrong permissions on \`$f' ($perms instead of 600)"
&& grep "^PGDB" $f |grep -qv "your-db" \
&& grep "^PGTABLE" $f |grep -qv "your-table" \ { grep "^export PGPASSWORD" $f | grep -qv "your-passwd" \
&& grep "^PGHOST" $f |grep -qv "your-pg-host" \ && grep "^PGDB" $f | grep -qv "your-db" \
&& grep "^FROM" $f |grep -qv "jdoe@example.com" \ && grep "^PGTABLE" $f | grep -qv "your-table" \
&& grep "^FULLFROM" $f |grep -qv "John Doe <jdoe@example.com>" \ && grep "^PGHOST" $f | grep -qv "your-pg-host" \
&& grep "^URGENCYFROM" $f |grep -qv "mama.doe@example.com" \ && grep "^FROM" $f | grep -qv "jdoe@example.com" \
&& grep "^URGENCYTEL" $f |grep -qv "06.00.00.00.00" \ && grep "^FULLFROM" $f | grep -qv "John Doe <jdoe@example.com>" \
&& grep "^REALM" $f |grep -qv "example.com" ) || failed "IS_EVOMAINTENANCECONF" && grep "^URGENCYFROM" $f | grep -qv "mama.doe@example.com" \
&& grep "^URGENCYTEL" $f | grep -qv "06.00.00.00.00" \
&& grep "^REALM" $f | grep -qv "example.com";
} || failed "IS_EVOMAINTENANCECONF" "evomaintenance is not correctly configured"
else
failed "IS_EVOMAINTENANCECONF" "Configuration file \`$f' is missing"
fi
fi fi
if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then if [ "$IS_PRIVKEYWOLRDREADABLE" = 1 ]; then
for f in /etc/ssl/private/*; do # a simple globbing fails if directory is empty
perms=$(stat -L -c "%a" $f) if [ -n "$(ls -A /etc/ssl/private/)" ]; then
if [ ${perms: -1} != "0" ]; then for f in /etc/ssl/private/*; do
failed "IS_PRIVKEYWOLRDREADABLE" perms=$(stat -L -c "%a" "$f")
break if [ "${perms: -1}" != 0 ]; then
fi failed "IS_PRIVKEYWOLRDREADABLE" "$f is world-readable"
done test "${VERBOSE}" = 1 || break
fi
done
fi
fi fi
exit ${RC}