Fixed various shellcheck violations and added a function to clean up files at once instead of using multiple trap rm
parent
8d460b039d
commit
d35d7491f1
|
@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
|
|
||||||
## [Unreleased]
|
## [Unreleased]
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
- Fixed various shellcheck violations
|
||||||
|
- Added a function to cleanup files at once instead of using multiple trap rm
|
||||||
|
|
||||||
## [22.04] - 2022-04-13
|
## [22.04] - 2022-04-13
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
85
evocheck.sh
85
evocheck.sh
|
@ -45,7 +45,7 @@ END
|
||||||
}
|
}
|
||||||
is_installed(){
|
is_installed(){
|
||||||
for pkg in "$@"; do
|
for pkg in "$@"; do
|
||||||
pkg_info | grep -q $pkg || return 1
|
pkg_info | grep -q "$pkg" || return 1
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -75,12 +75,12 @@ check_tmpnoexec(){
|
||||||
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option"
|
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option"
|
||||||
}
|
}
|
||||||
check_softdep(){
|
check_softdep(){
|
||||||
if [ $(grep -c softdep /etc/fstab) -ne $(grep -c ffs /etc/fstab) ]; then
|
if [ "$(grep -c softdep /etc/fstab)" -ne "$(grep -c ffs /etc/fstab)" ]; then
|
||||||
failed "IS_SOFTDEP" "All partitions should have the softdep option"
|
failed "IS_SOFTDEP" "All partitions should have the softdep option"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_noatime(){
|
check_noatime(){
|
||||||
if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then
|
if [ "$(mount | grep -c noatime)" -ne "$(grep ffs /etc/fstab | grep -vc ^\#)" ]; then
|
||||||
failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
|
failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
@ -92,12 +92,12 @@ check_tmoutprofile(){
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_raidok(){
|
check_raidok(){
|
||||||
egrep 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1
|
grep -E 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1
|
||||||
RESULT=$?
|
RESULT=$?
|
||||||
if [ $RESULT -eq 0 ]; then
|
if [ $RESULT -eq 0 ]; then
|
||||||
raid_device=$(egrep 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }' | tail -1)
|
raid_device=$(grep -E 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }' | tail -1)
|
||||||
raid_status=$(bioctl $raid_device | grep softraid | awk '{ print $3 }')
|
raid_status=$(bioctl "$raid_device" | grep softraid | awk '{ print $3 }')
|
||||||
if [ $raid_status != "Online" ]; then
|
if [ "$raid_status" != "Online" ]; then
|
||||||
failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations"
|
failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -110,14 +110,14 @@ check_evobackup(){
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_uptodate(){
|
check_uptodate(){
|
||||||
if [ $(command -v syspatch) ]; then
|
if [ "$(command -v syspatch)" ]; then
|
||||||
if syspatch -c | egrep "." 1> /dev/null 2>&1; then
|
if syspatch -c | grep -E "." 1> /dev/null 2>&1; then
|
||||||
failed "IS_UPTODATE" "Security update available! Update with syspatch(8)!"
|
failed "IS_UPTODATE" "Security update available! Update with syspatch(8)!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_uptime(){
|
check_uptime(){
|
||||||
let "uptime = $(date +"%s") - $(sysctl -n kern.boottime)"
|
uptime=$(($(date +"%s") - $(sysctl -n kern.boottime)))
|
||||||
if [ "$uptime" -gt "$(( 2*365*24*60*60 ))" ]; then
|
if [ "$uptime" -gt "$(( 2*365*24*60*60 ))" ]; then
|
||||||
failed "IS_UPTIME" "The server has an uptime of more than 2 years, reboot on new kernel advised"
|
failed "IS_UPTIME" "The server has an uptime of more than 2 years, reboot on new kernel advised"
|
||||||
fi
|
fi
|
||||||
|
@ -126,8 +126,8 @@ check_backupuptodate(){
|
||||||
backup_dir="/home/backup"
|
backup_dir="/home/backup"
|
||||||
if [ -d "${backup_dir}" ]; then
|
if [ -d "${backup_dir}" ]; then
|
||||||
if [ -n "$(ls -A ${backup_dir})" ]; then
|
if [ -n "$(ls -A ${backup_dir})" ]; then
|
||||||
for file in ${backup_dir}/*; do
|
for file in "${backup_dir}"/*; do
|
||||||
let "limit = $(date +"%s") - 172800"
|
limit=$(($(date +"%s") - 172800))
|
||||||
updated_at=$(stat -f "%m" "$file")
|
updated_at=$(stat -f "%m" "$file")
|
||||||
|
|
||||||
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
|
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
|
||||||
|
@ -154,11 +154,11 @@ check_carpadvbase(){
|
||||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||||
bad_advbase=0
|
bad_advbase=0
|
||||||
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
|
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
|
||||||
if [[ "$advbase" -gt 5 ]]; then
|
if [ "$advbase" -gt 5 ]; then
|
||||||
bad_advbase=1
|
bad_advbase=1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
if [[ "$bad_advbase" -eq 1 ]]; then
|
if [ "$bad_advbase" -eq 1 ]; then
|
||||||
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -166,7 +166,7 @@ check_carpadvbase(){
|
||||||
check_carppreempt(){
|
check_carppreempt(){
|
||||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||||
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
|
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
|
||||||
if [[ "$preempt" -ne 1 ]]; then
|
if [ "$preempt" -ne 1 ]; then
|
||||||
failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
|
failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
|
||||||
fi
|
fi
|
||||||
if [ -f /etc/sysctl.conf ]; then
|
if [ -f /etc/sysctl.conf ]; then
|
||||||
|
@ -198,6 +198,7 @@ check_pkgmirror(){
|
||||||
}
|
}
|
||||||
check_history(){
|
check_history(){
|
||||||
file=/root/.profile
|
file=/root/.profile
|
||||||
|
# shellcheck disable=SC2015
|
||||||
grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=100000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=100000' are present in /root/.profile"
|
grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=100000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=100000' are present in /root/.profile"
|
||||||
}
|
}
|
||||||
check_vim(){
|
check_vim(){
|
||||||
|
@ -213,6 +214,7 @@ check_customsyslog(){
|
||||||
}
|
}
|
||||||
check_sudomaint(){
|
check_sudomaint(){
|
||||||
file=/etc/sudoers
|
file=/etc/sudoers
|
||||||
|
# shellcheck disable=SC2015
|
||||||
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \
|
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \
|
||||||
&& grep -q "%wheel ALL=NOPASSWD: MAINT" $file \
|
&& grep -q "%wheel ALL=NOPASSWD: MAINT" $file \
|
||||||
|| failed "IS_SUDOMAINT" ""
|
|| failed "IS_SUDOMAINT" ""
|
||||||
|
@ -304,7 +306,7 @@ check_defaultroute(){
|
||||||
}
|
}
|
||||||
check_ntp(){
|
check_ntp(){
|
||||||
if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then
|
if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then
|
||||||
if [ $(wc -l /etc/ntpd.conf | awk '{print $1}') -ne 1 ]; then
|
if [ "$(wc -l /etc/ntpd.conf | awk '{print $1}')" -ne 1 ]; then
|
||||||
failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"."
|
failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"."
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
@ -313,23 +315,24 @@ check_ntp(){
|
||||||
}
|
}
|
||||||
check_openvpncronlog(){
|
check_openvpncronlog(){
|
||||||
if /etc/rc.d/openvpn check > /dev/null 2>&1; then
|
if /etc/rc.d/openvpn check > /dev/null 2>&1; then
|
||||||
|
# shellcheck disable=SC2016
|
||||||
grep -q 'cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo "$(date +\\%F. .\\%R) - logfile turned over via cron" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name "openvpn.log.\*" -mtime .365 -exec rm {} \\+' /var/cron/tabs/root || failed "IS_OPENVPNCRONLOG" "OpenVPN is enabled but there is no log rotation in the root crontab, or the cron is not up to date (OpenVPN log rotation in newsyslog is not used because a restart is needed)."
|
grep -q 'cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo "$(date +\\%F. .\\%R) - logfile turned over via cron" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name "openvpn.log.\*" -mtime .365 -exec rm {} \\+' /var/cron/tabs/root || failed "IS_OPENVPNCRONLOG" "OpenVPN is enabled but there is no log rotation in the root crontab, or the cron is not up to date (OpenVPN log rotation in newsyslog is not used because a restart is needed)."
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_carpadvskew(){
|
check_carpadvskew(){
|
||||||
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
|
||||||
for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
|
for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
|
||||||
ifconfig $carp | grep -q master
|
ifconfig "$carp" | grep -q master
|
||||||
master=$?
|
master=$?
|
||||||
ifconfig $carp | grep -q backup
|
ifconfig "$carp" | grep -q backup
|
||||||
backup=$?
|
backup=$?
|
||||||
advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
|
advskew=$(ifconfig "$carp" | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
|
||||||
if [ "$master" -eq 0 ]; then
|
if [ "$master" -eq 0 ]; then
|
||||||
if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then
|
if [ "$advskew" -lt 1 ] || [ "$advskew" -gt 50 ]; then
|
||||||
failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
|
failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
|
||||||
fi
|
fi
|
||||||
elif [ "$backup" -eq 0 ]; then
|
elif [ "$backup" -eq 0 ]; then
|
||||||
if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then
|
if [ "$advskew" -lt 100 ] || [ "$advskew" -gt 150 ]; then
|
||||||
failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
|
failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
|
@ -346,7 +349,9 @@ check_sshallowusers() {
|
||||||
}
|
}
|
||||||
check_evobackup_exclude_mount() {
|
check_evobackup_exclude_mount() {
|
||||||
excludes_file=$(mktemp)
|
excludes_file=$(mktemp)
|
||||||
trap "rm -f ${excludes_file}" 0
|
files_to_cleanup="${files_to_cleanup} ${excludes_file}"
|
||||||
|
|
||||||
|
# shellcheck disable=SC2013
|
||||||
for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
|
for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
|
||||||
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
|
||||||
not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}")
|
not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}")
|
||||||
|
@ -376,6 +381,7 @@ check_evolix_user() {
|
||||||
grep -q -E "^evolix:" /etc/passwd && failed "IS_EVOLIX_USER" "evolix user should not exist"
|
grep -q -E "^evolix:" /etc/passwd && failed "IS_EVOLIX_USER" "evolix user should not exist"
|
||||||
}
|
}
|
||||||
download_versions() {
|
download_versions() {
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local file
|
local file
|
||||||
file=${1:-}
|
file=${1:-}
|
||||||
|
|
||||||
|
@ -402,6 +408,7 @@ download_versions() {
|
||||||
test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}"
|
test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}"
|
||||||
}
|
}
|
||||||
get_command() {
|
get_command() {
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local program
|
local program
|
||||||
program=${1:-}
|
program=${1:-}
|
||||||
|
|
||||||
|
@ -416,7 +423,9 @@ get_command() {
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
get_version() {
|
get_version() {
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local program
|
local program
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local command
|
local command
|
||||||
program=${1:-}
|
program=${1:-}
|
||||||
command=${2:-}
|
command=${2:-}
|
||||||
|
@ -434,8 +443,20 @@ get_version() {
|
||||||
*) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
|
*) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
|
||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
get_lower_version() {
|
||||||
|
# shellcheck disable=SC2039
|
||||||
|
local actual_version
|
||||||
|
# shellcheck disable=SC2039
|
||||||
|
local expected_version
|
||||||
|
actual_version=${1:-}
|
||||||
|
expected_version=${2:-}
|
||||||
|
|
||||||
|
printf "%s\n%s" "${actual_version}" "${expected_version}" | sort -V | head -n 1
|
||||||
|
}
|
||||||
check_version() {
|
check_version() {
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local program
|
local program
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local expected_version
|
local expected_version
|
||||||
program=${1:-}
|
program=${1:-}
|
||||||
expected_version=${2:-}
|
expected_version=${2:-}
|
||||||
|
@ -448,14 +469,15 @@ check_version() {
|
||||||
failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}"
|
failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}"
|
||||||
elif [ "${actual_version}" = "${expected_version}" ]; then
|
elif [ "${actual_version}" = "${expected_version}" ]; then
|
||||||
: # Version check OK ; to check first because of the way the check works
|
: # Version check OK ; to check first because of the way the check works
|
||||||
elif [ "$(echo ${actual_version}\\n${expected_version} | sort -V | head -n 1)" = "${actual_version}" ]; then
|
elif [ "$(get_lower_version "${actual_version}" "${expected_version}")" = "${actual_version}" ]; then
|
||||||
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}"
|
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}"
|
||||||
elif [ "$(echo ${actual_version}\\n${expected_version} | sort -V | head -n 1)" = "${expected_version}" ]; then
|
elif [ "$(get_lower_version "${actual_version}" "${expected_version}")" = "${expected_version}" ]; then
|
||||||
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index."
|
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index."
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
add_to_path() {
|
add_to_path() {
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local new_path
|
local new_path
|
||||||
new_path=${1:-}
|
new_path=${1:-}
|
||||||
|
|
||||||
|
@ -463,12 +485,15 @@ add_to_path() {
|
||||||
}
|
}
|
||||||
check_versions() {
|
check_versions() {
|
||||||
versions_file=$(mktemp -p /tmp "evocheck-versions.XXXXXXXX")
|
versions_file=$(mktemp -p /tmp "evocheck-versions.XXXXXXXX")
|
||||||
trap "rm -f ${versions_file}" 0
|
files_to_cleanup="${files_to_cleanup} ${versions_file}"
|
||||||
|
|
||||||
download_versions "${versions_file}"
|
download_versions "${versions_file}"
|
||||||
add_to_path "/usr/share/scripts"
|
add_to_path "/usr/share/scripts"
|
||||||
|
|
||||||
grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
|
grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local program
|
local program
|
||||||
|
# shellcheck disable=SC2039
|
||||||
local version
|
local version
|
||||||
program=$(echo "${line}" | cut -d ' ' -f 1)
|
program=$(echo "${line}" | cut -d ' ' -f 1)
|
||||||
version=$(echo "${line}" | cut -d ' ' -f 2)
|
version=$(echo "${line}" | cut -d ' ' -f 2)
|
||||||
|
@ -542,12 +567,20 @@ main() {
|
||||||
|
|
||||||
exit ${RC}
|
exit ${RC}
|
||||||
}
|
}
|
||||||
|
cleanup_temp_files() {
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
rm -f ${files_to_cleanup}
|
||||||
|
}
|
||||||
|
|
||||||
# Disable LANG*
|
# Disable LANG*
|
||||||
export LANG=C
|
export LANG=C
|
||||||
export LANGUAGE=C
|
export LANGUAGE=C
|
||||||
|
|
||||||
|
files_to_cleanup=""
|
||||||
|
trap cleanup_temp_files 0
|
||||||
|
|
||||||
# Source configuration file
|
# Source configuration file
|
||||||
|
# shellcheck disable=SC1091
|
||||||
test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
test -f /etc/evocheck.cf && . /etc/evocheck.cf
|
||||||
|
|
||||||
# Parse options
|
# Parse options
|
||||||
|
@ -563,7 +596,6 @@ while :; do
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
--cron)
|
--cron)
|
||||||
IS_KERNELUPTODATE=0
|
|
||||||
IS_UPTIME=0
|
IS_UPTIME=0
|
||||||
IS_CHECK_VERSIONS=0
|
IS_CHECK_VERSIONS=0
|
||||||
;;
|
;;
|
||||||
|
@ -592,4 +624,5 @@ while :; do
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# shellcheck disable=SC2086
|
||||||
main ${ARGS}
|
main ${ARGS}
|
||||||
|
|
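Review bot: `cleanup_temp_files` in the `@ -542,12 +567,20 @@ main()` hunk removes whatever the unquoted `${files_to_cleanup}` word-splits and glob-expands into, so every path appended to that global must be free of whitespace and glob characters; the two producers in this commit (`mktemp` in `check_evobackup_exclude_mount` and `mktemp -p /tmp "evocheck-versions.XXXXXXXX"` in `check_versions`) satisfy that, but nothing states the contract next to the `# shellcheck disable=SC2086`. A header above the function such as `# Remove every temp file registered in files_to_cleanup (space-separated; paths must not contain whitespace or glob characters). Runs once from the EXIT trap.` would make the constraint visible to the next function that registers a file. The same hunk installs only `trap cleanup_temp_files 0`; whether that handler also runs when the script is terminated by SIGINT/SIGTERM depends on the shell the script runs under, which is outside these hunks, so a one-line comment stating the intended coverage (or extending the trap to `0 INT TERM` if that is wanted) is worth a look. `get_lower_version` in the `@ -434,8 +443,20 @@ get_version()` hunk is also new and undocumented; a one-line comment `# Print the lower of the two version strings $1 and $2, as ordered by sort -V` would suffice.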