Fixed various shellcheck violations and added a function to cleanup files at once instead of using multiple trap rm

This commit is contained in:
Jérémy Dubois 2022-06-16 17:21:06 +02:00
parent 8d460b039d
commit d35d7491f1
2 changed files with 64 additions and 26 deletions


@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased] ## [Unreleased]
### Changed
- Fixed various shellcheck violations
- Added a function to cleanup files at once instead of using multiple trap rm
## [22.04] - 2022-04-13 ## [22.04] - 2022-04-13
### Added ### Added


@ -45,7 +45,7 @@ END
} }
is_installed(){ is_installed(){
for pkg in "$@"; do for pkg in "$@"; do
pkg_info | grep -q $pkg || return 1 pkg_info | grep -q "$pkg" || return 1
done done
} }
@ -75,12 +75,12 @@ check_tmpnoexec(){
mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option" mount | grep "on /tmp" | grep -q noexec || failed "IS_TMPNOEXEC" "/tmp should be mounted with the noexec option"
} }
check_softdep(){ check_softdep(){
if [ $(grep -c softdep /etc/fstab) -ne $(grep -c ffs /etc/fstab) ]; then if [ "$(grep -c softdep /etc/fstab)" -ne "$(grep -c ffs /etc/fstab)" ]; then
failed "IS_SOFTDEP" "All partitions should have the softdep option" failed "IS_SOFTDEP" "All partitions should have the softdep option"
fi fi
} }
check_noatime(){ check_noatime(){
if [ $(mount | grep -c noatime) -ne $(grep ffs /etc/fstab | grep -vc ^\#) ]; then if [ "$(mount | grep -c noatime)" -ne "$(grep ffs /etc/fstab | grep -vc ^\#)" ]; then
failed "IS_NOATIME" "All partitions should be mounted with the noatime option" failed "IS_NOATIME" "All partitions should be mounted with the noatime option"
fi fi
} }
@ -92,12 +92,12 @@ check_tmoutprofile(){
fi fi
} }
check_raidok(){ check_raidok(){
egrep 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1 grep -E 'sd.*RAID' /var/run/dmesg.boot 1> /dev/null 2>&1
RESULT=$? RESULT=$?
if [ $RESULT -eq 0 ]; then if [ $RESULT -eq 0 ]; then
raid_device=$(egrep 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }' | tail -1) raid_device=$(grep -E 'sd.*RAID' /var/run/dmesg.boot | awk '{ print $1 }' | tail -1)
raid_status=$(bioctl $raid_device | grep softraid | awk '{ print $3 }') raid_status=$(bioctl "$raid_device" | grep softraid | awk '{ print $3 }')
if [ $raid_status != "Online" ]; then if [ "$raid_status" != "Online" ]; then
failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations" failed "IS_RAIDOK" "One of the RAID disk members is faulty. Use bioctl -h $raid_device for more informations"
fi fi
fi fi
@ -110,14 +110,14 @@ check_evobackup(){
fi fi
} }
check_uptodate(){ check_uptodate(){
if [ $(command -v syspatch) ]; then if [ "$(command -v syspatch)" ]; then
if syspatch -c | egrep "." 1> /dev/null 2>&1; then if syspatch -c | grep -E "." 1> /dev/null 2>&1; then
failed "IS_UPTODATE" "Security update available! Update with syspatch(8)!" failed "IS_UPTODATE" "Security update available! Update with syspatch(8)!"
fi fi
fi fi
} }
check_uptime(){ check_uptime(){
let "uptime = $(date +"%s") - $(sysctl -n kern.boottime)" uptime=$(($(date +"%s") - $(sysctl -n kern.boottime)))
if [ "$uptime" -gt "$(( 2*365*24*60*60 ))" ]; then if [ "$uptime" -gt "$(( 2*365*24*60*60 ))" ]; then
failed "IS_UPTIME" "The server has an uptime of more than 2 years, reboot on new kernel advised" failed "IS_UPTIME" "The server has an uptime of more than 2 years, reboot on new kernel advised"
fi fi
@ -126,8 +126,8 @@ check_backupuptodate(){
backup_dir="/home/backup" backup_dir="/home/backup"
if [ -d "${backup_dir}" ]; then if [ -d "${backup_dir}" ]; then
if [ -n "$(ls -A ${backup_dir})" ]; then if [ -n "$(ls -A ${backup_dir})" ]; then
for file in ${backup_dir}/*; do for file in "${backup_dir}"/*; do
let "limit = $(date +"%s") - 172800" limit=$(($(date +"%s") - 172800))
updated_at=$(stat -f "%m" "$file") updated_at=$(stat -f "%m" "$file")
if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then if [ -f "$file" ] && [ "$limit" -gt "$updated_at" ]; then
@ -154,11 +154,11 @@ check_carpadvbase(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
bad_advbase=0 bad_advbase=0
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
if [[ "$advbase" -gt 5 ]]; then if [ "$advbase" -gt 5 ]; then
bad_advbase=1 bad_advbase=1
fi fi
done done
if [[ "$bad_advbase" -eq 1 ]]; then if [ "$bad_advbase" -eq 1 ]; then
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!" failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
fi fi
fi fi
@ -166,7 +166,7 @@ check_carpadvbase(){
check_carppreempt(){ check_carppreempt(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2) preempt=$(sysctl net.inet.carp.preempt | cut -d"=" -f2)
if [[ "$preempt" -ne 1 ]]; then if [ "$preempt" -ne 1 ]; then
failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in" failed "IS_CARPPREEMPT" "The preempt function is not activated! Please type 'sysctl net.inet.carp.preempt=1' in"
fi fi
if [ -f /etc/sysctl.conf ]; then if [ -f /etc/sysctl.conf ]; then
@ -198,6 +198,7 @@ check_pkgmirror(){
} }
check_history(){ check_history(){
file=/root/.profile file=/root/.profile
# shellcheck disable=SC2015
grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=100000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=100000' are present in /root/.profile" grep -qE "^HISTFILE=\$HOME/.histfile" $file && grep -qE "^export HISTSIZE=100000" $file || failed "IS_HISTORY" "Make sure both 'HISTFILE=$HOME/.histfile' and 'export HISTSIZE=100000' are present in /root/.profile"
} }
check_vim(){ check_vim(){
@ -213,6 +214,7 @@ check_customsyslog(){
} }
check_sudomaint(){ check_sudomaint(){
file=/etc/sudoers file=/etc/sudoers
# shellcheck disable=SC2015
grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \ grep -q "Cmnd_Alias MAINT = /usr/share/scripts/evomaintenance.sh" $file \
&& grep -q "%wheel ALL=NOPASSWD: MAINT" $file \ && grep -q "%wheel ALL=NOPASSWD: MAINT" $file \
|| failed "IS_SUDOMAINT" "" || failed "IS_SUDOMAINT" ""
@ -304,7 +306,7 @@ check_defaultroute(){
} }
check_ntp(){ check_ntp(){
if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then if grep -q "server ntp.evolix.net" /etc/ntpd.conf; then
if [ $(wc -l /etc/ntpd.conf | awk '{print $1}') -ne 1 ]; then if [ "$(wc -l /etc/ntpd.conf | awk '{print $1}')" -ne 1 ]; then
failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"." failed "IS_NTP" "The /etc/ntpd.conf file should only contains \"server ntp.evolix.net\"."
fi fi
else else
@ -313,23 +315,24 @@ check_ntp(){
} }
check_openvpncronlog(){ check_openvpncronlog(){
if /etc/rc.d/openvpn check > /dev/null 2>&1; then if /etc/rc.d/openvpn check > /dev/null 2>&1; then
# shellcheck disable=SC2016
grep -q 'cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo "$(date +\\%F. .\\%R) - logfile turned over via cron" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name "openvpn.log.\*" -mtime .365 -exec rm {} \\+' /var/cron/tabs/root || failed "IS_OPENVPNCRONLOG" "OpenVPN is enabled but there is no log rotation in the root crontab, or the cron is not up to date (OpenVPN log rotation in newsyslog is not used because a restart is needed)." grep -q 'cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo "$(date +\\%F. .\\%R) - logfile turned over via cron" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name "openvpn.log.\*" -mtime .365 -exec rm {} \\+' /var/cron/tabs/root || failed "IS_OPENVPNCRONLOG" "OpenVPN is enabled but there is no log rotation in the root crontab, or the cron is not up to date (OpenVPN log rotation in newsyslog is not used because a restart is needed)."
fi fi
} }
check_carpadvskew(){ check_carpadvskew(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do for carp in $(ifconfig carp | grep ^carp | awk '{print $1}' | tr -d ":"); do
ifconfig $carp | grep -q master ifconfig "$carp" | grep -q master
master=$? master=$?
ifconfig $carp | grep -q backup ifconfig "$carp" | grep -q backup
backup=$? backup=$?
advskew=$(ifconfig $carp | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}') advskew=$(ifconfig "$carp" | grep advbase | awk -F 'advskew' '{print $2}' | awk '{print $1}')
if [ "$master" -eq 0 ]; then if [ "$master" -eq 0 ]; then
if [ $advskew -lt 1 ] || [ $advskew -gt 50 ]; then if [ "$advskew" -lt 1 ] || [ "$advskew" -gt 50 ]; then
failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew" failed "IS_CARPADVSKEW" "Interface $carp is master : advskew must be between 1 and 50, and must remain lower than that of the backup - current value : $advskew"
fi fi
elif [ "$backup" -eq 0 ]; then elif [ "$backup" -eq 0 ]; then
if [ $advskew -lt 100 ] || [ $advskew -gt 150 ]; then if [ "$advskew" -lt 100 ] || [ "$advskew" -gt 150 ]; then
failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew" failed "IS_CARPADVSKEW" "Interface $carp is backup : advskew must be between 100 and 150, and must remain greater than that of the master - current value : $advskew"
fi fi
else else
@ -346,7 +349,9 @@ check_sshallowusers() {
} }
check_evobackup_exclude_mount() { check_evobackup_exclude_mount() {
excludes_file=$(mktemp) excludes_file=$(mktemp)
trap "rm -f ${excludes_file}" 0 files_to_cleanup="${files_to_cleanup} ${excludes_file}"
# shellcheck disable=SC2013
for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do for evobackup_file in $(grep -Eo "/usr/share/scripts/zzz_evobackup.*" /etc/daily.local | grep -v "^#" | awk '{print $1}'); do
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}") not_excluded=$(mount | grep "type nfs" | awk '{print $3}' | grep -v -f "${excludes_file}")
@ -376,6 +381,7 @@ check_evolix_user() {
grep -q -E "^evolix:" /etc/passwd && failed "IS_EVOLIX_USER" "evolix user should not exist" grep -q -E "^evolix:" /etc/passwd && failed "IS_EVOLIX_USER" "evolix user should not exist"
} }
download_versions() { download_versions() {
# shellcheck disable=SC2039
local file local file
file=${1:-} file=${1:-}
@ -402,6 +408,7 @@ download_versions() {
test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}" test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}"
} }
get_command() { get_command() {
# shellcheck disable=SC2039
local program local program
program=${1:-} program=${1:-}
@ -416,7 +423,9 @@ get_command() {
esac esac
} }
get_version() { get_version() {
# shellcheck disable=SC2039
local program local program
# shellcheck disable=SC2039
local command local command
program=${1:-} program=${1:-}
command=${2:-} command=${2:-}
@ -434,8 +443,20 @@ get_version() {
*) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;; *) ${command} --version 2> /dev/null | head -1 | cut -d ' ' -f 3 ;;
esac esac
} }
get_lower_version() {
# shellcheck disable=SC2039
local actual_version
# shellcheck disable=SC2039
local expected_version
actual_version=${1:-}
expected_version=${2:-}
printf "%s\n%s" "${actual_version}" "${expected_version}" | sort -V | head -n 1
}
check_version() { check_version() {
# shellcheck disable=SC2039
local program local program
# shellcheck disable=SC2039
local expected_version local expected_version
program=${1:-} program=${1:-}
expected_version=${2:-} expected_version=${2:-}
@ -448,14 +469,15 @@ check_version() {
failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}" failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}"
elif [ "${actual_version}" = "${expected_version}" ]; then elif [ "${actual_version}" = "${expected_version}" ]; then
: # Version check OK ; to check first because of the way the check works : # Version check OK ; to check first because of the way the check works
elif [ "$(echo ${actual_version}\\n${expected_version} | sort -V | head -n 1)" = "${actual_version}" ]; then elif [ "$(get_lower_version "${actual_version}" "${expected_version}")" = "${actual_version}" ]; then
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}" failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}"
elif [ "$(echo ${actual_version}\\n${expected_version} | sort -V | head -n 1)" = "${expected_version}" ]; then elif [ "$(get_lower_version "${actual_version}" "${expected_version}")" = "${expected_version}" ]; then
failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index." failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index."
fi fi
fi fi
} }
add_to_path() { add_to_path() {
# shellcheck disable=SC2039
local new_path local new_path
new_path=${1:-} new_path=${1:-}
@ -463,12 +485,15 @@ add_to_path() {
} }
check_versions() { check_versions() {
versions_file=$(mktemp -p /tmp "evocheck-versions.XXXXXXXX") versions_file=$(mktemp -p /tmp "evocheck-versions.XXXXXXXX")
trap "rm -f ${versions_file}" 0 files_to_cleanup="${files_to_cleanup} ${versions_file}"
download_versions "${versions_file}" download_versions "${versions_file}"
add_to_path "/usr/share/scripts" add_to_path "/usr/share/scripts"
grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do grep -v '^ *#' < "${versions_file}" | while IFS= read -r line; do
# shellcheck disable=SC2039
local program local program
# shellcheck disable=SC2039
local version local version
program=$(echo "${line}" | cut -d ' ' -f 1) program=$(echo "${line}" | cut -d ' ' -f 1)
version=$(echo "${line}" | cut -d ' ' -f 2) version=$(echo "${line}" | cut -d ' ' -f 2)
@ -542,12 +567,20 @@ main() {
exit ${RC} exit ${RC}
} }
cleanup_temp_files() {
# shellcheck disable=SC2086
rm -f ${files_to_cleanup}
}
# Disable LANG* # Disable LANG*
export LANG=C export LANG=C
export LANGUAGE=C export LANGUAGE=C
files_to_cleanup=""
trap cleanup_temp_files 0
# Source configuration file # Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf test -f /etc/evocheck.cf && . /etc/evocheck.cf
# Parse options # Parse options
@ -563,7 +596,6 @@ while :; do
exit 0 exit 0
;; ;;
--cron) --cron)
IS_KERNELUPTODATE=0
IS_UPTIME=0 IS_UPTIME=0
IS_CHECK_VERSIONS=0 IS_CHECK_VERSIONS=0
;; ;;
@ -592,4 +624,5 @@ while :; do
shift shift
done done
# shellcheck disable=SC2086
main ${ARGS} main ${ARGS}
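Review bot: The new `trap cleanup_temp_files 0` in the `@ -542,12 +567,20 @@ main()` hunk registers only the EXIT trap, so the mktemp files that `check_evobackup_exclude_mount` and `check_versions` append to `files_to_cleanup` are left behind in /tmp when the script is stopped by a signal, unless the target shell also runs the EXIT trap on signal death (the SC2039 disables suggest this runs under /bin/sh, where that behaviour varies between implementations). Adding `trap 'exit 1' 1 2 15` right after the existing trap line routes HUP/INT/TERM through exit, which does run the EXIT trap. Neither `mktemp` call checks its exit status, so on failure an empty string is appended to `files_to_cleanup` and the later `> "${excludes_file}"` redirect fails with a less obvious error; a `|| failed ...` (or a return) after each mktemp assignment would make that explicit. The new `cleanup_temp_files` function also deserves a header comment, e.g. `# Remove every temp file registered in files_to_cleanup (space-separated mktemp paths); runs from the EXIT trap, so the SC2086 word splitting is intentional.`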