From 3fa6c082a1a68860da4a493cc290c53149127289 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 3 Jan 2022 09:34:30 +0100 Subject: [PATCH 01/20] check_mysqlmunin : Complain if munin plugin mysql_commands returns an error This is important to catch incompatibilities between the munin plugin and the mysql output --- CHANGELOG | 2 ++ evocheck.sh | 2 ++ 2 files changed, 4 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 2ecba16..478c6a9 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,6 +5,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Added +check_mysqlmunin : Complain if munin plugin mysql_commands returns an error + ### Changed ### Deprecated diff --git a/evocheck.sh b/evocheck.sh index b7cd83d..4589c26 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1006,6 +1006,8 @@ check_mysqlmunin() { test "${VERBOSE}" = 1 || break fi done + munin-run mysql_commands 2> /dev/null > /dev/null + test $? -eq 0 || failed "IS_MYSQLMUNIN" "Munin plugin mysql_commands returned an error" fi fi } From 1f81732c448c3cabc4d658168cb14d1034b3c241 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 27 Jan 2022 18:42:48 +0100 Subject: [PATCH 02/20] Better cleanup of temporary files + buffer for main output --- evocheck.sh | 57 ++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 39 insertions(+), 18 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 4589c26..204ec4e 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -142,9 +142,9 @@ failed() { RC=1 if [ "${QUIET}" != 1 ]; then if [ -n "${check_comments}" ] && [ "${VERBOSE}" = 1 ]; then - printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" 2>&1 + printf "%s FAILED! %s\n" "${check_name}" "${check_comments}" >> "${main_output_file}" else - printf "%s FAILED!\n" "${check_name}" 2>&1 + printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}" fi fi } @@ -328,8 +328,11 @@ check_tmoutprofile() { check_alert5boot() { if is_debian_buster || is_debian_bullseye; then grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" - test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing" - systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" + if [ -f /etc/systemd/system/alert5.service ]; then + systemctl is-enabled alert5.service -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" + else + failed "IS_ALERT5BOOT" "alert5 unit file is missing" + fi else if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" @@ -592,9 +595,9 @@ check_evobackup() { } # Vérification de l'exclusion des montages (NFS) dans les sauvegardes check_evobackup_exclude_mount() { - excludes_file=$(mktemp) - # shellcheck disable=SC2064 - trap "rm -f ${excludes_file}" 0 + excludes_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.evobackup_exclude_mount.XXXXX") + files_to_cleanup="${files_to_cleanup} ${excludes_file}" + # shellcheck disable=SC2044 for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" @@ -603,7 +606,6 @@ check_evobackup_exclude_mount() { failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" done done - rm -rf "${excludes_file}" } # Verification de la presence du userlogrotate check_userlogrotate() { @@ -809,8 +811,10 @@ check_tune2fs_m5() { check_evolinuxsudogroup() { if is_debian_stretch || is_debian_buster || is_debian_bullseye; then if grep -q "^evolinux-sudo:" /etc/group; then - grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \ - || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file" + if [ -f /etc/sudoers.d/evolinux ]; then + grep -qE '^%evolinux-sudo +ALL ?= ?\(ALL:ALL\) ALL' /etc/sudoers.d/evolinux \ + || failed "IS_EVOLINUXSUDOGROUP" "missing evolinux-sudo directive in sudoers file" + fi fi fi } @@ -1064,8 +1068,10 @@ check_squidevolinuxconf() { check_duplicate_fs_label() { # Do it only if thereis blkid binary BLKID_BIN=$(command -v blkid) - if [ -x "$BLKID_BIN" ]; then - tmpFile=$(mktemp -p /tmp) + if [ -n "$BLKID_BIN" ]; then + tmpFile=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.duplicate_fs_label.XXXXX") + files_to_cleanup="${files_to_cleanup} ${tmpFile}" + parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) for part in $parts; do echo "$part" >> "$tmpFile" @@ -1078,7 +1084,6 @@ check_duplicate_fs_label() { labels=$(echo -n $tmpOutput | tr '\n' ' ') failed "IS_DUPLICATE_FS_LABEL" "Duplicate labels: $labels" fi - rm "$tmpFile" else failed "IS_DUPLICATE_FS_LABEL" "blkid not found in ${PATH}" fi @@ -1459,9 +1464,9 @@ add_to_path() { echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}" } check_versions() { - versions_file=$(mktemp --tmpdir=/tmp "evocheck-versions.XXXXX") - # shellcheck disable=SC2064 - trap "rm -f ${versions_file}" 0 + versions_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.versions.XXXXX") + files_to_cleanup="${files_to_cleanup} ${versions_file}" + download_versions "${versions_file}" add_to_path "/usr/share/scripts" @@ -1479,8 +1484,6 @@ check_versions() { fi fi done - - rm -f "${versions_file}" } main() { @@ -1489,6 +1492,9 @@ main() { # Detect operating system name, version and release detect_os + main_output_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.main.XXXXX") + files_to_cleanup="${files_to_cleanup} ${main_output_file}" + #----------------------------------------------------------- # Tests communs à tous les systèmes #----------------------------------------------------------- @@ -1717,8 +1723,19 @@ main() { # - NRPEDISK et NRPEPOSTFIX fi + if [ -f "${main_output_file}" ]; then + if [ $(cat "${main_output_file}" | wc -l) -gt 0 ]; then + + cat "${main_output_file}" 2>&1 + fi + fi + exit ${RC} } +cleanup_temp_files() { + # shellcheck disable=SC2086 + rm -f ${files_to_cleanup} +} PROGNAME=$(basename "$0") # shellcheck disable=SC2034 @@ -1732,6 +1749,10 @@ readonly ARGS export LANG=C export LANGUAGE=C +files_to_cleanup="" +# shellcheck disable=SC2064 +trap cleanup_temp_files 0 + # Source configuration file # shellcheck disable=SC1091 test -f /etc/evocheck.cf && . /etc/evocheck.cf From 93f8440c92ff482e73409365a06265cbbe027e90 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 15 Mar 2022 23:17:44 +0100 Subject: [PATCH 03/20] check_versions : track minifirewall version --- CHANGELOG | 1 + evocheck.sh | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 478c6a9..c32d2a9 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -6,6 +6,7 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Added check_mysqlmunin : Complain if munin plugin mysql_commands returns an error +check_versions : track minifirewall version ### Changed diff --git a/evocheck.sh b/evocheck.sh index 204ec4e..13cf7ea 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1402,6 +1402,7 @@ get_command() { listupgrade) command -v "evolistupgrade.sh" ;; old-kernel-autoremoval) command -v "old-kernel-autoremoval.sh" ;; mysql-queries-killer) command -v "mysql-queries-killer.sh" ;; + minifirewall) echo "/etc/init.d/minifirewall" ;; ## General case, where the program name is the same as the command name *) command -v "${program}" ;; @@ -1422,6 +1423,9 @@ get_version() { add-vm) grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 ;; + minifirewall) + ${command} status | head -1 | cut -d ' ' -f 3 + ;; ## Let's try the --version flag before falling back to grep for the constant kvmstats) if ${command} --version > /dev/null 2> /dev/null; then From 26be0dfe72193c1857262e25a01b7f3c3d22f001 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Tue, 15 Mar 2022 23:23:24 +0100 Subject: [PATCH 04/20] Release 22.03 --- CHANGELOG | 9 ++++++--- evocheck.sh | 4 ++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index c32d2a9..ade15ba 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,9 +5,6 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Added -check_mysqlmunin : Complain if munin plugin mysql_commands returns an error -check_versions : track minifirewall version - ### Changed ### Deprecated @@ -18,6 +15,12 @@ check_versions : track minifirewall version ### Security +## [22.03] 2022-03-15 +### Added + +check_mysqlmunin : Complain if munin plugin mysql_commands returns an error +check_versions : track minifirewall version + ## [21.10.4] 2021-10-25 ### Changed diff --git a/evocheck.sh b/evocheck.sh index 13cf7ea..5680510 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="21.10.4" +VERSION="22.03" readonly VERSION # base functions @@ -13,7 +13,7 @@ show_version() { cat <, +Copyright 2009-2022 Evolix , Romain Dessort , Benoit Série , Gregory Colpart , From e921420d20c340408dc0a9eb7eb3adeccc3daedb Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 22 Mar 2022 11:01:08 +0100 Subject: [PATCH 05/20] check_autoif : Ignore lxcbr interfaces, new in bullseye --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 5680510..826eba7 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -570,7 +570,7 @@ check_network_interfaces() { # Verify if all if are in auto check_autoif() { if is_debian_stretch || is_debian_buster || is_debian_bullseye; then - interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") + interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") else interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ") fi From dabf05b4b78c924bd474218c8056e1eaa267aab6 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Tue, 22 Mar 2022 11:01:43 +0100 Subject: [PATCH 06/20] Release 22.03.1 --- CHANGELOG | 7 +++++++ evocheck.sh | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index ade15ba..00d1235 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -15,7 +15,14 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Security +## [22.03.1] 2022-03-22 + +### Changed + +check_autoif : Ignore lxcbr interfaces, new since bullseye + ## [22.03] 2022-03-15 + ### Added check_mysqlmunin : Complain if munin plugin mysql_commands returns an error diff --git a/evocheck.sh b/evocheck.sh index 826eba7..2f01afa 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.03" +VERSION="22.03.1" readonly VERSION # base functions From a14c83904fd0fdb333622cacd89102b2ab213446 Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Tue, 29 Mar 2022 16:21:01 +0200 Subject: [PATCH 07/20] check_debiansecurity: https://security.debian.org/debian-security is valid on bullseye The documentation for upgrading from buster and https://www.debian.org/security/ use 2 different URLs for the security repository. Consider both as valid. --- evocheck.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 2f01afa..38bd258 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -234,7 +234,8 @@ check_syslogconf() { check_debiansecurity() { if is_debian_bullseye; then # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive - pattern="^deb https://deb\.debian\.org/debian-security/? bullseye-security main" + # https://www.debian.org/security/ + pattern="^deb https://(deb|security)\.debian\.org/debian-security/? bullseye-security main" elif is_debian_buster; then pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main" elif is_debian_stretch; then From 3c0a88074f7be03250804a6297569230e26a5d6d Mon Sep 17 00:00:00 2001 From: Mathieu Trossevin Date: Tue, 29 Mar 2022 16:27:15 +0200 Subject: [PATCH 08/20] Update changelog --- CHANGELOG | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 00d1235..416203d 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -15,6 +15,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Security +check_debiansecurity: Consider both https://deb\.debian\.org/debian-security/ and https://security\.debian\.org/debian-security/ as valid since both are documented as such. + ## [22.03.1] 2022-03-22 ### Changed From 6eeca5eacd320f05b7a14dd2af3ff378ca9e4564 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Thu, 14 Apr 2022 09:45:39 +0200 Subject: [PATCH 09/20] check_versions: "IS_CHECK_VERSIONS" was checked but "IS_VERSIONS_CHECK" was echoed, now "IS_CHECK_VERSIONS" everywhere --- CHANGELOG | 2 ++ evocheck.sh | 14 +++++++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 416203d..689a7d8 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -13,6 +13,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Fixed +check_versions: "IS_CHECK_VERSIONS" was checked but "IS_VERSIONS_CHECK" was echoed, now "IS_CHECK_VERSIONS" everywhere + ### Security check_debiansecurity: Consider both https://deb\.debian\.org/debian-security/ and https://security\.debian\.org/debian-security/ as valid since both are documented as such. diff --git a/evocheck.sh b/evocheck.sh index 38bd258..5571e55 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1375,7 +1375,7 @@ download_versions() { elif is_openbsd; then versions_url="https://upgrades.evolix.org/versions-${OPENBSD_RELEASE}" else - failed "IS_VERSIONS_CHECK" "error determining os release" + failed "IS_CHECK_VERSIONS" "error determining os release" fi # fetch timeout, in seconds @@ -1388,9 +1388,9 @@ download_versions() { elif command -v GET; then GET -t ${timeout}s "${versions_url}" > "${versions_file}" else - failed "IS_VERSIONS_CHECK" "failed to find curl, wget or GET" + failed "IS_CHECK_VERSIONS" "failed to find curl, wget or GET" fi - test "$?" -eq 0 || failed "IS_VERSIONS_CHECK" "failed to download ${versions_url} to ${versions_file}" + test "$?" -eq 0 || failed "IS_CHECK_VERSIONS" "failed to download ${versions_url} to ${versions_file}" } get_command() { local program @@ -1452,11 +1452,11 @@ check_version() { actual_version=$(get_version "${program}" "${command}") # printf "program:%s expected:%s actual:%s\n" "${program}" "${expected_version}" "${actual_version}" if [ -z "${actual_version}" ]; then - failed "IS_VERSIONS_CHECK" "failed to lookup actual version of ${program}" + failed "IS_CHECK_VERSIONS" "failed to lookup actual version of ${program}" elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then - failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is older than expected version ${expected_version}" + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}" elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then - failed "IS_VERSIONS_CHECK" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update tour index." + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update tour index." else : # Version check OK fi @@ -1485,7 +1485,7 @@ check_versions() { if [ -n "${version}" ]; then check_version "${program}" "${version}" else - failed "IS_VERSIONS_CHECK" "failed to lookup expected version for ${program}" + failed "IS_CHECK_VERSIONS" "failed to lookup expected version for ${program}" fi fi done From b92d81fd91a4c1902730eed5b15d4259dbb8a9e7 Mon Sep 17 00:00:00 2001 From: Alexis Ben Miloud--Josselin Date: Tue, 19 Apr 2022 14:22:15 +0200 Subject: [PATCH 10/20] Typo in check_version' error message --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 5571e55..c705038 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1456,7 +1456,7 @@ check_version() { elif dpkg --compare-versions "${actual_version}" lt "${expected_version}"; then failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is older than expected version ${expected_version}" elif dpkg --compare-versions "${actual_version}" gt "${expected_version}"; then - failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update tour index." + failed "IS_CHECK_VERSIONS" "${program} version ${actual_version} is newer than expected version ${expected_version}, you should update your index." else : # Version check OK fi From 3694b364d3a48ad013ae9b9a870302c2a52f36fd Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 25 Apr 2022 09:55:12 +0200 Subject: [PATCH 11/20] IS_EVOBACKUP_EXCLUDE_MOUNT : skip if --one-file-system is used --- CHANGELOG | 2 ++ evocheck.sh | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 689a7d8..e26acc7 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Changed +* IS_EVOBACKUP_EXCLUDE_MOUNT : skip if --one-file-system is used + ### Deprecated ### Removed diff --git a/evocheck.sh b/evocheck.sh index c705038..3556897 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -601,7 +601,11 @@ check_evobackup_exclude_mount() { # shellcheck disable=SC2044 for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do - grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + # If rsync is not limited by "one-file-system" + # then we verify that every mount is excluded + grep -q -- "^\s*--one-file-system" "${evobackup_file}" \ + || grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' \ + > "${excludes_file}" not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") for mount in ${not_excluded}; do failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" From e1bafc2a0a0726ee172732bb0e67bb3dffbee5de Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 25 Apr 2022 09:57:09 +0200 Subject: [PATCH 12/20] Release 22.04 --- CHANGELOG | 25 +++++++++++++++++-------- evocheck.sh | 2 +- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index e26acc7..f9fe1f1 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,32 +7,40 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Changed -* IS_EVOBACKUP_EXCLUDE_MOUNT : skip if --one-file-system is used - ### Deprecated ### Removed ### Fixed -check_versions: "IS_CHECK_VERSIONS" was checked but "IS_VERSIONS_CHECK" was echoed, now "IS_CHECK_VERSIONS" everywhere +### Security + +## [22.04] 2022-04-25 + +### Changed + +* IS_EVOBACKUP_EXCLUDE_MOUNT : skip if --one-file-system is used + +### Fixed + +* check_versions: "IS_CHECK_VERSIONS" was checked but "IS_VERSIONS_CHECK" was echoed, now "IS_CHECK_VERSIONS" everywhere ### Security -check_debiansecurity: Consider both https://deb\.debian\.org/debian-security/ and https://security\.debian\.org/debian-security/ as valid since both are documented as such. +* check_debiansecurity: Consider both https://deb\.debian\.org/debian-security/ and https://security\.debian\.org/debian-security/ as valid since both are documented as such. ## [22.03.1] 2022-03-22 ### Changed -check_autoif : Ignore lxcbr interfaces, new since bullseye +* check_autoif : Ignore lxcbr interfaces, new since bullseye ## [22.03] 2022-03-15 ### Added -check_mysqlmunin : Complain if munin plugin mysql_commands returns an error -check_versions : track minifirewall version +* check_mysqlmunin : Complain if munin plugin mysql_commands returns an error +* check_versions : track minifirewall version ## [21.10.4] 2021-10-25 @@ -50,7 +58,8 @@ check_versions : track minifirewall version ## [21.10.2] 2021-10-22 ### Changed -Let's try the --version flag before falling back to grep for the constant + +* Let's try the --version flag before falling back to grep for the constant ## [21.10.1] 2021-10-01 diff --git a/evocheck.sh b/evocheck.sh index 3556897..07ec97f 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.03.1" +VERSION="22.04" readonly VERSION # base functions From f5b19ad6562aa7c72a350a2951553966fd317024 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 25 Apr 2022 10:08:14 +0200 Subject: [PATCH 13/20] fix various shellcheck violations --- CHANGELOG | 2 ++ evocheck.sh | 12 +++++++----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index f9fe1f1..57d1f24 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Changed +* fix various shellcheck violations + ### Deprecated ### Removed diff --git a/evocheck.sh b/evocheck.sh index 07ec97f..f03f7e4 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -596,7 +596,7 @@ check_evobackup() { } # Vérification de l'exclusion des montages (NFS) dans les sauvegardes check_evobackup_exclude_mount() { - excludes_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.evobackup_exclude_mount.XXXXX") + excludes_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.evobackup_exclude_mount.XXXXX") files_to_cleanup="${files_to_cleanup} ${excludes_file}" # shellcheck disable=SC2044 @@ -1074,7 +1074,7 @@ check_duplicate_fs_label() { # Do it only if thereis blkid binary BLKID_BIN=$(command -v blkid) if [ -n "$BLKID_BIN" ]; then - tmpFile=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.duplicate_fs_label.XXXXX") + tmpFile=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.duplicate_fs_label.XXXXX") files_to_cleanup="${files_to_cleanup} ${tmpFile}" parts=$($BLKID_BIN -c /dev/null | grep -ve raid_member -e EFI_SYSPART | grep -Eo ' LABEL=".*"' | cut -d'"' -f2) @@ -1473,7 +1473,7 @@ add_to_path() { echo "$PATH" | grep -qF "${new_path}" || export PATH="${PATH}:${new_path}" } check_versions() { - versions_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.versions.XXXXX") + versions_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.versions.XXXXX") files_to_cleanup="${files_to_cleanup} ${versions_file}" download_versions "${versions_file}" @@ -1501,7 +1501,7 @@ main() { # Detect operating system name, version and release detect_os - main_output_file=$(mktemp --tmpdir=${TMPDIR:-/tmp} "evocheck.main.XXXXX") + main_output_file=$(mktemp --tmpdir="${TMPDIR:-/tmp}" "evocheck.main.XXXXX") files_to_cleanup="${files_to_cleanup} ${main_output_file}" #----------------------------------------------------------- @@ -1733,7 +1733,9 @@ main() { fi if [ -f "${main_output_file}" ]; then - if [ $(cat "${main_output_file}" | wc -l) -gt 0 ]; then + lines_found=$(wc -l < "${main_output_file}") + # shellcheck disable=SC2086 + if [ ${lines_found} -gt 0 ]; then cat "${main_output_file}" 2>&1 fi From bef0eba53917bbbbb84e3e37698244ab1f7c2918 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 25 Apr 2022 10:32:26 +0200 Subject: [PATCH 14/20] IS_EVOBACKUP_EXCLUDE_MOUNT: fix one-file-system restriction --- CHANGELOG | 2 ++ evocheck.sh | 14 +++++++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 57d1f24..8d2caa5 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -15,6 +15,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Fixed +* IS_EVOBACKUP_EXCLUDE_MOUNT: fix one-file-system restriction + ### Security ## [22.04] 2022-04-25 diff --git a/evocheck.sh b/evocheck.sh index f03f7e4..b6d5ef0 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -603,13 +603,13 @@ check_evobackup_exclude_mount() { for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do # If rsync is not limited by "one-file-system" # then we verify that every mount is excluded - grep -q -- "^\s*--one-file-system" "${evobackup_file}" \ - || grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' \ - > "${excludes_file}" - not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") - for mount in ${not_excluded}; do - failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" - done + if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") + for mount in ${not_excluded}; do + failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" + done + fi done } # Verification de la presence du userlogrotate From 7ff09cd97376c6a78e2c30102724ccce61b9c5ce Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Mon, 25 Apr 2022 10:33:11 +0200 Subject: [PATCH 15/20] Release 22.04.1 --- CHANGELOG | 14 ++++++++++---- evocheck.sh | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 8d2caa5..bbe8c3f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,18 +7,24 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Changed -* fix various shellcheck violations - ### Deprecated ### Removed ### Fixed -* IS_EVOBACKUP_EXCLUDE_MOUNT: fix one-file-system restriction - ### Security +## [22.04.1] 2022-04-25 + +### Changed + +* fix various shellcheck violations + +### Fixed + +* IS_EVOBACKUP_EXCLUDE_MOUNT: fix one-file-system restriction + ## [22.04] 2022-04-25 ### Changed diff --git a/evocheck.sh b/evocheck.sh index b6d5ef0..4f24ae7 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.04" +VERSION="22.04.1" readonly VERSION # base functions From 7a57016da1307e69384e7e95977e21b77a402308 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 May 2022 15:43:25 +0200 Subject: [PATCH 16/20] IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command --- CHANGELOG | 2 ++ evocheck.sh | 21 ++++++++++++--------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index bbe8c3f..0b50229 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,6 +7,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Changed +IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command + ### Deprecated ### Removed diff --git a/evocheck.sh b/evocheck.sh index 4f24ae7..657447a 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -601,14 +601,17 @@ check_evobackup_exclude_mount() { # shellcheck disable=SC2044 for evobackup_file in $(find /etc/cron* -name '*evobackup*' | grep -v -E ".disabled$"); do - # If rsync is not limited by "one-file-system" - # then we verify that every mount is excluded - if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then - grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" - not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") - for mount in ${not_excluded}; do - failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" - done + # if the file seems to be a backup script, with an Rsync invocation + if grep -q "^\s*rsync" "${evobackup_file}"; then + # If rsync is not limited by "one-file-system" + # then we verify that every mount is excluded + if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then + grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}" + not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}") + for mount in ${not_excluded}; do + failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script" + done + fi fi done } @@ -1429,7 +1432,7 @@ get_version() { grep '^VERSION=' "${command}" | head -1 | cut -d '=' -f 2 ;; minifirewall) - ${command} status | head -1 | cut -d ' ' -f 3 + ${command} version | head -1 | cut -d ' ' -f 3 ;; ## Let's try the --version flag before falling back to grep for the constant kvmstats) From 40687bc294caadef85e190f10400f313ec799004 Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 12 May 2022 15:45:54 +0200 Subject: [PATCH 17/20] Release 22.05 --- CHANGELOG | 8 ++++++-- evocheck.sh | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 0b50229..c306f7a 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -7,8 +7,6 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp ### Changed -IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command - ### Deprecated ### Removed @@ -17,6 +15,12 @@ IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command ### Security +## [22.05] 2022-05-12 + +### Changed + +IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command + ## [22.04.1] 2022-04-25 ### Changed diff --git a/evocheck.sh b/evocheck.sh index 657447a..cf901bb 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -4,7 +4,7 @@ # Script to verify compliance of a Debian/OpenBSD server # powered by Evolix -VERSION="22.04.1" +VERSION="22.05" readonly VERSION # base functions From 124efe7f380b42727dac4e6ae014c07e788270ca Mon Sep 17 00:00:00 2001 From: "William Hirigoyen (Evolix)" Date: Wed, 25 May 2022 12:22:55 +0200 Subject: [PATCH 18/20] Ajoute le cas /etc/init.d/alert5 pour IS_ALERT5MINIFW et IS_ALERT5BOOT --- evocheck.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/evocheck.sh b/evocheck.sh index cf901bb..2a07975 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -337,6 +337,8 @@ check_alert5boot() { else if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^date" /etc/init.d/alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 int script" else failed "IS_ALERT5BOOT" "alert5 init script is missing" fi @@ -350,6 +352,9 @@ check_alert5minifw() { if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + elif [ -n "$(find /etc/init.d/ -name 'alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/init.d/alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" else failed "IS_ALERT5MINIFW" "alert5 init script is missing" fi From 3935bccfabd4b004f3520981c9d161a7852fe4c5 Mon Sep 17 00:00:00 2001 From: Bruno TATU Date: Wed, 25 May 2022 17:02:28 +0200 Subject: [PATCH 19/20] =?UTF-8?q?#65947=20meilleure=20d=C3=A9tection=20de?= =?UTF-8?q?=20dump=20compress=C3=A9=20ou=20non=20pour=20mongo?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 2a07975..86372fc 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -960,7 +960,7 @@ check_mongo_backup() { # You could change the default path in /etc/evocheck.cf MONGO_BACKUP_PATH=${MONGO_BACKUP_PATH:-"/home/backup/mongodump"} if [ -d "$MONGO_BACKUP_PATH" ]; then - for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}; do + for file in "${MONGO_BACKUP_PATH}"/*/*.{json,bson}.*; do # Skip indexes file. if ! [[ "$file" =~ indexes ]]; then limit=$(date +"%s" -d "now - 2 day") From 294c96b077818ad8f4ec08f6d1daa5a7678313e7 Mon Sep 17 00:00:00 2001 From: Gregory Colpart Date: Tue, 31 May 2022 11:04:35 +0200 Subject: [PATCH 20/20] Fix Debian security repo for Bullseye, cf https://www.debian.org/releases/stable/errata --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 86372fc..c41da45 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -235,7 +235,7 @@ check_debiansecurity() { if is_debian_bullseye; then # https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive # https://www.debian.org/security/ - pattern="^deb https://(deb|security)\.debian\.org/debian-security/? bullseye-security main" + pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main" elif is_debian_buster; then pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main" elif is_debian_stretch; then