@ -215,6 +215,16 @@ check_oldpub() {
apt-cache policy | grep --quiet pub.evolix.net
test $? -eq 1 || failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled"
}
check_oldpub_lxc() {
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Buster as Sury safeguard)
if is_installed lxc; then
container_list=$(lxc-ls)
for container in $container_list; do
lxc-attach --name $container apt-cache policy | grep --quiet pub.evolix.net
test $? -eq 1 || failed "IS_OLDPUB_LXC" "Old pub.evolix.net repository is still enabled in container ${container}"
done
fi
}
check_newpub() {
# Look for enabled pub.evolix.org sources
apt-cache policy | grep "\bl=Evolix\b" | grep --quiet -v php
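Review bot: In the new check_oldpub_lxc a container that cannot be attached to (stopped, or attach refused) makes the check pass silently: `lxc-attach` produces no output, grep exits 1 on empty input, and `test $? -eq 1` only ever sees grep's status. Limiting the loop to containers that can actually answer, `container_list=$(lxc-ls --running)`, removes the stopped case, and an attach failure on a running container should be reported rather than folded into "repository not found". The container name is also unquoted on the lxc-attach line; `--name "$container"` costs nothing. The added header comment reads "supersed" where "superseded" is meant.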
@ -278,8 +288,15 @@ check_customcrontab() {
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
}
check_sshallowusers() {
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
if is_debian_bookworm; then
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
&& failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
else
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
fi
}
check_diskperf() {
perfFile="/root/disk-perf.txt"
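Review bot: The bookworm branch of check_sshallowusers matches commented-out text: with `grep -E -qir "(AllowUsers|AllowGroups)"` a `#AllowUsers` line in sshd_config.d satisfies the "present" requirement, and the third grep reports a stale `#AllowUsers` comment left in sshd_config as a live directive. Anchoring the pattern to the start of a line, `grep -E -qr "^[[:space:]]*(AllowUsers|AllowGroups)"`, checks what sshd actually evaluates; `-r --include='*.conf'` on the sshd_config.d searches additionally keeps `.bak`/`.dpkg-old` leftovers from counting, since the stock Include line only reads `*.conf`. The else branch keeps the unanchored pattern as well, so the same change applies there if it is made.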
@ -336,7 +353,7 @@ check_minifw() {
} || failed "IS_MINIFW" "minifirewall seems not started"
}
check_minifw_includes() {
if is_debian_bullseye; then
if { ! is_debian_stretch && ! is_debian_buster ; }; then
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall"; then
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/"
fi
@ -363,13 +380,13 @@ check_nrpedisks() {
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
}
check_nrpepid() {
if { is_debian_bullseye || is_debian_bookworm ; }; then
if { is_debian_stretch || is_debian_buster ; }; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
else
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
fi
}
@ -726,6 +743,16 @@ check_etcgit() {
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|| failed "IS_ETCGIT" "/etc is not a git repository"
}
check_etcgit_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls)
for container in $container_list; do
export GIT_DIR="/var/lib/lxc/${container}/etc/.git" GIT_WORK_TREE="/var/lib/lxc/${container}/etc"
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|| failed "IS_ETCGIT_LXC" "/etc is not a git repository in container ${container}"
done
fi
}
# Check if /etc/.git/ has read/write permissions for root only.
check_gitperms() {
GIT_DIR="/etc/.git"
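Review bot: check_etcgit_lxc `export`s GIT_DIR and GIT_WORK_TREE inside the loop and never unsets them, so after the last iteration every later git invocation in this script and in anything it spawns runs against the last container's repository; check_gitperms, which reassigns GIT_DIR as a plain variable, inherits the exported state too. Pass the locations on the command line instead of through the environment: `git --git-dir="/var/lib/lxc/${container}/etc/.git" --work-tree="/var/lib/lxc/${container}/etc" rev-parse --is-inside-work-tree > /dev/null 2>&1 \`. Two things to confirm: if the container's filesystem lives under a `rootfs/` subdirectory of /var/lib/lxc/<name>, this path never matches and every container is reported as "not a git repository"; and for unprivileged (uid-mapped) containers a recent git refuses a repository owned by another uid as "dubious ownership", which this check would report the same way. The loop variable is also unquoted; `lxc-ls -1` yields one name per line if the word-splitting here is ever revisited.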
@ -735,6 +762,19 @@ check_gitperms() {
[ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected"
fi
}
check_gitperms_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls)
for container in $container_list; do
GIT_DIR="/var/lib/lxc/${container}/etc/.git"
if test -d $GIT_DIR; then
expected="700"
actual=$(stat -c "%a" $GIT_DIR)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})"
fi
done
fi
}
# Check if no package has been upgraded since $limit.
check_notupgraded() {
last_upgrade=0
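Review bot: In check_gitperms_lxc the container-derived path is used unquoted in `if test -d $GIT_DIR; then` and `actual=$(stat -c "%a" $GIT_DIR)`; quote both, `if test -d "$GIT_DIR"; then` and `actual=$(stat -c "%a" "$GIT_DIR")`. Because check_etcgit_lxc exports GIT_DIR earlier in main, this assignment updates an exported variable and a container-specific path leaks into the environment of every later git call; a function-specific name such as `git_dir` decouples the two checks. As with check_etcgit_lxc, confirm whether the container's /etc is really at `/var/lib/lxc/<name>/etc` rather than under `rootfs/`; with the wrong path `test -d` is false and the permission check silently passes for every container. The `test -d` guard also means an absent .git directory is not reported here, which is acceptable only because check_etcgit_lxc runs first in main.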
@ -1029,6 +1069,7 @@ check_phpevolinuxconf() {
is_debian_stretch && phpVersion="7.0"
is_debian_buster && phpVersion="7.3"
is_debian_bullseye && phpVersion="7.4"
is_debian_bookworm && phpVersion="8.2"
if is_installed php; then
{ test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
&& test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
@ -1519,6 +1560,7 @@ main() {
test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc
test "${IS_OLDPUB:=1}" = 1 && check_oldpub
test "${IS_OLDPUB_LXC:=1}" = 1 && check_oldpub_lxc
test "${IS_NEWPUB:=1}" = 1 && check_newpub
test "${IS_SURY:=1}" = 1 && check_sury
test "${IS_SURY_LXC:=1}" = 1 && check_sury_lxc
@ -1574,7 +1616,9 @@ main() {
test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
test "${IS_ETCGIT_LXC:=1}" = 1 && check_etcgit_lxc
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_GITPERMS_LXC:=1}" = 1 && check_gitperms_lxc
test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup