CHANGELOG for IS_SSHALLOWUSERS change from ansible-roles

linux/CHANGELOG

@@ -9,16 +9,25 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
 * IS_LXC_OPENSSH: check in openssh is installed in containers
 * IS_LXC_PHP_BAD_DEBIAN_VERSION: check if php containers use the expected Debian release
 * IS_DEBIANSECURITY_LXC: IS_DEBIANSECURITY in containers
-* IS_SURY_LXC: in containers
+* IS_SURY_LXC: IS_SURY in containers
+* IS_OLDPUB_LXC: IS_OLDPUB in containers
+* IS_ETCGIT_LXC: IS_ETCGIT in containers
+* IS_GITPERMS_LXC: IS_GITPERMS in containers
 
 ### Changed
 
+* IS_SSHALLOWUSERS: add Debian 12 condition
+* IS_PHPEVOLINUXCONF: update for bookworm
+* IS_MINIFWINCLUDES, IS_NRPEPID: Change Debian release detection logic
+
 ### Deprecated
 
 ### Removed
 
 ### Fixed
 
+* IS_EVOBACKUP_EXCLUDE_MOUNT: fix regression introduced in previous version
+
 ### Security
 
 ## [23.10] 2023-10-26

linux/evocheck.sh

@@ -215,6 +215,16 @@ check_oldpub() {
     apt-cache policy | grep --quiet pub.evolix.net
     test $? -eq 1 || failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled"
 }
+check_oldpub_lxc() {
+    # Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Buster as Sury safeguard)
+    if is_installed lxc; then
+        container_list=$(lxc-ls)
+        for container in $container_list; do
+            lxc-attach --name $container apt-cache policy | grep --quiet pub.evolix.net
+            test $? -eq 1 || failed "IS_OLDPUB_LXC" "Old pub.evolix.net repository is still enabled in container ${container}"
+        done
+    fi
+}
 check_newpub() {
     # Look for enabled pub.evolix.org sources
     apt-cache policy | grep "\bl=Evolix\b" | grep --quiet -v php
@@ -278,8 +288,15 @@ check_customcrontab() {
     test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
 }
 check_sshallowusers() {
-    grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
-        || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
+    if is_debian_bookworm; then
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d \
+            || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
+            && failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
+    else
+        grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
+            || failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
+    fi
 }
 check_diskperf() {
     perfFile="/root/disk-perf.txt"
@@ -336,7 +353,7 @@ check_minifw() {
     } || failed "IS_MINIFW" "minifirewall seems not started"
 }
 check_minifw_includes() {
-    if is_debian_bullseye; then
+    if { ! is_debian_stretch && ! is_debian_buster ; }; then
         if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall"; then
             failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/"
         fi
@@ -363,13 +380,13 @@ check_nrpedisks() {
     test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
 }
 check_nrpepid() {
-    if { is_debian_bullseye || is_debian_bookworm ; }; then
+    if { is_debian_stretch || is_debian_buster ; }; then
         { test -e /etc/nagios/nrpe.cfg \
-            && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
+            && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
         } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
     else
         { test -e /etc/nagios/nrpe.cfg \
-            && grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
+            && grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
         } || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
     fi
 }
@@ -726,6 +743,16 @@ check_etcgit() {
     git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
         || failed "IS_ETCGIT" "/etc is not a git repository"
 }
+check_etcgit_lxc() {
+    if is_installed lxc; then
+        container_list=$(lxc-ls)
+        for container in $container_list; do
+            export GIT_DIR="/var/lib/lxc/${container}/etc/.git" GIT_WORK_TREE="/var/lib/lxc/${container}/etc"
+            git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
+                || failed "IS_ETCGIT_LXC" "/etc is not a git repository in container ${container}"
+        done
+    fi
+}
 # Check if /etc/.git/ has read/write permissions for root only.
 check_gitperms() {
     GIT_DIR="/etc/.git"
@@ -735,6 +762,19 @@ check_gitperms() {
         [ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected"
     fi
 }
+check_gitperms_lxc() {
+    if is_installed lxc; then
+        container_list=$(lxc-ls)
+        for container in $container_list; do
+            GIT_DIR="/var/lib/lxc/${container}/etc/.git"
+            if test -d $GIT_DIR; then
+                expected="700"
+                actual=$(stat -c "%a" $GIT_DIR)
+		[ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})"
+            fi
+        done
+    fi
+}
 # Check if no package has been upgraded since $limit.
 check_notupgraded() {
     last_upgrade=0
@@ -1029,6 +1069,7 @@ check_phpevolinuxconf() {
     is_debian_stretch  && phpVersion="7.0"
     is_debian_buster   && phpVersion="7.3"
     is_debian_bullseye && phpVersion="7.4"
+    is_debian_bookworm && phpVersion="8.2"
     if is_installed php; then
         { test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
             && test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
@@ -1519,6 +1560,7 @@ main() {
     test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
     test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc
     test "${IS_OLDPUB:=1}" = 1 && check_oldpub
+    test "${IS_OLDPUB_LXC:=1}" = 1 && check_oldpub_lxc
     test "${IS_NEWPUB:=1}" = 1 && check_newpub
     test "${IS_SURY:=1}" = 1 && check_sury
     test "${IS_SURY_LXC:=1}" = 1 && check_sury_lxc
@@ -1574,7 +1616,9 @@ main() {
     test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
     test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
     test "${IS_ETCGIT:=1}" = 1 && check_etcgit
+    test "${IS_ETCGIT_LXC:=1}" = 1 && check_etcgit_lxc
     test "${IS_GITPERMS:=1}" = 1 && check_gitperms
+    test "${IS_GITPERMS_LXC:=1}" = 1 && check_gitperms_lxc
     test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
     test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
     test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup