evolix/evocheck
evolix/evocheck
21
2
Fork 2
Code Issues 48 Pull requests 5 Releases 37 Wiki Activity

Compare commits

base: evolix:master
Branches Tags
evolix:master
evolix:148
evolix:evoversions
evolix:autoif-bullseye
evolix:check_all_files_in_backup_dir
evolix:IS_NETWORKING_SERVICE
evolix:sources.list-support-option
evolix:IS_SYSTEMDUSERUNIT
evolix:minifirewall_systemd
evolix:check_compressed_mongodump
evolix:bullseye
evolix:IS_LXC_CONTAINER_RESOLV_CONF
evolix:is_mysql_upgrade
evolix:buster-support
evolix:no-check-valid-until
evolix:release-19.06
evolix:fix-mysqlnrpe
evolix:apachesymlink-verbose
evolix:debian
evolix:VERBOSE-ALERT5MINIFW
evolix:11-Check-for-sysadmins-home-size
evolix:linux/24.01
evolix:linux/23.11.1
evolix:linux/23.11
evolix:linux/23.10
evolix:linux/23.07
evolix:openbsd/23.06
evolix:linyx/23.04.01
evolix:linux/23.04
evolix:linux/23.03.01
evolix:linux/23.03
evolix:linux/23.02
evolix:openbsd/23.02
evolix:linux/23.0.2
evolix:openbsd/22.12
evolix:linux/22.12
evolix:openbsd/22.11
evolix:linux/22.11
evolix:openbsd22.10
evolix:linux/22.09
evolix:linux/22.08.1
evolix:linux/22.08
evolix:22.08
evolix:22.06.2
evolix:22.06.1
evolix:22.06
evolix:22.03
evolix:22.03.1
evolix:21.10.4
evolix:21.10.1
evolix:21.09
evolix:20.12
evolix:20.04.4
evolix:20.04.3
evolix:20.04.2
evolix:20.04.1
evolix:20.02.1
evolix:19.11.1
evolix:v19.11
evolix:19.10
evolix:19.09
evolix:v19.06
evolix:v19.04
evolix:debian/0.13.1-1
evolix:v0.13.1
evolix:debian/0.13-1
evolix:v0.13
evolix:debian/0.12-1
evolix:v0.12
evolix:debian/0.11-1
evolix:v0.11
..
compare: evolix:openbsd/22.12
Branches Tags
evolix:master
evolix:148
evolix:evoversions
evolix:autoif-bullseye
evolix:check_all_files_in_backup_dir
evolix:IS_NETWORKING_SERVICE
evolix:sources.list-support-option
evolix:IS_SYSTEMDUSERUNIT
evolix:minifirewall_systemd
evolix:check_compressed_mongodump
evolix:bullseye
evolix:IS_LXC_CONTAINER_RESOLV_CONF
evolix:is_mysql_upgrade
evolix:buster-support
evolix:no-check-valid-until
evolix:release-19.06
evolix:fix-mysqlnrpe
evolix:apachesymlink-verbose
evolix:debian
evolix:VERBOSE-ALERT5MINIFW
evolix:11-Check-for-sysadmins-home-size
evolix:linux/24.01
evolix:linux/23.11.1
evolix:linux/23.11
evolix:linux/23.10
evolix:linux/23.07
evolix:openbsd/23.06
evolix:linyx/23.04.01
evolix:linux/23.04
evolix:linux/23.03.01
evolix:linux/23.03
evolix:linux/23.02
evolix:openbsd/23.02
evolix:linux/23.0.2
evolix:openbsd/22.12
evolix:linux/22.12
evolix:openbsd/22.11
evolix:linux/22.11
evolix:openbsd22.10
evolix:linux/22.09
evolix:linux/22.08.1
evolix:linux/22.08
evolix:22.08
evolix:22.06.2
evolix:22.06.1
evolix:22.06
evolix:22.03
evolix:22.03.1
evolix:21.10.4
evolix:21.10.1
evolix:21.09
evolix:20.12
evolix:20.04.4
evolix:20.04.3
evolix:20.04.2
evolix:20.04.1
evolix:20.02.1
evolix:19.11.1
evolix:v19.11
evolix:19.10
evolix:19.09
evolix:v19.06
evolix:v19.04
evolix:debian/0.13.1-1
evolix:v0.13.1
evolix:debian/0.13-1
evolix:v0.13
evolix:debian/0.12-1
evolix:v0.12
evolix:debian/0.11-1
evolix:v0.11

No commits in common. "master" and "openbsd/22.12" have entirely different histories.
master ... openbsd/22

7 changed files with 139 additions and 598 deletions
Show stats Expand all files Collapse all files

2
README.md
View file

@ -52,7 +52,7 @@ For Debian versions : `is_debian`, `is_debian_stretch`, `is_debian_jessie`…
For packs : `is_pack_web`, `is_pack_samba`.
For installed packages : `is_installed <package> [<package>]`.
### Extract variables
### Extact variables
It's better not to inline function calls inside tests. Instead of this :

123
linux/CHANGELOG
View file

@ -5,121 +5,6 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
### Added
* IS_EVOLIX_GROUP: new check to verify that all Evolix users are in "evolix" group
### Changed
* IS_SYSLOGCONF: better detection
### Deprecated
### Removed
### Fixed
* Fix errors in some LXC checks: list only active LXC containers, add conditions to filter containers that are not in evo-standards.
* check_sshallowusers: fix unwanted sterr when /etc/ssh/sshd_condig.d does not exist.
## [24.01] 2024-01-03
### Added
* IS_BACKPORTS_VERSION: check if the Backports release matches the Debian release
### Changed
* IS_BROADCOMFIRMWARE: use apt policy
* Prefer long options
* IS_POSTFIX_MYDESTINATION: use fixed string instead of escaping characters
### Fixed
* IS_EVOBACKUP_EXCLUDE_MOUNT: correctly treat old versions of evobackup
* IS_DEBIANSECURITY_LXC: dont test older than Debian 9 containers
* IS_KERNELUPTODATE: address false positive in case of kernel removal
* IS_SSHPERMITROOTNO: specify lport, avoiding failure if sshd listens to more than one port
* IS_DRBDTWOPRIMARIES: fix false positive (#151)
* IS_ETCGIT_LXC, IS_GITPERMS_LXC: fix path
## [23.11.1] 2023-11-27
### Fixed
* IS_EVOBACKUP_EXCLUDE_MOUNT: fix another regression introduced in previous release
### Security
## [23.11] 2023-11-27
### Added
* trixie and forky support (Debian 13, 14)
* IS_LXC_OPENSSH: check in openssh is installed in containers
* IS_LXC_PHP_BAD_DEBIAN_VERSION: check if php containers use the expected Debian release
* IS_DEBIANSECURITY_LXC: IS_DEBIANSECURITY in containers
* IS_SURY_LXC: IS_SURY in containers
* IS_OLDPUB_LXC: IS_OLDPUB in containers
* IS_ETCGIT_LXC: IS_ETCGIT in containers
* IS_GITPERMS_LXC: IS_GITPERMS in containers
### Changed
* IS_SSHALLOWUSERS: add Debian 12 condition
* IS_PHPEVOLINUXCONF: update for bookworm
* IS_MINIFWINCLUDES, IS_NRPEPID: Change Debian release detection logic
### Fixed
* IS_EVOBACKUP_EXCLUDE_MOUNT: fix regression introduced in previous version
## [23.10] 2023-10-26
### Added
* IS_MINIFW: better detection of minifirewall status
* IS_OLDPUB: pub.evolix.net has been supersed by pub.evolix.org since Stretch
* IS_NEWPUB: verify that the new public repository is present
* IS_DRBDTWOPRIMARIES: check there are not 2 DRBD primaries at the same time.
* IS_SURY: check that if sury is enabled, then a safeguard must be in place
### Changed
* IS_BACKPORTSCONF: does not require preferences anymore
### Fixed
* IS_BINDCHROOT: fix /etc/default path for Debian >= 11 (renamed from bind9 to named)
* IS_EVOBACKUP_EXCLUDE_MOUNT: adapt to new version of evobackup (#148)
## [23.07] 2023-07-07
### Fixed
* IS_REDIS_BACKUP: full rewrite of the check to be more flexible, and also check time of dump.
## [23.04.01] 2023-04-07
### Fixed
* IS_POSTFIX_MYDESTINATION: fix regex not working (again).
## [23.04] 2023-04-07
### Changed
* IS_LOCALHOST_IN_POSTFIX_MYDESTINATION: renamed to IS_POSTFIX_MYDESTINATION
### Fixed
* IS_POSTFIX_MYDESTINATION: fix regex not working.
## [23.03.01] 2023-03-01
### Fixed
* Fix version number.
## [23.03] 2023-03-01
### Added
* Log output and runtime config to /var/log/evocheck.log.
### Changed
### Deprecated
@ -127,17 +12,9 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
### Removed
### Fixed
* IS_LOCALHOST_IN_POSTFIX_MYDESTINATION: set grep quiet.
* IS_LXC_PHP_FPM_SERVICE_UMASK_SET: fix inverted test condition.
### Security
## [23.02] 2023-02-10
### Fixed
* Release with the correct version number.
## [22.12] 2023-02-10
### Added

2
linux/evocheck.jessie.sh
View file

@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="24.01"
VERSION="22.12"
readonly VERSION
# base functions

379
linux/evocheck.sh
View file

@ -4,9 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
#set -x
VERSION="24.01"
VERSION="22.12"
readonly VERSION
# base functions
@ -57,7 +55,7 @@ detect_os() {
DEBIAN_MAIN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
if [ "${DEBIAN_MAIN_VERSION}" -lt "9" ]; then
echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2
echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2
echo "This version is built for Debian 9 and later." >&2
exit
fi
@ -70,8 +68,6 @@ detect_os() {
10) DEBIAN_RELEASE="buster";;
11) DEBIAN_RELEASE="bullseye";;
12) DEBIAN_RELEASE="bookworm";;
13) DEBIAN_RELEASE="trixie";;
14) DEBIAN_RELEASE="forky";;
esac
fi
fi
@ -89,12 +85,6 @@ is_debian_bullseye() {
is_debian_bookworm() {
test "${DEBIAN_RELEASE}" = "bookworm"
}
is_debian_trixie() {
test "${DEBIAN_RELEASE}" = "trixie"
}
is_debian_forky() {
test "${DEBIAN_RELEASE}" = "forky"
}
is_pack_web(){
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
@ -110,17 +100,6 @@ is_installed(){
# logging
log() {
date=$(/bin/date +"${DATE_FORMAT}")
if [ "${1}" != '' ]; then
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
else
while read line; do
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
done < /dev/stdin
fi
}
failed() {
check_name=$1
shift
@ -134,9 +113,6 @@ failed() {
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
fi
fi
# Always log verbose
log "${check_name} FAILED! ${check_comments}"
}
# check functions
@ -156,16 +132,10 @@ check_dpkgwarning() {
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
}
# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option.
check_postfix_mydestination() {
check_localhost_in_postfix_mydestination() {
# shellcheck disable=SC2016
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp 'localhost([[:blank:]]|$)'; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost' is missing in Postfix mydestination option."
fi
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost.localdomain'; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option."
fi
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost.$mydomain'; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option."
if ! grep mydestination /etc/postfix/main.cf | grep --extended-regexp 'localhost[^\\.]' | grep 'localhost.localdomain' | grep 'localhost.$mydomain'; then
failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then."
fi
}
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
@ -195,86 +165,14 @@ check_logrotateconf() {
test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d"
}
check_syslogconf() {
# Test for modern servers
if [ ! -f /etc/rsyslog.d/10-evolinux-default.conf ]; then
# Fallback test for legacy servers
if ! grep --quiet --ignore-case "Syslog for Pack Evolix" /etc/*syslog*/*.conf; then
failed "IS_SYSLOGCONF" "Evolix syslog config is missing"
fi
fi
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \
|| failed "IS_SYSLOGCONF" "syslog evolix config file missing"
}
check_debiansecurity() {
# Look for enabled "Debian-Security" sources from the "Debian" origin
apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository"
}
check_debiansecurity_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
if [ -f /var/lib/lxc/${container}/rootfs/etc/debian_version ]; then
DEBIAN_LXC_VERSION=$(cut -d "." -f 1 < /var/lib/lxc/${container}/rootfs/etc/debian_version)
if [ $DEBIAN_LXC_VERSION -ge 9 ]; then
lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}"
fi
fi
done
fi
}
check_backports_version() {
# Look for enabled "Debian Backports" sources from the "Debian" origin
apt-cache policy | grep "\bl=Debian Backports\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 1 || ( \
apt-cache policy | grep "\bl=Debian Backports\b" | grep --quiet "\bn=${DEBIAN_RELEASE}-backports\b" && \
test $? -eq 0 || failed "IS_BACKPORTS_VERSION" "Debian Backports enabled for another release than ${DEBIAN_RELEASE}" )
}
check_oldpub() {
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch)
apt-cache policy | grep --quiet pub.evolix.net
test $? -eq 1 || failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled"
}
check_oldpub_lxc() {
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Buster as Sury safeguard)
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
APT_CACHE_BIN=$(lxc-attach --name $container -- bash -c "command -v apt-cache")
if [ -x "${APT_CACHE_BIN}" ]; then
lxc-attach --name $container apt-cache policy | grep --quiet pub.evolix.net
test $? -eq 1 || failed "IS_OLDPUB_LXC" "Old pub.evolix.net repository is still enabled in container ${container}"
fi
done
fi
}
check_newpub() {
# Look for enabled pub.evolix.org sources
apt-cache policy | grep "\bl=Evolix\b" | grep --quiet -v php
test $? -eq 0 || failed "IS_NEWPUB" "New pub.evolix.org repository is missing"
}
check_sury() {
# Look for enabled packages.sury.org sources
apt-cache policy | grep --quiet packages.sury.org
if [ $? -eq 0 ]; then
apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing"
fi
}
check_sury_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
APT_CACHE_BIN=$(lxc-attach --name $container -- bash -c "command -v apt-cache")
if [ -x "${APT_CACHE_BIN}" ]; then
lxc-attach --name $container apt-cache policy | grep --quiet packages.sury.org
if [ $? -eq 0 ]; then
lxc-attach --name $container apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
test $? -eq 0 || failed "IS_SURY_LXC" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing in container ${container}"
fi
fi
done
fi
}
check_aptitude() {
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
}
@ -313,25 +211,8 @@ check_customcrontab() {
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
}
check_sshallowusers() {
if is_debian_bookworm; then
if [ -d /etc/ssh/sshd_config.d/ ]; then
# AllowUsers or AllowGroups should be in /etc/ssh/sshd_config.d/
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d/ \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
fi
# AllowUsers or AllowGroups should not be in /etc/ssh/sshd_config
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
&& failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
else
# AllowUsers or AllowGroups should be in /etc/ssh/sshd_config or /etc/ssh/sshd_config.d/
if [ -d /etc/ssh/sshd_config.d/ ]; then
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/ \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
else
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
fi
fi
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
}
check_diskperf() {
perfFile="/root/disk-perf.txt"
@ -375,20 +256,11 @@ check_alert5minifw() {
fi
}
check_minifw() {
{
if [ -f /etc/systemd/system/minifirewall.service ]; then
systemctl is-active minifirewall > /dev/null 2>&1
else
if test -x /usr/share/scripts/minifirewall_status; then
/usr/share/scripts/minifirewall_status > /dev/null 2>&1
else
/sbin/iptables -L -n 2> /dev/null | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
fi
fi
} || failed "IS_MINIFW" "minifirewall seems not started"
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|| failed "IS_MINIFW" "minifirewall seems not started"
}
check_minifw_includes() {
if { ! is_debian_stretch && ! is_debian_buster ; }; then
if is_debian_bullseye; then
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall"; then
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/"
fi
@ -415,13 +287,13 @@ check_nrpedisks() {
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
}
check_nrpepid() {
if { is_debian_stretch || is_debian_buster ; }; then
if is_debian_bullseye; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
else
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
fi
}
@ -548,11 +420,7 @@ check_log2mailsquid() {
check_bindchroot() {
if is_installed bind9; then
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
default_conf=/etc/default/named
if is_debian_buster || is_debian_stretch; then
default_conf=/etc/default/bind9
fi
if grep -q '^OPTIONS=".*-t' "${default_conf}" && grep -q '^OPTIONS=".*-u' "${default_conf}"; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ')
md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ')
if [ "$md5_original" != "$md5_chrooted" ]; then
@ -630,12 +498,7 @@ check_evobackup_exclude_mount() {
# If rsync is not limited by "one-file-system"
# then we verify that every mount is excluded
if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
# old releases of evobackups don't have version
if grep -q "^VERSION=" "${evobackup_file}" && dpkg --compare-versions "$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}")" ge 22.12 ; then
sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' "${evobackup_file}" > "${excludes_file}"
else
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
fi
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
for mount in ${not_excluded}; do
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
@ -688,7 +551,7 @@ check_apacheipinallow() {
check_muninapacheconf() {
muninconf="/etc/apache2/conf-available/munin.conf"
if is_installed apache2; then
test -e $muninconf && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$muninconf" \
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \
&& failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled"
fi
}
@ -697,17 +560,17 @@ check_phpmyadminapacheconf() {
phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf"
phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf"
if is_installed apache2; then
test -e $phpmyadminconf0 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$phpmyadminconf0" \
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) should be commented or disabled"
test -e $phpmyadminconf1 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$phpmyadminconf1" \
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) should be commented or disabled"
test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled"
test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled"
fi
}
# Verification si le système doit redémarrer suite màj kernel.
check_kerneluptodate() {
if is_installed linux-image*; then
# shellcheck disable=SC2012
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot/*lin* | tail -n1 | awk '{print $6}')" +%s)
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised"
@ -774,17 +637,6 @@ check_etcgit() {
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|| failed "IS_ETCGIT" "/etc is not a git repository"
}
check_etcgit_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
export GIT_DIR="/var/lib/lxc/${container}/rootfs/etc/.git"
export GIT_WORK_TREE="/var/lib/lxc/${container}/rootfs/etc"
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|| failed "IS_ETCGIT_LXC" "/etc is not a git repository in container ${container}"
done
fi
}
# Check if /etc/.git/ has read/write permissions for root only.
check_gitperms() {
GIT_DIR="/etc/.git"
@ -794,19 +646,6 @@ check_gitperms() {
[ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected"
fi
}
check_gitperms_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
GIT_DIR="/var/lib/lxc/${container}/rootfs/etc/.git"
if test -d $GIT_DIR; then
expected="700"
actual=$(stat -c "%a" $GIT_DIR)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})"
fi
done
fi
}
# Check if no package has been upgraded since $limit.
check_notupgraded() {
last_upgrade=0
@ -894,6 +733,10 @@ check_apache2evolinuxconf() {
check_backportsconf() {
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| failed "IS_BACKPORTSCONF" "backports must have preferences"
fi
}
check_bind9munin() {
if is_installed bind9; then
@ -907,25 +750,12 @@ check_bind9logrotate() {
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
fi
}
check_drbd_two_primaries() {
if is_installed drbd-utils; then
if command -v drbd-overview >/dev/null; then
if drbd-overview 2>&1 | grep -q "Primary/Primary"; then
failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!"
fi
elif command -v drbdadm >/dev/null; then
if drbdadm role all 2>&1 | grep -q 'Primary/Primary'; then
failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!"
fi
fi
fi
}
check_broadcomfirmware() {
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then
{ is_installed firmware-bnx2 \
&& apt-cache policy | grep "\bl=Debian\b" | grep --quiet -v "\b,c=non-free\b"
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
} || failed "IS_BROADCOMFIRMWARE" "missing non-free repository"
fi
else
@ -1024,27 +854,19 @@ check_ldap_backup() {
check_redis_backup() {
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
# REDIS_BACKUP_PATH may contain space-separated paths, for example:
# REDIS_BACKUP_PATH may contain space-separated paths, example:
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
# Warning : this script doesn't handle spaces in file paths !
REDIS_BACKUP_PATH="${REDIS_BACKUP_PATH:-$(find /home/backup/ -iname "*.rdb*")}"
# Check number of dumps
n_instances=$(pgrep 'redis-server' | wc -l)
n_dumps=$(echo $REDIS_BACKUP_PATH | wc -w)
if [ ${n_dumps} -lt ${n_instances} ]; then
failed "IS_REDIS_BACKUP" "Missing Redis dump : ${n_instances} instance(s) found versus ${n_dumps} dump(s) found."
fi
# Check last dump date
age_threshold=$(date +"%s" -d "now - 2 days")
for dump in ${REDIS_BACKUP_PATH}; do
last_update=$(stat -c "%Z" $dump)
if [ "${last_update}" -lt "${age_threshold}" ]; then
failed "IS_REDIS_BACKUP" "Redis dump ${dump} is older than 2 days."
# Old default path: /home/backup/dump.rdb
# New default path: /home/backup/redis/dump.rdb
if [ -z "${REDIS_BACKUP_PATH}" ]; then
if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then
failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)."
fi
done
else
for file in ${REDIS_BACKUP_PATH}; do
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing."
done
fi
fi
}
check_elastic_backup() {
@ -1101,7 +923,6 @@ check_phpevolinuxconf() {
is_debian_stretch && phpVersion="7.0"
is_debian_buster && phpVersion="7.3"
is_debian_bullseye && phpVersion="7.4"
is_debian_bookworm && phpVersion="8.2"
if is_installed php; then
{ test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
&& test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
@ -1153,13 +974,6 @@ check_evolix_user() {
grep -q -E "^evolix:" /etc/passwd \
&& failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
}
check_evolix_group() {
users=$(grep ":20..:20..:" /etc/passwd | cut -d ":" -f 1)
for user in ${users}; do
grep -E "^evolix:" /etc/group | grep -q -E "\b${user}\b" \
|| failed "IS_EVOLIX_GROUP" "user \`${user}' should be in \`evolix' group"
done
}
check_evoacme_cron() {
if [ -f "/usr/local/sbin/evoacme" ]; then
# Old cron file, should be deleted
@ -1240,10 +1054,16 @@ check_usrsharescripts() {
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
}
check_sshpermitrootno() {
# You could change the SSH port in /etc/evocheck.cf
sshd_args="-C addr=,user=,host=,laddr=,lport=${SSH_PORT:-22}"
if is_debian_buster; then
sshd_args="${sshd_args},rdomain="
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
if is_debian_stretch; then
# Noop, we'll use the default $sshd_args
:
elif is_debian_buster; then
sshd_args="${sshd_args},rdomain="
else
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
# -T doesn't require the additional -C.
sshd_args=
fi
# shellcheck disable=SC2086
if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then
@ -1361,10 +1181,10 @@ check_nginx_letsencrypt_uptodate() {
}
check_lxc_container_resolv_conf() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
container_list=$(lxc-ls)
current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
for container in $container_list; do
for container in $container_list; do
if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then
while read -r resolver; do
@ -1376,22 +1196,22 @@ check_lxc_container_resolv_conf() {
else
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}"
fi
done
done
fi
}
# Check that there are containers if lxc is installed.
check_no_lxc_container() {
if is_installed lxc; then
containers_count=$(lxc-ls --active | wc -l)
containers_count=$(lxc-ls | wc -l)
if [ "$containers_count" -eq 0 ]; then
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no active container. Consider removing it."
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no container. Consider removing it."
fi
fi
}
# Check that in LXC containers, phpXX-fpm services have UMask set to 0007.
check_lxc_php_fpm_service_umask_set() {
if is_installed lxc; then
php_containers_list=$(lxc-ls --active --filter php)
php_containers_list=$(lxc-ls --filter php)
missing_umask=""
for container in $php_containers_list; do
# Translate container name in service name
@ -1401,7 +1221,7 @@ check_lxc_php_fpm_service_umask_set() {
service="${container:0:4}.${container:4}-fpm"
fi
umask=$(lxc-attach --name "${container}" -- systemctl show -p UMask "$service" | cut -d "=" -f2)
if [ "$umask" != "0007" ]; then
if ! [ "$umask" != "0007" ]; then
missing_umask="${missing_umask} ${container}"
fi
done
@ -1410,34 +1230,6 @@ check_lxc_php_fpm_service_umask_set() {
fi
fi
}
# Check that LXC containers have the proper Debian version.
check_lxc_php_bad_debian_version() {
if is_installed lxc; then
php_containers_list=$(lxc-ls --active --filter php)
missing_umask=""
for container in $php_containers_list; do
if [ "$container" = "php56" ]; then
grep --quiet 'VERSION_ID="8"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Jessie"
elif [ "$container" = "php70" ]; then
grep --quiet 'VERSION_ID="9"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Stretch"
elif [ "$container" = "php73" ]; then
grep --quiet 'VERSION_ID="10"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Buster"
elif [ "$container" = "php74" ]; then
grep --quiet 'VERSION_ID="11"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bullseye"
elif [ "$container" = "php82" ]; then
grep --quiet 'VERSION_ID="12"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bookworm"
fi
done
fi
}
check_lxc_openssh() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
test -e /var/lib/lxc/${container}/rootfs/usr/sbin/sshd && failed "IS_LXC_OPENSSH" "openssh-server should not be installed in container ${container}"
done
fi
}
download_versions() {
local file
@ -1490,7 +1282,7 @@ get_version() {
case "${program}" in
## Special case if `command --version => 'command` is not the standard way to get the version
# my_command)
# /path/to/my_command --get-version
# /path/to/my_command --get-version
# ;;
add-vm)
@ -1583,7 +1375,7 @@ main() {
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
test "${IS_POSTFIX_MYDESTINATION:=1}" = 1 && check_postfix_mydestination
test "${IS_LOCALHOST_IN_POSTFIX_MYDESTINATION:=1}" = 1 && check_localhost_in_postfix_mydestination
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
@ -1591,13 +1383,6 @@ main() {
test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc
test "${IS_BACKPORTS_VERSION:=1}" = 1 && check_backports_version
test "${IS_OLDPUB:=1}" = 1 && check_oldpub
test "${IS_OLDPUB_LXC:=1}" = 1 && check_oldpub_lxc
test "${IS_NEWPUB:=1}" = 1 && check_newpub
test "${IS_SURY:=1}" = 1 && check_sury
test "${IS_SURY_LXC:=1}" = 1 && check_sury_lxc
test "${IS_APTITUDE:=1}" = 1 && check_aptitude
test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
test "${IS_USRRO:=1}" = 1 && check_usrro
@ -1650,9 +1435,7 @@ main() {
test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
test "${IS_ETCGIT_LXC:=1}" = 1 && check_etcgit_lxc
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_GITPERMS_LXC:=1}" = 1 && check_gitperms_lxc
test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
@ -1661,7 +1444,6 @@ main() {
test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate
test "${IS_DRBDTWOPRIMARIES:=1}" = 1 && check_drbd_two_primaries
test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware
test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool
test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit
@ -1681,7 +1463,6 @@ main() {
test "${IS_SQUIDEVOLINUXCONF:=1}" = 1 && check_squidevolinuxconf
test "${IS_DUPLICATE_FS_LABEL:=1}" = 1 && check_duplicate_fs_label
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_EVOLIX_GROUP:=1}" = 1 && check_evolix_group
test "${IS_EVOACME_CRON:=1}" = 1 && check_evoacme_cron
test "${IS_EVOACME_LIVELINKS:=1}" = 1 && check_evoacme_livelinks
test "${IS_APACHE_CONFENABLED:=1}" = 1 && check_apache_confenabled
@ -1695,8 +1476,6 @@ main() {
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container
test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set
test "${IS_LXC_PHP_BAD_DEBIAN_VERSION:=1}" = 1 && check_lxc_php_bad_debian_version
test "${IS_LXC_OPENSSH:=1}" = 1 && check_lxc_openssh
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
if [ -f "${main_output_file}" ]; then
@ -1710,12 +1489,9 @@ main() {
exit ${RC}
}
cleanup() {
# Cleanup tmp files
# shellcheck disable=SC2068,SC2317
cleanup_temp_files() {
# shellcheck disable=SC2086,SC2317
rm -f ${files_to_cleanup[@]}
log "$PROGNAME exit."
}
PROGNAME=$(basename "$0")
@ -1726,23 +1502,17 @@ readonly PROGNAME
ARGS=$@
readonly ARGS
LOGFILE="/var/log/evocheck.log"
readonly LOGFILE
CONFIGFILE="/etc/evocheck.cf"
readonly CONFIGFILE
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
# shellcheck disable=SC2034
readonly DATEFORMAT
# Disable LANG*
export LANG=C
export LANGUAGE=C
declare -a files_to_cleanup
# shellcheck disable=SC2064
trap cleanup_temp_files 0
# Source configuration file
# shellcheck disable=SC1091
test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
test -f /etc/evocheck.cf && . /etc/evocheck.cf
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
@ -1790,24 +1560,5 @@ while :; do
shift
done
# Keep this after "show_version(); exit 0" which is called by check_versions
# to avoid logging exit twice.
declare -a files_to_cleanup
files_to_cleanup=""
# shellcheck disable=SC2064
trap cleanup EXIT INT TERM
log '-----------------------------------------------'
log "Running $PROGNAME $VERSION..."
# Log config file content
if [ -f "${CONFIGFILE}" ]; then
log "Runtime configuration (${CONFIGFILE}):"
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
fi
# shellcheck disable=SC2086
main ${ARGS}
log "End of $PROGNAME execution."

2
linux/evocheck.wheezy.sh
View file

@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="24.01"
VERSION="22.12"
readonly VERSION
# base functions

148
openbsd/CHANGELOG
View file

@ -7,230 +7,198 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Added
### Changed
### Fixed
### Removed
### Security
## [23.06] - 2023-06-05
### Added
* Log output and runtime config to /var/log/evocheck.log.
* check_mountfstab and check_mount: make sure all mounted partitions are in fstab and all partitions in fstab are mounted
### Fixed
* check_carpadvbase and check_carppreempt: fixed indentation
* check_mount: removed useless echo
### Changed
* check_evobackup: zzz_evobackup is now executed with bash
## [23.02] - 2023-02-10
### Fixed
* Release with the correct version number.
## [22.12] - 2023-02-10
### Changed
* Replaced check_sudomaint with check_doasmaint because evomaintenance is used with doas, not with sudo
- Replaced check_sudomaint with check_doasmaint because evomaintenance is used with doas, not with sudo
### Fixed
* check_history: escape $HOME variable
* check_pkgmirror: fix openbsd mirror
- check_history: escape $HOME variable
- check_pkgmirror: fix openbsd mirror
### Removed
* check_wheel: wheel group mustn't be sudo because we use the evolinux-sudo group
- check_wheel: wheel group mustn't be sudo because we use the evolinux-sudo group
## [22.11] - 2022-11-28
### Changed
* check_pkgmirror: use our own openbsd mirror
- check_pkgmirror: use our own openbsd mirror
## [22.10] - 2022-10-14
### Changed
* check_evobackup_exclude_mount: skip if --one-file-system is used, and exclude scripts without Rsync command
* check_backupuptodate: use find with --max-depth=1 to limit the number of evaluated files
* check_sshpermitrootno: do not display sshd errors
* check_ntp: comply with ntp configuration change on EvoBSD
- check_evobackup_exclude_mount: skip if --one-file-system is used, and exclude scripts without Rsync command
- check_backupuptodate: use find with --max-depth=1 to limit the number of evaluated files
- check_sshpermitrootno: do not display sshd errors
- check_ntp: comply with ntp configuration change on EvoBSD
## [22.08] - 2022-08-04
### Fixed
* Fixed check_sshpermitrootno to check real configuration
- Fixed check_sshpermitrootno to check real configuration
## [22.06] - 2022-06-16
### Changed
* Fixed various shellcheck violations
* Added a function to cleanup files at once instead of using multiple trap rm
- Fixed various shellcheck violations
- Added a function to cleanup files at once instead of using multiple trap rm
## [22.04] - 2022-04-13
### Added
* Added check_root_user: make sure that root user does not have a password
- Added check_root_user: make sure that root user does not have a password
## [22.03] - 2022-03-10
### Added
* check_evomaintenanceconf: check existence and rights of evomaintenance conf file
* Added check_nrpeopensmtpd to ensure that opensmtpd is used for mailq nrpe check
* Added check_sshallowusers to ensure that AllowUsers or AllowGroups directive is present in sshd_config
* Added check_evobackup_exclude_mount to ensure that NFS mounts are excluded from backup
* Added check_etcgit to ensure that /etc is a git repository
* Added check_evolinuxsudogroup to ensure that evolinux-sudo is properly configured in sudo if group exist
* Added check_bind9munin to ensure that a plugin for bind is configured when munin is installed
* Added check_evolix_user to ensure that evolix user does not exist
* Added check_versions and its functions (download_versions, get_command, get_version, check_version, add_to_path) to ensure that custom scripts are up to date
- check_evomaintenanceconf: check existence and rights of evomaintenance conf file
- Added check_nrpeopensmtpd to ensure that opensmtpd is used for mailq nrpe check
- Added check_sshallowusers to ensure that AllowUsers or AllowGroups directive is present in sshd_config
- Added check_evobackup_exclude_mount to ensure that NFS mounts are excluded from backup
- Added check_etcgit to ensure that /etc is a git repository
- Added check_evolinuxsudogroup to ensure that evolinux-sudo is properly configured in sudo if group exist
- Added check_bind9munin to ensure that a plugin for bind is configured when munin is installed
- Added check_evolix_user to ensure that evolix user does not exist
- Added check_versions and its functions (download_versions, get_command, get_version, check_version, add_to_path) to ensure that custom scripts are up to date
### Changed
* Overall improvement of evocheck: reordering, splitting version and help options, adding comments, developping some functions so they are more comprehensible
* Improved check_umasksudoers to have a more complete grep
* Updated check_history to reflect the new HISTSIZE value
* Renamed check_tmp1777 and check_root0700 respectively to check_tmp_1777 and check_root_0700
* Improved check_tmp_1777, check_root_0700, check_usrsharescripts in the way the folders rights are checked
- Overall improvement of evocheck: reordering, splitting version and help options, adding comments, developping some functions so they are more comprehensible
- Improved check_umasksudoers to have a more complete grep
- Updated check_history to reflect the new HISTSIZE value
- Renamed check_tmp1777 and check_root0700 respectively to check_tmp_1777 and check_root_0700
- Improved check_tmp_1777, check_root_0700, check_usrsharescripts in the way the folders rights are checked
### Fixed
* Fixed check_uptime: it didn't work at all, and tried to get uptime in the wrong way
* Fixed check_evomaintenanceusers: sudo is not used for the evomaintenance trap, doas is ; and users were not found the better way
- Fixed check_uptime: it didn't work at all, and tried to get uptime in the wrong way
- Fixed check_evomaintenanceusers: sudo is not used for the evomaintenance trap, doas is ; and users were not found the better way
### Removed
* Removed empty check_pfcustom
- Removed empty check_pfcustom
## [21.10] - 2021-10-07
### Fixed
* Fixed check_tmoutprofile: syntax error on if/else/fi test
- Fixed check_tmoutprofile: syntax error on if/else/fi test
## [21.09] - 2021-09-17
### Changed
* Changed version numbering to use year.month and be capable to know the age of the script
- Changed version numbering to use year.month and be capable to know the age of the script
### Fixed
* Fixed check_tmoutprofile: Add "if" to check if file exists
- Fixed check_tmoutprofile: Add "if" to check if file exists
## [6.9.1] - 2021-07-23
### Changed
* Renamed check_advskew, check_preempt, check_advbase and their alert to add "carp" in them
- Renamed check_advskew, check_preempt, check_advbase and their alert to add "carp" in them
## [6.9.0] - 2021-07-16
### Added
* Add check_advskew: convention for CARP interfaces. CARP in master state must have advskew parameter between 1 and 50, CARP in backup state must have advskew parameter between 100 and 150, preventing a configuration error with the same value for master and backup
- Add check_advskew: convention for CARP interfaces. CARP in master state must have advskew parameter between 1 and 50, CARP in backup state must have advskew parameter between 100 and 150, preventing a configuration error with the same value for master and backup
## [6.8.0] - 2020-10-23
### Fixed
* Fix check_noatime: do not take into account commented entry in fstab
- Fix check_noatime: do not take into account commented entry in fstab
## [6.7.7] - 2020-10-22
### Added
* Add check_openvpncronlog: a cron is needed to rotate logs, because a restart of OpenVPN would be needed with the use of newsyslog to rotate logs
- Add check_openvpncronlog: a cron is needed to rotate logs, because a restart of OpenVPN would be needed with the use of newsyslog to rotate logs
### Fixed
* Fix check_uptodate: properly check that syspatch exists
* Fix check_raidok: the same device could be displayed multiple times
- Fix check_uptodate: properly check that syspatch exists
- Fix check_raidok: the same device could be displayed multiple times
## [6.7.6] - 2020-10-15
### Added
* Add check_noatime - Check that all ffs partitions are mounted with the noatime option
- Add check_noatime - Check that all ffs partitions are mounted with the noatime option
### Fixed
* Fix check_softdep - We now check the number of ffs partitions and we compare it to the number of softdep options currently there
- Fix check_softdep - We now check the number of ffs partitions and we compare it to the number of softdep options currently there
## [6.7.5] - 2020-10-09
### Fixed
* Fix check_cronpath - Do not check PATH=XXX but only XXX because XXX can also be in quotes (PATH="XXX" would not be matched)
- Fix check_cronpath - Do not check PATH=XXX but only XXX because XXX can also be in quotes (PATH="XXX" would not be matched)
## [6.7.4] - 2020-08-04
### Added
* Add check_backupuptodate - Check that /home/backup is not older than 2 days
- Add check_backupuptodate - Check that /home/backup is not older than 2 days
## [6.7.3] - 2020-07-23
### Added
* Add check_ntp - Check the ntpd configuration
- Add check_ntp - Check the ntpd configuration
### Fixed
* Fix check_defaultroute - We need to check if the /etc/mygate file exists before comparing it
- Fix check_defaultroute - We need to check if the /etc/mygate file exists before comparing it
### Removed
* Removed check_postgresql - Deprecated since we now use an API
- Removed check_postgresql - Deprecated since we now use an API
## [6.7.2] - 2020-07-22
### Added
* Add check_defaultroute function - Make sure the default route in /etc/mygate file is the same that the one currently used
- Add check_defaultroute function - Make sure the default route in /etc/mygate file is the same that the one currently used
## [6.7.1] - 2020-07-15
### Fixed
* Fix check_customsyslog - We have to check whether EvoBSD is present in newsyslog.conf file
* Fix check_sudomaint function - ADMIN group does not exist anymore, we now check that the wheel group has NOPASSWD to run the evomaintenance command alias
* Fix check_advbase - We want the evocheck advbase function output to be uniq
- Fix check_customsyslog - We have to check whether EvoBSD is present in newsyslog.conf file
- Fix check_sudomaint function - ADMIN group does not exist anymore, we now check that the wheel group has NOPASSWD to run the evomaintenance command alias
- Fix check_advbase - We want the evocheck advbase function output to be uniq
## [6.6.2] - 2020-04-27
### Added
* Add check_sync function - If a server is a Carp member we check whether the sync.sh script is present or not
* Add check_pfenabled function - We make sure PF is enabled
* Add check_uptodate function - Use syspatch(8) to check if security updates are available
- Add check_sync function - If a server is a Carp member we check whether the sync.sh script is present or not
- Add check_pfenabled function - We make sure PF is enabled
- Add check_uptodate function - Use syspatch(8) to check if security updates are available
### Changed
* Remove check_oldhomedir - This information is irrelevant since we always keep home directories of former sysadmins
* Now use a version-naming scheme based on OpenBSD's one
- Remove check_oldhomedir - This information is irrelevant since we always keep home directories of former sysadmins
- Now use a version-naming scheme based on OpenBSD's one
## [6.6.1] - 2020-04-21
### Changed
* Rewrite if statements to functions
* Add a main function
* New help message
- Rewrite if statements to functions
- Add a main function
- New help message

81
openbsd/evocheck.sh
View file

@ -3,7 +3,7 @@
# EvoCheck
# Script to verify compliance of an OpenBSD server powered by Evolix
readonly VERSION="23.06"
readonly VERSION="22.12"
# base functions
@ -51,17 +51,6 @@ is_installed(){
# logging
log() {
date=$(/bin/date +"${DATE_FORMAT}")
if [ "${1}" != '' ]; then
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
else
while read line; do
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
done < /dev/stdin
fi
}
failed() {
check_name=$1
shift
@ -75,9 +64,6 @@ failed() {
printf "%s FAILED!\n" "${check_name}" 2>&1
fi
fi
# Always log verbose
log "${check_name} FAILED! ${check_comments}"
}
# check functions
@ -118,9 +104,9 @@ check_raidok(){
}
check_evobackup(){
if [ -f /etc/daily.local ]; then
grep -qE "^(ba)?sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
else
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
fi
}
check_uptodate(){
@ -168,9 +154,9 @@ check_carpadvbase(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
bad_advbase=0
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
if [ "$advbase" -gt 5 ]; then
bad_advbase=1
fi
if [ "$advbase" -gt 5 ]; then
bad_advbase=1
fi
done
if [ "$bad_advbase" -eq 1 ]; then
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
@ -186,7 +172,7 @@ check_carppreempt(){
if [ -f /etc/sysctl.conf ]; then
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
else
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
fi
fi
}
@ -429,7 +415,7 @@ get_command() {
evocheck) echo "${0}" ;;
evomaintenance) command -v "evomaintenance.sh" ;;
motd-carp-state) command -v "motd-carp-state.sh" ;;
## General case, where the program name is the same as the command name
*) command -v "${program}" ;;
esac
@ -526,17 +512,6 @@ check_root_user() {
failed "IS_ROOT_USER" "root user should not have a password ; replace the password field with 'vipw' for the root user with '*************' (exactly 13 asterisks) "
fi
}
check_mount(){
for fstab_entry in $(grep ffs /etc/fstab | grep -v "^#" | awk '{print $2}'); do
mount | awk '{print $3}' | grep -q "^$fstab_entry$" || failed "IS_MOUNT" "Local OpenBSD partition(s) detected in /etc/fstab but not mounted"
done
}
check_mountfstab() {
for mount_point in $(mount | awk '{print $3}'); do
grep -q " $mount_point " /etc/fstab || failed "IS_MOUNT_FSTAB" "Partition(s) detected mounted but no presence in /etc/fstab"
done
}
main() {
# Default return code : 0 = no error
@ -586,34 +561,24 @@ main() {
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
test "${IS_ROOT_USER:=1}" = 1 && check_root_user
test "${IS_MOUNT:=1}" = 1 && check_mount
test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
exit ${RC}
}
cleanup() {
# Cleanup tmp files
cleanup_temp_files() {
# shellcheck disable=SC2086
rm -f ${files_to_cleanup}
log "$PROGNAME exit."
}
PROGNAME=$(basename "$0")
LOGFILE="/var/log/evocheck.log"
CONFIGFILE="/etc/evocheck.cf"
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
# Disable LANG*
export LANG=C
export LANGUAGE=C
files_to_cleanup=""
trap cleanup_temp_files 0
# Source configuration file
# shellcheck disable=SC1091
test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
test -f /etc/evocheck.cf && . /etc/evocheck.cf
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
@ -656,25 +621,5 @@ while :; do
shift
done
# Keep this after "show_version(); exit 0" which is called by check_versions
# to avoid logging exit twice.
files_to_cleanup=""
trap cleanup EXIT INT TERM
log '-----------------------------------------------'
log "Running $PROGNAME $VERSION..."
# Log config file content
if [ -f "${CONFIGFILE}" ]; then
log "Runtime configuration (${CONFIGFILE}):"
conf=$(sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}")
if [ ! -z "${conf}" ]; then
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
else
log "${CONFIGFILE} is empty."
fi
fi
# shellcheck disable=SC2086
main ${ARGS}