Compare commits

...

76 Commits

Author SHA1 Message Date
William Hirigoyen 6762ced399 check_sshallowusers: fix unwanted sterr when /etc/ssh/sshd_condig.d does not exist 2024-03-07 17:11:17 +01:00
Jérémy Lecour 202db682a0
IS_SYSLOGCONF: modern and legacy tests 2024-02-05 19:17:33 +01:00
William Hirigoyen 25b00f6fa7 Fix errors in some LXC checks: list only active LXC containers, add conditions to filter containers that are not in evo-standards. 2024-01-31 14:50:28 +01:00
Jérémy Lecour c4c8dd2112
IS_SYSLOGCONF: better detection 2024-01-26 16:17:34 +01:00
David Prevot 5536e8f6ec Fix recent release dates 2024-01-03 17:41:05 +01:00
David Prevot d14a6d52a3 Linux - Release 24.01 2024-01-03 17:30:13 +01:00
Mathieu Trossevin fba4dc75c3 fix(IS_EVOBACKUP_EXCLUDE_MOUNT): correctly treat old versions of evobackup
This commit fix #150

Prior to this older versions of evobackup without `VERSION=` in them
would be treated as not having any exclude whatsoever as the `else`
block was only inside of the `if grep -q  "^VERSION="
"${evobackup_file}"` block.

Now the treatment of old evobackup scripts is done if there isn't a
`VERSION=` in the script or if the version is older than 22.12.
2024-01-03 15:13:23 +01:00
David Prevot 1fc94ec4f1 Changelog for previous entries 2023-12-13 17:51:10 +01:00
David Prevot 2df62afa21 IS_DEBIANSECURITY_LXC: Don’t test older than Debian 9 containers
We use eLTS for Jessie without security, that has been archived and
signed with an expired key.
2023-12-13 17:49:35 +01:00
David Prevot ff5f7ec399 IS_KERNELUPTODATE: Address false positive in case of kernel removal
If a kernel is removed, then grub is updated. Try to check the actual
kernel files instead of any file in /boot.
2023-12-13 17:06:52 +01:00
David Prevot f64176db21 Add IS_BACKPORTS_VERSION 2023-12-13 17:02:55 +01:00
David Prevot 14e56cd575 check_broadcomfirmware: use apt-policy (making it useful before Debian 10) 2023-12-05 15:17:25 +01:00
Alexis Ben Miloud--Josselin 27347f7342 check_sshpermitrootno: Always specify lport
When sshd listens two ports (usually 22 and another one), the sshd
-T command will fail if lport is not specified.

This commit also simplifies the if-elif block.
2023-12-01 09:45:06 +01:00
Alexis Ben Miloud--Josselin e27bb4124b Chech drbdtwoprimaries: fix false positive
Fix #151
2023-11-29 17:55:00 +01:00
Jérémy Lecour 7041505446
long options are preferred 2023-11-24 16:20:08 +01:00
David Prevot 4dbb3d030d IS_ETCGIT_LXC, IS_GITPERMS_LXC: fix path 2023-11-23 14:58:51 +01:00
Jérémy Lecour fb14549843
long options 2023-11-23 07:31:59 +01:00
Jérémy Lecour 1d995764a9
No need to escape characters if we search for a fixed string 2023-11-23 07:31:48 +01:00
David Prevot 5402fa0dee Linux - Release 23.11.1 2023-11-22 17:25:28 +01:00
David Prevot f024f9d9e8 IS_EVOBACKUP_EXCLUDE_MOUNT: fix another regression introduced in previous release 2023-11-22 17:23:59 +01:00
David Prevot e80a7781c7 Linux - Release 23.11 2023-11-22 17:02:06 +01:00
David Prevot 79a61e3046 CHANGELOG for IS_SSHALLOWUSERS change from ansible-roles 2023-11-22 16:32:35 +01:00
Alexis Ben Miloud--Josselin 95539ea38c evocheck: Fix IS_SSHALLOWUSERS condition 2023-11-22 16:30:30 +01:00
Alexis Ben Miloud--Josselin 77be2c3fe1 evocheck/ssh: add Debian 12 condition 2023-11-22 16:30:21 +01:00
David Prevot f4948b5611 linux/CHANGELOG: Update for latest changes 2023-11-22 15:51:07 +01:00
David Prevot ad85fd9784 IS_MINIFWINCLUDES, IS_NRPEPID: Change Debian release detection logic 2023-11-22 15:46:55 +01:00
David Prevot 668791208a Update IS_PHPEVOLINUXCONF for Bookworm 2023-11-22 15:33:54 +01:00
David Prevot f546fb97f0 Add IS_GITPERMS_LXC 2023-11-22 15:27:47 +01:00
David Prevot be53bce0e5 Add IS_ETCGIT_LXC 2023-11-22 15:20:59 +01:00
David Prevot f2d1f43e85 Add IS_OLDPUB_LXC 2023-11-22 15:08:02 +01:00
David Prevot f5887eb43c CHANGELOG for IS_EVOBACKUP_EXCLUDE_MOUNT fix 2023-11-22 14:38:35 +01:00
Brice Waegeneire 59a14150db fix regressions 2023-11-21 17:02:19 +01:00
David Prevot 3bf5c4fcb7 CHANGELOG for previous commits 2023-11-16 16:25:55 +01:00
David Prevot 5d15f373c2 Add IS_LXC_PHP_BAD_DEBIAN_VERSION 2023-11-16 16:23:02 +01:00
David Prevot 5fe7a88fab Add IS_SURY_LXC 2023-11-16 16:22:57 +01:00
David Prevot ad50601931 Add IS_LXC_OPENSSH 2023-11-16 15:35:00 +01:00
David Prevot 9b1946d9a0 Add IS_DEBIANSECURITY_LXC 2023-11-16 15:20:12 +01:00
David Prevot 443c232b95 [minor] tfix 2023-10-31 09:51:19 +01:00
David Prevot 868fe9d7c0 Add trixie and forky support (Debian 13, 14) 2023-10-31 09:44:46 +01:00
Jérémy Lecour 5b0a011eda
fix CHANGELOG 2023-10-27 10:31:46 +02:00
David Prevot 081a8166cc Linux - Release 23.10 2023-10-26 15:43:09 +02:00
David Prevot 8f58aa00ee IS_SURY: check that if sury is enabled, then a safeguard must be in place 2023-10-17 17:26:44 +02:00
David Prevot d92a8862e8 Add changelog entry for previous commit 2023-10-17 17:24:26 +02:00
David Prevot 1067bc6a27 Don’t recommend preferences for backports anymore
Thanks to “NotAutomatic: yes” and “ButAutomaticUpgrades: yes”, backports
packages are not pulled by default anymore since Squeeze.
2023-10-12 15:25:52 +02:00
William Hirigoyen 42cbd14123 IS_DRBDTWOPRIMARIES: check there are not 2 DRBD primaries at the same time 2023-09-20 11:26:17 +02:00
isaid ed602d9e83 Merge pull request 'fix #148' (#149) from 148 into master
Reviewed-on: #149
reviewed by Brice
2023-09-05 17:23:13 +02:00
Iliane Said b3db84a8f7 fix #148
In check_evobackup_exclude_mount function, add support for new rsync
syntax introduced in evobackup 22.12.
2023-09-05 17:20:49 +02:00
William Hirigoyen 24d3f67718 Typo 2023-08-29 17:26:25 +02:00
Jérémy Lecour 171924d99c
IS_NEWPUB: verify that the new public repository is present 2023-08-10 17:17:47 +02:00
Jérémy Lecour e09e5b3e53
IS_MINIFW: better detection of minifirewall status 2023-08-01 23:21:25 +02:00
David Prevot 7c40af199b Add IS_OLDPUB to check for pub.evolix.net 2023-07-28 09:36:24 +02:00
William Hirigoyen 152653d773 IS_BINDCHROOT: fix /etc/default path for Debian >= 11 (renamed from bind9 to named) 2023-07-17 12:15:45 +02:00
William Hirigoyen 6414a8c70e Linux - Release 23.07 2023-07-07 11:02:01 +02:00
William Hirigoyen 9d011b71b0 IS_REDIS_BACKUP: full rewrite of the check to be more flexible, and also check time of dump 2023-06-21 16:58:36 +02:00
Jérémy Dubois ad9231d9a9 OpenBSD - Release 23.06 2023-06-05 11:42:10 +02:00
Mathieu Trossevin 442d1446b5
fix(check_nrpepid): bookworm should be checked like bullseye 2023-05-04 15:20:32 +02:00
Mathieu Trossevin 90c1f854cf
chore(whitespace) 2023-05-04 15:05:47 +02:00
Mathieu Trossevin 02e2d4c5c0
fix(check_minifw): `iptables -L -n` doesn't tranlate protocol number in bookworm 2023-05-04 15:02:28 +02:00
Jérémy Dubois 4008fb3128 OpenBSD - check_mount: removed useless echo 2023-04-25 11:46:06 +02:00
Jérémy Dubois 0dae32a135 OpenBSD - check_carpadvbase and check_carppreempt: fixed indentation 2023-04-25 11:41:51 +02:00
William Hirigoyen ae797122ad Linux - Release 23.04.01 2023-04-07 11:49:57 +02:00
William Hirigoyen 96ea77b345 Linux - Release 23.04 2023-04-07 10:55:05 +02:00
Jérémy Dubois baf26b23c4 OpenBSD - check_evobackup: zzz_evobackup is now executed with bash 2023-03-22 09:56:13 +01:00
Jérémy Dubois 8d22e5ea85 OpenBSD - Change CHANGELOG format : replace "-" for lists with "*" 2023-03-01 16:02:09 +01:00
Jérémy Dubois 011c62f984 OpenBSD - check_mountfstab and check_mount : make sure all mounted partitions are in fstab and all partitions in fstab are mounted 2023-03-01 16:01:59 +01:00
William Hirigoyen da28729577 Linux - Release 23.03.01 2023-03-01 10:06:52 +01:00
William Hirigoyen 03f9a4eb15 Linux - Release 23.03 2023-03-01 09:53:56 +01:00
William Hirigoyen e21c4e8233 IS_LXC_PHP_FPM_SERVICE_UMASK_SET: fix inverted test condition. 2023-03-01 09:44:48 +01:00
William Hirigoyen 1bb00c10bd Log output and runtime config to /var/log/evocheck.log 2023-02-17 12:54:28 +01:00
William Hirigoyen ff92e3889e Log program exit 2023-02-17 12:53:31 +01:00
William Hirigoyen 97a98c8df3 Log runtime config to /var/log/evocheck.log 2023-02-17 10:48:58 +01:00
William Hirigoyen 32d2a94b71 Log output to /var/log/evocheck.log 2023-02-17 09:52:45 +01:00
William Hirigoyen e5aa1aa323 IS_LOCALHOST_IN_POSTFIX_MYDESTINATION: set grep quiet 2023-02-14 17:31:30 +01:00
William Hirigoyen c852fb188d OpenBSD - Release 23.02 2023-02-10 14:30:45 +01:00
William Hirigoyen c621431e05 OpenBSD - Release 23.02 2023-02-10 12:31:15 +01:00
William Hirigoyen ccb6c3e4f8 Linux - Release 23.02 2023-02-10 12:28:19 +01:00
7 changed files with 588 additions and 139 deletions

View File

@ -52,7 +52,7 @@ For Debian versions : `is_debian`, `is_debian_stretch`, `is_debian_jessie`…
For packs : `is_pack_web`, `is_pack_samba`.
For installed packages : `is_installed <package> [<package>]`.
### Extact variables
### Extract variables
It's better not to inline function calls inside tests. Instead of this :

View File

@ -7,14 +7,135 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
### Changed
* IS_SYSLOGCONF: better detection
### Deprecated
### Removed
### Fixed
* Fix errors in some LXC checks: list only active LXC containers, add conditions to filter containers that are not in evo-standards.
* check_sshallowusers: fix unwanted sterr when /etc/ssh/sshd_condig.d does not exist.
## [24.01] 2024-01-03
### Added
* IS_BACKPORTS_VERSION: check if the Backports release matches the Debian release
### Changed
* IS_BROADCOMFIRMWARE: use apt policy
* Prefer long options
* IS_POSTFIX_MYDESTINATION: use fixed string instead of escaping characters
### Fixed
* IS_EVOBACKUP_EXCLUDE_MOUNT: correctly treat old versions of evobackup
* IS_DEBIANSECURITY_LXC: dont test older than Debian 9 containers
* IS_KERNELUPTODATE: address false positive in case of kernel removal
* IS_SSHPERMITROOTNO: specify lport, avoiding failure if sshd listens to more than one port
* IS_DRBDTWOPRIMARIES: fix false positive (#151)
* IS_ETCGIT_LXC, IS_GITPERMS_LXC: fix path
## [23.11.1] 2023-11-27
### Fixed
* IS_EVOBACKUP_EXCLUDE_MOUNT: fix another regression introduced in previous release
### Security
## [23.11] 2023-11-27
### Added
* trixie and forky support (Debian 13, 14)
* IS_LXC_OPENSSH: check in openssh is installed in containers
* IS_LXC_PHP_BAD_DEBIAN_VERSION: check if php containers use the expected Debian release
* IS_DEBIANSECURITY_LXC: IS_DEBIANSECURITY in containers
* IS_SURY_LXC: IS_SURY in containers
* IS_OLDPUB_LXC: IS_OLDPUB in containers
* IS_ETCGIT_LXC: IS_ETCGIT in containers
* IS_GITPERMS_LXC: IS_GITPERMS in containers
### Changed
* IS_SSHALLOWUSERS: add Debian 12 condition
* IS_PHPEVOLINUXCONF: update for bookworm
* IS_MINIFWINCLUDES, IS_NRPEPID: Change Debian release detection logic
### Fixed
* IS_EVOBACKUP_EXCLUDE_MOUNT: fix regression introduced in previous version
## [23.10] 2023-10-26
### Added
* IS_MINIFW: better detection of minifirewall status
* IS_OLDPUB: pub.evolix.net has been supersed by pub.evolix.org since Stretch
* IS_NEWPUB: verify that the new public repository is present
* IS_DRBDTWOPRIMARIES: check there are not 2 DRBD primaries at the same time.
* IS_SURY: check that if sury is enabled, then a safeguard must be in place
### Changed
* IS_BACKPORTSCONF: does not require preferences anymore
### Fixed
* IS_BINDCHROOT: fix /etc/default path for Debian >= 11 (renamed from bind9 to named)
* IS_EVOBACKUP_EXCLUDE_MOUNT: adapt to new version of evobackup (#148)
## [23.07] 2023-07-07
### Fixed
* IS_REDIS_BACKUP: full rewrite of the check to be more flexible, and also check time of dump.
## [23.04.01] 2023-04-07
### Fixed
* IS_POSTFIX_MYDESTINATION: fix regex not working (again).
## [23.04] 2023-04-07
### Changed
* IS_LOCALHOST_IN_POSTFIX_MYDESTINATION: renamed to IS_POSTFIX_MYDESTINATION
### Fixed
* IS_POSTFIX_MYDESTINATION: fix regex not working.
## [23.03.01] 2023-03-01
### Fixed
* Fix version number.
## [23.03] 2023-03-01
### Added
* Log output and runtime config to /var/log/evocheck.log.
### Changed
### Deprecated
### Removed
### Fixed
* IS_LOCALHOST_IN_POSTFIX_MYDESTINATION: set grep quiet.
* IS_LXC_PHP_FPM_SERVICE_UMASK_SET: fix inverted test condition.
### Security
## [23.02] 2023-02-10
### Fixed
* Release with the correct version number.
## [22.12] 2023-02-10
### Added

View File

@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="22.12"
VERSION="24.01"
readonly VERSION
# base functions

View File

@ -4,7 +4,9 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="22.12"
#set -x
VERSION="24.01"
readonly VERSION
# base functions
@ -55,7 +57,7 @@ detect_os() {
DEBIAN_MAIN_VERSION=$(cut -d "." -f 1 < /etc/debian_version)
if [ "${DEBIAN_MAIN_VERSION}" -lt "9" ]; then
echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2
echo "Debian ${DEBIAN_MAIN_VERSION} is incompatible with this version of evocheck." >&2
echo "This version is built for Debian 9 and later." >&2
exit
fi
@ -68,6 +70,8 @@ detect_os() {
10) DEBIAN_RELEASE="buster";;
11) DEBIAN_RELEASE="bullseye";;
12) DEBIAN_RELEASE="bookworm";;
13) DEBIAN_RELEASE="trixie";;
14) DEBIAN_RELEASE="forky";;
esac
fi
fi
@ -85,6 +89,12 @@ is_debian_bullseye() {
is_debian_bookworm() {
test "${DEBIAN_RELEASE}" = "bookworm"
}
is_debian_trixie() {
test "${DEBIAN_RELEASE}" = "trixie"
}
is_debian_forky() {
test "${DEBIAN_RELEASE}" = "forky"
}
is_pack_web(){
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
@ -100,6 +110,17 @@ is_installed(){
# logging
log() {
date=$(/bin/date +"${DATE_FORMAT}")
if [ "${1}" != '' ]; then
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
else
while read line; do
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
done < /dev/stdin
fi
}
failed() {
check_name=$1
shift
@ -113,6 +134,9 @@ failed() {
printf "%s FAILED!\n" "${check_name}" >> "${main_output_file}"
fi
fi
# Always log verbose
log "${check_name} FAILED! ${check_comments}"
}
# check functions
@ -132,10 +156,16 @@ check_dpkgwarning() {
|| failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing"
}
# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option.
check_localhost_in_postfix_mydestination() {
check_postfix_mydestination() {
# shellcheck disable=SC2016
if ! grep mydestination /etc/postfix/main.cf | grep --extended-regexp 'localhost[^\\.]' | grep 'localhost.localdomain' | grep 'localhost.$mydomain'; then
failed "IS_LOCALHOST_IN_POSTFIX_MYDESTINATION" "'localhost' and/or 'localhost.localdomain' and/or 'localhost.\$mydomain' are missing in Postfix mydestination option. Consider adding then."
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp 'localhost([[:blank:]]|$)'; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost' is missing in Postfix mydestination option."
fi
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost.localdomain'; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option."
fi
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost.$mydomain'; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option."
fi
}
# Verifying check_mailq in Nagios NRPE config file. (Option "-M postfix" need to be set if the MTA is Postfix)
@ -165,14 +195,86 @@ check_logrotateconf() {
test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d"
}
check_syslogconf() {
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \
|| failed "IS_SYSLOGCONF" "syslog evolix config file missing"
# Test for modern servers
if [ ! -f /etc/rsyslog.d/10-evolinux-default.conf ]; then
# Fallback test for legacy servers
if ! grep --quiet --ignore-case "Syslog for Pack Evolix" /etc/*syslog*/*.conf; then
failed "IS_SYSLOGCONF" "Evolix syslog config is missing"
fi
fi
}
check_debiansecurity() {
# Look for enabled "Debian-Security" sources from the "Debian" origin
apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository"
}
check_debiansecurity_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
if [ -f /var/lib/lxc/${container}/rootfs/etc/debian_version ]; then
DEBIAN_LXC_VERSION=$(cut -d "." -f 1 < /var/lib/lxc/${container}/rootfs/etc/debian_version)
if [ $DEBIAN_LXC_VERSION -ge 9 ]; then
lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" "missing Debian-Security repository in container ${container}"
fi
fi
done
fi
}
check_backports_version() {
# Look for enabled "Debian Backports" sources from the "Debian" origin
apt-cache policy | grep "\bl=Debian Backports\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 1 || ( \
apt-cache policy | grep "\bl=Debian Backports\b" | grep --quiet "\bn=${DEBIAN_RELEASE}-backports\b" && \
test $? -eq 0 || failed "IS_BACKPORTS_VERSION" "Debian Backports enabled for another release than ${DEBIAN_RELEASE}" )
}
check_oldpub() {
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch)
apt-cache policy | grep --quiet pub.evolix.net
test $? -eq 1 || failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled"
}
check_oldpub_lxc() {
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Buster as Sury safeguard)
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
APT_CACHE_BIN=$(lxc-attach --name $container -- bash -c "command -v apt-cache")
if [ -x "${APT_CACHE_BIN}" ]; then
lxc-attach --name $container apt-cache policy | grep --quiet pub.evolix.net
test $? -eq 1 || failed "IS_OLDPUB_LXC" "Old pub.evolix.net repository is still enabled in container ${container}"
fi
done
fi
}
check_newpub() {
# Look for enabled pub.evolix.org sources
apt-cache policy | grep "\bl=Evolix\b" | grep --quiet -v php
test $? -eq 0 || failed "IS_NEWPUB" "New pub.evolix.org repository is missing"
}
check_sury() {
# Look for enabled packages.sury.org sources
apt-cache policy | grep --quiet packages.sury.org
if [ $? -eq 0 ]; then
apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing"
fi
}
check_sury_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
APT_CACHE_BIN=$(lxc-attach --name $container -- bash -c "command -v apt-cache")
if [ -x "${APT_CACHE_BIN}" ]; then
lxc-attach --name $container apt-cache policy | grep --quiet packages.sury.org
if [ $? -eq 0 ]; then
lxc-attach --name $container apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
test $? -eq 0 || failed "IS_SURY_LXC" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing in container ${container}"
fi
fi
done
fi
}
check_aptitude() {
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
}
@ -211,8 +313,25 @@ check_customcrontab() {
test "$found_lines" = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
}
check_sshallowusers() {
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
if is_debian_bookworm; then
if [ -d /etc/ssh/sshd_config.d/ ]; then
# AllowUsers or AllowGroups should be in /etc/ssh/sshd_config.d/
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d/ \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
fi
# AllowUsers or AllowGroups should not be in /etc/ssh/sshd_config
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
&& failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
else
# AllowUsers or AllowGroups should be in /etc/ssh/sshd_config or /etc/ssh/sshd_config.d/
if [ -d /etc/ssh/sshd_config.d/ ]; then
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/ \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
else
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
fi
fi
}
check_diskperf() {
perfFile="/root/disk-perf.txt"
@ -256,11 +375,20 @@ check_alert5minifw() {
fi
}
check_minifw() {
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|| failed "IS_MINIFW" "minifirewall seems not started"
{
if [ -f /etc/systemd/system/minifirewall.service ]; then
systemctl is-active minifirewall > /dev/null 2>&1
else
if test -x /usr/share/scripts/minifirewall_status; then
/usr/share/scripts/minifirewall_status > /dev/null 2>&1
else
/sbin/iptables -L -n 2> /dev/null | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
fi
fi
} || failed "IS_MINIFW" "minifirewall seems not started"
}
check_minifw_includes() {
if is_debian_bullseye; then
if { ! is_debian_stretch && ! is_debian_buster ; }; then
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall"; then
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/"
fi
@ -287,13 +415,13 @@ check_nrpedisks() {
test "$NRPEDISKS" = "$DFDISKS" || failed "IS_NRPEDISKS" "there must be $DFDISKS check_disk in nrpe.cfg"
}
check_nrpepid() {
if is_debian_bullseye; then
if { is_debian_stretch || is_debian_buster ; }; then
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
else
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/var/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
&& grep -q "^pid_file=/run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
fi
}
@ -420,7 +548,11 @@ check_log2mailsquid() {
check_bindchroot() {
if is_installed bind9; then
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)"; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
default_conf=/etc/default/named
if is_debian_buster || is_debian_stretch; then
default_conf=/etc/default/bind9
fi
if grep -q '^OPTIONS=".*-t' "${default_conf}" && grep -q '^OPTIONS=".*-u' "${default_conf}"; then
md5_original=$(md5sum /usr/sbin/named | cut -f 1 -d ' ')
md5_chrooted=$(md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ')
if [ "$md5_original" != "$md5_chrooted" ]; then
@ -498,7 +630,12 @@ check_evobackup_exclude_mount() {
# If rsync is not limited by "one-file-system"
# then we verify that every mount is excluded
if ! grep -q -- "^\s*--one-file-system" "${evobackup_file}"; then
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
# old releases of evobackups don't have version
if grep -q "^VERSION=" "${evobackup_file}" && dpkg --compare-versions "$(sed -E -n 's/VERSION="(.*)"/\1/p' "${evobackup_file}")" ge 22.12 ; then
sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' "${evobackup_file}" > "${excludes_file}"
else
grep -- "--exclude " "${evobackup_file}" | grep -E -o "\"[^\"]+\"" | tr -d '"' > "${excludes_file}"
fi
not_excluded=$(findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f "${excludes_file}")
for mount in ${not_excluded}; do
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" "${mount} is not excluded from ${evobackup_file} backup script"
@ -551,7 +688,7 @@ check_apacheipinallow() {
check_muninapacheconf() {
muninconf="/etc/apache2/conf-available/munin.conf"
if is_installed apache2; then
test -e $muninconf && grep -vEq "^( |\t)*#" "$muninconf" \
test -e $muninconf && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$muninconf" \
&& failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled"
fi
}
@ -560,17 +697,17 @@ check_phpmyadminapacheconf() {
phpmyadminconf0="/etc/apache2/conf-available/phpmyadmin.conf"
phpmyadminconf1="/etc/apache2/conf-enabled/phpmyadmin.conf"
if is_installed apache2; then
test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" "$phpmyadminconf0" \
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) may be commented or disabled"
test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" "$phpmyadminconf1" \
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) may be commented or disabled"
test -e $phpmyadminconf0 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$phpmyadminconf0" \
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf0) should be commented or disabled"
test -e $phpmyadminconf1 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" "$phpmyadminconf1" \
&& failed "IS_PHPMYADMINAPACHECONF" "default phpmyadmin configuration ($phpmyadminconf1) should be commented or disabled"
fi
}
# Verification si le système doit redémarrer suite màj kernel.
check_kerneluptodate() {
if is_installed linux-image*; then
# shellcheck disable=SC2012
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}')" +%s)
kernel_installed_at=$(date -d "$(ls --full-time -lcrt /boot/*lin* | tail -n1 | awk '{print $6}')" +%s)
last_reboot_at=$(($(date +%s) - $(cut -f1 -d '.' /proc/uptime)))
if [ "$kernel_installed_at" -gt "$last_reboot_at" ]; then
failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised"
@ -637,6 +774,17 @@ check_etcgit() {
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|| failed "IS_ETCGIT" "/etc is not a git repository"
}
check_etcgit_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
export GIT_DIR="/var/lib/lxc/${container}/rootfs/etc/.git"
export GIT_WORK_TREE="/var/lib/lxc/${container}/rootfs/etc"
git rev-parse --is-inside-work-tree > /dev/null 2>&1 \
|| failed "IS_ETCGIT_LXC" "/etc is not a git repository in container ${container}"
done
fi
}
# Check if /etc/.git/ has read/write permissions for root only.
check_gitperms() {
GIT_DIR="/etc/.git"
@ -646,6 +794,19 @@ check_gitperms() {
[ "$expected" = "$actual" ] || failed "IS_GITPERMS" "$GIT_DIR must be $expected"
fi
}
check_gitperms_lxc() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
GIT_DIR="/var/lib/lxc/${container}/rootfs/etc/.git"
if test -d $GIT_DIR; then
expected="700"
actual=$(stat -c "%a" $GIT_DIR)
[ "$expected" = "$actual" ] || failed "IS_GITPERMS_LXC" "$GIT_DIR must be $expected (in container ${container})"
fi
done
fi
}
# Check if no package has been upgraded since $limit.
check_notupgraded() {
last_upgrade=0
@ -733,10 +894,6 @@ check_apache2evolinuxconf() {
check_backportsconf() {
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| failed "IS_BACKPORTSCONF" "backports must have preferences"
fi
}
check_bind9munin() {
if is_installed bind9; then
@ -750,12 +907,25 @@ check_bind9logrotate() {
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
fi
}
check_drbd_two_primaries() {
if is_installed drbd-utils; then
if command -v drbd-overview >/dev/null; then
if drbd-overview 2>&1 | grep -q "Primary/Primary"; then
failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!"
fi
elif command -v drbdadm >/dev/null; then
if drbdadm role all 2>&1 | grep -q 'Primary/Primary'; then
failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!"
fi
fi
fi
}
check_broadcomfirmware() {
LSPCI_BIN=$(command -v lspci)
if [ -x "${LSPCI_BIN}" ]; then
if ${LSPCI_BIN} | grep -q 'NetXtreme II'; then
{ is_installed firmware-bnx2 \
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
&& apt-cache policy | grep "\bl=Debian\b" | grep --quiet -v "\b,c=non-free\b"
} || failed "IS_BROADCOMFIRMWARE" "missing non-free repository"
fi
else
@ -854,19 +1024,27 @@ check_ldap_backup() {
check_redis_backup() {
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
# REDIS_BACKUP_PATH may contain space-separated paths, example:
# REDIS_BACKUP_PATH may contain space-separated paths, for example:
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
# Old default path: /home/backup/dump.rdb
# New default path: /home/backup/redis/dump.rdb
if [ -z "${REDIS_BACKUP_PATH}" ]; then
if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ]; then
failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)."
fi
else
for file in ${REDIS_BACKUP_PATH}; do
test -f "${file}" || failed "IS_REDIS_BACKUP" "Redis dump ${file} is missing."
done
# Warning : this script doesn't handle spaces in file paths !
REDIS_BACKUP_PATH="${REDIS_BACKUP_PATH:-$(find /home/backup/ -iname "*.rdb*")}"
# Check number of dumps
n_instances=$(pgrep 'redis-server' | wc -l)
n_dumps=$(echo $REDIS_BACKUP_PATH | wc -w)
if [ ${n_dumps} -lt ${n_instances} ]; then
failed "IS_REDIS_BACKUP" "Missing Redis dump : ${n_instances} instance(s) found versus ${n_dumps} dump(s) found."
fi
# Check last dump date
age_threshold=$(date +"%s" -d "now - 2 days")
for dump in ${REDIS_BACKUP_PATH}; do
last_update=$(stat -c "%Z" $dump)
if [ "${last_update}" -lt "${age_threshold}" ]; then
failed "IS_REDIS_BACKUP" "Redis dump ${dump} is older than 2 days."
fi
done
fi
}
check_elastic_backup() {
@ -923,6 +1101,7 @@ check_phpevolinuxconf() {
is_debian_stretch && phpVersion="7.0"
is_debian_buster && phpVersion="7.3"
is_debian_bullseye && phpVersion="7.4"
is_debian_bookworm && phpVersion="8.2"
if is_installed php; then
{ test -f "/etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini" \
&& test -f "/etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini"
@ -1054,16 +1233,10 @@ check_usrsharescripts() {
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
}
check_sshpermitrootno() {
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
if is_debian_stretch; then
# Noop, we'll use the default $sshd_args
:
elif is_debian_buster; then
sshd_args="${sshd_args},rdomain="
else
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
# -T doesn't require the additional -C.
sshd_args=
# You could change the SSH port in /etc/evocheck.cf
sshd_args="-C addr=,user=,host=,laddr=,lport=${SSH_PORT:-22}"
if is_debian_buster; then
sshd_args="${sshd_args},rdomain="
fi
# shellcheck disable=SC2086
if ! (sshd -T ${sshd_args} 2> /dev/null | grep -qi 'permitrootlogin no'); then
@ -1181,10 +1354,10 @@ check_nginx_letsencrypt_uptodate() {
}
check_lxc_container_resolv_conf() {
if is_installed lxc; then
container_list=$(lxc-ls)
container_list=$(lxc-ls --active)
current_resolvers=$(grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
for container in $container_list; do
for container in $container_list; do
if [ -f "/var/lib/lxc/${container}/rootfs/etc/resolv.conf" ]; then
while read -r resolver; do
@ -1196,22 +1369,22 @@ check_lxc_container_resolv_conf() {
else
failed "IS_LXC_CONTAINER_RESOLV_CONF" "resolv.conf missing in container ${container}"
fi
done
done
fi
}
# Check that there are containers if lxc is installed.
check_no_lxc_container() {
if is_installed lxc; then
containers_count=$(lxc-ls | wc -l)
containers_count=$(lxc-ls --active | wc -l)
if [ "$containers_count" -eq 0 ]; then
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no container. Consider removing it."
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no active container. Consider removing it."
fi
fi
}
# Check that in LXC containers, phpXX-fpm services have UMask set to 0007.
check_lxc_php_fpm_service_umask_set() {
if is_installed lxc; then
php_containers_list=$(lxc-ls --filter php)
php_containers_list=$(lxc-ls --active --filter php)
missing_umask=""
for container in $php_containers_list; do
# Translate container name in service name
@ -1221,7 +1394,7 @@ check_lxc_php_fpm_service_umask_set() {
service="${container:0:4}.${container:4}-fpm"
fi
umask=$(lxc-attach --name "${container}" -- systemctl show -p UMask "$service" | cut -d "=" -f2)
if ! [ "$umask" != "0007" ]; then
if [ "$umask" != "0007" ]; then
missing_umask="${missing_umask} ${container}"
fi
done
@ -1230,6 +1403,34 @@ check_lxc_php_fpm_service_umask_set() {
fi
fi
}
# Check that LXC containers have the proper Debian version.
check_lxc_php_bad_debian_version() {
if is_installed lxc; then
php_containers_list=$(lxc-ls --active --filter php)
missing_umask=""
for container in $php_containers_list; do
if [ "$container" = "php56" ]; then
grep --quiet 'VERSION_ID="8"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Jessie"
elif [ "$container" = "php70" ]; then
grep --quiet 'VERSION_ID="9"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Stretch"
elif [ "$container" = "php73" ]; then
grep --quiet 'VERSION_ID="10"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Buster"
elif [ "$container" = "php74" ]; then
grep --quiet 'VERSION_ID="11"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bullseye"
elif [ "$container" = "php82" ]; then
grep --quiet 'VERSION_ID="12"' /var/lib/lxc/${container}/rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" "Container ${container} should use Bookworm"
fi
done
fi
}
check_lxc_openssh() {
if is_installed lxc; then
container_list=$(lxc-ls --active)
for container in $container_list; do
test -e /var/lib/lxc/${container}/rootfs/usr/sbin/sshd && failed "IS_LXC_OPENSSH" "openssh-server should not be installed in container ${container}"
done
fi
}
download_versions() {
local file
@ -1282,7 +1483,7 @@ get_version() {
case "${program}" in
## Special case if `command --version => 'command` is not the standard way to get the version
# my_command)
# /path/to/my_command --get-version
# /path/to/my_command --get-version
# ;;
add-vm)
@ -1375,7 +1576,7 @@ main() {
test "${IS_LSBRELEASE:=1}" = 1 && check_lsbrelease
test "${IS_DPKGWARNING:=1}" = 1 && check_dpkgwarning
test "${IS_LOCALHOST_IN_POSTFIX_MYDESTINATION:=1}" = 1 && check_localhost_in_postfix_mydestination
test "${IS_POSTFIX_MYDESTINATION:=1}" = 1 && check_postfix_mydestination
test "${IS_NRPEPOSTFIX:=1}" = 1 && check_nrpepostfix
test "${IS_CUSTOMSUDOERS:=1}" = 1 && check_customsudoers
test "${IS_VARTMPFS:=1}" = 1 && check_vartmpfs
@ -1383,6 +1584,13 @@ main() {
test "${IS_LOGROTATECONF:=1}" = 1 && check_logrotateconf
test "${IS_SYSLOGCONF:=1}" = 1 && check_syslogconf
test "${IS_DEBIANSECURITY:=1}" = 1 && check_debiansecurity
test "${IS_DEBIANSECURITY_LXC:=1}" = 1 && check_debiansecurity_lxc
test "${IS_BACKPORTS_VERSION:=1}" = 1 && check_backports_version
test "${IS_OLDPUB:=1}" = 1 && check_oldpub
test "${IS_OLDPUB_LXC:=1}" = 1 && check_oldpub_lxc
test "${IS_NEWPUB:=1}" = 1 && check_newpub
test "${IS_SURY:=1}" = 1 && check_sury
test "${IS_SURY_LXC:=1}" = 1 && check_sury_lxc
test "${IS_APTITUDE:=1}" = 1 && check_aptitude
test "${IS_APTGETBAK:=1}" = 1 && check_aptgetbak
test "${IS_USRRO:=1}" = 1 && check_usrro
@ -1435,7 +1643,9 @@ main() {
test "${IS_MUNINRUNNING:=1}" = 1 && check_muninrunning
test "${IS_BACKUPUPTODATE:=1}" = 1 && check_backupuptodate
test "${IS_ETCGIT:=1}" = 1 && check_etcgit
test "${IS_ETCGIT_LXC:=1}" = 1 && check_etcgit_lxc
test "${IS_GITPERMS:=1}" = 1 && check_gitperms
test "${IS_GITPERMS_LXC:=1}" = 1 && check_gitperms_lxc
test "${IS_NOTUPGRADED:=1}" = 1 && check_notupgraded
test "${IS_TUNE2FS_M5:=1}" = 1 && check_tune2fs_m5
test "${IS_EVOLINUXSUDOGROUP:=1}" = 1 && check_evolinuxsudogroup
@ -1444,6 +1654,7 @@ main() {
test "${IS_BACKPORTSCONF:=1}" = 1 && check_backportsconf
test "${IS_BIND9MUNIN:=1}" = 1 && check_bind9munin
test "${IS_BIND9LOGROTATE:=1}" = 1 && check_bind9logrotate
test "${IS_DRBDTWOPRIMARIES:=1}" = 1 && check_drbd_two_primaries
test "${IS_BROADCOMFIRMWARE:=1}" = 1 && check_broadcomfirmware
test "${IS_HARDWARERAIDTOOL:=1}" = 1 && check_hardwareraidtool
test "${IS_LOG2MAILSYSTEMDUNIT:=1}" = 1 && check_log2mailsystemdunit
@ -1476,6 +1687,8 @@ main() {
test "${IS_LXC_CONTAINER_RESOLV_CONF:=1}" = 1 && check_lxc_container_resolv_conf
test "${IS_NO_LXC_CONTAINER:=1}" = 1 && check_no_lxc_container
test "${IS_LXC_PHP_FPM_SERVICE_UMASK_SET:=1}" = 1 && check_lxc_php_fpm_service_umask_set
test "${IS_LXC_PHP_BAD_DEBIAN_VERSION:=1}" = 1 && check_lxc_php_bad_debian_version
test "${IS_LXC_OPENSSH:=1}" = 1 && check_lxc_openssh
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
if [ -f "${main_output_file}" ]; then
@ -1489,9 +1702,12 @@ main() {
exit ${RC}
}
cleanup_temp_files() {
# shellcheck disable=SC2086,SC2317
cleanup() {
# Cleanup tmp files
# shellcheck disable=SC2068,SC2317
rm -f ${files_to_cleanup[@]}
log "$PROGNAME exit."
}
PROGNAME=$(basename "$0")
@ -1502,17 +1718,23 @@ readonly PROGNAME
ARGS=$@
readonly ARGS
LOGFILE="/var/log/evocheck.log"
readonly LOGFILE
CONFIGFILE="/etc/evocheck.cf"
readonly CONFIGFILE
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
# shellcheck disable=SC2034
readonly DATEFORMAT
# Disable LANG*
export LANG=C
export LANGUAGE=C
declare -a files_to_cleanup
# shellcheck disable=SC2064
trap cleanup_temp_files 0
# Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf
test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
@ -1560,5 +1782,24 @@ while :; do
shift
done
# Keep this after "show_version(); exit 0" which is called by check_versions
# to avoid logging exit twice.
declare -a files_to_cleanup
files_to_cleanup=""
# shellcheck disable=SC2064
trap cleanup EXIT INT TERM
log '-----------------------------------------------'
log "Running $PROGNAME $VERSION..."
# Log config file content
if [ -f "${CONFIGFILE}" ]; then
log "Runtime configuration (${CONFIGFILE}):"
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
fi
# shellcheck disable=SC2086
main ${ARGS}
log "End of $PROGNAME execution."

View File

@ -4,7 +4,7 @@
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
VERSION="22.12"
VERSION="24.01"
readonly VERSION
# base functions

View File

@ -7,198 +7,230 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
### Added
### Changed
### Fixed
### Removed
### Security
## [23.06] - 2023-06-05
### Added
* Log output and runtime config to /var/log/evocheck.log.
* check_mountfstab and check_mount: make sure all mounted partitions are in fstab and all partitions in fstab are mounted
### Fixed
* check_carpadvbase and check_carppreempt: fixed indentation
* check_mount: removed useless echo
### Changed
* check_evobackup: zzz_evobackup is now executed with bash
## [23.02] - 2023-02-10
### Fixed
* Release with the correct version number.
## [22.12] - 2023-02-10
### Changed
- Replaced check_sudomaint with check_doasmaint because evomaintenance is used with doas, not with sudo
* Replaced check_sudomaint with check_doasmaint because evomaintenance is used with doas, not with sudo
### Fixed
- check_history: escape $HOME variable
- check_pkgmirror: fix openbsd mirror
* check_history: escape $HOME variable
* check_pkgmirror: fix openbsd mirror
### Removed
- check_wheel: wheel group mustn't be sudo because we use the evolinux-sudo group
* check_wheel: wheel group mustn't be sudo because we use the evolinux-sudo group
## [22.11] - 2022-11-28
### Changed
- check_pkgmirror: use our own openbsd mirror
* check_pkgmirror: use our own openbsd mirror
## [22.10] - 2022-10-14
### Changed
- check_evobackup_exclude_mount: skip if --one-file-system is used, and exclude scripts without Rsync command
- check_backupuptodate: use find with --max-depth=1 to limit the number of evaluated files
- check_sshpermitrootno: do not display sshd errors
- check_ntp: comply with ntp configuration change on EvoBSD
* check_evobackup_exclude_mount: skip if --one-file-system is used, and exclude scripts without Rsync command
* check_backupuptodate: use find with --max-depth=1 to limit the number of evaluated files
* check_sshpermitrootno: do not display sshd errors
* check_ntp: comply with ntp configuration change on EvoBSD
## [22.08] - 2022-08-04
### Fixed
- Fixed check_sshpermitrootno to check real configuration
* Fixed check_sshpermitrootno to check real configuration
## [22.06] - 2022-06-16
### Changed
- Fixed various shellcheck violations
- Added a function to cleanup files at once instead of using multiple trap rm
* Fixed various shellcheck violations
* Added a function to cleanup files at once instead of using multiple trap rm
## [22.04] - 2022-04-13
### Added
- Added check_root_user: make sure that root user does not have a password
* Added check_root_user: make sure that root user does not have a password
## [22.03] - 2022-03-10
### Added
- check_evomaintenanceconf: check existence and rights of evomaintenance conf file
- Added check_nrpeopensmtpd to ensure that opensmtpd is used for mailq nrpe check
- Added check_sshallowusers to ensure that AllowUsers or AllowGroups directive is present in sshd_config
- Added check_evobackup_exclude_mount to ensure that NFS mounts are excluded from backup
- Added check_etcgit to ensure that /etc is a git repository
- Added check_evolinuxsudogroup to ensure that evolinux-sudo is properly configured in sudo if group exist
- Added check_bind9munin to ensure that a plugin for bind is configured when munin is installed
- Added check_evolix_user to ensure that evolix user does not exist
- Added check_versions and its functions (download_versions, get_command, get_version, check_version, add_to_path) to ensure that custom scripts are up to date
* check_evomaintenanceconf: check existence and rights of evomaintenance conf file
* Added check_nrpeopensmtpd to ensure that opensmtpd is used for mailq nrpe check
* Added check_sshallowusers to ensure that AllowUsers or AllowGroups directive is present in sshd_config
* Added check_evobackup_exclude_mount to ensure that NFS mounts are excluded from backup
* Added check_etcgit to ensure that /etc is a git repository
* Added check_evolinuxsudogroup to ensure that evolinux-sudo is properly configured in sudo if group exist
* Added check_bind9munin to ensure that a plugin for bind is configured when munin is installed
* Added check_evolix_user to ensure that evolix user does not exist
* Added check_versions and its functions (download_versions, get_command, get_version, check_version, add_to_path) to ensure that custom scripts are up to date
### Changed
- Overall improvement of evocheck: reordering, splitting version and help options, adding comments, developping some functions so they are more comprehensible
- Improved check_umasksudoers to have a more complete grep
- Updated check_history to reflect the new HISTSIZE value
- Renamed check_tmp1777 and check_root0700 respectively to check_tmp_1777 and check_root_0700
- Improved check_tmp_1777, check_root_0700, check_usrsharescripts in the way the folders rights are checked
* Overall improvement of evocheck: reordering, splitting version and help options, adding comments, developping some functions so they are more comprehensible
* Improved check_umasksudoers to have a more complete grep
* Updated check_history to reflect the new HISTSIZE value
* Renamed check_tmp1777 and check_root0700 respectively to check_tmp_1777 and check_root_0700
* Improved check_tmp_1777, check_root_0700, check_usrsharescripts in the way the folders rights are checked
### Fixed
- Fixed check_uptime: it didn't work at all, and tried to get uptime in the wrong way
- Fixed check_evomaintenanceusers: sudo is not used for the evomaintenance trap, doas is ; and users were not found the better way
* Fixed check_uptime: it didn't work at all, and tried to get uptime in the wrong way
* Fixed check_evomaintenanceusers: sudo is not used for the evomaintenance trap, doas is ; and users were not found the better way
### Removed
- Removed empty check_pfcustom
* Removed empty check_pfcustom
## [21.10] - 2021-10-07
### Fixed
- Fixed check_tmoutprofile: syntax error on if/else/fi test
* Fixed check_tmoutprofile: syntax error on if/else/fi test
## [21.09] - 2021-09-17
### Changed
- Changed version numbering to use year.month and be capable to know the age of the script
* Changed version numbering to use year.month and be capable to know the age of the script
### Fixed
- Fixed check_tmoutprofile: Add "if" to check if file exists
* Fixed check_tmoutprofile: Add "if" to check if file exists
## [6.9.1] - 2021-07-23
### Changed
- Renamed check_advskew, check_preempt, check_advbase and their alert to add "carp" in them
* Renamed check_advskew, check_preempt, check_advbase and their alert to add "carp" in them
## [6.9.0] - 2021-07-16
### Added
- Add check_advskew: convention for CARP interfaces. CARP in master state must have advskew parameter between 1 and 50, CARP in backup state must have advskew parameter between 100 and 150, preventing a configuration error with the same value for master and backup
* Add check_advskew: convention for CARP interfaces. CARP in master state must have advskew parameter between 1 and 50, CARP in backup state must have advskew parameter between 100 and 150, preventing a configuration error with the same value for master and backup
## [6.8.0] - 2020-10-23
### Fixed
- Fix check_noatime: do not take into account commented entry in fstab
* Fix check_noatime: do not take into account commented entry in fstab
## [6.7.7] - 2020-10-22
### Added
- Add check_openvpncronlog: a cron is needed to rotate logs, because a restart of OpenVPN would be needed with the use of newsyslog to rotate logs
* Add check_openvpncronlog: a cron is needed to rotate logs, because a restart of OpenVPN would be needed with the use of newsyslog to rotate logs
### Fixed
- Fix check_uptodate: properly check that syspatch exists
- Fix check_raidok: the same device could be displayed multiple times
* Fix check_uptodate: properly check that syspatch exists
* Fix check_raidok: the same device could be displayed multiple times
## [6.7.6] - 2020-10-15
### Added
- Add check_noatime - Check that all ffs partitions are mounted with the noatime option
* Add check_noatime - Check that all ffs partitions are mounted with the noatime option
### Fixed
- Fix check_softdep - We now check the number of ffs partitions and we compare it to the number of softdep options currently there
* Fix check_softdep - We now check the number of ffs partitions and we compare it to the number of softdep options currently there
## [6.7.5] - 2020-10-09
### Fixed
- Fix check_cronpath - Do not check PATH=XXX but only XXX because XXX can also be in quotes (PATH="XXX" would not be matched)
* Fix check_cronpath - Do not check PATH=XXX but only XXX because XXX can also be in quotes (PATH="XXX" would not be matched)
## [6.7.4] - 2020-08-04
### Added
- Add check_backupuptodate - Check that /home/backup is not older than 2 days
* Add check_backupuptodate - Check that /home/backup is not older than 2 days
## [6.7.3] - 2020-07-23
### Added
- Add check_ntp - Check the ntpd configuration
* Add check_ntp - Check the ntpd configuration
### Fixed
- Fix check_defaultroute - We need to check if the /etc/mygate file exists before comparing it
* Fix check_defaultroute - We need to check if the /etc/mygate file exists before comparing it
### Removed
- Removed check_postgresql - Deprecated since we now use an API
* Removed check_postgresql - Deprecated since we now use an API
## [6.7.2] - 2020-07-22
### Added
- Add check_defaultroute function - Make sure the default route in /etc/mygate file is the same that the one currently used
* Add check_defaultroute function - Make sure the default route in /etc/mygate file is the same that the one currently used
## [6.7.1] - 2020-07-15
### Fixed
- Fix check_customsyslog - We have to check whether EvoBSD is present in newsyslog.conf file
- Fix check_sudomaint function - ADMIN group does not exist anymore, we now check that the wheel group has NOPASSWD to run the evomaintenance command alias
- Fix check_advbase - We want the evocheck advbase function output to be uniq
* Fix check_customsyslog - We have to check whether EvoBSD is present in newsyslog.conf file
* Fix check_sudomaint function - ADMIN group does not exist anymore, we now check that the wheel group has NOPASSWD to run the evomaintenance command alias
* Fix check_advbase - We want the evocheck advbase function output to be uniq
## [6.6.2] - 2020-04-27
### Added
- Add check_sync function - If a server is a Carp member we check whether the sync.sh script is present or not
- Add check_pfenabled function - We make sure PF is enabled
- Add check_uptodate function - Use syspatch(8) to check if security updates are available
* Add check_sync function - If a server is a Carp member we check whether the sync.sh script is present or not
* Add check_pfenabled function - We make sure PF is enabled
* Add check_uptodate function - Use syspatch(8) to check if security updates are available
### Changed
- Remove check_oldhomedir - This information is irrelevant since we always keep home directories of former sysadmins
- Now use a version-naming scheme based on OpenBSD's one
* Remove check_oldhomedir - This information is irrelevant since we always keep home directories of former sysadmins
* Now use a version-naming scheme based on OpenBSD's one
## [6.6.1] - 2020-04-21
### Changed
- Rewrite if statements to functions
- Add a main function
- New help message
* Rewrite if statements to functions
* Add a main function
* New help message

View File

@ -3,7 +3,7 @@
# EvoCheck
# Script to verify compliance of an OpenBSD server powered by Evolix
readonly VERSION="22.12"
readonly VERSION="23.06"
# base functions
@ -51,6 +51,17 @@ is_installed(){
# logging
log() {
date=$(/bin/date +"${DATE_FORMAT}")
if [ "${1}" != '' ]; then
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${1}" >> "${LOGFILE}"
else
while read line; do
printf "[%s] %s: %s\\n" "$date" "${PROGNAME}" "${line}" >> "${LOGFILE}"
done < /dev/stdin
fi
}
failed() {
check_name=$1
shift
@ -64,6 +75,9 @@ failed() {
printf "%s FAILED!\n" "${check_name}" 2>&1
fi
fi
# Always log verbose
log "${check_name} FAILED! ${check_comments}"
}
# check functions
@ -104,9 +118,9 @@ check_raidok(){
}
check_evobackup(){
if [ -f /etc/daily.local ]; then
grep -qE "^sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
grep -qE "^(ba)?sh /usr/share/scripts/zzz_evobackup" /etc/daily.local || failed "IS_EVOBACKUP" "Make sure 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
else
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
failed "IS_EVOBACKUP" "Make sure /etc/daily.local exists and 'bash or sh /usr/share/scripts/zzz_evobackup' is present and activated in /etc/daily.local"
fi
}
check_uptodate(){
@ -154,9 +168,9 @@ check_carpadvbase(){
if ls /etc/hostname.carp* 1> /dev/null 2>&1; then
bad_advbase=0
for advbase in $(ifconfig carp | grep advbase | awk -F 'advbase' '{print $2}' | awk '{print $1}' | xargs); do
if [ "$advbase" -gt 5 ]; then
bad_advbase=1
fi
if [ "$advbase" -gt 5 ]; then
bad_advbase=1
fi
done
if [ "$bad_advbase" -eq 1 ]; then
failed "IS_CARPADVBASE" "At least one CARP interface has advbase greater than 5 seconds!"
@ -172,7 +186,7 @@ check_carppreempt(){
if [ -f /etc/sysctl.conf ]; then
grep -qE "^net.inet.carp.preempt=1" /etc/sysctl.conf || failed "IS_CARPPREEMPT" "The preempt parameter is not permanently activated! Please add 'net.inet.carp.preempt=1' in /etc/sysctl.conf"
else
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
failed "IS_CARPPREEMPT" "Make sure /etc/sysctl.conf exists and contains the line 'net.inet.carp.preempt=1'"
fi
fi
}
@ -415,7 +429,7 @@ get_command() {
evocheck) echo "${0}" ;;
evomaintenance) command -v "evomaintenance.sh" ;;
motd-carp-state) command -v "motd-carp-state.sh" ;;
## General case, where the program name is the same as the command name
*) command -v "${program}" ;;
esac
@ -512,6 +526,17 @@ check_root_user() {
failed "IS_ROOT_USER" "root user should not have a password ; replace the password field with 'vipw' for the root user with '*************' (exactly 13 asterisks) "
fi
}
check_mount(){
for fstab_entry in $(grep ffs /etc/fstab | grep -v "^#" | awk '{print $2}'); do
mount | awk '{print $3}' | grep -q "^$fstab_entry$" || failed "IS_MOUNT" "Local OpenBSD partition(s) detected in /etc/fstab but not mounted"
done
}
check_mountfstab() {
for mount_point in $(mount | awk '{print $3}'); do
grep -q " $mount_point " /etc/fstab || failed "IS_MOUNT_FSTAB" "Partition(s) detected mounted but no presence in /etc/fstab"
done
}
main() {
# Default return code : 0 = no error
@ -561,24 +586,34 @@ main() {
test "${IS_EVOLIX_USER:=1}" = 1 && check_evolix_user
test "${IS_CHECK_VERSIONS:=1}" = 1 && check_versions
test "${IS_ROOT_USER:=1}" = 1 && check_root_user
test "${IS_MOUNT:=1}" = 1 && check_mount
test "${IS_MOUNT_FSTAB:=1}" = 1 && check_mountfstab
exit ${RC}
}
cleanup_temp_files() {
cleanup() {
# Cleanup tmp files
# shellcheck disable=SC2086
rm -f ${files_to_cleanup}
log "$PROGNAME exit."
}
PROGNAME=$(basename "$0")
LOGFILE="/var/log/evocheck.log"
CONFIGFILE="/etc/evocheck.cf"
DATE_FORMAT="%Y-%m-%d %H:%M:%S"
# Disable LANG*
export LANG=C
export LANGUAGE=C
files_to_cleanup=""
trap cleanup_temp_files 0
# Source configuration file
# shellcheck disable=SC1091
test -f /etc/evocheck.cf && . /etc/evocheck.cf
test -f "${CONFIGFILE}" && . "${CONFIGFILE}"
# Parse options
# based on https://gist.github.com/deshion/10d3cb5f88a21671e17a
@ -621,5 +656,25 @@ while :; do
shift
done
# Keep this after "show_version(); exit 0" which is called by check_versions
# to avoid logging exit twice.
files_to_cleanup=""
trap cleanup EXIT INT TERM
log '-----------------------------------------------'
log "Running $PROGNAME $VERSION..."
# Log config file content
if [ -f "${CONFIGFILE}" ]; then
log "Runtime configuration (${CONFIGFILE}):"
conf=$(sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}")
if [ ! -z "${conf}" ]; then
sed -e '/^[[:blank:]]*#/d; s/#.*//; /^[[:blank:]]*$/d' "${CONFIGFILE}" | log
else
log "${CONFIGFILE} is empty."
fi
fi
# shellcheck disable=SC2086
main ${ARGS}