@ -4,7 +4,9 @@
# Script to verify compliance of a Linux (Debian) server
# Script to verify compliance of a Linux (Debian) server
# powered by Evolix
# powered by Evolix
VERSION = "23.04.01"
#set -x
VERSION = "24.01"
readonly VERSION
readonly VERSION
# base functions
# base functions
@ -68,6 +70,8 @@ detect_os() {
10) DEBIAN_RELEASE = "buster" ; ;
10) DEBIAN_RELEASE = "buster" ; ;
11) DEBIAN_RELEASE = "bullseye" ; ;
11) DEBIAN_RELEASE = "bullseye" ; ;
12) DEBIAN_RELEASE = "bookworm" ; ;
12) DEBIAN_RELEASE = "bookworm" ; ;
13) DEBIAN_RELEASE = "trixie" ; ;
14) DEBIAN_RELEASE = "forky" ; ;
esac
esac
fi
fi
fi
fi
@ -85,6 +89,12 @@ is_debian_bullseye() {
is_debian_bookworm( ) {
is_debian_bookworm( ) {
test " ${ DEBIAN_RELEASE } " = "bookworm"
test " ${ DEBIAN_RELEASE } " = "bookworm"
}
}
is_debian_trixie( ) {
test " ${ DEBIAN_RELEASE } " = "trixie"
}
is_debian_forky( ) {
test " ${ DEBIAN_RELEASE } " = "forky"
}
is_pack_web( ) {
is_pack_web( ) {
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
test -e /usr/share/scripts/web-add.sh || test -e /usr/share/scripts/evoadmin/web-add.sh
@ -148,13 +158,13 @@ check_dpkgwarning() {
# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option.
# Check if localhost, localhost.localdomain and localhost.$mydomain are set in Postfix mydestination option.
check_postfix_mydestination( ) {
check_postfix_mydestination( ) {
# shellcheck disable=SC2016
# shellcheck disable=SC2016
if ! grep mydestination /etc/postfix/main.cf | grep --quiet -E 'localhost([[:blank:]]|$)' ; then
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --extended-regexp 'localhost([[:blank:]]|$)' ; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost' s missing in Postfix mydestination option."
failed "IS_POSTFIX_MYDESTINATION" "'localhost' i s missing in Postfix mydestination option."
fi
fi
if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost \ .localdomain'; then
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost .localdomain'; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option."
failed "IS_POSTFIX_MYDESTINATION" "'localhost.localdomain' is missing in Postfix mydestination option."
fi
fi
if ! grep mydestination /etc/postfix/main.cf | grep --quiet 'localhost \ .\ $mydomain'; then
if ! grep mydestination /etc/postfix/main.cf | grep --quiet --fixed-strings 'localhost .$mydomain'; then
failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option."
failed "IS_POSTFIX_MYDESTINATION" "'localhost.\$mydomain' is missing in Postfix mydestination option."
fi
fi
}
}
@ -185,14 +195,86 @@ check_logrotateconf() {
test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d"
test -e /etc/logrotate.d/zsyslog || failed "IS_LOGROTATECONF" "missing zsyslog in logrotate.d"
}
}
check_syslogconf( ) {
check_syslogconf( ) {
grep -q "^# Syslog for Pack Evolix serveur" /etc/*syslog.conf \
# Test for modern servers
|| failed "IS_SYSLOGCONF" "syslog evolix config file missing"
if [ ! -f /etc/rsyslog.d/10-evolinux-default.conf ] ; then
# Fallback test for legacy servers
if ! grep --quiet --ignore-case "Syslog for Pack Evolix" /etc/*syslog*/*.conf; then
failed "IS_SYSLOGCONF" "Evolix syslog config is missing"
fi
fi
}
}
check_debiansecurity( ) {
check_debiansecurity( ) {
# Look for enabled "Debian-Security" sources from the "Debian" origin
# Look for enabled "Debian-Security" sources from the "Debian" origin
apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository"
test $? -eq 0 || failed "IS_DEBIANSECURITY" "missing Debian-Security repository"
}
}
check_debiansecurity_lxc( ) {
if is_installed lxc; then
container_list = $( lxc-ls --active)
for container in $container_list ; do
if [ -f /var/lib/lxc/${ container } /rootfs/etc/debian_version ] ; then
DEBIAN_LXC_VERSION = $( cut -d "." -f 1 < /var/lib/lxc/${ container } /rootfs/etc/debian_version)
if [ $DEBIAN_LXC_VERSION -ge 9 ] ; then
lxc-attach --name $container apt-cache policy | grep "\bl=Debian-Security\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 0 || failed "IS_DEBIANSECURITY_LXC" " missing Debian-Security repository in container ${ container } "
fi
fi
done
fi
}
check_backports_version( ) {
# Look for enabled "Debian Backports" sources from the "Debian" origin
apt-cache policy | grep "\bl=Debian Backports\b" | grep "\bo=Debian\b" | grep --quiet "\bc=main\b"
test $? -eq 1 || ( \
apt-cache policy | grep "\bl=Debian Backports\b" | grep --quiet " \bn= ${ DEBIAN_RELEASE } -backports\b " && \
test $? -eq 0 || failed "IS_BACKPORTS_VERSION" " Debian Backports enabled for another release than ${ DEBIAN_RELEASE } " )
}
check_oldpub( ) {
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Stretch)
apt-cache policy | grep --quiet pub.evolix.net
test $? -eq 1 || failed "IS_OLDPUB" "Old pub.evolix.net repository is still enabled"
}
check_oldpub_lxc( ) {
# Look for enabled pub.evolix.net sources (supersed by pub.evolix.org since Buster as Sury safeguard)
if is_installed lxc; then
container_list = $( lxc-ls --active)
for container in $container_list ; do
APT_CACHE_BIN = $( lxc-attach --name $container -- bash -c "command -v apt-cache" )
if [ -x " ${ APT_CACHE_BIN } " ] ; then
lxc-attach --name $container apt-cache policy | grep --quiet pub.evolix.net
test $? -eq 1 || failed "IS_OLDPUB_LXC" " Old pub.evolix.net repository is still enabled in container ${ container } "
fi
done
fi
}
check_newpub( ) {
# Look for enabled pub.evolix.org sources
apt-cache policy | grep "\bl=Evolix\b" | grep --quiet -v php
test $? -eq 0 || failed "IS_NEWPUB" "New pub.evolix.org repository is missing"
}
check_sury( ) {
# Look for enabled packages.sury.org sources
apt-cache policy | grep --quiet packages.sury.org
if [ $? -eq 0 ] ; then
apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
test $? -eq 0 || failed "IS_SURY" "packages.sury.org is present but our safeguard pub.evolix.org repository is missing"
fi
}
check_sury_lxc( ) {
if is_installed lxc; then
container_list = $( lxc-ls --active)
for container in $container_list ; do
APT_CACHE_BIN = $( lxc-attach --name $container -- bash -c "command -v apt-cache" )
if [ -x " ${ APT_CACHE_BIN } " ] ; then
lxc-attach --name $container apt-cache policy | grep --quiet packages.sury.org
if [ $? -eq 0 ] ; then
lxc-attach --name $container apt-cache policy | grep "\bl=Evolix\b" | grep php --quiet
test $? -eq 0 || failed "IS_SURY_LXC" " packages.sury.org is present but our safeguard pub.evolix.org repository is missing in container ${ container } "
fi
fi
done
fi
}
check_aptitude( ) {
check_aptitude( ) {
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
test -e /usr/bin/aptitude && failed "IS_APTITUDE" "aptitude may not be installed on Debian >=8"
}
}
@ -231,8 +313,25 @@ check_customcrontab() {
test " $found_lines " = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
test " $found_lines " = 4 && failed "IS_CUSTOMCRONTAB" "missing custom field in crontab"
}
}
check_sshallowusers( ) {
check_sshallowusers( ) {
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d \
if is_debian_bookworm; then
if [ -d /etc/ssh/sshd_config.d/ ] ; then
# AllowUsers or AllowGroups should be in /etc/ssh/sshd_config.d/
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config.d/ \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config.d/*"
fi
# AllowUsers or AllowGroups should not be in /etc/ssh/sshd_config
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
&& failed "IS_SSHALLOWUSERS" "AllowUsers or AllowGroups directive present in sshd_config"
else
# AllowUsers or AllowGroups should be in /etc/ssh/sshd_config or /etc/ssh/sshd_config.d/
if [ -d /etc/ssh/sshd_config.d/ ] ; then
grep -E -qir "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/ \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
else
grep -E -qi "(AllowUsers|AllowGroups)" /etc/ssh/sshd_config \
|| failed "IS_SSHALLOWUSERS" "missing AllowUsers or AllowGroups directive in sshd_config"
fi
fi
}
}
check_diskperf( ) {
check_diskperf( ) {
perfFile = "/root/disk-perf.txt"
perfFile = "/root/disk-perf.txt"
@ -276,11 +375,20 @@ check_alert5minifw() {
fi
fi
}
}
check_minifw( ) {
check_minifw( ) {
/sbin/iptables -L -n | grep -q -E " ^ACCEPT\s*(all|0)\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s* $" \
{
|| failed "IS_MINIFW" "minifirewall seems not started"
if [ -f /etc/systemd/system/minifirewall.service ] ; then
systemctl is-active minifirewall > /dev/null 2>& 1
else
if test -x /usr/share/scripts/minifirewall_status; then
/usr/share/scripts/minifirewall_status > /dev/null 2>& 1
else
/sbin/iptables -L -n 2> /dev/null | grep -q -E " ^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s* $"
fi
fi
} || failed "IS_MINIFW" "minifirewall seems not started"
}
}
check_minifw_includes( ) {
check_minifw_includes( ) {
if is_debian_bullseye; then
if { ! is_debian_stretch && ! is_debian_buster ; } ; then
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall" ; then
if grep -q -e '/sbin/iptables' -e '/sbin/ip6tables' "/etc/default/minifirewall" ; then
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/"
failed "IS_MINIFWINCLUDES" "minifirewall has direct iptables invocations in /etc/default/minifirewall that should go in /etc/minifirewall.d/"
fi
fi
@ -307,13 +415,13 @@ check_nrpedisks() {
test " $NRPEDISKS " = " $DFDISKS " || failed "IS_NRPEDISKS" " there must be $DFDISKS check_disk in nrpe.cfg "
test " $NRPEDISKS " = " $DFDISKS " || failed "IS_NRPEDISKS" " there must be $DFDISKS check_disk in nrpe.cfg "
}
}
check_nrpepid( ) {
check_nrpepid( ) {
if { is_debian_bullseye || is_debian_bookworm ; } ; then
if { is_debian_stretch || is_debian_buster ; } ; then
{ test -e /etc/nagios/nrpe.cfg \
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/ run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
&& grep -q "^pid_file=/ var/ run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
else
else
{ test -e /etc/nagios/nrpe.cfg \
{ test -e /etc/nagios/nrpe.cfg \
&& grep -q "^pid_file=/ var/ run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
&& grep -q "^pid_file=/ run/nagios/nrpe.pid" /etc/nagios/nrpe.cfg;
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
} || failed "IS_NRPEPID" "missing or wrong pid_file directive in nrpe.cfg"
fi
fi
}
}
@ -440,7 +548,11 @@ check_log2mailsquid() {
check_bindchroot( ) {
check_bindchroot( ) {
if is_installed bind9; then
if is_installed bind9; then
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)" ; then
if netstat -utpln | grep "/named" | grep :53 | grep -qvE "(127.0.0.1|::1)" ; then
if grep -q '^OPTIONS=".*-t' /etc/default/bind9 && grep -q '^OPTIONS=".*-u' /etc/default/bind9; then
default_conf = /etc/default/named
if is_debian_buster || is_debian_stretch; then
default_conf = /etc/default/bind9
fi
if grep -q '^OPTIONS=".*-t' " ${ default_conf } " && grep -q '^OPTIONS=".*-u' " ${ default_conf } " ; then
md5_original = $( md5sum /usr/sbin/named | cut -f 1 -d ' ' )
md5_original = $( md5sum /usr/sbin/named | cut -f 1 -d ' ' )
md5_chrooted = $( md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ' )
md5_chrooted = $( md5sum /var/chroot-bind/usr/sbin/named | cut -f 1 -d ' ' )
if [ " $md5_original " != " $md5_chrooted " ] ; then
if [ " $md5_original " != " $md5_chrooted " ] ; then
@ -518,7 +630,12 @@ check_evobackup_exclude_mount() {
# If rsync is not limited by "one-file-system"
# If rsync is not limited by "one-file-system"
# then we verify that every mount is excluded
# then we verify that every mount is excluded
if ! grep -q -- "^\s*--one-file-system" " ${ evobackup_file } " ; then
if ! grep -q -- "^\s*--one-file-system" " ${ evobackup_file } " ; then
# old releases of evobackups don't have version
if grep -q "^VERSION=" " ${ evobackup_file } " && dpkg --compare-versions " $( sed -E -n 's/VERSION="(.*)"/\1/p' " ${ evobackup_file } " ) " ge 22.12 ; then
sed -En '/RSYNC_EXCLUDES="/,/"/ {s/(RSYNC_EXCLUDES=|")//g;p}' " ${ evobackup_file } " > " ${ excludes_file } "
else
grep -- "--exclude " " ${ evobackup_file } " | grep -E -o "\"[^\"]+\"" | tr -d '"' > " ${ excludes_file } "
grep -- "--exclude " " ${ evobackup_file } " | grep -E -o "\"[^\"]+\"" | tr -d '"' > " ${ excludes_file } "
fi
not_excluded = $( findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f " ${ excludes_file } " )
not_excluded = $( findmnt --type nfs,nfs4,fuse.sshfs, -o target --noheadings | grep -v -f " ${ excludes_file } " )
for mount in ${ not_excluded } ; do
for mount in ${ not_excluded } ; do
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" " ${ mount } is not excluded from ${ evobackup_file } backup script "
failed "IS_EVOBACKUP_EXCLUDE_MOUNT" " ${ mount } is not excluded from ${ evobackup_file } backup script "
@ -571,7 +688,7 @@ check_apacheipinallow() {
check_muninapacheconf( ) {
check_muninapacheconf( ) {
muninconf = "/etc/apache2/conf-available/munin.conf"
muninconf = "/etc/apache2/conf-available/munin.conf"
if is_installed apache2; then
if is_installed apache2; then
test -e $muninconf && grep -vEq "^( |\t)*#" " $muninconf " \
test -e $muninconf && grep --invert-match --extended-regexp --quiet "^( |\t)*#" " $muninconf " \
&& failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled"
&& failed "IS_MUNINAPACHECONF" "default munin configuration may be commented or disabled"
fi
fi
}
}
@ -580,17 +697,17 @@ check_phpmyadminapacheconf() {
phpmyadminconf0 = "/etc/apache2/conf-available/phpmyadmin.conf"
phpmyadminconf0 = "/etc/apache2/conf-available/phpmyadmin.conf"
phpmyadminconf1 = "/etc/apache2/conf-enabled/phpmyadmin.conf"
phpmyadminconf1 = "/etc/apache2/conf-enabled/phpmyadmin.conf"
if is_installed apache2; then
if is_installed apache2; then
test -e $phpmyadminconf0 && grep -vEq "^( |\t)*#" " $phpmyadminconf0 " \
test -e $phpmyadminconf0 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" " $phpmyadminconf0 " \
&& failed "IS_PHPMYADMINAPACHECONF" " default phpmyadmin configuration ( $phpmyadminconf0 ) may be commented or disabled"
&& failed "IS_PHPMYADMINAPACHECONF" " default phpmyadmin configuration ( $phpmyadminconf0 ) should be commented or disabled"
test -e $phpmyadminconf1 && grep -vEq "^( |\t)*#" " $phpmyadminconf1 " \
test -e $phpmyadminconf1 && grep --invert-match --extended-regexp --quiet "^( |\t)*#" " $phpmyadminconf1 " \
&& failed "IS_PHPMYADMINAPACHECONF" " default phpmyadmin configuration ( $phpmyadminconf1 ) may be commented or disabled"
&& failed "IS_PHPMYADMINAPACHECONF" " default phpmyadmin configuration ( $phpmyadminconf1 ) should be commented or disabled"
fi
fi
}
}
# Verification si le système doit redémarrer suite màj kernel.
# Verification si le système doit redémarrer suite màj kernel.
check_kerneluptodate( ) {
check_kerneluptodate( ) {
if is_installed linux-image*; then
if is_installed linux-image*; then
# shellcheck disable=SC2012
# shellcheck disable=SC2012
kernel_installed_at = $( date -d " $( ls --full-time -lcrt /boot | tail -n1 | awk '{print $6}' ) " +%s)
kernel_installed_at = $( date -d " $( ls --full-time -lcrt /boot/*lin* | tail -n1 | awk '{print $6}' ) " +%s)
last_reboot_at = $(( $( date +%s) - $( cut -f1 -d '.' /proc/uptime) ))
last_reboot_at = $(( $( date +%s) - $( cut -f1 -d '.' /proc/uptime) ))
if [ " $kernel_installed_at " -gt " $last_reboot_at " ] ; then
if [ " $kernel_installed_at " -gt " $last_reboot_at " ] ; then
failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised"
failed "IS_KERNELUPTODATE" "machine is running an outdated kernel, reboot advised"
@ -657,6 +774,17 @@ check_etcgit() {
git rev-parse --is-inside-work-tree > /dev/null 2>& 1 \
git rev-parse --is-inside-work-tree > /dev/null 2>& 1 \
|| failed "IS_ETCGIT" "/etc is not a git repository"
|| failed "IS_ETCGIT" "/etc is not a git repository"
}
}
check_etcgit_lxc( ) {
if is_installed lxc; then
container_list = $( lxc-ls --active)
for container in $container_list ; do
export GIT_DIR = " /var/lib/lxc/ ${ container } /rootfs/etc/.git "
export GIT_WORK_TREE = " /var/lib/lxc/ ${ container } /rootfs/etc "
git rev-parse --is-inside-work-tree > /dev/null 2>& 1 \
|| failed "IS_ETCGIT_LXC" " /etc is not a git repository in container ${ container } "
done
fi
}
# Check if /etc/.git/ has read/write permissions for root only.
# Check if /etc/.git/ has read/write permissions for root only.
check_gitperms( ) {
check_gitperms( ) {
GIT_DIR = "/etc/.git"
GIT_DIR = "/etc/.git"
@ -666,6 +794,19 @@ check_gitperms() {
[ " $expected " = " $actual " ] || failed "IS_GITPERMS" " $GIT_DIR must be $expected "
[ " $expected " = " $actual " ] || failed "IS_GITPERMS" " $GIT_DIR must be $expected "
fi
fi
}
}
check_gitperms_lxc( ) {
if is_installed lxc; then
container_list = $( lxc-ls --active)
for container in $container_list ; do
GIT_DIR = " /var/lib/lxc/ ${ container } /rootfs/etc/.git "
if test -d $GIT_DIR ; then
expected = "700"
actual = $( stat -c "%a" $GIT_DIR )
[ " $expected " = " $actual " ] || failed "IS_GITPERMS_LXC" " $GIT_DIR must be $expected (in container ${ container } ) "
fi
done
fi
}
# Check if no package has been upgraded since $limit.
# Check if no package has been upgraded since $limit.
check_notupgraded( ) {
check_notupgraded( ) {
last_upgrade = 0
last_upgrade = 0
@ -753,10 +894,6 @@ check_apache2evolinuxconf() {
check_backportsconf( ) {
check_backportsconf( ) {
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
grep -qsE "^[^#].*backports" /etc/apt/sources.list \
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
&& failed "IS_BACKPORTSCONF" "backports can't be in main sources list"
if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then
grep -qsE "^[^#].*backports" /etc/apt/preferences.d/* \
|| failed "IS_BACKPORTSCONF" "backports must have preferences"
fi
}
}
check_bind9munin( ) {
check_bind9munin( ) {
if is_installed bind9; then
if is_installed bind9; then
@ -770,12 +907,25 @@ check_bind9logrotate() {
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" "missing bind logrotate file"
fi
fi
}
}
check_drbd_two_primaries( ) {
if is_installed drbd-utils; then
if command -v drbd-overview >/dev/null; then
if drbd-overview 2>& 1 | grep -q "Primary/Primary" ; then
failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!"
fi
elif command -v drbdadm >/dev/null; then
if drbdadm role all 2>& 1 | grep -q 'Primary/Primary' ; then
failed "IS_DRBDTWOPRIMARIES" "Some DRBD ressources have two primaries, you risk a split brain!"
fi
fi
fi
}
check_broadcomfirmware( ) {
check_broadcomfirmware( ) {
LSPCI_BIN = $( command -v lspci)
LSPCI_BIN = $( command -v lspci)
if [ -x " ${ LSPCI_BIN } " ] ; then
if [ -x " ${ LSPCI_BIN } " ] ; then
if ${ LSPCI_BIN } | grep -q 'NetXtreme II' ; then
if ${ LSPCI_BIN } | grep -q 'NetXtreme II' ; then
{ is_installed firmware-bnx2 \
{ is_installed firmware-bnx2 \
&& grep -q "^deb http://mirror.evolix.org/debian.* non-free" /etc/apt/sources.list;
&& apt-cache policy | grep "\bl=Debian\b" | grep --quiet -v "\b,c=non-free\b"
} || failed "IS_BROADCOMFIRMWARE" "missing non-free repository"
} || failed "IS_BROADCOMFIRMWARE" "missing non-free repository"
fi
fi
else
else
@ -874,20 +1024,28 @@ check_ldap_backup() {
check_redis_backup( ) {
check_redis_backup( ) {
if is_installed redis-server; then
if is_installed redis-server; then
# You could change the default path in /etc/evocheck.cf
# You could change the default path in /etc/evocheck.cf
# REDIS_BACKUP_PATH may contain space-separated paths, example:
# REDIS_BACKUP_PATH may contain space-separated paths, for example:
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
# REDIS_BACKUP_PATH='/home/backup/redis-instance1/dump.rdb /home/backup/redis-instance2/dump.rdb'
# Old default path: /home/backup/dump.rdb
# Warning : this script doesn't handle spaces in file paths !
# New default path: /home/backup/redis/dump.rdb
if [ -z " ${ REDIS_BACKUP_PATH } " ] ; then
REDIS_BACKUP_PATH = " ${ REDIS_BACKUP_PATH :- $( find /home/backup/ -iname "*.rdb*" ) } "
if ! [ -f "/home/backup/dump.rdb" ] && ! [ -f "/home/backup/redis/dump.rdb" ] ; then
failed "IS_REDIS_BACKUP" "Redis dump is missing (/home/backup/dump.rdb or /home/backup/redis/dump.rdb)."
# Check number of dumps
n_instances = $( pgrep 'redis-server' | wc -l)
n_dumps = $( echo $REDIS_BACKUP_PATH | wc -w)
if [ ${ n_dumps } -lt ${ n_instances } ] ; then
failed "IS_REDIS_BACKUP" " Missing Redis dump : ${ n_instances } instance(s) found versus ${ n_dumps } dump(s) found. "
fi
# Check last dump date
age_threshold = $( date +"%s" -d "now - 2 days" )
for dump in ${ REDIS_BACKUP_PATH } ; do
last_update = $( stat -c "%Z" $dump )
if [ " ${ last_update } " -lt " ${ age_threshold } " ] ; then
failed "IS_REDIS_BACKUP" " Redis dump ${ dump } is older than 2 days. "
fi
fi
else
for file in ${ REDIS_BACKUP_PATH } ; do
test -f " ${ file } " || failed "IS_REDIS_BACKUP" " Redis dump ${ file } is missing. "
done
done
fi
fi
fi
}
}
check_elastic_backup( ) {
check_elastic_backup( ) {
if is_installed elasticsearch; then
if is_installed elasticsearch; then
@ -934,7 +1092,7 @@ check_mysqlnrpe() {
|| [ " $( stat -c %a ${ nagios_file } ) " != "600" ] ; then
|| [ " $( stat -c %a ${ nagios_file } ) " != "600" ] ; then
failed "IS_MYSQLNRPE" " ${ nagios_file } has wrong permissions "
failed "IS_MYSQLNRPE" " ${ nagios_file } has wrong permissions "
else
else
grep -q -F "command[check_mysql]= /usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
grep -q -E "command\[check_mysql\]=.* /usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
|| failed "IS_MYSQLNRPE" "check_mysql is missing"
fi
fi
fi
fi
@ -943,6 +1101,7 @@ check_phpevolinuxconf() {
is_debian_stretch && phpVersion = "7.0"
is_debian_stretch && phpVersion = "7.0"
is_debian_buster && phpVersion = "7.3"
is_debian_buster && phpVersion = "7.3"
is_debian_bullseye && phpVersion = "7.4"
is_debian_bullseye && phpVersion = "7.4"
is_debian_bookworm && phpVersion = "8.2"
if is_installed php; then
if is_installed php; then
{ test -f " /etc/php/ ${ phpVersion } /cli/conf.d/z-evolinux-defaults.ini " \
{ test -f " /etc/php/ ${ phpVersion } /cli/conf.d/z-evolinux-defaults.ini " \
&& test -f " /etc/php/ ${ phpVersion } /cli/conf.d/zzz-evolinux-custom.ini "
&& test -f " /etc/php/ ${ phpVersion } /cli/conf.d/zzz-evolinux-custom.ini "
@ -994,6 +1153,13 @@ check_evolix_user() {
grep -q -E "^evolix:" /etc/passwd \
grep -q -E "^evolix:" /etc/passwd \
&& failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
&& failed "IS_EVOLIX_USER" "evolix user should be deleted, used only for install"
}
}
check_evolix_group( ) {
users = $( grep ":20..:20..:" /etc/passwd | cut -d ":" -f 1)
for user in ${ users } ; do
grep -E "^evolix:" /etc/group | grep -q -E " \b ${ user } \b " \
|| failed "IS_EVOLIX_GROUP" " user \` ${ user } ' should be in \`evolix' group "
done
}
check_evoacme_cron( ) {
check_evoacme_cron( ) {
if [ -f "/usr/local/sbin/evoacme" ] ; then
if [ -f "/usr/local/sbin/evoacme" ] ; then
# Old cron file, should be deleted
# Old cron file, should be deleted
@ -1074,16 +1240,10 @@ check_usrsharescripts() {
test " $expected " = " $actual " || failed "IS_USRSHARESCRIPTS" " /usr/share/scripts must be $expected "
test " $expected " = " $actual " || failed "IS_USRSHARESCRIPTS" " /usr/share/scripts must be $expected "
}
}
check_sshpermitrootno( ) {
check_sshpermitrootno( ) {
sshd_args = "-C addr=,user=,host=,laddr=,lport=0"
# You could change the SSH port in /etc/evocheck.cf
if is_debian_stretch; then
sshd_args = " -C addr=,user=,host=,laddr=,lport= ${ SSH_PORT :- 22 } "
# Noop, we'll use the default $sshd_args
if is_debian_buster; then
:
elif is_debian_buster; then
sshd_args = " ${ sshd_args } ,rdomain= "
sshd_args = " ${ sshd_args } ,rdomain= "
else
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
# -T doesn't require the additional -C.
sshd_args =
fi
fi
# shellcheck disable=SC2086
# shellcheck disable=SC2086
if ! ( sshd -T ${ sshd_args } 2> /dev/null | grep -qi 'permitrootlogin no' ) ; then
if ! ( sshd -T ${ sshd_args } 2> /dev/null | grep -qi 'permitrootlogin no' ) ; then
@ -1201,7 +1361,7 @@ check_nginx_letsencrypt_uptodate() {
}
}
check_lxc_container_resolv_conf( ) {
check_lxc_container_resolv_conf( ) {
if is_installed lxc; then
if is_installed lxc; then
container_list = $( lxc-ls)
container_list = $( lxc-ls --active )
current_resolvers = $( grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
current_resolvers = $( grep nameserver /etc/resolv.conf | sed 's/nameserver//g' )
for container in $container_list ; do
for container in $container_list ; do
@ -1222,16 +1382,16 @@ check_lxc_container_resolv_conf() {
# Check that there are containers if lxc is installed.
# Check that there are containers if lxc is installed.
check_no_lxc_container( ) {
check_no_lxc_container( ) {
if is_installed lxc; then
if is_installed lxc; then
containers_count = $( lxc-ls | wc -l)
containers_count = $( lxc-ls --active | wc -l)
if [ " $containers_count " -eq 0 ] ; then
if [ " $containers_count " -eq 0 ] ; then
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no container. Consider removing it."
failed "IS_NO_LXC_CONTAINER" "LXC is installed but have no active container. Consider removing it."
fi
fi
fi
fi
}
}
# Check that in LXC containers, phpXX-fpm services have UMask set to 0007.
# Check that in LXC containers, phpXX-fpm services have UMask set to 0007.
check_lxc_php_fpm_service_umask_set( ) {
check_lxc_php_fpm_service_umask_set( ) {
if is_installed lxc; then
if is_installed lxc; then
php_containers_list = $( lxc-ls --filter php)
php_containers_list = $( lxc-ls --active -- filter php)
missing_umask = ""
missing_umask = ""
for container in $php_containers_list ; do
for container in $php_containers_list ; do
# Translate container name in service name
# Translate container name in service name
@ -1250,6 +1410,34 @@ check_lxc_php_fpm_service_umask_set() {
fi
fi
fi
fi
}
}
# Check that LXC containers have the proper Debian version.
check_lxc_php_bad_debian_version( ) {
if is_installed lxc; then
php_containers_list = $( lxc-ls --active --filter php)
missing_umask = ""
for container in $php_containers_list ; do
if [ " $container " = "php56" ] ; then
grep --quiet 'VERSION_ID="8"' /var/lib/lxc/${ container } /rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" " Container ${ container } should use Jessie "
elif [ " $container " = "php70" ] ; then
grep --quiet 'VERSION_ID="9"' /var/lib/lxc/${ container } /rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" " Container ${ container } should use Stretch "
elif [ " $container " = "php73" ] ; then
grep --quiet 'VERSION_ID="10"' /var/lib/lxc/${ container } /rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" " Container ${ container } should use Buster "
elif [ " $container " = "php74" ] ; then
grep --quiet 'VERSION_ID="11"' /var/lib/lxc/${ container } /rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" " Container ${ container } should use Bullseye "
elif [ " $container " = "php82" ] ; then
grep --quiet 'VERSION_ID="12"' /var/lib/lxc/${ container } /rootfs/etc/os-release || failed "IS_LXC_PHP_BAD_DEBIAN_VERSION" " Container ${ container } should use Bookworm "
fi
done
fi
}
check_lxc_openssh( ) {
if is_installed lxc; then
container_list = $( lxc-ls --active)
for container in $container_list ; do
test -e /var/lib/lxc/${ container } /rootfs/usr/sbin/sshd && failed "IS_LXC_OPENSSH" " openssh-server should not be installed in container ${ container } "
done
fi
}
download_versions( ) {
download_versions( ) {
local file
local file
@ -1403,6 +1591,13 @@ main() {
test " ${ IS_LOGROTATECONF : =1 } " = 1 && check_logrotateconf
test " ${ IS_LOGROTATECONF : =1 } " = 1 && check_logrotateconf
test " ${ IS_SYSLOGCONF : =1 } " = 1 && check_syslogconf
test " ${ IS_SYSLOGCONF : =1 } " = 1 && check_syslogconf
test " ${ IS_DEBIANSECURITY : =1 } " = 1 && check_debiansecurity
test " ${ IS_DEBIANSECURITY : =1 } " = 1 && check_debiansecurity
test " ${ IS_DEBIANSECURITY_LXC : =1 } " = 1 && check_debiansecurity_lxc
test " ${ IS_BACKPORTS_VERSION : =1 } " = 1 && check_backports_version
test " ${ IS_OLDPUB : =1 } " = 1 && check_oldpub
test " ${ IS_OLDPUB_LXC : =1 } " = 1 && check_oldpub_lxc
test " ${ IS_NEWPUB : =1 } " = 1 && check_newpub
test " ${ IS_SURY : =1 } " = 1 && check_sury
test " ${ IS_SURY_LXC : =1 } " = 1 && check_sury_lxc
test " ${ IS_APTITUDE : =1 } " = 1 && check_aptitude
test " ${ IS_APTITUDE : =1 } " = 1 && check_aptitude
test " ${ IS_APTGETBAK : =1 } " = 1 && check_aptgetbak
test " ${ IS_APTGETBAK : =1 } " = 1 && check_aptgetbak
test " ${ IS_USRRO : =1 } " = 1 && check_usrro
test " ${ IS_USRRO : =1 } " = 1 && check_usrro
@ -1455,7 +1650,9 @@ main() {
test " ${ IS_MUNINRUNNING : =1 } " = 1 && check_muninrunning
test " ${ IS_MUNINRUNNING : =1 } " = 1 && check_muninrunning
test " ${ IS_BACKUPUPTODATE : =1 } " = 1 && check_backupuptodate
test " ${ IS_BACKUPUPTODATE : =1 } " = 1 && check_backupuptodate
test " ${ IS_ETCGIT : =1 } " = 1 && check_etcgit
test " ${ IS_ETCGIT : =1 } " = 1 && check_etcgit
test " ${ IS_ETCGIT_LXC : =1 } " = 1 && check_etcgit_lxc
test " ${ IS_GITPERMS : =1 } " = 1 && check_gitperms
test " ${ IS_GITPERMS : =1 } " = 1 && check_gitperms
test " ${ IS_GITPERMS_LXC : =1 } " = 1 && check_gitperms_lxc
test " ${ IS_NOTUPGRADED : =1 } " = 1 && check_notupgraded
test " ${ IS_NOTUPGRADED : =1 } " = 1 && check_notupgraded
test " ${ IS_TUNE2FS_M5 : =1 } " = 1 && check_tune2fs_m5
test " ${ IS_TUNE2FS_M5 : =1 } " = 1 && check_tune2fs_m5
test " ${ IS_EVOLINUXSUDOGROUP : =1 } " = 1 && check_evolinuxsudogroup
test " ${ IS_EVOLINUXSUDOGROUP : =1 } " = 1 && check_evolinuxsudogroup
@ -1464,6 +1661,7 @@ main() {
test " ${ IS_BACKPORTSCONF : =1 } " = 1 && check_backportsconf
test " ${ IS_BACKPORTSCONF : =1 } " = 1 && check_backportsconf
test " ${ IS_BIND9MUNIN : =1 } " = 1 && check_bind9munin
test " ${ IS_BIND9MUNIN : =1 } " = 1 && check_bind9munin
test " ${ IS_BIND9LOGROTATE : =1 } " = 1 && check_bind9logrotate
test " ${ IS_BIND9LOGROTATE : =1 } " = 1 && check_bind9logrotate
test " ${ IS_DRBDTWOPRIMARIES : =1 } " = 1 && check_drbd_two_primaries
test " ${ IS_BROADCOMFIRMWARE : =1 } " = 1 && check_broadcomfirmware
test " ${ IS_BROADCOMFIRMWARE : =1 } " = 1 && check_broadcomfirmware
test " ${ IS_HARDWARERAIDTOOL : =1 } " = 1 && check_hardwareraidtool
test " ${ IS_HARDWARERAIDTOOL : =1 } " = 1 && check_hardwareraidtool
test " ${ IS_LOG2MAILSYSTEMDUNIT : =1 } " = 1 && check_log2mailsystemdunit
test " ${ IS_LOG2MAILSYSTEMDUNIT : =1 } " = 1 && check_log2mailsystemdunit
@ -1483,6 +1681,7 @@ main() {
test " ${ IS_SQUIDEVOLINUXCONF : =1 } " = 1 && check_squidevolinuxconf
test " ${ IS_SQUIDEVOLINUXCONF : =1 } " = 1 && check_squidevolinuxconf
test " ${ IS_DUPLICATE_FS_LABEL : =1 } " = 1 && check_duplicate_fs_label
test " ${ IS_DUPLICATE_FS_LABEL : =1 } " = 1 && check_duplicate_fs_label
test " ${ IS_EVOLIX_USER : =1 } " = 1 && check_evolix_user
test " ${ IS_EVOLIX_USER : =1 } " = 1 && check_evolix_user
test " ${ IS_EVOLIX_GROUP : =1 } " = 1 && check_evolix_group
test " ${ IS_EVOACME_CRON : =1 } " = 1 && check_evoacme_cron
test " ${ IS_EVOACME_CRON : =1 } " = 1 && check_evoacme_cron
test " ${ IS_EVOACME_LIVELINKS : =1 } " = 1 && check_evoacme_livelinks
test " ${ IS_EVOACME_LIVELINKS : =1 } " = 1 && check_evoacme_livelinks
test " ${ IS_APACHE_CONFENABLED : =1 } " = 1 && check_apache_confenabled
test " ${ IS_APACHE_CONFENABLED : =1 } " = 1 && check_apache_confenabled
@ -1496,6 +1695,8 @@ main() {
test " ${ IS_LXC_CONTAINER_RESOLV_CONF : =1 } " = 1 && check_lxc_container_resolv_conf
test " ${ IS_LXC_CONTAINER_RESOLV_CONF : =1 } " = 1 && check_lxc_container_resolv_conf
test " ${ IS_NO_LXC_CONTAINER : =1 } " = 1 && check_no_lxc_container
test " ${ IS_NO_LXC_CONTAINER : =1 } " = 1 && check_no_lxc_container
test " ${ IS_LXC_PHP_FPM_SERVICE_UMASK_SET : =1 } " = 1 && check_lxc_php_fpm_service_umask_set
test " ${ IS_LXC_PHP_FPM_SERVICE_UMASK_SET : =1 } " = 1 && check_lxc_php_fpm_service_umask_set
test " ${ IS_LXC_PHP_BAD_DEBIAN_VERSION : =1 } " = 1 && check_lxc_php_bad_debian_version
test " ${ IS_LXC_OPENSSH : =1 } " = 1 && check_lxc_openssh
test " ${ IS_CHECK_VERSIONS : =1 } " = 1 && check_versions
test " ${ IS_CHECK_VERSIONS : =1 } " = 1 && check_versions
if [ -f " ${ main_output_file } " ] ; then
if [ -f " ${ main_output_file } " ] ; then
@ -1511,7 +1712,7 @@ main() {
}
}
cleanup( ) {
cleanup( ) {
# Cleanup tmp files
# Cleanup tmp files
# shellcheck disable=SC20 8 6,SC2317
# shellcheck disable=SC20 68 ,SC2317
rm -f ${ files_to_cleanup [@] }
rm -f ${ files_to_cleanup [@] }
log " $PROGNAME exit. "
log " $PROGNAME exit. "