From e7bf3430484c35c477aa2a86025cedf49478e8b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S=C3=89RIE?= Date: Fri, 5 Jul 2019 10:12:24 +0200 Subject: [PATCH 01/10] Add is_debian_buster function --- evocheck.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/evocheck.sh b/evocheck.sh index 857b791..cf3bf3f 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -59,6 +59,7 @@ detect_os() { 7) DEBIAN_RELEASE="wheezy";; 8) DEBIAN_RELEASE="jessie";; 9) DEBIAN_RELEASE="stretch";; + 10) DEBIAN_RELEASE="buster";; esac fi elif [ "$(uname -s)" = "OpenBSD" ]; then @@ -85,6 +86,9 @@ is_debian_jessie() { is_debian_stretch() { test "${DEBIAN_RELEASE}" = "stretch" } +is_debian_buster() { + test "${DEBIAN_RELEASE}" = "buster" +} debian_release() { printf "%s" "${DEBIAN_RELEASE}" } -- 2.39.2 From bed8d9d59a287a40e17ccf2b11c2c19ad5c41164 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 10:22:38 +0200 Subject: [PATCH 02/10] check_sshpermitrootno: same check for buster as stretch --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index cf3bf3f..54255f7 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -1053,7 +1053,7 @@ check_usrsharescripts() { test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" } check_sshpermitrootno() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then if grep -q "^PermitRoot" /etc/ssh/sshd_config; then grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config || failed "IS_SSHPERMITROOTNO" fi -- 2.39.2 From ea005c273b224b71c7b7cbca466b24b8651e63e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 10:24:53 +0200 Subject: [PATCH 03/10] listchangesconf: Handle buster case --- evocheck.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 54255f7..24d0b8e 100755 --- a/evocheck.sh +++ b/evocheck.sh 
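Review bot: In check_sshpermitrootno the two greps that now also run on buster disagree on what counts as the directive: the guard `grep -q "^PermitRoot"` is anchored and case-sensitive, while the verdict `grep -E -qi "PermitRoot.*no"` is unanchored. sshd keywords are case-insensitive, so a lower-case `permitrootlogin yes` skips the check entirely, and a commented `#PermitRootLogin no` left beside an active `PermitRootLogin yes` satisfies it. Anchoring both the same way closes the gap: `grep -qi "^[[:space:]]*PermitRootLogin"` for the guard and `grep -E -qi "^[[:space:]]*PermitRootLogin[[:space:]]+no"` for the verdict. Whether an absent directive should also fail is a policy choice the hunk does not show, and `Match` blocks can still override the global value. The function body continues outside the hunk.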
@@ -263,9 +263,9 @@ check_mountfstab() { fi } check_listchangesconf() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then if is_installed apt-listchanges; then - failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Stretch" + failed "IS_LISTCHANGESCONF" "apt-listchanges must not be installed on Debian >=9" fi else if [ -e "/etc/apt/listchanges.conf" ]; then -- 2.39.2 From bb2a5b5121877f948dcb3cfa0bf01ff34590370a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 10:31:46 +0200 Subject: [PATCH 04/10] alert5boot: Handle buster case --- evocheck.sh | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 24d0b8e..24d2413 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -292,10 +292,16 @@ check_tmoutprofile() { grep -sq "TMOUT=" /etc/profile /etc/profile.d/evolinux.sh || failed "IS_TMOUTPROFILE" "TMOUT is not set" } check_alert5boot() { - if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then - grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + if is_debian_buster; then + grep -qs "^date" /usr/share/scripts/alert5.sh || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + test -f /etc/systemd/system/alert5.service || failed "IS_ALERT5BOOT" "alert5 unit file is missing" + systemctl is-enabled alert5 -q || failed "IS_ALERT5BOOT" "alert5 unit is not enabled" else - failed "IS_ALERT5BOOT" "alert5 init script is missing" + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^date" /etc/rc2.d/S*alert5 || failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 init script" + else + failed "IS_ALERT5BOOT" "alert5 init script is missing" + fi fi } check_alert5minifw() { -- 2.39.2 From c094828affdc6bcdf7273f8b3bdb031c23422014 Mon Sep 17 00:00:00 2001 
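Review bot: On the buster branch of check_alert5boot the first failure message still says "init script" although the file inspected is `/usr/share/scripts/alert5.sh`, and because `grep -qs` hides a missing file, an absent script is reported as boot mail not being sent. The check_alert5minifw change later in this series already words this case as "or script is missing"; the matching line here would be `failed "IS_ALERT5BOOT" "boot mail is not sent by alert5 script or script is missing"`. The three tests are also independent, so unless `failed` stops the run (not visible here), one broken install can raise IS_ALERT5BOOT up to three times.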
From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 10:37:14 +0200 Subject: [PATCH 05/10] alert5minifw: Handle buster case --- evocheck.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 24d2413..2320605 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -305,11 +305,16 @@ check_alert5boot() { fi } check_alert5minifw() { - if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then - grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ - || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + if is_debian_buster; then + grep -qs "^/etc/init.d/minifirewall" /usr/share/scripts/alert5.sh \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 script or script is missing" else - failed "IS_ALERT5MINIFW" "alert5 init script is missing" + if [ -n "$(find /etc/rc2.d/ -name 'S*alert5')" ]; then + grep -q "^/etc/init.d/minifirewall" /etc/rc2.d/S*alert5 \ + || failed "IS_ALERT5MINIFW" "Minifirewall is not started by alert5 init script" + else + failed "IS_ALERT5MINIFW" "alert5 init script is missing" + fi fi } check_minifw() { -- 2.39.2 From a11e6f98778a132719675355b451391fa7f72c0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 10:40:19 +0200 Subject: [PATCH 06/10] apachemunin: Handle buster case --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 2320605..2a980a8 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -356,7 +356,7 @@ check_grsecprocs() { } check_apachemunin() { if test -e /etc/apache2/apache2.conf; then - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then { test -h /etc/apache2/mods-enabled/status.load \ && test -h /etc/munin/plugins/apache_accesses \ && test -h /etc/munin/plugins/apache_processes \ -- 2.39.2 From b5d4f192008c562f37412d19f45d0279e9bed1d5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 10:42:37 +0200 Subject: [PATCH 07/10] squid: Handle buster case --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 2a980a8..8cd2c03 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -414,7 +414,7 @@ check_muninlogrotate() { } # Verification de l'activation de Squid dans le cas d'un pack mail check_squid() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then squidconffile="/etc/squid/evolinux-custom.conf" else squidconffile="/etc/squid*/squid.conf" -- 2.39.2 From b493a13438566bc3b70200bb9f39085705f04fda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 10:43:57 +0200 Subject: [PATCH 08/10] log2mailapache: Handle buster case --- evocheck.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/evocheck.sh b/evocheck.sh index 8cd2c03..881aadc 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -455,7 +455,7 @@ check_log2mailrunning() { fi } check_log2mailapache() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then conf=/etc/log2mail/config/apache else conf=/etc/log2mail/config/default -- 2.39.2 From abd63fe248bae0f1f039122ebe559b44d90f128b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 15:22:30 +0200 Subject: [PATCH 09/10] All stretch checks must be enabled for buster too --- evocheck.sh | 151 +++++++++++++++++++++++++++++----------------------- 1 file changed, 85 insertions(+), 66 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 881aadc..9b5cbb5 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -163,7 +163,7 @@ check_dpkgwarning() { test -e /etc/apt/apt.conf \ && failed "IS_DPKGWARNING" "/etc/apt/apt.conf is missing" fi - elif is_debian_stretch; then + elif is_debian_stretch || is_debian_buster; then test -e /etc/apt/apt.conf.d/z-evolinux.conf \ || failed "IS_DPKGWARNING" "/etc/apt/apt.conf.d/z-evolinux.conf is missing" fi 
@@ -228,12 +228,12 @@ check_aptitudeonly() { fi } check_aptitude() { - if is_debian_jessie || is_debian_stretch; then + if is_debian_jessie || is_debian_stretch || is_debian_buster; then test -e /usr/bin/aptitude && failed "IS_APTITUDE" fi } check_aptgetbak() { - if is_debian_jessie || is_debian_stretch; then + if is_debian_jessie || is_debian_stretch || is_debian_buster; then test -e /usr/bin/apt-get.bak && failed "IS_APTGETBAK" fi } @@ -514,7 +514,7 @@ check_network_interfaces() { } # Verify if all if are in auto check_autoif() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ") else interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap)" | cut -d " " -f 1 |tr "\n" " ") @@ -727,7 +727,7 @@ check_tune2fs_m5() { done } check_evolinuxsudogroup() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then if grep -q "^evolinux-sudo:" /etc/group; then grep -q '^%evolinux-sudo ALL=(ALL:ALL) ALL' /etc/sudoers.d/evolinux \ || failed "IS_EVOLINUXSUDOGROUP" @@ -735,7 +735,7 @@ check_evolinuxsudogroup() { fi } check_userinadmgroup() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then users=$(grep "^evolinux-sudo:" /etc/group | awk -F: '{print $4}' | tr ',' ' ') for user in $users; do if ! groups "$user" | grep -q adm; then 
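Review bot: The membership test `groups "$user" | grep -q adm` in check_userinadmgroup, now also applied on buster, is a substring match over the whole output line. `groups USER` prints the user name followed by the group list, so a login such as `admin`, or membership in a group like `lpadmin`, passes the check without the user being in `adm`. Matching the whole group name avoids both cases, e.g. `id -nG "$user" | tr ' ' '\n' | grep -qx adm`. The loop body continues outside the hunk.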
@@ -746,15 +746,17 @@ check_userinadmgroup() { fi } check_apache2evolinuxconf() { - if is_debian_stretch && test -d /etc/apache2; then - { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ - && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ - && test -f /etc/apache2/ipaddr_whitelist.conf; - } || failed "IS_APACHE2EVOLINUXCONF" + if is_debian_stretch || is_debian_buster; then + if test -d /etc/apache2; then + { test -L /etc/apache2/conf-enabled/z-evolinux-defaults.conf \ + && test -L /etc/apache2/conf-enabled/zzz-evolinux-custom.conf \ + && test -f /etc/apache2/ipaddr_whitelist.conf; + } || failed "IS_APACHE2EVOLINUXCONF" + fi fi } check_backportsconf() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then grep -qsE "^[^#].*backports" /etc/apt/sources.list \ && failed "IS_BACKPORTSCONF" "backports can't be in main sources list" if grep -qsE "^[^#].*backports" /etc/apt/sources.list.d/*.list; then @@ -764,15 +766,19 @@ check_backportsconf() { fi } check_bind9munin() { - if is_debian_stretch && is_installed bind9; then - { test -L /etc/munin/plugins/bind9 \ - && test -e /etc/munin/plugin-conf.d/bind9; - } || failed "IS_BIND9MUNIN" + if is_debian_stretch || is_debian_buster; then + if is_installed bind9; then + { test -L /etc/munin/plugins/bind9 \ + && test -e /etc/munin/plugin-conf.d/bind9; + } || failed "IS_BIND9MUNIN" + fi fi } check_bind9logrotate() { - if is_debian_stretch && is_installed bind9; then - test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" + if is_debian_stretch || is_debian_buster; then + if is_installed bind9; then + test -e /etc/logrotate.d/bind9 || failed "IS_BIND9LOGROTATE" + fi fi } check_broadcomfirmware() { 
@@ -803,7 +809,7 @@ check_hardwareraidtool() { fi } check_log2mailsystemdunit() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then { systemctl -q is-active log2mail.service \ && test -f /etc/systemd/system/log2mail.service \ && ! test -f /etc/init.d/log2mail; @@ -816,7 +822,7 @@ check_listupgrade() { } || failed "IS_LISTUPGRADE" } check_mariadbevolinuxconf() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then if is_installed mariadb-server; then { test -f /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf \ && test -f /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf; 
@@ -882,65 +888,78 @@ check_elastic_backup() { fi } check_mariadbsystemdunit() { - if is_debian_stretch && is_installed mariadb-server; then - { systemctl -q is-active mariadb.service \ - && test -f /etc/systemd/system/mariadb.service.d/evolinux.conf; - } || failed "IS_MARIADBSYSTEMDUNIT" + if is_debian_stretch || is_debian_buster; then + if is_installed mariadb-server; then + if systemctl -q is-active mariadb.service; then + test -f /etc/systemd/system/mariadb.service.d/evolinux.conf \ + || failed "IS_MARIADBSYSTEMDUNIT" + fi + fi fi } check_mysqlmunin() { - if is_debian_stretch && is_installed mariadb-server; then - for file in mysql_bytes mysql_queries mysql_slowqueries \ - mysql_threads mysql_connections mysql_files_tables \ - mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ - mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ - mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ - mysql_sorts mysql_tmp_tables; do - - if [[ ! -L /etc/munin/plugins/$file ]]; then - failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing" - test "${VERBOSE}" = 1 || break - fi - done + if is_debian_stretch || is_debian_buster; then + if is_installed mariadb-server; then + for file in mysql_bytes mysql_queries mysql_slowqueries \ + mysql_threads mysql_connections mysql_files_tables \ + mysql_innodb_bpool mysql_innodb_bpool_act mysql_innodb_io \ + mysql_innodb_log mysql_innodb_rows mysql_innodb_semaphores \ + mysql_myisam_indexes mysql_qcache mysql_qcache_mem \ + mysql_sorts mysql_tmp_tables; do + + if [[ ! -L /etc/munin/plugins/$file ]]; then + failed "IS_MYSQLMUNIN" "Munin plugin '$file' is missing" + test "${VERBOSE}" = 1 || break + fi + done + fi fi } check_mysqlnrpe() { - if is_debian_stretch && is_installed mariadb-server; then - nagios_file=~nagios/.my.cnf - - if ! 
test -f ${nagios_file}; then - failed "IS_MYSQLNRPE" "${nagios_file} is missing" - elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ - || [ "$(stat -c %a ${nagios_file})" != "600" ]; then - failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" - else - grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ - || failed "IS_MYSQLNRPE" "check_mysql is missing" + if is_debian_stretch || is_debian_buster; then + if is_installed mariadb-server; then + nagios_file=~nagios/.my.cnf + if ! test -f ${nagios_file}; then + failed "IS_MYSQLNRPE" "${nagios_file} is missing" + elif [ "$(stat -c %U ${nagios_file})" != "nagios" ] \ + || [ "$(stat -c %a ${nagios_file})" != "600" ]; then + failed "IS_MYSQLNRPE" "${nagios_file} has wrong permissions" + else + grep -q -F "command[check_mysql]=/usr/lib/nagios/plugins/check_mysql" /etc/nagios/nrpe.d/evolix.cfg \ + || failed "IS_MYSQLNRPE" "check_mysql is missing" + fi fi fi } check_phpevolinuxconf() { - if is_debian_stretch && is_installed php; then - { test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ - && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini; - } || failed "IS_PHPEVOLINUXCONF" + if is_debian_stretch || is_debian_buster; then + if is_installed php; then + { test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ + && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini + } || failed "IS_PHPEVOLINUXCONF" + fi fi } check_squidlogrotate() { - if is_debian_stretch && is_installed squid; then - grep -q monthly /etc/logrotate.d/squid || failed "IS_SQUIDLOGROTATE" + if is_debian_stretch || is_debian_buster; then + if is_installed squid; then + grep -q monthly /etc/logrotate.d/squid \ + || failed "IS_SQUIDLOGROTATE" + fi fi } check_squidevolinuxconf() { - if is_debian_stretch && is_installed squid; then - { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ - && test -f /etc/squid/evolinux-defaults.conf \ - && test -f 
/etc/squid/evolinux-whitelist-defaults.conf \ - && test -f /etc/squid/evolinux-whitelist-custom.conf \ - && test -f /etc/squid/evolinux-acl.conf \ - && test -f /etc/squid/evolinux-httpaccess.conf \ - && test -f /etc/squid/evolinux-custom.conf; - } || failed "IS_SQUIDEVOLINUXCONF" + if is_debian_stretch || is_debian_buster; then + if is_installed squid; then + { grep -qs "^CONFIG=/etc/squid/evolinux-defaults.conf$" /etc/default/squid \ + && test -f /etc/squid/evolinux-defaults.conf \ + && test -f /etc/squid/evolinux-whitelist-defaults.conf \ + && test -f /etc/squid/evolinux-whitelist-custom.conf \ + && test -f /etc/squid/evolinux-acl.conf \ + && test -f /etc/squid/evolinux-httpaccess.conf \ + && test -f /etc/squid/evolinux-custom.conf; + } || failed "IS_SQUIDEVOLINUXCONF" + fi fi } check_duplicate_fs_label() { @@ -1004,7 +1023,7 @@ check_apache_confenabled() { # Starting from Jessie and Apache 2.4, /etc/apache2/conf.d/ # must be replaced by conf-available/ and config files symlinked # to conf-enabled/ - if is_debian_jessie || is_debian_stretch; then + if is_debian_jessie || is_debian_stretch || is_debian_buster; then if [ -f /etc/apache2/apache2.conf ]; then test -d /etc/apache2/conf.d/ && failed "IS_APACHE_CONFENABLED" grep -q 'Include conf.d' /etc/apache2/apache2.conf && failed "IS_APACHE_CONFENABLED" @@ -1014,7 +1033,7 @@ check_apache_confenabled() { check_meltdown_spectre() { # For Stretch, detection is easy as the kernel use # /sys/devices/system/cpu/vulnerabilities/ - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then for vuln in meltdown spectre_v1 spectre_v2; do test -f "/sys/devices/system/cpu/vulnerabilities/$vuln" \ || failed "IS_MELTDOWN_SPECTRE" @@ -1073,7 +1092,7 @@ check_sshpermitrootno() { fi } check_evomaintenanceusers() { - if is_debian_stretch; then + if is_debian_stretch || is_debian_buster; then users=$(getent group evolinux-sudo | cut -d':' -f4 | tr ',' ' ') else if [ -f /etc/sudoers.d/evolinux ]; then -- 2.39.2 
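Review bot: check_mariadbsystemdunit changes meaning in this hunk beyond adding buster: the old form failed when `mariadb.service` was not active or the drop-in was missing, while the new nested `if systemctl -q is-active mariadb.service` only tests the drop-in when the service is running, so an installed but stopped MariaDB no longer raises IS_MARIADBSYSTEMDUNIT. If the relaxation is intended, it deserves a comment such as `# drop-in is only checked while the service runs; a stopped server is not reported here`; otherwise keep the original `{ systemctl ... && test -f ...; } || failed` group inside the new `if is_installed mariadb-server` block. In the same hunk, check_mysqlnrpe expands `${nagios_file}` unquoted in `test -f` and `stat`; `"${nagios_file}"` is the safer habit for a path that holds credentials.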
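Review bot: The stretch/buster branch of check_meltdown_spectre only tests that `/sys/devices/system/cpu/vulnerabilities/$vuln` exists, which shows that the kernel reports a status, not that the host is mitigated; a file whose content reads `Vulnerable` passes. Reading the content would close that gap, e.g. `grep -q '^Vulnerable' "/sys/devices/system/cpu/vulnerabilities/$vuln" && failed "IS_MELTDOWN_SPECTRE" "$vuln is reported vulnerable"`. The comment above the branch should also read "For Stretch and later" now that buster takes this path. The loop continues outside the hunk.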
From 7e04cbec61f3e70cca04aa16ff05e861280c66bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Beno=C3=AEt=20S?= Date: Fri, 5 Jul 2019 15:27:59 +0200 Subject: [PATCH 10/10] phpevolinuxconf: Handle php 7.3 for buster --- evocheck.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/evocheck.sh b/evocheck.sh index 9b5cbb5..547edf3 100755 --- a/evocheck.sh +++ b/evocheck.sh @@ -933,9 +933,11 @@ check_mysqlnrpe() { } check_phpevolinuxconf() { if is_debian_stretch || is_debian_buster; then + is_debian_stretch && phpVersion="7.0" + is_debian_buster && phpVersion="7.3" if is_installed php; then - { test -f /etc/php/7.0/cli/conf.d/z-evolinux-defaults.ini \ - && test -f /etc/php/7.0/cli/conf.d/zzz-evolinux-custom.ini + { test -f /etc/php/${phpVersion}/cli/conf.d/z-evolinux-defaults.ini \ + && test -f /etc/php/${phpVersion}/cli/conf.d/zzz-evolinux-custom.ini } || failed "IS_PHPEVOLINUXCONF" fi fi -- 2.39.2
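Review bot: Only the `cli` SAPI directory is inspected (`/etc/php/${phpVersion}/cli/conf.d/`), so a host whose `fpm` or `apache2` SAPI lacks the evolinux ini files still passes IS_PHPEVOLINUXCONF; if those files carry hardening defaults (not visible here), the web-facing SAPIs are where they matter most. Separately, `phpVersion` is expanded unquoted and is the only camelCase variable among the ones visible in this series (`squidconffile`, `nagios_file`); a quoted, consistently named form would be `test -f "/etc/php/${php_version}/cli/conf.d/z-evolinux-defaults.ini"`.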