Add IS_NETWORKING_SERVICE check #137
13
CHANGELOG
13
CHANGELOG
|
@ -15,11 +15,22 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
|
||||||
|
|
||||||
### Security
|
### Security
|
||||||
|
|
||||||
|
## [22.06] 2022-06-03
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
* IS_AUTOIF: Ignore WireGuard interfaces
|
||||||
|
* IS_NETWORKING_SERVICE: check if networking service is enabled
|
||||||
|
|
||||||
|
### Changed
|
||||||
|
|
||||||
|
* IS_DEBIANSECURITY: Fix Debian security repo for Bullseye, cf https://www.debian.org/releases/stable/errata
|
||||||
|
|
||||||
## [22.05] 2022-05-12
|
## [22.05] 2022-05-12
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
||||||
IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command
|
* IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command
|
||||||
|
|
||||||
## [22.04.1] 2022-04-25
|
## [22.04.1] 2022-04-25
|
||||||
|
|
||||||
|
|
32
evocheck.sh
32
evocheck.sh
|
@ -4,7 +4,7 @@
|
||||||
# Script to verify compliance of a Debian/OpenBSD server
|
# Script to verify compliance of a Debian/OpenBSD server
|
||||||
# powered by Evolix
|
# powered by Evolix
|
||||||
|
|
||||||
VERSION="22.05"
|
VERSION="22.06"
|
||||||
readonly VERSION
|
readonly VERSION
|
||||||
|
|
||||||
# base functions
|
# base functions
|
||||||
|
@ -236,11 +236,11 @@ check_debiansecurity() {
|
||||||
if is_debian_bullseye; then
|
if is_debian_bullseye; then
|
||||||
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
|
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
|
||||||
# https://www.debian.org/security/
|
# https://www.debian.org/security/
|
||||||
pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main"
|
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main"
|
||||||
elif is_debian_buster; then
|
elif is_debian_buster; then
|
||||||
pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
|
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main"
|
||||||
elif is_debian_stretch; then
|
elif is_debian_stretch; then
|
||||||
pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
|
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main"
|
||||||
else
|
else
|
||||||
pattern="^deb.*security"
|
pattern="^deb.*security"
|
||||||
fi
|
fi
|
||||||
|
@ -363,7 +363,7 @@ check_alert5minifw() {
|
||||||
}
|
}
|
||||||
check_minifw() {
|
check_minifw() {
|
||||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
||||||
|| failed "IS_MINIFW" "minifirewall seems not starded"
|
|| failed "IS_MINIFW" "minifirewall seems not started"
|
||||||
}
|
}
|
||||||
check_minifw_includes() {
|
check_minifw_includes() {
|
||||||
if is_debian_bullseye; then
|
if is_debian_bullseye; then
|
||||||
|
@ -577,7 +577,7 @@ check_network_interfaces() {
|
||||||
# Verify if all if are in auto
|
# Verify if all if are in auto
|
||||||
check_autoif() {
|
check_autoif() {
|
||||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||||
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
||||||
else
|
else
|
||||||
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
|
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
|
||||||
fi
|
fi
|
||||||
|
@ -1217,14 +1217,20 @@ check_usrsharescripts() {
|
||||||
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
|
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
|
||||||
}
|
}
|
||||||
check_sshpermitrootno() {
|
check_sshpermitrootno() {
|
||||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
|
||||||
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
|
if is_debian_jessie || is_debian_stretch; then
|
||||||
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
# Noop, we'll use the default $sshd_args
|
||||||
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
:
|
||||||
fi
|
elif is_debian_buster; then
|
||||||
|
sshd_args="${sshd_args},rdomain="
|
||||||
else
|
else
|
||||||
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
|
||||||
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
# -T doesn't require the additional -C.
|
||||||
|
sshd_args=
|
||||||
|
fi
|
||||||
|
# XXX: We want parameter expension here
|
||||||
|
if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
|
||||||
|
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
check_evomaintenanceusers() {
|
check_evomaintenanceusers() {
|
||||||
|
|
Loading…
Reference in a new issue