Add IS_NETWORKING_SERVICE check #137
13
CHANGELOG
13
CHANGELOG
|
@ -15,11 +15,22 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
|
|||
|
||||
### Security
|
||||
|
||||
## [22.06] 2022-06-03
|
||||
|
||||
### Added
|
||||
|
||||
* IS_AUTOIF: Ignore WireGuard interfaces
|
||||
* IS_NETWORKING_SERVICE: check if networking service is enabled
|
||||
|
||||
### Changed
|
||||
|
||||
* IS_DEBIANSECURITY: Fix Debian security repo for Bullseye, cf https://www.debian.org/releases/stable/errata
|
||||
|
||||
## [22.05] 2022-05-12
|
||||
|
||||
### Changed
|
||||
|
||||
IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command
|
||||
* IS_EVOBACKUP_EXCLUDE_MOUNT: exclude scripts without Rsync command
|
||||
|
||||
## [22.04.1] 2022-04-25
|
||||
|
||||
|
|
32
evocheck.sh
32
evocheck.sh
|
@ -4,7 +4,7 @@
|
|||
# Script to verify compliance of a Debian/OpenBSD server
|
||||
# powered by Evolix
|
||||
|
||||
VERSION="22.05"
|
||||
VERSION="22.06"
|
||||
readonly VERSION
|
||||
|
||||
# base functions
|
||||
|
@ -236,11 +236,11 @@ check_debiansecurity() {
|
|||
if is_debian_bullseye; then
|
||||
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.html#security-archive
|
||||
# https://www.debian.org/security/
|
||||
pattern="^deb http://security\.debian\.org/debian-security/? bullseye-security main"
|
||||
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? bullseye-security main"
|
||||
elif is_debian_buster; then
|
||||
pattern="^deb http://security\.debian\.org/debian-security/? buster/updates main"
|
||||
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? buster/updates main"
|
||||
elif is_debian_stretch; then
|
||||
pattern="^deb http://security\.debian\.org/debian-security/? stretch/updates main"
|
||||
pattern="^deb ?(\[.*\])? ?http://security\.debian\.org/debian-security/? stretch/updates main"
|
||||
else
|
||||
pattern="^deb.*security"
|
||||
fi
|
||||
|
@ -363,7 +363,7 @@ check_alert5minifw() {
|
|||
}
|
||||
check_minifw() {
|
||||
/sbin/iptables -L -n | grep -q -E "^ACCEPT\s*all\s*--\s*31\.170\.8\.4\s*0\.0\.0\.0/0\s*$" \
|
||||
|| failed "IS_MINIFW" "minifirewall seems not starded"
|
||||
|| failed "IS_MINIFW" "minifirewall seems not started"
|
||||
}
|
||||
check_minifw_includes() {
|
||||
if is_debian_bullseye; then
|
||||
|
@ -577,7 +577,7 @@ check_network_interfaces() {
|
|||
# Verify if all if are in auto
|
||||
check_autoif() {
|
||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
||||
interfaces=$(/sbin/ip address show up | grep "^[0-9]*:" | grep -E -v "(lo|vnet|docker|veth|tun|tap|macvtap|vrrp|lxcbr|wg)" | cut -d " " -f 2 | tr -d : | cut -d@ -f1 | tr "\n" " ")
|
||||
else
|
||||
interfaces=$(/sbin/ifconfig -s | tail -n +2 | grep -E -v "^(lo|vnet|docker|veth|tun|tap|macvtap|vrrp)" | cut -d " " -f 1 |tr "\n" " ")
|
||||
fi
|
||||
|
@ -1217,14 +1217,20 @@ check_usrsharescripts() {
|
|||
test "$expected" = "$actual" || failed "IS_USRSHARESCRIPTS" "/usr/share/scripts must be $expected"
|
||||
}
|
||||
check_sshpermitrootno() {
|
||||
if is_debian_stretch || is_debian_buster || is_debian_bullseye; then
|
||||
if grep -q "^PermitRoot" /etc/ssh/sshd_config; then
|
||||
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
||||
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
||||
fi
|
||||
sshd_args="-C addr=,user=,host=,laddr=,lport=0"
|
||||
if is_debian_jessie || is_debian_stretch; then
|
||||
# Noop, we'll use the default $sshd_args
|
||||
:
|
||||
elif is_debian_buster; then
|
||||
sshd_args="${sshd_args},rdomain="
|
||||
else
|
||||
grep -E -qi "PermitRoot.*no" /etc/ssh/sshd_config \
|
||||
|| failed "IS_SSHPERMITROOTNO" "PermitRoot should be set at no"
|
||||
# NOTE: From Debian Bullseye 11 onward, with OpenSSH 8.1, the argument
|
||||
# -T doesn't require the additional -C.
|
||||
sshd_args=
|
||||
fi
|
||||
# XXX: We want parameter expension here
|
||||
if ! (sshd -T $sshd_args | grep -q 'permitrootlogin no'); then
|
||||
failed "IS_SSHPERMITROOTNO" "PermitRoot should be set to no"
|
||||
fi
|
||||
}
|
||||
check_evomaintenanceusers() {
|
||||
|
|
Loading…
Reference in a new issue