Checks that ensure the correct basic configuration of the host

script/check/host/all/app_docker-compose_is_installed.check.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+_CURRENT_APP='docker compose version'
+
+${_CURRENT_APP} > /dev/null 2>&1 \
+    && exit 0
+exit 1

script/check/host/all/app_docker_is_installed.check.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+docker --version > /dev/null 2>&1 \
+    && exit 0
+exit 1

script/check/host/all/app_nginx_is_installed.check.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+nginx -v > /dev/null 2>&1 \
+    && exit 0
+exit 1

script/check/host/all/app_nginx_starts_reliable.check.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Fail because of unnecessary custom config
+grep "Wants=network-online.target" /lib/systemd/system/nginx.service > /dev/null 2>&1 \
+    && [ -f "/etc/systemd/system/nginx.service" ] \
+    && exit 1
+
+# Success if system config is ok
+grep "Wants=network-online.target" /lib/systemd/system/nginx.service > /dev/null 2>&1 \
+    && exit 0
+
+# Success if custom config fixes system config
+grep "Wants=network-online.target" /etc/systemd/system/nginx.service > /dev/null 2>&1 \
+    && exit 0
+
+exit 1

script/check/host/all/core_cron_starts_setup_as_fallback.check.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+[ "$(id -u)" != "0" ] \
+    && printf "(INSUFFICENT RIGHTS) " \
+    && exit 1
+
+crontab -l | grep -E "[0-9]{1,2}[ \*]{8}[[:blank:]]*\/cis\/setupCoreOntoThisHost.sh" > /dev/null 2>&1 \
+    && exit 0
+exit 1

script/check/host/all/core_git_app_is_installed.check.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+git --version > /dev/null 2>&1 \
+    && exit 0
+exit 1

script/check/host/all/core_hostname_is_long.check.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+_CURRENT_FILE='/etc/hostname'
+
+#The file must be readable, then
+#the number of lines containing a '.' must be zero.
+[ -r "${_CURRENT_FILE}" ] \
+    && [ "$(grep -cF '.' "${_CURRENT_FILE}")" -gt 0 ] \
+    && exit 0
+exit 1

script/check/host/all/core_ssh_app_is_installed.check.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+ssh -V > /dev/null 2>&1 \
+    && exit 0
+exit 1

script/check/host/all/core_ssh_authorized_keys_of_jenkins_points_to_definitions.check.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+_CURRENT_FILE='/home/jenkins/.ssh/authorized_keys'
+
+[ "$(id -u)" != "0" ] \
+    && printf "(INSUFFICENT RIGHTS) " \
+    && exit 1
+
+#File has to be readable, then
+#search for '/definitions/' in the path of current file, after readlink expanded a potential symlink.
+[ -r "${_CURRENT_FILE}" ] \
+    && readlink -f "${_CURRENT_FILE}" | grep -q "/definitions/" \
+    && exit 0
+
+exit 1

script/check/host/all/core_ssh_authorized_keys_of_root_is_empty_or_points_to_definitions.check.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+_CURRENT_FILE='/root/.ssh/authorized_keys'
+
+[ "$(id -u)" != "0" ] \
+    && printf "(INSUFFICENT RIGHTS) " \
+    && exit 1
+
+#No file is ok
+[ ! -e "${_CURRENT_FILE}" ] \
+    && exit 0
+
+#The file must be readable, then
+#all comments and all blank lines are removed, after which the number of remaining lines must be zero.
+[ -r "${_CURRENT_FILE}" ] \
+    && [ "0" == "$(cat "${_CURRENT_FILE}" | sed 's/[[:blank:]]*#.*//' | sed '/^$/d' | grep -c .)" ] \
+    && exit 0
+
+#File has to be readable, then
+#search for '/definitions/' in the path of current file, after readlink expanded a potential symlink.
+[ -r "${_CURRENT_FILE}" ] \
+    && readlink -f "${_CURRENT_FILE}" | grep -q "/definitions/" \
+    && exit 0
+
+exit 1

script/check/host/all/core_ssh_key_of_root_exists_as_expected.check.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+_CURRENT_FILE='/root/.ssh/id_ed25519'
+
+[ "$(id -u)" != "0" ] \
+    && printf "(INSUFFICENT RIGHTS) " \
+    && exit 1
+
+#File has to be readable and no passphrase should be needed.
+ssh-keygen -y -P "" -f "${_CURRENT_FILE}" &> /dev/null \
+    && exit 0
+
+exit 1

script/check/host/all/core_sudoers_file_of_jenkins_points_to_definitions.check.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+_CURRENT_FILE='/etc/sudoers.d/allow-jenkins-updateRepositories'
+
+[ "$(id -u)" != "0" ] \
+    && printf "(INSUFFICENT RIGHTS) " \
+    && exit 1
+
+#File has to be readable, then
+#search for '/definitions/' in the path of current file, after readlink expanded a potential symlink.
+[ -r "${_CURRENT_FILE}" ] \
+    && readlink -f "${_CURRENT_FILE}" | grep -q "/definitions/" \
+    && exit 0
+
+exit 1

script/check/host/all/core_user_jenkins_exists.check.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+_CURRENT_USER='jenkins'
+
+[ "$(id -u)" != "0" ] \
+    && printf "(INSUFFICENT RIGHTS) " \
+    && exit 1
+
+id -u "${_CURRENT_USER}" > /dev/null 2>&1 \
+    && exit 0
+
+exit 1

script/check/host/all/system_localtime_contains_cet_and_cest.check.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+_CURRENT_FILE='/etc/localtime'
+
+#The file must be readable, then
+#the number of lines containing "CET" must be greater than zero, and
+#the number of lines containing "CEST" must also be greater than zero.
+[ -r "${_CURRENT_FILE}" ] \
+    && [ "$(zdump -v "${_CURRENT_FILE}" | head -n 10 | grep 'CET' | grep -c .)" -gt "0" ] \
+    && [ "$(zdump -v "${_CURRENT_FILE}" | head -n 10 | grep 'CEST' | grep -c .)" -gt "0" ] \
+    && exit 0
+exit 1

script/check/host/all/system_timezone_is_berlin.check.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+_CURRENT_FILE='/etc/timezone'
+
+#The file must be readable, then
+#the number of lines containing "Europe/Berlin" must be one.
+[ -r "${_CURRENT_FILE}" ] \
+    && [ "1" == "$(cat "${_CURRENT_FILE}" | grep 'Europe/Berlin' | grep -c .)" ] \
+    && exit 0
+exit 1

script/check/host/all/system_unattended_upgrades_are_disabled.check.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+! systemctl is-enabled unattended-upgrades.service > /dev/null 2>&1 \
+    && exit 0
+exit 1

script/check/host/all/system_zfs_app_is_installed.check.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+zfs --version > /dev/null 2>&1 \
+    && exit 0
+exit 1

script/check/host/all/system_zfs_atime_of_rootfs_zpool1.check.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+_CURRENT_POOL='zpool1'
+
+#Check if the tool 'zfs' is available, then
+#retrieve the property 'atime' from 'zpool1', without header and compare the result with 'off'
+#because this the feature 'atime' logs each access, there are many avoidable writes.
+
+#Set with: 'zfs set atime=off zpool1'
+zfs version &> /dev/null  \
+    && [ "$(zfs get atime -Ho value ${_CURRENT_POOL} 2> /dev/null)" == "off" ] \
+    && exit 0
+exit 1

script/check/host/all/system_zfs_compression_of_rootfs_zpool1.check.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+_CURRENT_POOL='zpool1'
+
+#Check if the tool 'zfs' is available, then
+#retrieve the property 'compression' from 'zpool1', without header and compare the result with 'lz4'
+
+#Set with: 'zfs set compression=lz4 zpool1'
+zfs version &> /dev/null  \
+    && [ "$(zfs get compression -Ho value ${_CURRENT_POOL} 2> /dev/null)" == "lz4" ] \
+    && exit 0
+exit 1

script/check/host/all/system_zfs_mountpoint_of_rootfs_zpool1.check.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+_CURRENT_ZFS='zpool1'
+
+#Check if the tool 'zfs' is available, then
+#retrieve the property 'mountpoint' from 'zpool1', without header and compare the result with '/zpool1'
+
+#Set with: 'zfs set mountpount=default'
+zfs version &> /dev/null \
+    && [ "$(zfs get mountpoint -Ho value ${_CURRENT_ZFS} 2> /dev/null)" == "/${_CURRENT_ZFS}" ] \
+    && exit 0
+exit 1

script/check/host/all/system_zpool_alignment_of_pool.check.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+_CURRENT_POOL='zpool1'
+
+#Check if the tool 'zpool' is available, then
+#retrieve the property 'ashift' from 'zpool1', without header and compare the result with '12'
+zpool version &> /dev/null \
+    && [ "$(zpool get ashift -Ho value ${_CURRENT_POOL} 2> /dev/null)" == "12" ] \
+    && exit 0
+exit 1