ref: 5a807265a819206f8342ab3a23b940a0c75049fc
dir: /rc/bin/netaudit/
#!/bin/rc
rfork e
fn checkhost {
if(~ $sysname ''){
echo 'sysname= env var is not set'
exit 'fail'
}
echo 'checking this host''s tuple:'
ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
if(~ $ip '')
echo ' no ip= entry'
if not
echo ' ip='$ip 'looks ok'
dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
if(~ $dom '')
echo ' no dom= entry'
if not {
for(i in $dom){
if(! ~ $i *.*)
echo ' dom='$i 'does not have a dot'
if not if(! ~ $i $sysname^.*)
echo ' dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
if not
echo ' dom='$i 'looks ok'
}
}
ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
if(~ $ether '')
echo ' no ether entry'
if not {
for(i in $ether){
if(! ~ $i [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
echo ' ether='$i 'has wrong format'
if not if(! grep -s $i /net/ether*/addr)
echo ' ether='$i 'does not belong to any network interface'
if not
echo ' ether='$i 'looks ok'
}
}
}
fn checknet {
echo 'checking the network tuple:'
ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
if(~ $ipnet ''){
echo ' we are not in an ipnet, so looking for entries in host tuple only'
}
if not
echo ' we are in ipnet='^$ipnet
ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
if(~ $ipgw '' '::'){
echo ' we do not have an internet gateway, no ipgw= entry'
}
if not {
if(! ~ $ipgw *.*.*.* *:*:*:*:*:*:*:* *::*)
echo ' ipgw='$ipgw 'does not look like an ip address'
if not
echo ' ipgw='$ipgw 'looks ok'
}
dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
if(~ $dns '')
echo ' no dns= entry'
if not {
for(i in $dns){
if(! ip/ping -n 1 $i >/dev/null >[2=1])
echo ' dns='$i 'does not reply to ping'
if not
echo ' dns='$i 'looks ok'
}
}
auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
if(~ $auth '')
echo ' no auth= entry'
if not {
for(i in $auth){
if(! ip/ping -n 1 $i >/dev/null >[2=1])
echo ' auth='$i 'does not reply to ping'
if not {
authok=1
echo ' auth='$i 'looks ok'
}
}
}
fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
if(~ $fs '')
echo ' no fs= entry (needed for tls boot)'
if not {
for(i in $fs){
if(! ip/ping -n 1 $i >/dev/null >[2=1])
echo ' fs='$i 'does not reply to ping (needed for tls boot)'
if not
echo ' fs='$i 'looks ok'
}
}
}
fn checkauth {
echo 'checking auth server configuration:'
if(~ $auth ''){
echo ' no auth server'
exit fail
}
if not if(~ $sysname $auth){
echo ' we are the auth server'
authisus=1
}
if not if(~ $dom $auth){
echo ' we are the auth server'
authisus=1
}
if not if(~ $ip $auth){
echo ' we are the auth server'
authisus=1
}
if not {
echo ' we are not the auth server '^$auth
echo ' if this is a mistake, set auth='$sysname' or auth='$dom
if(~ $authok 1)
echo ' run auth/debug to test the auth server'
}
if(~ $authisus 1){
if(! grep -s keyfs <{ps})
echo ' auth/keyfs is not running, try reboot'
if not
echo ' auth/keyfs is running'
if(! grep -s 'Listen *567' <{netstat -n})
echo ' no one listening on port 567, try reboot'
if not {
echo ' someone is listening on port 567'
echo ' run auth/debug to test the auth server'
}
echo ' run auth/asaudit to verify auth server configuration'
}
}
fn checksec {
echo 'checking basic security:'
if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})
echo ' file server does not require auth for user '^`{cat '#c'/user}
if not
echo ' file server seems to require auth'
}
checkhost
checknet
checkauth
#checksec