shithub: riscv

ref: 286ee3ba34ac6cb69e016f94c2709759f1fb94df
dir: /rc/bin/netaudit/

View raw version
#!/bin/rc
rfork e
fn checkhost {
	if(~ $sysname ''){
		echo 'sysname= env var is not set'
		exit 'fail'
	}
	echo 'checking this host''s tuple:'
	ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
	if(~ $ip '')
		echo '	no ip= entry'
	if not
		echo '	ip='$ip 'looks ok'
	dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
	if(~ $dom '')
		echo '	no dom= entry'
	if not {
		for(i in $dom){
			if(! ~ $i *.*)
				echo '	dom='$i 'does not have a dot'
			if not if(! ~ $i $sysname^.*)
				echo '	dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
			if not
				echo '	dom='$i 'looks ok'
		}
	}
	ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
	if(~ $ether '')
		echo '	no ether entry'
	if not {
		for(i in $ether){
			if(! ~ $i [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
				echo '	ether='$i 'has wrong format'
			if not if(! grep -s $i /net/ether*/addr)
				echo '	ether='$i 'does not belong to any network interface'
			if not
				echo '	ether='$i 'looks ok'
		}
	}
}
fn checknet {
	echo 'checking the network tuple:'
	ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
	if(~ $ipnet ''){
		echo '	we are not in an ipnet, so looking for entries in host tuple only'
	}
	if not
		echo '	we are in ipnet='^$ipnet
	ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
	if(~ $ipgw '' '::'){
		echo '	we do not have an internet gateway, no ipgw= entry'
	}
	if not {
		if(! ~ $ipgw *.*.*.* *:*:*:*:*:*:*:* *::*)
			echo '	ipgw='$ipgw 'does not look like an ip address'
		if not
			echo '	ipgw='$ipgw 'looks ok'
	}
	dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
	if(~ $dns '')
		echo '	no dns= entry'
	if not {
		for(i in $dns){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo '	dns='$i 'does not reply to ping'
			if not
				echo '	dns='$i 'looks ok'
		}
	}
	auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
	if(~ $auth '')
		echo '	no auth= entry'
	if not {
		for(i in $auth){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo '	auth='$i 'does not reply to ping'
			if not {
				authok=1
				echo '	auth='$i 'looks ok'
			}
		}
	}
	fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
	if(~ $fs '')
		echo '	no fs= entry (needed for tls boot)'
	if not {
		for(i in $fs){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo '	fs='$i 'does not reply to ping (needed for tls boot)'
			if not
				echo '	fs='$i 'looks ok'
		}
	}
}
fn checkauth {
	echo 'checking auth server configuration:'
	if(~ $auth ''){
		echo '	no auth server'
		exit fail
	}
	if not if(~ $sysname $auth){
		echo '	we are the auth server'
		authisus=1
	}
	if not if(~ $dom $auth){
		echo '	we are the auth server'
		authisus=1
	}
	if not if(~ $ip $auth){
		echo '	we are the auth server'
		authisus=1
	}
	if not {
		echo '	we are not the auth server '^$auth
		echo '	if this is a mistake, set auth='$sysname' or auth='$dom
		if(~ $authok 1)
			echo '	run auth/debug to test the auth server'
	}
	if(~ $authisus 1){
		if(! grep -s keyfs <{ps})
			echo '	auth/keyfs is not running, try reboot'
		if not
			echo '	auth/keyfs is running'
		if(! grep -s 'Listen *567' <{netstat -n})
			echo '	no one listening on port 567, try reboot'
		if not {
			echo '	someone is listening on port 567'
			echo '	run auth/debug to test the auth server'
		}
		echo '	run auth/asaudit to verify auth server configuration'
	}

}
fn checksec {
	echo 'checking basic security:'
	if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})
		echo '	file server does not require auth for user '^`{cat '#c'/user}
	if not
		echo '	file server seems to require auth'
}
checkhost
checknet
checkauth
#checksec