ref: 44fae0b28cb1a66a3becb5528f7813ac42bc7696
dir: /rc/bin/netaudit/
#!/bin/rc rfork e fn checkether { echo -n ' '$1'='$2 if(! ~ $2 [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) echo ' has wrong format' if not if(! grep -s $i /net/ether*/addr) echo ' does not belong to any network interface' if not echo ' looks ok' } fn checkip { echo -n ' '$1'='$2 if(! ~ $2 *.*.*.* *:*:*:*:*:*:*:* *::*) echo ' does not look like an ip address' if not echo ' looks ok' } fn checksys { echo -n ' '$1'='$2 if(~ $2 *.*) echo ' contains a dot, it will be confused for a domain name or ip address' if not echo ' looks ok' } fn checkdom { echo -n ' '$1'='$2 if(! ~ $2 *.*) echo ' does not have a dot' if not if(~ $2 *.) echo ' has a trailing period' if not echo ' looks ok' } fn checkhost { if(~ $sysname ''){ echo 'env var $sysname is not set' exit 'fail' } checksys 'env var $sysname' $sysname echo 'checking this host''s tuple:' sys=`{ndb/ipquery sys $sysname sys | sed 's/sys=//g'} if(! ~ $sysname $sys) echo ' no sys= entry' if not { for(i in $sys){ checksys sys $i } } ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'} if(~ $ip '') echo ' no ip= entry' if not { for(i in $ip){ checkip ip $i } } dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'} if(~ $dom '') echo ' no dom= entry' if not { for(i in $dom){ checkdom dom $i if(! ~ $i $sysname^.*) echo ' dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!' } } ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'} if(~ $ether '') echo ' no ether entry' if not { for(i in $ether){ checkether ether $i } } } fn checknet { echo 'checking the network tuple:' ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'} if(~ $ipnet ''){ echo ' we are not in an ipnet, so looking for entries in host tuple only' } if not { echo ' we are in ' 'ipnet='^$ipnet } ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'} if(~ $ipgw '' '::'){ echo ' we do not have an internet gateway, no ipgw= entry' } if not { for(i in $ipgw) { checkip ipgw $i } } dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'} if(~ $dns '') echo ' no dns= entry' if not { for(i in $dns){ if(! ip/ping -n 1 $i >/dev/null >[2=1]) echo ' dns='$i 'does not reply to ping' if not echo ' dns='$i 'looks ok' } } auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'} if(~ $auth '') echo ' no auth= entry' if not { for(i in $auth){ if(! ip/ping -n 1 $i >/dev/null >[2=1]) echo ' auth='$i 'does not reply to ping' if not { authok=1 echo ' auth='$i 'looks ok' } } } fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'} if(~ $fs '') echo ' no fs= entry (needed for tls boot)' if not { for(i in $fs){ if(! ip/ping -n 1 $i >/dev/null >[2=1]) echo ' fs='$i 'does not reply to ping (needed for tls boot)' if not echo ' fs='$i 'looks ok' } } } fn checkauth { echo 'checking auth server configuration:' if(~ $auth ''){ echo ' no auth server' exit fail } if not { for(i in $auth){ if(~ $i $sys $dom $ip){ echo ' we are the auth server '^$i authisus=1 } } } if(~ $authisus 1){ if(! grep -s keyfs <{ps}) echo ' auth/keyfs is not running, try reboot' if not echo ' auth/keyfs is running' if(! grep -s 'Listen *567' <{netstat -n}) echo ' no one listening on port 567, try reboot' if not { echo ' someone is listening on port 567' echo ' run auth/debug to test the auth server' } echo ' run auth/asaudit to verify auth server configuration' } if not { echo ' we are not the auth server(s):' $auth echo ' if this is a mistake, set auth='$sys(1) 'or auth='^($sys(2-) $dom) if(~ $authok 1) echo ' run auth/debug to test the auth server' } } fn checksec { echo 'checking basic security:' if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]}) echo ' file server does not require auth for user '^`{cat '#c'/user} if not echo ' file server seems to require auth' } checkhost checknet checkauth #checksec