

ref: 46bac13b16df5cbd92ea1da12cfef168201f0dad
parent: 98aefdfc7862e39b7b8fa1aefe9d7af3b676da36
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Jun 4 17:46:23 EDT 2023

netaudit: use new ndb/query flags instead of ndb/ipquery

Query ndb with ndb/query -x $net -cia.

This allows one to import a remote system's /net
and run a netaudit on it like:

rimport foobar /net /net.alt
netaudit /net.alt

--- a/rc/bin/netaudit
+++ b/rc/bin/netaudit
@@ -1,10 +1,16 @@
 #!/bin/rc
 rfork e
+net=/net
+if(~ $#* 1)
+	net=$1
+fn query {
+	ndb/query -x $net -cia $*
+}
 fn checkether {
 	echo -n '	'$1'='$2
 	if(! ~ $2 [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
 		echo ' has wrong format'
-	if not if(! grep -s $i /net/ether*/addr)
+	if not if(! grep -s $i $net/ether*/addr)
 		echo ' does not belong to any network interface'
 	if not
 		echo ' looks ok'
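Review bot: The new `net=$1` assignment takes the mount point unchecked, so a missing or non-directory argument (or a second argument, which is silently ignored) only surfaces later as a confusing `ndb/query` error or an empty glob on `$net/ether*/addr`. Reject bad argument counts and verify the directory before anything runs, e.g. `if(! ~ $#* 0 1){ echo 'usage: netaudit [netmtpt]' >[1=2]; exit usage }` followed by `if(! test -d $net){ echo netaudit: $net: not a directory >[1=2]; exit notfound }`. Separately, the rewritten grep line still tests `$i` rather than the function's own second argument `$2`; it presumably only works because every caller iterates with a variable named `i`, so `grep -s $2 $net/ether*/addr` would make checkether self-contained. The body of checkether continues past the end of the hunk.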
@@ -39,7 +45,7 @@
 	}
 	checksys 'env var $sysname' $sysname
 	echo 'checking this host''s tuple:'
-	sys=`{ndb/ipquery sys $sysname sys | sed 's/sys=//g'}
+	sys=`{query sys $sysname sys}
 	if(! ~ $sysname $sys)
 		echo '	no sys= entry'
 	if not {
@@ -47,7 +53,7 @@
 			checksys sys $i
 		}
 	}
-	ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
+	ip=`{query sys $sysname ip}
 	if(~ $ip '')
 		echo '	no ip= entry'
 	if not {
@@ -55,7 +61,7 @@
 			checkip ip $i
 		}
 	}
-	dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
+	dom=`{query sys $sysname dom}
 	if(~ $dom '')
 		echo '	no dom= entry'
 	if not {
@@ -65,7 +71,7 @@
 				echo '	dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
 		}
 	}
-	ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
+	ether=`{query sys $sysname ether}
 	if(~ $ether '')
 		echo '	no ether entry'
 	if not {
@@ -76,7 +82,7 @@
 }
 fn checknet {
 	echo 'checking the network tuple:'
-	ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
+	ipnet=`{query sys $sysname ipnet}
 	if(~ $ipnet ''){
 		echo '	we are not in an ipnet, so looking for entries in host tuple only'
 	}
@@ -83,7 +89,7 @@
 	if not {
 		echo '	we are in ' 'ipnet='^$ipnet
 	}
-	ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
+	ipgw=`{query sys $sysname ipgw}
 	if(~ $ipgw '' '::'){
 		echo '	we do not have an internet gateway, no ipgw= entry'
 	}
@@ -92,7 +98,7 @@
 			checkip ipgw $i
 		}
 	}
-	dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
+	dns=`{query sys $sysname dns}
 	if(~ $dns '')
 		echo '	no dns= entry'
 	if not {
@@ -103,7 +109,7 @@
 				echo '	dns='$i 'looks ok'
 		}
 	}
-	auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
+	auth=`{query sys $sysname auth}
 	if(~ $auth '')
 		echo '	no auth= entry'
 	if not {
@@ -116,7 +122,7 @@
 			}
 		}
 	}
-	fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
+	fs=`{query sys $sysname fs}
 	if(~ $fs '')
 		echo '	no fs= entry (needed for tls boot)'
 	if not {
@@ -147,7 +153,7 @@
 			echo '	auth/keyfs is not running, try reboot'
 		if not
 			echo '	auth/keyfs is running'
-		if(! grep -s 'Listen *567' <{netstat -n})
+		if(! grep -s 'Listen *567' <{netstat -n $net})
 			echo '	no one listening on port 567, try reboot'
 		if not {
 			echo '	someone is listening on port 567'
@@ -164,7 +170,7 @@
 }
 fn checksec {
 	echo 'checking basic security:'
-	for(fs in `{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}) @{
+	for(fs in `{query sys $sysname fs}) @{
 		rfork n
 		if(srv $fs netaudit.$pid >[2] /dev/null || srvtls $fs netaudit.$pid >[2] /dev/null){
 			if(mount -N /srv/netaudit.$pid /n/netaudit >/dev/null >[2=1])
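Review bot: The `srv $fs` and `srvtls $fs` dials in this loop still go through the auditing host's default network stack rather than `$net`, so when netaudit is pointed at an imported `/net.alt` this check reports fs reachability from the local machine, not from the audited system. As far as I can tell neither command takes a mount-point argument, so if that is the intended behaviour it deserves a comment on the `for` line, e.g. `# NOTE: srv/srvtls dial via the local /net, not $net; fs reachability is checked from this host`. The same caveat applies to `$sysname`, which remains the local host's name even when `$net` is remote, so the tuple being audited may not be the imported system's unless the caller also overrides sysname; a sentence in the man page or a comment near the `net=$1` assignment would make that explicit. The body of checksec continues outside the hunk.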
--- a/sys/man/8/netaudit
+++ b/sys/man/8/netaudit
@@ -3,6 +3,9 @@
 netaudit - network configuration checker
 .SH SYNOPSIS
 netaudit
+[
+.I netmtpt
+]
 .SH DESCRIPTION
 .I Netaudit
 checks the effective network configuration on the