ref: 4b9ccb2de0466dd3cabc50b2e8e9d709b94d9bb9
dir: /rc/bin/netaudit/
#!/bin/rc rfork e fn checkhost { if(~ $sysname ''){ echo 'sysname= env var is not set' exit 'fail' } echo 'checking this host''s tuple:' ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'} if(~ $ip '') echo ' no ip= entry' if not echo ' ip='$ip 'looks ok' dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'} if(~ $dom '') echo ' no dom= entry' if not { for(i in $dom){ if(! ~ $i *.*) echo ' dom='$i 'does not have a dot' if not if(! ~ $i $sysname^.*) echo ' dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!' if not echo ' dom='$i 'looks ok' } } ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'} if(~ $ether '') echo ' no ether entry' if not { for(i in $ether){ if(! ~ $i [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) echo ' ether='$i 'has wrong format' if not if(! grep -s $i /net/ether*/addr) echo ' ether='$i 'does not belong to any network interface' if not echo ' ether='$i 'looks ok' } } } fn checknet { echo 'checking the network tuple:' ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'} if(~ $ipnet ''){ echo ' we are not in an ipnet, so looking for entries in host tuple only' } if not echo ' we are in ipnet='^$ipnet ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'} if(~ $ipgw '' '::'){ echo ' we do not have an internet gateway, no ipgw= entry' } if not { if(! ~ $ipgw *.*.*.* *:*:*:*:*:*:*:* *::*) echo ' ipgw='$ipgw 'does not look like an ip address' if not echo ' ipgw='$ipgw 'looks ok' } dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'} if(~ $dns '') echo ' no dns= entry' if not { for(i in $dns){ if(! ip/ping -n 1 $i >/dev/null >[2=1]) echo ' dns='$i 'does not reply to ping' if not echo ' dns='$i 'looks ok' } } auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'} if(~ $auth '') echo ' no auth= entry' if not { for(i in $auth){ if(! ip/ping -n 1 $i >/dev/null >[2=1]) echo ' auth='$i 'does not reply to ping' if not { authok=1 echo ' auth='$i 'looks ok' } } } fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'} if(~ $fs '') echo ' no fs= entry (needed for tls boot)' if not { for(i in $fs){ if(! ip/ping -n 1 $i >/dev/null >[2=1]) echo ' fs='$i 'does not reply to ping (needed for tls boot)' if not echo ' fs='$i 'looks ok' } } } fn checkauth { echo 'checking auth server configuration:' if(~ $auth ''){ echo ' no auth server' exit fail } if not if(~ $sysname $auth){ echo ' we are the auth server' authisus=1 } if not if(~ $dom $auth){ echo ' we are the auth server' authisus=1 } if not if(~ $ip $auth){ echo ' we are the auth server' authisus=1 } if not { echo ' we are not the auth server '^$auth echo ' if this is a mistake, set auth='$sysname' or auth='$dom if(~ $authok 1) echo ' run auth/debug to test the auth server' } if(~ $authisus 1){ if(! grep -s keyfs <{ps}) echo ' auth/keyfs is not running, try reboot' if not echo ' auth/keyfs is running' if(! grep -s 'Listen *567' <{netstat -n}) echo ' no one listening on port 567, try reboot' if not { echo ' someone is listening on port 567' echo ' run auth/debug to test the auth server' } echo ' run auth/asaudit to verify auth server configuration' } } fn checksec { echo 'checking basic security:' if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]}) echo ' file server does not require auth for user '^`{cat '#c'/user} if not echo ' file server seems to require auth' } checkhost checknet checkauth #checksec