
Mercurial > hg > plan9front / rc/bin/netaudit

changeset 7243: 34f64dcbbc25
parent: d7243619aff6
author: cinap_lenrek@felloff.net
date: Fri, 17 May 2019 18:14:10 +0200
permissions: -rwxr-xr-x
description: 7l: don't hardcode 4k pagesize, use INITRND
#!/bin/rc
# netaudit: sanity-check this host's ndb tuple, its network tuple and its
# auth server setup, printing one line per finding.
# rfork e gives this script a private copy of the environment, so the
# variables the checks leave behind ($ip, $dom, $auth, $authok, ...) do
# not leak back into the calling shell.
rfork e
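fn checkhost {
	# check this host's own ndb tuple: the ip=, dom= and ether= entries
	# found under sys=$sysname.  Leaves $ip and $dom set for checkauth.
	# exits 'fail' when sysname is unset, since every query keys on it.
	if(~ $sysname ''){
		echo 'sysname= env var is not set'
		exit 'fail'
	}
	echo 'checking this host''s tuple:'
	# ip= is checked for form as well as presence, using the same patterns
	# checknet applies to ipgw=: dotted ipv4, full ipv6 or compressed ipv6.
	# a tuple may carry several ip= entries, so each one is checked.
	ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
	if(~ $ip '')
		echo ' no ip= entry'
	if not {
		for(i in $ip){
			if(! ~ $i *.*.*.* *:*:*:*:*:*:*:* *::*)
				echo ' ip='$i 'does not look like an ip address'
			if not
				echo ' ip='$i 'looks ok'
		}
	}
	# dom= must be this host's fully qualified name: it has to contain a
	# dot and start with $sysname.  A bare domain name is a common mistake.
	dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
	if(~ $dom '')
		echo ' no dom= entry'
	if not {
		for(i in $dom){
			if(! ~ $i *.*)
				echo ' dom='$i 'does not have a dot'
			if not if(! ~ $i $sysname^.*)
				echo ' dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
			if not
				echo ' dom='$i 'looks ok'
		}
	}
	# ether= must be 12 lowercase hex digits and name one of this
	# machine's interfaces (/net/ether*/addr).  The format check runs
	# first, so the value handed to grep as a pattern is plain hex and
	# cannot act as a regular expression.
	ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
	if(~ $ether '')
		echo ' no ether entry'
	if not {
		for(i in $ether){
			if(! ~ $i [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
				echo ' ether='$i 'has wrong format'
			if not if(! grep -s $i /net/ether*/addr)
				echo ' ether='$i 'does not belong to any network interface'
			if not
				echo ' ether='$i 'looks ok'
		}
	}
}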
fn checknet {
	# check the entries this host needs from its network (ipnet=) tuple:
	# ipgw=, dns=, auth= and fs=.  Each server named is pinged once; a
	# reply only shows the address answers ICMP echo, not that the service
	# is actually running there, and a host that drops echo requests is
	# reported as "does not reply" even though it may be fine.
	# leaves $auth set for checkauth, and $authok=1 when some auth server
	# answered the ping.
	echo 'checking the network tuple:'
	ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
	if(~ $ipnet ''){
		echo ' we are not in an ipnet, so looking for entries in host tuple only'
	}
	if not
		echo ' we are in ipnet='^$ipnet
	# no ipgw= entry and the unspecified address :: both mean "no gateway"
	ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
	if(~ $ipgw '' '::'){
		echo ' we do not have an internet gateway, no ipgw= entry'
	}
	if not {
		# accept dotted ipv4, full ipv6 or compressed (::) ipv6
		if(! ~ $ipgw *.*.*.* *:*:*:*:*:*:*:* *::*)
			echo ' ipgw='$ipgw 'does not look like an ip address'
		if not
			echo ' ipgw='$ipgw 'looks ok'
	}
	# dns= servers are only pinged; this does not test name resolution
	dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
	if(~ $dns '')
		echo ' no dns= entry'
	if not {
		for(i in $dns){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo ' dns='$i 'does not reply to ping'
			if not
				echo ' dns='$i 'looks ok'
		}
	}
	# auth= servers are only pinged; checkauth prints the auth/debug hint
	# when $authok is set here
	auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
	if(~ $auth '')
		echo ' no auth= entry'
	if not {
		for(i in $auth){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo ' auth='$i 'does not reply to ping'
			if not {
				authok=1
				echo ' auth='$i 'looks ok'
			}
		}
	}
	# fs= names the file server used for tls boot; again only pinged
	fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
	if(~ $fs '')
		echo ' no fs= entry (needed for tls boot)'
	if not {
		for(i in $fs){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo ' fs='$i 'does not reply to ping (needed for tls boot)'
			if not
				echo ' fs='$i 'looks ok'
		}
	}
}
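fn checkauth {
	# decide whether this host is the auth server named by auth= and, if
	# it is, check that keyfs runs and that something listens on port 567.
	# reads $auth and $authok (set by checknet) and $dom and $ip (set by
	# checkhost), so those must have run first.  exits 'fail' when there
	# is no auth= entry at all.
	# auth= may name us by sysname, by fqdn or by address, hence the three
	# comparisons below.
	echo 'checking auth server configuration:'
	if(~ $auth ''){
		echo ' no auth server'
		exit fail
	}
	if not if(~ $sysname $auth){
		echo ' we are the auth server'
		authisus=1
	}
	if not if(~ $dom $auth){
		echo ' we are the auth server'
		authisus=1
	}
	if not if(~ $ip $auth){
		echo ' we are the auth server'
		authisus=1
	}
	if not {
		echo ' we are not the auth server '^$auth
		echo ' if this is a mistake, set auth='$sysname' or auth='$dom
		if(~ $authok 1)
			echo ' run auth/debug to test the auth server'
	}
	if(~ $authisus 1){
		# substring match on the ps listing: any process whose name
		# contains "keyfs" satisfies this, so it is a hint, not proof
		if(! grep -s keyfs <{ps})
			echo ' auth/keyfs is not running, try reboot'
		if not
			echo ' auth/keyfs is running'
		# the port number must be followed by a non-digit or end of line,
		# so that a listener on e.g. 5670 is not mistaken for one on 567
		if(! grep -s 'Listen *567([^0-9]|$)' <{netstat -n})
			echo ' no one listening on port 567, try reboot'
		if not {
			echo ' someone is listening on port 567'
			echo ' run auth/debug to test the auth server'
		}
		echo ' run auth/asaudit to verify auth server configuration'
	}

}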
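fn checksec {
	# try an unauthenticated attach (mount -n) to the boot file server from
	# a throw-away namespace (rfork n), so the mount never touches the
	# caller's namespace.  If the mount succeeds the file server handed a
	# root to the current user without authentication.
	# a missing /srv/boot is reported on its own: without it the mount
	# would fail and be misreported as "seems to require auth".
	echo 'checking basic security:'
	if(! test -e /srv/boot)
		echo ' no /srv/boot, cannot tell whether the file server requires auth'
	if not if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})
		echo ' file server does not require auth for user '^`{cat '#c'/user}
	if not
		echo ' file server seems to require auth'
}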
# run the checks in this order: checkhost sets $ip and $dom, checknet sets
# $auth and $authok, and checkauth reads all four.  checkauth exits the
# script with 'fail' when there is no auth= entry.
checkhost
checknet
checkauth
# checksec is disabled here: it attempts an unauthenticated mount of
# /srv/boot (in a private namespace) to see whether the file server
# requires auth.  Enable it to include that check.
#checksec