plan9fox/rc/bin/netaudit

#!/bin/rc
rfork e
fn checkether {
	echo -n '	'$1'='$2
	if(! ~ $2 [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
		echo ' has wrong format'
	if not if(! grep -s $i /net/ether*/addr)
		echo ' does not belong to any network interface'
	if not
		echo ' looks ok'
}
fn checkip {
	echo -n '	'$1'='$2
	if(! ~ $2 *.*.*.* *:*:*:*:*:*:*:* *::*)
		echo ' does not look like an ip address'
	if not
		echo ' looks ok'
}
fn checksys {
	echo -n '	'$1'='$2
	if(~ $2 *.*)
		echo ' contains a dot, it will be confused for a domain name or ip address'
	if not
		echo ' looks ok'
}
fn checkdom {
	echo -n '	'$1'='$2
	if(! ~ $2 *.*)
		echo ' does not have a dot'
	if not if(~ $2 *.)
		echo ' has a trailing period'
	if not
		echo ' looks ok'
}
fn checkhost {
	if(~ $sysname ''){
		echo 'env var $sysname is not set'
		exit 'fail'
	}
	checksys 'env var $sysname' $sysname
	echo 'checking this host''s tuple:'
	sys=`{ndb/ipquery sys $sysname sys | sed 's/sys=//g'}
	if(! ~ $sysname $sys)
		echo '	no sys= entry'
	if not {
		for(i in $sys){
			checksys sys $i
		}
	}
	ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
	if(~ $ip '')
		echo '	no ip= entry'
	if not {
		for(i in $ip){
			checkip ip $i
		}
	}
	dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
	if(~ $dom '')
		echo '	no dom= entry'
	if not {
		for(i in $dom){
			checkdom dom $i
			if(! ~ $i $sysname^.*)
				echo '	dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
		}
	}
	ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
	if(~ $ether '')
		echo '	no ether entry'
	if not {
		for(i in $ether){
			checkether ether $i
		}
	}
}
fn checknet {
	echo 'checking the network tuple:'
	ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
	if(~ $ipnet ''){
		echo '	we are not in an ipnet, so looking for entries in host tuple only'
	}
	if not {
		echo '	we are in ' 'ipnet='^$ipnet
	}
	ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
	if(~ $ipgw '' '::'){
		echo '	we do not have an internet gateway, no ipgw= entry'
	}
	if not {
		for(i in $ipgw) {
			checkip ipgw $i
		}
	}
	dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
	if(~ $dns '')
		echo '	no dns= entry'
	if not {
		for(i in $dns){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo '	dns='$i 'does not reply to ping'
			if not
				echo '	dns='$i 'looks ok'
		}
	}
	auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
	if(~ $auth '')
		echo '	no auth= entry'
	if not {
		for(i in $auth){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo '	auth='$i 'does not reply to ping'
			if not {
				authok=1
				echo '	auth='$i 'looks ok'
			}
		}
	}
	fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
	if(~ $fs '')
		echo '	no fs= entry (needed for tls boot)'
	if not {
		for(i in $fs){
			if(! ip/ping -n 1 $i >/dev/null >[2=1])
				echo '	fs='$i 'does not reply to ping (needed for tls boot)'
			if not
				echo '	fs='$i 'looks ok'
		}
	}
}
fn checkauth {
	echo 'checking auth server configuration:'
	if(~ $auth ''){
		echo '	no auth server'
		exit fail
	}
	if not {
		for(i in $auth){
			if(~ $i $sys $dom $ip){
				echo '	we are the auth server '^$i
				authisus=1
			}
		}
	}
	if(~ $authisus 1){
		if(! grep -s keyfs <{ps})
			echo '	auth/keyfs is not running, try reboot'
		if not
			echo '	auth/keyfs is running'
		if(! grep -s 'Listen *567' <{netstat -n})
			echo '	no one listening on port 567, try reboot'
		if not {
			echo '	someone is listening on port 567'
			echo '	run auth/debug to test the auth server'
		}
		echo '	run auth/asaudit to verify auth server configuration'
	}
	if not {
		echo '	we are not the auth server(s):' $auth
		echo '	if this is a mistake, set auth='$sys(1) 'or auth='^($sys(2-) $dom)
		if(~ $authok 1)
			echo '	run auth/debug to test the auth server'
	}
}
fn checksec {
	echo 'checking basic security:'
	if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})
		echo '	file server does not require auth for user '^`{cat '#c'/user}
	if not
		echo '	file server seems to require auth'
}
checkhost
checknet
checkauth
#checksec
added netaudit 2012-08-26 12:15:08 +00:00			`#!/bin/rc`
			`rfork e`
netaudit, ndb(6): the dom= attribute in ndb should be specified without the trailing period 2021-11-29 20:07:04 +00:00			`fn checkether {`
			`echo -n ' '$1'='$2`
			`if(! ~ $2 [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])`
			`echo ' has wrong format'`
			`if not if(! grep -s $i /net/ether*/addr)`
			`echo ' does not belong to any network interface'`
			`if not`
			`echo ' looks ok'`
			`}`
			`fn checkip {`
			`echo -n ' '$1'='$2`
			`if(! ~ $2 ... ::::::: ::)`
			`echo ' does not look like an ip address'`
			`if not`
			`echo ' looks ok'`
			`}`
netaudit: check for sys= attribute to be free of periods 2021-11-29 20:26:12 +00:00			`fn checksys {`
			`echo -n ' '$1'='$2`
			`if(~ $2 .)`
			`echo ' contains a dot, it will be confused for a domain name or ip address'`
			`if not`
			`echo ' looks ok'`
			`}`
netaudit, ndb(6): the dom= attribute in ndb should be specified without the trailing period 2021-11-29 20:07:04 +00:00			`fn checkdom {`
			`echo -n ' '$1'='$2`
			`if(! ~ $2 .)`
			`echo ' does not have a dot'`
			`if not if(~ $2 *.)`
			`echo ' has a trailing period'`
			`if not`
			`echo ' looks ok'`
			`}`
added netaudit 2012-08-26 12:15:08 +00:00			`fn checkhost {`
			`if(~ $sysname ''){`
netaudit: check for sys= attribute to be free of periods 2021-11-29 20:26:12 +00:00			`echo 'env var $sysname is not set'`
added netaudit 2012-08-26 12:15:08 +00:00			`exit 'fail'`
			`}`
netaudit: check for sys= attribute to be free of periods 2021-11-29 20:26:12 +00:00			`checksys 'env var $sysname' $sysname`
added netaudit 2012-08-26 12:15:08 +00:00			`echo 'checking this host''s tuple:'`
netaudit: check for sys= attribute to be free of periods 2021-11-29 20:26:12 +00:00			sys=`{ndb/ipquery sys $sysname sys \| sed 's/sys=//g'}
			`if(! ~ $sysname $sys)`
			`echo ' no sys= entry'`
			`if not {`
			`for(i in $sys){`
			`checksys sys $i`
			`}`
			`}`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			ip=`{ndb/ipquery sys $sysname ip \| sed 's/ip=//g'}
netaudit changes and manual page 2012-10-07 22:56:00 +00:00			`if(~ $ip '')`
			`echo ' no ip= entry'`
netaudit, ndb(6): the dom= attribute in ndb should be specified without the trailing period 2021-11-29 20:07:04 +00:00			`if not {`
			`for(i in $ip){`
			`checkip ip $i`
			`}`
			`}`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			dom=`{ndb/ipquery sys $sysname dom \| sed 's/dom=//g'}
fixed netaudit blunder 2012-08-26 13:56:16 +00:00			`if(~ $dom '')`
added netaudit 2012-08-26 12:15:08 +00:00			`echo ' no dom= entry'`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			`if not {`
			`for(i in $dom){`
netaudit, ndb(6): the dom= attribute in ndb should be specified without the trailing period 2021-11-29 20:07:04 +00:00			`checkdom dom $i`
			`if(! ~ $i $sysname^.*)`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			`echo ' dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'`
			`}`
			`}`
			ether=`{ndb/ipquery sys $sysname ether \| sed 's/ether=//g'}
added netaudit 2012-08-26 12:15:08 +00:00			`if(~ $ether '')`
			`echo ' no ether entry'`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			`if not {`
			`for(i in $ether){`
netaudit, ndb(6): the dom= attribute in ndb should be specified without the trailing period 2021-11-29 20:07:04 +00:00			`checkether ether $i`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			`}`
			`}`
added netaudit 2012-08-26 12:15:08 +00:00			`}`
			`fn checknet {`
			`echo 'checking the network tuple:'`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			ipnet=`{ndb/ipquery sys $sysname ipnet \| sed 's/ipnet=//g'}
added netaudit 2012-08-26 12:15:08 +00:00			`if(~ $ipnet ''){`
netaudit changes and manual page 2012-10-07 22:56:00 +00:00			`echo ' we are not in an ipnet, so looking for entries in host tuple only'`
added netaudit 2012-08-26 12:15:08 +00:00			`}`
netaudit, ndb(6): the dom= attribute in ndb should be specified without the trailing period 2021-11-29 20:07:04 +00:00			`if not {`
			`echo ' we are in ' 'ipnet='^$ipnet`
			`}`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			ipgw=`{ndb/ipquery sys $sysname ipgw \| sed 's/ipgw=//g'}
netaudit: check if ipgw= is an ip address 2013-05-14 16:54:42 +00:00			`if(~ $ipgw '' '::'){`
			`echo ' we do not have an internet gateway, no ipgw= entry'`
			`}`
			`if not {`
netaudit, ndb(6): the dom= attribute in ndb should be specified without the trailing period 2021-11-29 20:07:04 +00:00			`for(i in $ipgw) {`
			`checkip ipgw $i`
			`}`
netaudit: check if ipgw= is an ip address 2013-05-14 16:54:42 +00:00			`}`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			dns=`{ndb/ipquery sys $sysname dns \| sed 's/dns=//g'}
added netaudit 2012-08-26 12:15:08 +00:00			`if(~ $dns '')`
			`echo ' no dns= entry'`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			`if not {`
			`for(i in $dns){`
			`if(! ip/ping -n 1 $i >/dev/null >[2=1])`
			`echo ' dns='$i 'does not reply to ping'`
			`if not`
			`echo ' dns='$i 'looks ok'`
			`}`
			`}`
			auth=`{ndb/ipquery sys $sysname auth \| sed 's/auth=//g'}
added netaudit 2012-08-26 12:15:08 +00:00			`if(~ $auth '')`
			`echo ' no auth= entry'`
			`if not {`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			`for(i in $auth){`
			`if(! ip/ping -n 1 $i >/dev/null >[2=1])`
			`echo ' auth='$i 'does not reply to ping'`
			`if not {`
			`authok=1`
			`echo ' auth='$i 'looks ok'`
			`}`
			`}`
added netaudit 2012-08-26 12:15:08 +00:00			`}`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			fs=`{ndb/ipquery sys $sysname fs \| sed 's/fs=//g'}
check for fs= in netaudit 2017-10-04 15:56:53 +00:00			`if(~ $fs '')`
			`echo ' no fs= entry (needed for tls boot)'`
netaudit: handle multiple ip addresses 2018-09-16 10:40:48 +00:00			`if not {`
			`for(i in $fs){`
			`if(! ip/ping -n 1 $i >/dev/null >[2=1])`
			`echo ' fs='$i 'does not reply to ping (needed for tls boot)'`
			`if not`
			`echo ' fs='$i 'looks ok'`
			`}`
			`}`
added netaudit 2012-08-26 12:15:08 +00:00			`}`
			`fn checkauth {`
			`echo 'checking auth server configuration:'`
			`if(~ $auth ''){`
			`echo ' no auth server'`
			`exit fail`
			`}`
			`if not {`
netaudio: fix auth check, can have multiple auth servers! 2021-12-01 21:53:18 +00:00			`for(i in $auth){`
netaudit: simplify 2021-12-01 21:59:22 +00:00			`if(~ $i $sys $dom $ip){`
netaudio: fix auth check, can have multiple auth servers! 2021-12-01 21:53:18 +00:00			`echo ' we are the auth server '^$i`
			`authisus=1`
			`}`
			`}`
added netaudit 2012-08-26 12:15:08 +00:00			`}`
			`if(~ $authisus 1){`
			`if(! grep -s keyfs <{ps})`
			`echo ' auth/keyfs is not running, try reboot'`
			`if not`
			`echo ' auth/keyfs is running'`
			`if(! grep -s 'Listen *567' <{netstat -n})`
			`echo ' no one listening on port 567, try reboot'`
			`if not {`
			`echo ' someone is listening on port 567'`
			`echo ' run auth/debug to test the auth server'`
			`}`
asaudit: check factotum key ; netaudit: mention asaudit 2017-02-25 10:54:15 +00:00			`echo ' run auth/asaudit to verify auth server configuration'`
added netaudit 2012-08-26 12:15:08 +00:00			`}`
netaudio: fix auth check, can have multiple auth servers! 2021-12-01 21:53:18 +00:00			`if not {`
			`echo ' we are not the auth server(s):' $auth`
			`echo ' if this is a mistake, set auth='$sys(1) 'or auth='^($sys(2-) $dom)`
			`if(~ $authok 1)`
			`echo ' run auth/debug to test the auth server'`
			`}`
added netaudit 2012-08-26 12:15:08 +00:00			`}`
			`fn checksec {`
			`echo 'checking basic security:'`
			`if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})`
more netaudit stuff 2012-08-26 14:10:01 +00:00			echo ' file server does not require auth for user '^`{cat '#c'/user}
added netaudit 2012-08-26 12:15:08 +00:00			`if not`
			`echo ' file server seems to require auth'`
			`}`
			`checkhost`
			`checknet`
			`checkauth`
netaudit: comment file server auth test (unreliable on cwfs) 2015-03-11 15:13:42 +00:00			`#checksec`