diff --git a/rc/bin/netaudit b/rc/bin/netaudit
new file mode 100755
index 000000000..acbafc68c
--- /dev/null
+++ b/rc/bin/netaudit
@@ -0,0 +1,104 @@
+#!/bin/rc
+rfork e
+fn checkhost {
+ if(~ $sysname ''){
+ echo 'sysname= env var is not set'
+ exit 'fail'
+ }
+ dom=`{ndb/ipquery sys $sysname dom | sed 's/^dom=//'}
+ echo 'checking this host''s tuple:'
+ if(~ dom '')
+ echo ' no dom= entry'
+ if not if(! ~ $dom *.*)
+ echo ' dom='$dom 'does not have a dot'
+ if not if(! ~ $dom $sysname^.*)
+ echo ' dom='$dom 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
+ if not
+ echo ' dom='$dom 'looks ok'
+ ether=`{ndb/ipquery sys $sysname ether | sed 's/^ether=//'}
+ if(~ $ether '')
+ echo ' no ether entry'
+ if not if(! ~ $ether [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
+ echo ' ether='$ether 'has wrong format'
+ if not if(! grep -s $ether /net/ether*/addr)
+ echo ' ether='$ether 'does not belong to any network interface'
+ if not
+ echo ' ether='$ether 'looks ok'
+}
+fn checknet {
+ echo 'checking the network tuple:'
+ ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/^ipnet=//'}
+ if(~ $ipnet ''){
+ echo ' we are not in an ipnet, check your ipnet= entry'
+ exit fail
+ }
+ if not
+ echo ' we are in ipnet='^$ipnet
+ dns=`{ndb/query ipnet $ipnet dns | sed 's/^dns=//'}
+ if(~ $dns '')
+ echo ' no dns= entry'
+ if not if(! ip/ping -n 1 $dns >/dev/null >[2=1])
+ echo ' dns='$dns 'does not reply to ping'
+ if not
+ echo ' dns='$dns 'looks ok'
+ auth=`{ndb/query ipnet $ipnet auth | sed 's/^auth=//'}
+ if(~ $auth '')
+ echo ' no auth= entry'
+ if not if(! ip/ping -n 1 $auth >/dev/null >[2=1])
+ echo ' auth='$auth 'does not reply to ping'
+ if not {
+ authok=1
+ echo ' auth='$auth 'looks ok'
+ }
+ authdom=`{ndb/query ipnet $ipnet authdom | sed 's/^authdom=//'}
+ if(~ $authdom '')
+ echo ' no authdom= entry'
+ if not
+ echo ' authdom='$authdom 'looks ok'
+}
+fn checkauth {
+ echo 'checking auth server configuration:'
+ auth=`{ndb/ipquery ipnet $ipnet auth | sed 's/^auth=//' }
+ if(~ $auth ''){
+ echo ' no auth server'
+ exit fail
+ }
+ if not if(~ $auth $sysname){
+ echo ' we are the auth server'
+ authisus=1
+ }
+ if not if(~ $auth $dom){
+ echo ' we are the auth server'
+ authisus=1
+ }
+ if not {
+ echo ' we are not the auth server '^$auth
+ echo ' if this is a mistake, set auth='$sysname' or auth='$dom
+ if(~ $authok 1)
+ echo ' run auth/debug to test the auth server'
+ }
+ if(~ $authisus 1){
+ if(! grep -s keyfs <{ps})
+ echo ' auth/keyfs is not running, try reboot'
+ if not
+ echo ' auth/keyfs is running'
+ if(! grep -s 'Listen *567' <{netstat -n})
+ echo ' no one listening on port 567, try reboot'
+ if not {
+ echo ' someone is listening on port 567'
+ echo ' run auth/debug to test the auth server'
+ }
+ }
+
+}
+fn checksec {
+ echo 'checking basic security:'
+ if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})
+ echo ' file server does not require auth'
+ if not
+ echo ' file server seems to require auth'
+}
+checkhost
+checknet
+checkauth
+checksec
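Review bot: The first branch of the dom check in checkhost, `if(~ dom '')`, compares the literal word `dom` with the empty string instead of the variable, so the ' no dom= entry' message can never be printed; when ndb/ipquery returns nothing the script falls through to the next test and reports ` dom= does not have a dot` instead. The line should read `if(~ $dom '')`, matching the `if(~ $ether '')` form used a few lines below. Less certain: checknet looks up the auth server with `ndb/query ipnet $ipnet auth` while checkauth re-queries the same attribute with `ndb/ipquery ipnet $ipnet auth`; if the two commands resolve the ipnet differently, the `$auth` that drives the "we are the auth server" decision may not be the host that was pinged, so using one tool in both places would make the report consistent.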