Remove ap(1)

[plan9front.git] / rc / bin / netaudit

#!/bin/rc
rfork e
fn checkhost {
        if(~ $sysname ''){
                echo 'sysname= env var is not set'
                exit 'fail'
        }
        echo 'checking this host''s tuple:'
        ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
        if(~ $ip '')
                echo '  no ip= entry'
        if not
                echo '  ip='$ip 'looks ok'
        dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
        if(~ $dom '')
                echo '  no dom= entry'
        if not {
                for(i in $dom){
                        if(! ~ $i *.*)
                                echo '  dom='$i 'does not have a dot'
                        if not if(! ~ $i $sysname^.*)
                                echo '  dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
                        if not
                                echo '  dom='$i 'looks ok'
                }
        }
        ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
        if(~ $ether '')
                echo '  no ether entry'
        if not {
                for(i in $ether){
                        if(! ~ $i [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
                                echo '  ether='$i 'has wrong format'
                        if not if(! grep -s $i /net/ether*/addr)
                                echo '  ether='$i 'does not belong to any network interface'
                        if not
                                echo '  ether='$i 'looks ok'
                }
        }
}
fn checknet {
        echo 'checking the network tuple:'
        ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
        if(~ $ipnet ''){
                echo '  we are not in an ipnet, so looking for entries in host tuple only'
        }
        if not
                echo '  we are in ipnet='^$ipnet
        ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
        if(~ $ipgw '' '::'){
                echo '  we do not have an internet gateway, no ipgw= entry'
        }
        if not {
                if(! ~ $ipgw *.*.*.* *:*:*:*:*:*:*:* *::*)
                        echo '  ipgw='$ipgw 'does not look like an ip address'
                if not
                        echo '  ipgw='$ipgw 'looks ok'
        }
        dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
        if(~ $dns '')
                echo '  no dns= entry'
        if not {
                for(i in $dns){
                        if(! ip/ping -n 1 $i >/dev/null >[2=1])
                                echo '  dns='$i 'does not reply to ping'
                        if not
                                echo '  dns='$i 'looks ok'
                }
        }
        auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
        if(~ $auth '')
                echo '  no auth= entry'
        if not {
                for(i in $auth){
                        if(! ip/ping -n 1 $i >/dev/null >[2=1])
                                echo '  auth='$i 'does not reply to ping'
                        if not {
                                authok=1
                                echo '  auth='$i 'looks ok'
                        }
                }
        }
        fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
        if(~ $fs '')
                echo '  no fs= entry (needed for tls boot)'
        if not {
                for(i in $fs){
                        if(! ip/ping -n 1 $i >/dev/null >[2=1])
                                echo '  fs='$i 'does not reply to ping (needed for tls boot)'
                        if not
                                echo '  fs='$i 'looks ok'
                }
        }
}
fn checkauth {
        echo 'checking auth server configuration:'
        if(~ $auth ''){
                echo '  no auth server'
                exit fail
        }
        if not if(~ $sysname $auth){
                echo '  we are the auth server'
                authisus=1
        }
        if not if(~ $dom $auth){
                echo '  we are the auth server'
                authisus=1
        }
        if not if(~ $ip $auth){
                echo '  we are the auth server'
                authisus=1
        }
        if not {
                echo '  we are not the auth server '^$auth
                echo '  if this is a mistake, set auth='$sysname' or auth='$dom
                if(~ $authok 1)
                        echo '  run auth/debug to test the auth server'
        }
        if(~ $authisus 1){
                if(! grep -s keyfs <{ps})
                        echo '  auth/keyfs is not running, try reboot'
                if not
                        echo '  auth/keyfs is running'
                if(! grep -s 'Listen *567' <{netstat -n})
                        echo '  no one listening on port 567, try reboot'
                if not {
                        echo '  someone is listening on port 567'
                        echo '  run auth/debug to test the auth server'
                }
                echo '  run auth/asaudit to verify auth server configuration'
        }

}
fn checksec {
        echo 'checking basic security:'
        if(@{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})
                echo '  file server does not require auth for user '^`{cat '#c'/user}
        if not
                echo '  file server seems to require auth'
}
checkhost
checknet
checkauth
#checksec