X-Git-Url: https://git.lizzy.rs/?a=blobdiff_plain;f=rc%2Fbin%2Fnetaudit;h=926f2fed271ee7f5e62c83cd7546250db07eb685;hb=87e437a856f00ac412c0ded9b124b358b3eb10ce;hp=929085eb061b2da23a7656d3fcc1352d7e18a363;hpb=681f273489506895ac9d90b6adf955fdc20ce576;p=plan9front.git

diff --git a/rc/bin/netaudit b/rc/bin/netaudit
index 929085eb0..926f2fed2 100755
--- a/rc/bin/netaudit
+++ b/rc/bin/netaudit
@@ -5,69 +5,108 @@ fn checkhost {
 		echo 'sysname= env var is not set'
 		exit 'fail'
 	}
-	dom=`{ndb/query sys $sysname dom}
 	echo 'checking this host''s tuple:'
+	ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
+	if(~ $ip '')
+		echo '	no ip= entry'
+	if not
+		echo '	ip='$ip 'looks ok'
+	dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
 	if(~ $dom '')
 		echo '	no dom= entry'
-	if not if(! ~ $dom *.*)
-		echo '	dom='$dom 'does not have a dot'
-	if not if(! ~ $dom $sysname^.*)
-		echo '	dom='$dom 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
-	if not
-		echo '	dom='$dom 'looks ok'
-	ether=`{ndb/query sys $sysname ether}
+	if not {
+		for(i in $dom){
+			if(! ~ $i *.*)
+				echo '	dom='$i 'does not have a dot'
+			if not if(! ~ $i $sysname^.*)
+				echo '	dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
+			if not
+				echo '	dom='$i 'looks ok'
+		}
+	}
+	ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
 	if(~ $ether '')
 		echo '	no ether entry'
-	if not if(! ~ $ether [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
-		echo '	ether='$ether 'has wrong format'
-	if not if(! grep -s $ether /net/ether*/addr)
-		echo '	ether='$ether 'does not belong to any network interface'
-	if not
-		echo '	ether='$ether 'looks ok'
+	if not {
+		for(i in $ether){
+			if(! ~ $i [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
+				echo '	ether='$i 'has wrong format'
+			if not if(! grep -s $i /net/ether*/addr)
+				echo '	ether='$i 'does not belong to any network interface'
+			if not
+				echo '	ether='$i 'looks ok'
+		}
+	}
 }
 fn checknet {
 	echo 'checking the network tuple:'
-	ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/^ipnet=//'}
+	ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
 	if(~ $ipnet ''){
-		echo '	we are not in an ipnet, check your ipnet= entry'
-		exit fail
+		echo '	we are not in an ipnet, so looking for entries in host tuple only'
 	}
 	if not
 		echo '	we are in ipnet='^$ipnet
-	dns=`{ndb/query ipnet $ipnet dns}
+	ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
+	if(~ $ipgw '' '::'){
+		echo '	we do not have an internet gateway, no ipgw= entry'
+	}
+	if not {
+		if(! ~ $ipgw *.*.*.* *:*:*:*:*:*:*:* *::*)
+			echo '	ipgw='$ipgw 'does not look like an ip address'
+		if not
+			echo '	ipgw='$ipgw 'looks ok'
+	}
+	dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
 	if(~ $dns '')
 		echo '	no dns= entry'
-	if not if(! ip/ping -n 1 $dns >/dev/null >[2=1])
-		echo '	dns='$dns 'does not reply to ping'
-	if not
-		echo '	dns='$dns 'looks ok'
-	auth=`{ndb/query ipnet $ipnet auth}
+	if not {
+		for(i in $dns){
+			if(! ip/ping -n 1 $i >/dev/null >[2=1])
+				echo '	dns='$i 'does not reply to ping'
+			if not
+				echo '	dns='$i 'looks ok'
+		}
+	}
+	auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
 	if(~ $auth '')
 		echo '	no auth= entry'
-	if not if(! ip/ping -n 1 $auth >/dev/null >[2=1])
-		echo '	auth='$auth 'does not reply to ping'
 	if not {
-		authok=1
-		echo '	auth='$auth 'looks ok'
+		for(i in $auth){
+			if(! ip/ping -n 1 $i >/dev/null >[2=1])
+				echo '	auth='$i 'does not reply to ping'
+			if not {
+				authok=1
+				echo '	auth='$i 'looks ok'
+			}
+		}
+	}
+	fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
+	if(~ $fs '')
+		echo '	no fs= entry (needed for tls boot)'
+	if not {
+		for(i in $fs){
+			if(! ip/ping -n 1 $i >/dev/null >[2=1])
+				echo '	fs='$i 'does not reply to ping (needed for tls boot)'
+			if not
+				echo '	fs='$i 'looks ok'
+		}
 	}
-	authdom=`{ndb/query ipnet $ipnet authdom}
-	if(~ $authdom '')
-		echo '	no authdom= entry'
-	if not
-		echo '	authdom='$authdom 'looks ok'
 }
 fn checkauth {
 	echo 'checking auth server configuration:'
-	auth=`{ndb/query ipnet $ipnet auth}
 	if(~ $auth ''){
 		echo '	no auth server'
 		exit fail
 	}
-	if not if(~ $auth $sysname){
+	if not if(~ $sysname $auth){
+		echo '	we are the auth server'
+		authisus=1
+	}
+	if not if(~ $dom $auth){
 		echo '	we are the auth server'
 		authisus=1
 	}
-	if not if(~ $auth $dom){
+	if not if(~ $ip $auth){
 		echo '	we are the auth server'
 		authisus=1
 	}
@@ -88,6 +127,7 @@ fn checkauth {
 			echo '	someone is listening on port 567'
 			echo '	run auth/debug to test the auth server'
 		}
+		echo '	run auth/asaudit to verify auth server configuration'
 	}
 
 }
@@ -101,4 +141,4 @@ fn checksec {
 checkhost
 checknet
 checkauth
-checksec
+#checksec