#!/bin/rc
# Checks this host's ndb configuration in three steps (checkhost, checknet,
# checkauth below), printing one line per finding on standard output.
# rfork e: fork the environment group, so the variables the checks set
# (ip, dom, ether, auth, authok, authisus, ...) stay private to this script.
rfork e
fn checkhost {
	# Check this host's own ndb tuple (ip=, dom=, ether=), printing one
	# line per finding. Sets the globals $ip, $dom and $ether, which
	# checkauth reads later; $sysname must already be set.
	if(~ $sysname ''){
		echo 'sysname= env var is not set'
		exit 'fail'
	}
	echo 'checking this host''s tuple:'

	# ip=: presence only, the address itself is not validated here
	ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
	if(! ~ $ip '')
		echo ' ip='^$ip 'looks ok'
	if not
		echo ' no ip= entry'

	# dom=: every entry must be a fully qualified name of this host,
	# i.e. contain a dot and start with $sysname followed by a dot
	dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
	if(~ $dom '')
		echo ' no dom= entry'
	if not {
		for(d in $dom){
			if(! ~ $d *.*)
				echo ' dom='^$d 'does not have a dot'
			if not if(! ~ $d $sysname^.*)
				echo ' dom='^$d 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
			if not
				echo ' dom='^$d 'looks ok'
		}
	}

	# ether=: exactly 12 lower-case hex digits (no separators, upper case
	# is rejected), and the address must appear in /net/ether*/addr, i.e.
	# belong to an interface present on this machine
	ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
	if(~ $ether '')
		echo ' no ether entry'
	if not {
		for(mac in $ether){
			if(! ~ $mac [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
				echo ' ether='^$mac 'has wrong format'
			if not if(! grep -s $mac /net/ether*/addr)
				echo ' ether='^$mac 'does not belong to any network interface'
			if not
				echo ' ether='^$mac 'looks ok'
		}
	}
}
fn checknet {
	# Check the network tuple this host belongs to: ipnet=, ipgw=, dns=,
	# auth= and fs=. Reachability of dns/auth/fs servers is tested with a
	# single ip/ping, so a server that does not answer ping is reported as
	# failing even if its service is up. Sets the globals $ipnet, $ipgw,
	# $dns, $auth, $fs and, when an auth server answers, $authok=1
	# (read by checkauth).
	echo 'checking the network tuple:'
	ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
	if(! ~ $ipnet '')
		echo ' we are in ipnet='^$ipnet
	if not
		echo ' we are not in an ipnet, so looking for entries in host tuple only'

	# an absent or '::' gateway both count as "no gateway"
	ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
	if(~ $ipgw '' '::')
		echo ' we do not have an internet gateway, no ipgw= entry'
	if not {
		# loose shape check only: a dotted quad or something with colons
		if(~ $ipgw *.*.*.* *:*:*:*:*:*:*:* *::*)
			echo ' ipgw='^$ipgw 'looks ok'
		if not
			echo ' ipgw='^$ipgw 'does not look like an ip address'
	}

	dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
	if(~ $dns '')
		echo ' no dns= entry'
	if not {
		for(srv in $dns){
			if(ip/ping -n 1 $srv >/dev/null >[2=1])
				echo ' dns='^$srv 'looks ok'
			if not
				echo ' dns='^$srv 'does not reply to ping'
		}
	}

	# a pingable auth server sets authok=1 so checkauth can suggest auth/debug
	auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
	if(~ $auth '')
		echo ' no auth= entry'
	if not {
		for(srv in $auth){
			if(ip/ping -n 1 $srv >/dev/null >[2=1]){
				authok=1
				echo ' auth='^$srv 'looks ok'
			}
			if not
				echo ' auth='^$srv 'does not reply to ping'
		}
	}

	fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
	if(~ $fs '')
		echo ' no fs= entry (needed for tls boot)'
	if not {
		for(srv in $fs){
			if(ip/ping -n 1 $srv >/dev/null >[2=1])
				echo ' fs='^$srv 'looks ok'
			if not
				echo ' fs='^$srv 'does not reply to ping (needed for tls boot)'
		}
	}
}
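fn checkauth {
	# Report whether this host is the auth server named by $auth (set by
	# checknet) and, if it is, whether auth/keyfs is running and something
	# is listening on port 567. Reads $sysname, $dom, $ip and $authok;
	# exits with status fail when there is no auth= entry.
	echo 'checking auth server configuration:'
	if(~ $auth ''){
		echo ' no auth server'
		exit fail
	}
	# Match each name separately instead of ~ $dom $auth / ~ $ip $auth:
	# rc's ~ joins a list subject into one space-separated word, so a host
	# with several dom= or ip= entries would never match its own auth=.
	# Start from unset so a stray authisus=1 inherited from the environment
	# cannot make the server-side checks run on a client.
	authisus=()
	for(name in $sysname $dom $ip){
		if(~ $name $auth)
			authisus=1
	}
	if(~ $authisus 1)
		echo ' we are the auth server'
	if not {
		echo ' we are not the auth server '^$auth
		echo ' if this is a mistake, set auth='$sysname' or auth='$dom
		if(~ $authok 1)
			echo ' run auth/debug to test the auth server'
	}
	if(~ $authisus 1){
		# substring match on the ps listing: any process whose line
		# contains keyfs counts as the key server being up
		if(! grep -s keyfs <{ps})
			echo ' auth/keyfs is not running, try reboot'
		if not
			echo ' auth/keyfs is running'
		# NOTE(review): the pattern is unanchored, so a listener on a port
		# that merely begins with 567 would also satisfy it
		if(! grep -s 'Listen *567' <{netstat -n})
			echo ' no one listening on port 567, try reboot'
		if not {
			echo ' someone is listening on port 567'
			echo ' run auth/debug to test the auth server'
		}
		echo ' run auth/asaudit to verify auth server configuration'
	}
}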
fn checksec {
	# Probe whether the file server accepts an attach without
	# authentication: mount -n skips auth, and the attempt runs in a
	# fresh namespace (rfork n) inside @{} so a successful mount does not
	# affect this script. Success means the server hands out the
	# current user's (from '#c'/user) files to anyone who asks.
	echo 'checking basic security:'
	if(! @{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})
		echo ' file server seems to require auth'
	if not
		echo ' file server does not require auth for user '^`{cat '#c'/user}
}
# Order matters: checkhost sets $ip/$dom, checknet sets $auth/$authok,
# and checkauth reads all four.
checkhost
checknet
checkauth
# The unauthenticated-mount probe in fn checksec is disabled here; uncomment
# to also test whether the file server accepts attaches without auth.
#checksec