#!/bin/rc
# ndb sanity checker: runs a series of checks against this host's ndb
# tuple, its network tuple and the auth server setup, printing one line
# per finding (see checkhost, checknet, checkauth below).
# rfork e gives the script its own copy of the environment, so the
# variables the checks pass between each other (sys, ip, dom, auth,
# authok, authisus) do not leak back into the invoking shell.
rfork e
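# checkether NAME VALUE: report whether VALUE has the shape of an ethernet
# address as ndb and /net/ether*/addr write it (12 lowercase hex digits)
# and whether it belongs to one of this host's live interfaces.
# Prints ' NAME=VALUE' followed by one verdict on the same line.
fn checkether {
	echo -n ' '$1'='$2
	switch($2){
	case [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]
		# Look the address up in the addr file of every interface. This
		# must use the function's own argument $2: the previous version
		# read $i, the caller's loop variable, which only worked because
		# checkhost happens to loop with i.  -s: exit status only.
		if(grep -s $2 /net/ether*/addr)
			echo ' looks ok'
		if not
			echo ' does not belong to any network interface'
	case *
		echo ' has wrong format'
	}
}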
# checkip NAME VALUE: loose shape check for an ip address, either dotted
# IPv4 (a.b.c.d), fully written IPv6 (eight colon groups) or IPv6 with
# a '::' shorthand. Only the shape is checked, not the digits.
# Prints ' NAME=VALUE' followed by one verdict on the same line.
fn checkip {
	echo -n ' '$1'='$2
	switch($2){
	case *.*.*.* *:*:*:*:*:*:*:* *::*
		echo ' looks ok'
	case *
		echo ' does not look like an ip address'
	}
}
# checksys NAME VALUE: a sys= value must be a bare host name; anything
# containing a dot is flagged, since ndb would read it as a domain name
# or an ip address.
# Prints ' NAME=VALUE' followed by one verdict on the same line.
fn checksys {
	echo -n ' '$1'='$2
	switch($2){
	case *.*
		echo ' contains a dot, it will be confused for a domain name or ip address'
	case *
		echo ' looks ok'
	}
}
# checkdom NAME VALUE: a dom= value must contain at least one dot and
# must not end in one. The trailing-period case is tested first so that
# it wins over the plain "has a dot" case, as in the original ordering.
# Prints ' NAME=VALUE' followed by one verdict on the same line.
fn checkdom {
	echo -n ' '$1'='$2
	switch($2){
	case *.
		echo ' has a trailing period'
	case *.*
		echo ' looks ok'
	case *
		echo ' does not have a dot'
	}
}
# checkhost: validate this machine's own ndb tuple (sys=, ip=, dom=,
# ether=) as answered by ndb/ipquery for $sysname.
# Leaves sys, ip, dom and ether set in the environment; checkauth reads
# sys, dom and ip later to decide whether this host is the auth server.
# Exits with status 'fail' when $sysname is empty.
fn checkhost {
if(~ $sysname ''){
echo 'env var $sysname is not set'
exit 'fail'
}
checksys 'env var $sysname' $sysname
echo 'checking this host''s tuple:'
# ipquery answers as attr=value pairs; sed strips the attr= prefix so
# only the values remain in the list
sys=`{ndb/ipquery sys $sysname sys | sed 's/sys=//g'}
# $sysname itself must appear among the sys= values of its own tuple
if(! ~ $sysname $sys)
echo ' no sys= entry'
if not {
for(i in $sys){
checksys sys $i
}
}
ip=`{ndb/ipquery sys $sysname ip | sed 's/ip=//g'}
if(~ $ip '')
echo ' no ip= entry'
if not {
for(i in $ip){
checkip ip $i
}
}
dom=`{ndb/ipquery sys $sysname dom | sed 's/dom=//g'}
if(~ $dom '')
echo ' no dom= entry'
if not {
for(i in $dom){
checkdom dom $i
# dom= is expected to be the FQDN of this host, i.e. to begin with
# sysname followed by a dot
if(! ~ $i $sysname^.*)
echo ' dom='$i 'does not start with' $sysname^'; it''s supposed to be the FQDN, not the domain name!'
}
}
ether=`{ndb/ipquery sys $sysname ether | sed 's/ether=//g'}
if(~ $ether '')
echo ' no ether entry'
if not {
# the loop variable must stay named i: checkether's grep reads $i
# from the caller rather than its own $2
for(i in $ether){
checkether ether $i
}
}
}
# checknet: validate the network-level entries ndb/ipquery resolves for
# $sysname (ipnet=, ipgw=, dns=, auth=, fs=) and ping each dns, auth and
# fs server once. Ping output is discarded; only the exit status is used,
# so a server that filters ping is reported as not replying even if its
# service works.
# Leaves auth set in the environment and sets authok=1 when at least one
# auth server answered; checkauth reads both.
fn checknet {
echo 'checking the network tuple:'
ipnet=`{ndb/ipquery sys $sysname ipnet | sed 's/ipnet=//g'}
if(~ $ipnet ''){
echo ' we are not in an ipnet, so looking for entries in host tuple only'
}
if not {
echo ' we are in ' 'ipnet='^$ipnet
}
ipgw=`{ndb/ipquery sys $sysname ipgw | sed 's/ipgw=//g'}
# an empty value or the unspecified address '::' both count as no gateway
if(~ $ipgw '' '::'){
echo ' we do not have an internet gateway, no ipgw= entry'
}
if not {
for(i in $ipgw) {
checkip ipgw $i
}
}
dns=`{ndb/ipquery sys $sysname dns | sed 's/dns=//g'}
if(~ $dns '')
echo ' no dns= entry'
if not {
for(i in $dns){
# -n 1: a single probe; stdout and stderr are thrown away
if(! ip/ping -n 1 $i >/dev/null >[2=1])
echo ' dns='$i 'does not reply to ping'
if not
echo ' dns='$i 'looks ok'
}
}
auth=`{ndb/ipquery sys $sysname auth | sed 's/auth=//g'}
if(~ $auth '')
echo ' no auth= entry'
if not {
for(i in $auth){
if(! ip/ping -n 1 $i >/dev/null >[2=1])
echo ' auth='$i 'does not reply to ping'
if not {
# remembered for checkauth: some auth server is reachable. It is never
# reset, so it relies on not being present in the inherited environment.
authok=1
echo ' auth='$i 'looks ok'
}
}
}
fs=`{ndb/ipquery sys $sysname fs | sed 's/fs=//g'}
if(~ $fs '')
echo ' no fs= entry (needed for tls boot)'
if not {
for(i in $fs){
if(! ip/ping -n 1 $i >/dev/null >[2=1])
echo ' fs='$i 'does not reply to ping (needed for tls boot)'
if not
echo ' fs='$i 'looks ok'
}
}
}
# checkauth: decide whether this host is one of the auth= servers and
# report the state of the local auth service if so.
# Depends on checkhost (sys, dom, ip) and checknet (auth, authok) having
# run first; exits with status 'fail' when auth is empty.
fn checkauth {
echo 'checking auth server configuration:'
if(~ $auth ''){
echo ' no auth server'
exit fail
}
if not {
for(i in $auth){
# we are the auth server if an auth= value equals any of our own
# sys, dom or ip values
if(~ $i $sys $dom $ip){
echo ' we are the auth server '^$i
authisus=1
}
}
}
if(~ $authisus 1){
# keyfs must be running; matches any ps line containing 'keyfs'
if(! grep -s keyfs <{ps})
echo ' auth/keyfs is not running, try reboot'
if not
echo ' auth/keyfs is running'
# something must be listening on the auth port 567.
# NOTE(review): the regexp is unanchored, so a listener on e.g. port
# 5670 would satisfy it as well; tighten it if netstat's column layout
# allows a trailing delimiter to be matched.
if(! grep -s 'Listen *567' <{netstat -n})
echo ' no one listening on port 567, try reboot'
if not {
echo ' someone is listening on port 567'
echo ' run auth/debug to test the auth server'
}
echo ' run auth/asaudit to verify auth server configuration'
}
if not {
echo ' we are not the auth server(s):' $auth
# suggest our own names: the first sys= value alone, then the remaining
# sys= values and dom= values each prefixed with 'auth='
echo ' if this is a mistake, set auth='$sys(1) 'or auth='^($sys(2-) $dom)
# authok is set by checknet when an auth server answered ping
if(~ $authok 1)
echo ' run auth/debug to test the auth server'
}
}
# checksec: probe whether the file server behind /srv/boot accepts an
# attach without authentication (mount -n). The attempt runs in a forked
# namespace (rfork n) so a successful mount does not change the script's
# own namespace; mount's output is discarded and only its status counts.
fn checksec {
	echo 'checking basic security:'
	if(! @{rfork n; mount -n /srv/boot /root >/dev/null >[2=1]})
		echo ' file server seems to require auth'
	if not
		echo ' file server does not require auth for user '^`{cat '#c'/user}
}
# run the checks in dependency order: checknet uses $sysname after
# checkhost has verified it, and checkauth reads the sys/dom/ip values
# from checkhost and auth/authok from checknet
checkhost
checknet
checkauth
# checksec (the unauthenticated mount probe) is defined above but left
# disabled by the author; the reason is not recorded here
#checksec