This would be a great script. Just reading the items that you wrote
made me curious about some things in my setup, and I would like to test
them out, but manually it would be a chore on several of them, of course.

micah

On Fri, 29 Apr 2005, Oliver Dietz wrote:

> Hi NG,
> Hi Herbert,
> 
> >>Is there a tool (like testme.sh) that tests the common (maybe also
> >>uncommon) possibilities of misconfigurations (like the capabilities and
> >>chroot-exploits) from inside the VServer?
> >
> >not yet, but sounds like something useful to me ...
> 
> ok, let's do some brainstorming (comment: I'm no vserver specialist, nor can
> I write programs on Linux):
> 
> Output could be like this:
> ---
> # vserver test enter
> [...]
> context id is now ...
> [...]
> # vcapcheck
> Checking environment ...
> 
> contextid is: 4711                               [OK]
> effective userid is: 0                           [OK]
> real userid is: 0                                [OK]
> effective groupid is: 0                          [OK]
> real groupid is: 0                               [OK]
> 
> Checking posix capabilities ...
> 
> i have CAP_CHOWN                                 [OK]
> i have CAP_KILL                                  [OK]
> [...]
> i have CAP_LINUX_IMMUTABLE                       [WARN]
>   if you have locked some files because of unification,
>   you should assign the immutable flag to a vps.
>   to remove this capability edit ...
> i don't have CAP_NET_BROADCAST                   [OK]
> i have CAP_SYS_BOOT                              [ERROR]
>   Warning: any vserver can reboot the real server
> i don't have CAP_MKNOD                           [OK]
> 
> Checking the Network Separation ...
> 
> determining if someone else listens on my ip     [WARN]
>   someone else is listening on port 22 (ssh), maybe
>   the host is configured to listen on 0:0:0:0
> trying to listen on localhost: no success        [OK]
> [...]
> 
> Trying to break out of the chroot jail ...
> 
> ... to access the host's files: no success       [OK]
> ... to access other vservers: success            [ERROR]
>    [...]
> 
> Trying to mount hda/sda/...: no success          [OK]
> Checking dev-directory: nothing suspicious found [OK]
> Checking proc-fs                                 [WARN]
>   found kmem-entry [...]
> 
> Checking for the usable RAM space                [512MB]
> Checking for available disk space                [10 G]
>   if the vserver is on the same partition as the real server
>   you should verify that the vserver can't grab all disk space
>   available
> [...]
> ---
> 
> hm ... this list will get very long ... but I think it's very useful when
> configuring a vserver ...
> 
> 
> ... Oliver 
> 
> _______________________________________________
> Vserver mailing list
> Vserver@list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
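As an added example (not part of the thread, and not the vcapcheck tool Oliver sketches), here is a small POSIX shell script that produces the capability section of that mock output from inside a context: it reads the effective capability mask (CapEff) that the kernel exposes in /proc/self/status and reports the capabilities named above. The bit numbers are the kernel's from linux/capability.h; the OK/WARN/ERROR verdicts per capability are assumed, following the thread.

```shell
#!/bin/sh
# Added example, not the vcapcheck tool from the thread: report the POSIX
# capabilities discussed above from the effective mask in /proc/self/status.

# Capability bit numbers from linux/capability.h.
CAP_CHOWN=0
CAP_KILL=5
CAP_LINUX_IMMUTABLE=9
CAP_NET_BROADCAST=11
CAP_SYS_BOOT=22
CAP_MKNOD=27

# cap_bit_set MASK BIT: print 1 if BIT is set in the hex MASK, else 0.
# Only the low 32 bits are inspected; every capability checked here is below 32.
cap_bit_set() {
    m=$1
    while [ ${#m} -lt 8 ]; do m=0$m; done   # pad short masks on the left
    low=${m#${m%????????}}                   # keep the last eight hex digits
    echo $(( (0x$low >> $2) & 1 ))
}

# cap_verdict MASK NAME BIT HAVE LACK: one line in the style of the mock output;
# HAVE is the verdict when the capability is present, LACK when it is absent.
cap_verdict() {
    if [ "$(cap_bit_set "$1" "$3")" = 1 ]; then
        printf 'i have %-22s [%s]\n' "$2" "$4"
    else
        printf 'i dont have %-17s [%s]\n' "$2" "$5"
    fi
}

# report_caps MASK: the capability section of the check (verdicts assumed).
report_caps() {
    echo "Checking posix capabilities ..."
    cap_verdict "$1" CAP_SYS_BOOT        $CAP_SYS_BOOT        ERROR OK
    cap_verdict "$1" CAP_MKNOD           $CAP_MKNOD           ERROR OK
    cap_verdict "$1" CAP_LINUX_IMMUTABLE $CAP_LINUX_IMMUTABLE WARN  OK
    cap_verdict "$1" CAP_NET_BROADCAST   $CAP_NET_BROADCAST   WARN  OK
    cap_verdict "$1" CAP_CHOWN           $CAP_CHOWN           OK    OK
    cap_verdict "$1" CAP_KILL            $CAP_KILL            OK    OK
}

# read_capeff: the CapEff value of this shell, empty if /proc is unavailable.
read_capeff() {
    [ -r /proc/self/status ] || return 0
    while read -r key val; do
        if [ "$key" = "CapEff:" ]; then echo "$val"; fi
    done < /proc/self/status
}

mask=$(read_capeff)
if [ -n "$mask" ]; then report_caps "$mask"; else echo "CapEff not available (no /proc); nothing checked"; fi
```

Run it inside the context to be checked; the verdict table is easy to extend with further bits from linux/capability.h.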