Audit script for coincashew users

Hello there o/

I made an audit script for coincashew node installations.
This v1 collects information by running the following checks (the script doesn’t modify anything, of course!):

  • Environment Variables
  • Systemd cardano-node file verification and parsing
  • Cardano startup script verification and parsing
  • Node operation mode (Block Producer? Relay?)
  • Topology mode (p2p enabled?)
  • Topology configuration
  • Keys
  • SSHD config file parsing for hardening
  • Null passwords check
  • Key services running
  • Firewalling rules extract

It can help SPOs improve the security of their servers, and check that everything is fine.
It’s not perfect; I’m working on improvements to add features and more checks :slight_smile:

Here is my repository :

1 Like
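The "SSHD config file parsing for hardening" and "Null passwords check" items in the list above can be illustrated with the read-only example below. It is an added example, not code from the announced script; the function names, the baseline values and the sample files are assumptions constructed here.

```shell
#!/bin/sh
# Read-only checks on files passed as arguments (point them at copies if preferred).
# Baseline values and sample data are assumptions constructed for this example.

# Global value of an sshd_config keyword: first occurrence wins, keywords are
# case-insensitive, parsing stops at the first Match block, Include is not followed.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT_IF_UNSET
  awk -v key="$2" -v def="$3" '
    $1 ~ /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }' "$1"
}

# Print one FAIL line per keyword whose global value differs from the baseline.
audit_sshd() {  # usage: audit_sshd FILE
  while read -r key want def; do   # columns: keyword, wanted value, OpenSSH default
    got=$(sshd_value "$1" "$key" "$def")
    [ "$got" = "$want" ] || echo "FAIL $key=$got (expected $want)"
  done <<'EOF'
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PermitEmptyPasswords no no
EOF
}

# Accounts whose shadow password field is empty, i.e. no password is required.
null_password_users() {  # usage: null_password_users SHADOW_FILE
  awk -F: '$2 == "" { print $1 }' "$1"
}

write_samples() {  # usage: write_samples DIR ; writes constructed sample files
  cat > "$1/sshd_config" <<'EOF'
# constructed sample
Port 22
permitrootlogin yes
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
  cat > "$1/shadow" <<'EOF'
root:!:19400:0:99999:7:::
cardano:$6$constructed$notarealhash:19400:0:99999:7:::
backup::19400:0:99999:7:::
EOF
}

demo=$(mktemp -d) && write_samples "$demo"
audit_sshd "$demo/sshd_config"; null_password_users "$demo/shadow"; rm -rf "$demo"
```

On a live host, `sshd -T` (run as root) prints the effective configuration with Include files resolved, which avoids the parsing limits noted in the comments.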

Hello there o/

I just finished v2 of the script, which brings:

  • Improved Cardano config parsing accuracy
  • Improved KES files detection and checks
  • KES expiry calculation and alert
  • /etc/sysctl.conf hardening checks

On top of several minor improvements.

Reminder: The Cardano config checks will work only for Coincashew installations. But all the other checks (security, system, sshd, etc.) will work on any Linux server (tested on Ubuntu 22.04.02).

You can try it there :

1 Like

I’m glad to announce that the Cardano Audit Script for coincashew users has been included in the Coincashew Guide (section IV. Administration).

1 Like

Hello there o/

The newest version of the script is available (v5.0.0):

  • Cardano-node latest version verification
  • Cardano new P2P bootstrap check
  • Environment Variables
  • Systemd cardano-node file verification and parsing
  • Cardano startup script verification and parsing
  • Node operation mode (Block Producer? Relay?)
  • Topology mode (p2p enabled)
  • Topology configuration
  • Keys
  • SSHD hardening
  • Null passwords check
  • Important services running
  • Firewalling rules extract
  • KES expiry and rotation alert
  • sysctl.conf hardening check