audit.command.sh
· 6.4 KiB · Bash
Неформатований
#!/usr/bin/env bash
function cmd::audit::on_load() {
flag::register --fix
flag::register --peer
flag::register --type
}
function cmd::audit::help() {
cat <<EOF
Usage: wgctl audit [options]
Verify that all peers have the correct iptables firewall rules applied.
Checks expected rule count (including inherited rules and peer-specific blocks)
vs actual iptables state.
Options:
--peer <name> Audit specific peer only
--type <type> Audit peers of specific device type only
--fix Attempt to auto-repair missing or extra rules
Output:
✅ pass — peer has correct rule count
❌ fail — peer has missing rules (run --fix to repair)
⚠️ warn — peer has extra rules or configuration issues
Notes:
Fully blocked peers (removed from WireGuard) show 0 expected fw rules.
Restricted peers (peer-specific blocks) have their block rules included
in the expected count.
Examples:
wgctl audit
wgctl audit --peer phone-nuno
wgctl audit --type guest
wgctl audit --fix
EOF
}
function cmd::audit::run() {
local fix=false peer="" type=""
while [[ $# -gt 0 ]]; do
case "$1" in
--fix) fix=true; shift ;;
--peer)
if [[ -z "${2:-}" ]]; then
log::error "Flag --peer requires a value"
cmd::audit::help
return 1
fi
peer="$2"
shift 2
;;
--type) type="$2"; shift 2 ;;
--help) cmd::audit::help; return ;;
*)
log::error "Unknown flag: $1"
return 1
;;
esac
done
test::reset
log::section "WireGuard Audit"
# Precompute iptables counts via single Python call
declare -A peer_fw_counts
while IFS=":" read -r peer_name count; do
[[ -n "$peer_name" ]] && peer_fw_counts["$peer_name"]="$count"
done < <(json::audit_fw_counts "$(ctx::clients)")
test::section "Peer Rules"
while IFS= read -r peer_name; do
[[ -n "$peer" && "$peer_name" != "$peer" ]] && continue
[[ -n "$type" && "$peer_name" != "${type}-"* ]] && continue
cmd::audit::check_peer "$peer_name" "$fix" "${peer_fw_counts[$peer_name]:-0}"
done < <(peers::all)
test::section "WireGuard Server"
cmd::audit::check_wg "$fix" "$peer" "$type"
test::section "Rules"
cmd::audit::check_rules
test::summary
}
function cmd::audit::check_peer() {
local peer_name="$1" fix="$2" actual="${3:-0}"
local ip rule
ip=$(peers::get_ip "$peer_name")
rule=$(peers::get_meta "$peer_name" "rule")
if [[ -z "$rule" ]]; then
test::warn "$peer_name — no rule assigned (effective: $(peers::default_rule "$peer_name"))"
return 0
fi
if ! rule::exists "$rule"; then
test::fail "$peer_name — assigned rule '$rule' does not exist"
return 0
fi
# Blocked peers have no fw rules (removed from wg0)
if block::is_blocked "$peer_name" 2>/dev/null; then
if [[ "$actual" -eq 0 ]]; then
test::pass "$(printf "%-28s rule=%-15s blocked (no fw rules)" \
"$peer_name" "$rule")"
else
test::warn "$(printf "%-28s rule=%-15s blocked but has %s fw rules" \
"$peer_name" "$rule" "$actual")"
fi
return 0
fi
# Count expected rules from assigned rule (includes inheritance)
local block_ports block_ips allow_ports allow_ips
block_ports=$(json::count_resolved "$rule" "block_ports")
block_ips=$(json::count_resolved "$rule" "block_ips")
allow_ports=$(json::count_resolved "$rule" "allow_ports")
allow_ips=$(json::count_resolved "$rule" "allow_ips")
local expected=$(( (block_ports + block_ips) * 2 + allow_ports + allow_ips ))
# Add peer-specific block rules (each ip/port/subnet = 2 rules: NFLOG+DROP)
if block::has_specific_rules "$peer_name" 2>/dev/null; then
while IFS="|" read -r bname btype target port proto; do
[[ -z "$btype" || "$btype" == "full" ]] && continue
(( expected += 2 )) || true
done < <(block::get_rules "$peer_name")
fi
if [[ "$actual" -eq "$expected" ]]; then
test::pass "$(printf "%-28s rule=%-15s fw: %s/%s" \
"$peer_name" "$rule" "$actual" "$expected")"
elif [[ "$actual" -gt "$expected" ]]; then
test::warn "$(printf "%-28s rule=%-15s fw: %s/%s (extra rules)" \
"$peer_name" "$rule" "$actual" "$expected")"
if $fix; then
fw::flush_peer "$ip"
rule::apply "$rule" "$ip" "$peer_name"
block::restore_rules_for "$peer_name" "$ip"
test::pass " Fixed: $peer_name"
fi
else
test::fail "$(printf "%-28s rule=%-15s fw: %s/%s (missing rules)" \
"$peer_name" "$rule" "$actual" "$expected")"
if $fix; then
rule::apply "$rule" "$ip" "$peer_name"
block::restore_rules_for "$peer_name" "$ip"
test::pass " Fixed: $peer_name"
fi
fi
return 0
}
function cmd::audit::check_wg() {
local fix="$1" filter_peer="$2" filter_type="$3"
local wg_peers
wg_peers=$(wg show wg0 peers 2>/dev/null)
while IFS= read -r peer_name; do
[[ -n "$filter_peer" && "$peer_name" != "$filter_peer" ]] && continue
[[ -n "$filter_type" && "$peer_name" != "${filter_type}-"* ]] && continue
local pub_key
pub_key=$(keys::public "$peer_name" 2>/dev/null)
[[ -z "$pub_key" ]] && test::fail "$peer_name — missing public key" && continue
if peers::is_blocked "$peer_name"; then
if echo "$wg_peers" | grep -q "$pub_key"; then
test::fail "$peer_name — blocked but still in wg0"
$fix && peers::remove_from_server "$peer_name" && peers::reload
else
test::pass "$peer_name — correctly blocked (not in wg0)"
fi
else
if echo "$wg_peers" | grep -q "$pub_key"; then
test::pass "$peer_name — present in wg0"
else
test::fail "$peer_name — missing from wg0"
if $fix; then
local ip
ip=$(peers::get_ip "$peer_name")
peers::add_to_server "$peer_name" "$pub_key" "$ip"
peers::reload
fi
fi
fi
done < <(peers::all)
}
function cmd::audit::check_rules() {
local rules_dir
rules_dir="$(ctx::rules)"
# Precompute peer counts
declare -A rule_counts
while IFS= read -r peer_name; do
local r
r=$(peers::get_meta "$peer_name" "rule")
[[ -z "$r" ]] && continue
rule_counts["$r"]=$(( ${rule_counts["$r"]:-0} + 1 ))
done < <(peers::all)
for rule_file in "${rules_dir}"/*.rule; do
[[ -f "$rule_file" ]] || continue
local name
name=$(json::get "$rule_file" "name")
local count=${rule_counts["$name"]:-0}
test::pass "Rule '${name}' — ${count} peers assigned"
done
}
| 1 | #!/usr/bin/env bash |
| 2 | |
| 3 | function cmd::audit::on_load() { |
| 4 | flag::register --fix |
| 5 | flag::register --peer |
| 6 | flag::register --type |
| 7 | } |
| 8 | |
| 9 | function cmd::audit::help() { |
| 10 | cat <<EOF |
| 11 | Usage: wgctl audit [options] |
| 12 | |
| 13 | Verify that all peers have the correct iptables firewall rules applied. |
| 14 | Checks expected rule count (including inherited rules and peer-specific blocks) |
| 15 | vs actual iptables state. |
| 16 | |
| 17 | Options: |
| 18 | --peer <name> Audit specific peer only |
| 19 | --type <type> Audit peers of specific device type only |
| 20 | --fix Attempt to auto-repair missing or extra rules |
| 21 | |
| 22 | Output: |
| 23 | ✅ pass — peer has correct rule count |
| 24 | ❌ fail — peer has missing rules (run --fix to repair) |
| 25 | ⚠️ warn — peer has extra rules or configuration issues |
| 26 | |
| 27 | Notes: |
| 28 | Fully blocked peers (removed from WireGuard) show 0 expected fw rules. |
| 29 | Restricted peers (peer-specific blocks) have their block rules included |
| 30 | in the expected count. |
| 31 | |
| 32 | Examples: |
| 33 | wgctl audit |
| 34 | wgctl audit --peer phone-nuno |
| 35 | wgctl audit --type guest |
| 36 | wgctl audit --fix |
| 37 | EOF |
| 38 | } |
| 39 | |
| 40 | function cmd::audit::run() { |
| 41 | local fix=false peer="" type="" |
| 42 | |
| 43 | while [[ $# -gt 0 ]]; do |
| 44 | case "$1" in |
| 45 | --fix) fix=true; shift ;; |
| 46 | --peer) |
| 47 | if [[ -z "${2:-}" ]]; then |
| 48 | log::error "Flag --peer requires a value" |
| 49 | cmd::audit::help |
| 50 | return 1 |
| 51 | fi |
| 52 | peer="$2" |
| 53 | shift 2 |
| 54 | ;; |
| 55 | --type) type="$2"; shift 2 ;; |
| 56 | --help) cmd::audit::help; return ;; |
| 57 | *) |
| 58 | log::error "Unknown flag: $1" |
| 59 | return 1 |
| 60 | ;; |
| 61 | esac |
| 62 | done |
| 63 | |
| 64 | test::reset |
| 65 | log::section "WireGuard Audit" |
| 66 | |
| 67 | # Precompute iptables counts via single Python call |
| 68 | declare -A peer_fw_counts |
| 69 | while IFS=":" read -r peer_name count; do |
| 70 | [[ -n "$peer_name" ]] && peer_fw_counts["$peer_name"]="$count" |
| 71 | done < <(json::audit_fw_counts "$(ctx::clients)") |
| 72 | |
| 73 | test::section "Peer Rules" |
| 74 | while IFS= read -r peer_name; do |
| 75 | [[ -n "$peer" && "$peer_name" != "$peer" ]] && continue |
| 76 | [[ -n "$type" && "$peer_name" != "${type}-"* ]] && continue |
| 77 | cmd::audit::check_peer "$peer_name" "$fix" "${peer_fw_counts[$peer_name]:-0}" |
| 78 | done < <(peers::all) |
| 79 | |
| 80 | test::section "WireGuard Server" |
| 81 | cmd::audit::check_wg "$fix" "$peer" "$type" |
| 82 | |
| 83 | test::section "Rules" |
| 84 | cmd::audit::check_rules |
| 85 | |
| 86 | test::summary |
| 87 | } |
| 88 | |
| 89 | function cmd::audit::check_peer() { |
| 90 | local peer_name="$1" fix="$2" actual="${3:-0}" |
| 91 | local ip rule |
| 92 | |
| 93 | ip=$(peers::get_ip "$peer_name") |
| 94 | rule=$(peers::get_meta "$peer_name" "rule") |
| 95 | |
| 96 | if [[ -z "$rule" ]]; then |
| 97 | test::warn "$peer_name — no rule assigned (effective: $(peers::default_rule "$peer_name"))" |
| 98 | return 0 |
| 99 | fi |
| 100 | |
| 101 | if ! rule::exists "$rule"; then |
| 102 | test::fail "$peer_name — assigned rule '$rule' does not exist" |
| 103 | return 0 |
| 104 | fi |
| 105 | |
| 106 | # Blocked peers have no fw rules (removed from wg0) |
| 107 | if block::is_blocked "$peer_name" 2>/dev/null; then |
| 108 | if [[ "$actual" -eq 0 ]]; then |
| 109 | test::pass "$(printf "%-28s rule=%-15s blocked (no fw rules)" \ |
| 110 | "$peer_name" "$rule")" |
| 111 | else |
| 112 | test::warn "$(printf "%-28s rule=%-15s blocked but has %s fw rules" \ |
| 113 | "$peer_name" "$rule" "$actual")" |
| 114 | fi |
| 115 | return 0 |
| 116 | fi |
| 117 | |
| 118 | # Count expected rules from assigned rule (includes inheritance) |
| 119 | local block_ports block_ips allow_ports allow_ips |
| 120 | block_ports=$(json::count_resolved "$rule" "block_ports") |
| 121 | block_ips=$(json::count_resolved "$rule" "block_ips") |
| 122 | allow_ports=$(json::count_resolved "$rule" "allow_ports") |
| 123 | allow_ips=$(json::count_resolved "$rule" "allow_ips") |
| 124 | local expected=$(( (block_ports + block_ips) * 2 + allow_ports + allow_ips )) |
| 125 | |
| 126 | # Add peer-specific block rules (each ip/port/subnet = 2 rules: NFLOG+DROP) |
| 127 | if block::has_specific_rules "$peer_name" 2>/dev/null; then |
| 128 | while IFS="|" read -r bname btype target port proto; do |
| 129 | [[ -z "$btype" || "$btype" == "full" ]] && continue |
| 130 | (( expected += 2 )) || true |
| 131 | done < <(block::get_rules "$peer_name") |
| 132 | fi |
| 133 | |
| 134 | if [[ "$actual" -eq "$expected" ]]; then |
| 135 | test::pass "$(printf "%-28s rule=%-15s fw: %s/%s" \ |
| 136 | "$peer_name" "$rule" "$actual" "$expected")" |
| 137 | elif [[ "$actual" -gt "$expected" ]]; then |
| 138 | test::warn "$(printf "%-28s rule=%-15s fw: %s/%s (extra rules)" \ |
| 139 | "$peer_name" "$rule" "$actual" "$expected")" |
| 140 | if $fix; then |
| 141 | fw::flush_peer "$ip" |
| 142 | rule::apply "$rule" "$ip" "$peer_name" |
| 143 | block::restore_rules_for "$peer_name" "$ip" |
| 144 | test::pass " Fixed: $peer_name" |
| 145 | fi |
| 146 | else |
| 147 | test::fail "$(printf "%-28s rule=%-15s fw: %s/%s (missing rules)" \ |
| 148 | "$peer_name" "$rule" "$actual" "$expected")" |
| 149 | if $fix; then |
| 150 | rule::apply "$rule" "$ip" "$peer_name" |
| 151 | block::restore_rules_for "$peer_name" "$ip" |
| 152 | test::pass " Fixed: $peer_name" |
| 153 | fi |
| 154 | fi |
| 155 | return 0 |
| 156 | } |
| 157 | |
| 158 | function cmd::audit::check_wg() { |
| 159 | local fix="$1" filter_peer="$2" filter_type="$3" |
| 160 | local wg_peers |
| 161 | wg_peers=$(wg show wg0 peers 2>/dev/null) |
| 162 | |
| 163 | while IFS= read -r peer_name; do |
| 164 | [[ -n "$filter_peer" && "$peer_name" != "$filter_peer" ]] && continue |
| 165 | [[ -n "$filter_type" && "$peer_name" != "${filter_type}-"* ]] && continue |
| 166 | |
| 167 | local pub_key |
| 168 | pub_key=$(keys::public "$peer_name" 2>/dev/null) |
| 169 | [[ -z "$pub_key" ]] && test::fail "$peer_name — missing public key" && continue |
| 170 | |
| 171 | if peers::is_blocked "$peer_name"; then |
| 172 | if echo "$wg_peers" | grep -q "$pub_key"; then |
| 173 | test::fail "$peer_name — blocked but still in wg0" |
| 174 | $fix && peers::remove_from_server "$peer_name" && peers::reload |
| 175 | else |
| 176 | test::pass "$peer_name — correctly blocked (not in wg0)" |
| 177 | fi |
| 178 | else |
| 179 | if echo "$wg_peers" | grep -q "$pub_key"; then |
| 180 | test::pass "$peer_name — present in wg0" |
| 181 | else |
| 182 | test::fail "$peer_name — missing from wg0" |
| 183 | if $fix; then |
| 184 | local ip |
| 185 | ip=$(peers::get_ip "$peer_name") |
| 186 | peers::add_to_server "$peer_name" "$pub_key" "$ip" |
| 187 | peers::reload |
| 188 | fi |
| 189 | fi |
| 190 | fi |
| 191 | done < <(peers::all) |
| 192 | } |
| 193 | |
| 194 | function cmd::audit::check_rules() { |
| 195 | local rules_dir |
| 196 | rules_dir="$(ctx::rules)" |
| 197 | |
| 198 | # Precompute peer counts |
| 199 | declare -A rule_counts |
| 200 | while IFS= read -r peer_name; do |
| 201 | local r |
| 202 | r=$(peers::get_meta "$peer_name" "rule") |
| 203 | [[ -z "$r" ]] && continue |
| 204 | rule_counts["$r"]=$(( ${rule_counts["$r"]:-0} + 1 )) |
| 205 | done < <(peers::all) |
| 206 | |
| 207 | for rule_file in "${rules_dir}"/*.rule; do |
| 208 | [[ -f "$rule_file" ]] || continue |
| 209 | local name |
| 210 | name=$(json::get "$rule_file" "name") |
| 211 | local count=${rule_counts["$name"]:-0} |
| 212 | test::pass "Rule '${name}' — ${count} peers assigned" |
| 213 | done |
| 214 | } |