(This is another entry in our series of examples on how to use the new string presence check in Halo. For an introduction to this new feature, please see our previous Introduction to Search Expressions post.)
OK, this is the Big Kahuna. We’re going to first check that your routing table includes the correct IP address of your default gateway, and in a minute we’ll come back and make sure there are no other default routes that might funnel packets through a sniffing machine at your cloud provider.
First, the easy part. /proc/net/route contains your routing table in a hexadecimal form like this:
# cat /proc/net/route
Iface   Destination   Gateway    Flags  RefCnt  Use  Metric  Mask       MTU  Window  IRTT
eth0    00000000      010110AC   0003   0       0    0       00000000   0    0       0
eth0    000110AC      00000000   0001   0       0    0       00FFFFFF   0    0       0
It’s the same information you get when you run “route -n”, but “route -n” takes the time to make it human-readable.
The line we’re interested in is the first “eth0” line. Looking only at the 2nd, 3rd, and 7th columns, it says “if we want to go to any IP address (Destination=00000000 and Mask=00000000) that doesn’t have a more specific route, send the packet through 172.16.1.1 (Gateway=010110AC, reversed hexadecimal)”. That’s the right default gateway, so I want to be alerted if that ever changes. I want essentially that line, but I want to ignore everything but the 1st, 2nd, 3rd, and 7th columns. To do that, I’ll require 1 or more whitespace characters between most of the columns (“\s+”). When we get to the block between columns 3 and 7, I’ll require 1 whitespace character, then any number of characters, 1 more whitespace, then the 00000000 Mask: “010110AC\s.*\s00000000”. Finally, we’ll need one more whitespace at the end of our check (“\s”), but we don’t care what comes after that. Here’s the check:
/proc/net/route Contains ^eth0\s+00000000\s+010110AC\s.*\s00000000\s
Like above, you’ll need to replace 010110AC with the reversed hexadecimal IP address of your default gateway.
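To make the reversed-hexadecimal conversion and the "no other default routes" part concrete, here is an added Python example that is not part of the original post and not Halo's own code. It decodes the little-endian hex that /proc/net/route prints, builds the same regex as the check above from a dotted-quad gateway, and then parses every route so that any extra default route (one with Destination and Mask both 00000000) pointing somewhere other than the expected gateway is reported. The route tables are constructed samples embedded in the script; the interface name eth0 and gateway 172.16.1.1 are the post's values.

```python
import re
import socket
import struct

# Constructed sample mirroring the layout of /proc/net/route shown in the post:
# a single default route via 172.16.1.1 (010110AC) plus the directly connected subnet.
SAMPLE_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t010110AC\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t000110AC\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
)

# Constructed sample with a second default route on eth1 via 172.16.1.254 (FE0110AC).
# The expected line is still present, so the string check alone would pass.
SAMPLE_ROUTE_EXTRA_DEFAULT = SAMPLE_ROUTE + (
    "eth1\t00000000\tFE0110AC\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"
)


def hex_to_ip(h):
    """Decode the reversed (little-endian) hex used by /proc/net/route: 010110AC -> 172.16.1.1."""
    return socket.inet_ntoa(struct.pack("<L", int(h, 16)))


def ip_to_hex(ip):
    """Inverse of hex_to_ip: 172.16.1.1 -> 010110AC, the form needed inside the check regex."""
    return "%08X" % struct.unpack("<L", socket.inet_aton(ip))[0]


def build_check_regex(iface, gateway_ip):
    """Build the same pattern as the Halo check in the post, for any interface and gateway."""
    return r"^%s\s+00000000\s+%s\s.*\s00000000\s" % (re.escape(iface), ip_to_hex(gateway_ip))


def parse_routes(text):
    """Parse the column layout of /proc/net/route into dicts with decoded addresses."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 8:
            continue
        routes.append({
            "iface": fields[0],
            "dest": hex_to_ip(fields[1]),
            "gateway": hex_to_ip(fields[2]),
            "flags": int(fields[3], 16),
            "metric": int(fields[6]),
            "mask": hex_to_ip(fields[7]),
        })
    return routes


def default_routes(routes):
    """A default route is any entry whose Destination and Mask are both 0.0.0.0."""
    return [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def check_default_gateway(text, iface, expected_gateway):
    """Return (expected_line_present, unexpected_default_routes).

    The first element is what the string presence check answers; the second
    element is the follow-up the post promises: other default routes that could
    carry traffic somewhere else.
    """
    pattern = re.compile(build_check_regex(iface, expected_gateway), re.MULTILINE)
    present = pattern.search(text) is not None
    unexpected = [
        r for r in default_routes(parse_routes(text))
        if not (r["iface"] == iface and r["gateway"] == expected_gateway)
    ]
    return present, unexpected


if __name__ == "__main__":
    for name, table in (("clean", SAMPLE_ROUTE), ("extra default", SAMPLE_ROUTE_EXTRA_DEFAULT)):
        present, unexpected = check_default_gateway(table, "eth0", "172.16.1.1")
        print("%s: expected line present=%s, unexpected default routes=%s" % (name, present, unexpected))
```

Running the script against the second sample shows why the presence check is only half the story: the expected eth0 line is still there, so the check passes, while the route list reveals the extra default route on eth1. On a live host, replace the constructed samples with the contents of /proc/net/route.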
There’s a little quirk to the above check. If your default route goes away for any reason, the Halo daemon may gladly remember that fact and be prepared to tell the grid that you need an alert. Unfortunately, at the moment it won’t be able to reach the grid because your network link is down. 🙁 The end effect is that a check like this can’t take the place of active external monitoring of your cloud servers.