Auditing Your Nodes' Configuration

This guide was graciously contributed by [FRADA] ADA Made in France. If you find this guide useful, please consider staking to it (FRADA ticker).🙏

To make sure your Cardano nodes (relays and block producer) are correctly configured, you can use an automated audit script that performs the following checks:

Cardano compliance

  • New 9.1.0 Cardano-Node version requirement for Chang hardfork

  • Cardano-node latest version verification

  • Cardano bootstrap check

  • Environment Variables

  • Systemd cardano-node file verification and parsing

  • Cardano startup script verification and parsing

  • Node operation mode (block producer or relay)

  • Topology mode (p2p enabled)

  • Topology configuration file parsing and compliance checks

  • Cardano security checks (hot keys permissions, cold keys detection)

  • KES keys rotation alert

Security and system checks

  • SSHD hardening

  • Null passwords check

  • Important services running (ufw, fail2ban, ntp server...)

  • Firewalling rules extract

  • sysctl.conf hardening check

Please note that this script is only intended to help you identify configuration and basic security issues. It does not guarantee that your server is fully protected.
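
To make the "Cardano security checks (hot keys permissions, cold keys detection)" item concrete, here is an added example that is not taken from the audit script. It assumes the Coincashew file names (kes.skey and vrf.skey as hot keys, node.skey and node.counter as cold keys), GNU stat, and a hypothetical helper called audit_keys; the sample directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: NOT taken from audit-cardano-node.sh.
# Assumed file names (Coincashew conventions): cold = node.skey, node.counter;
# hot = kes.skey, vrf.skey. ROLE is "bp" (block producer) or "relay".

# Prints one FAIL line per finding. Exit status: 0 = clean, 1 = findings.
audit_keys() {
    dir=$1 role=$2 findings=0
    # Cold keys belong on the air-gapped machine, never on a live node.
    for f in node.skey node.counter; do
        [ -e "$dir/$f" ] || continue
        echo "FAIL cold key on node: $f"
        findings=$((findings + 1))
    done
    for f in kes.skey vrf.skey; do
        [ -e "$dir/$f" ] || continue
        if [ "$role" = relay ]; then
            # Relays do not forge blocks and need no signing keys at all.
            echo "FAIL hot key on relay: $f"
            findings=$((findings + 1))
            continue
        fi
        # On the block producer, hot keys should be owner read-only.
        mode=$(stat -c '%a' "$dir/$f")   # GNU stat, as on Ubuntu
        if [ "$mode" != 400 ]; then
            echo "FAIL $f has mode $mode, expected 400"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: a block-producer directory with two mistakes
# (world-readable KES key, cold signing key left behind).
make_sample_node() {
    d=$(mktemp -d)
    : > "$d/kes.skey";  chmod 644 "$d/kes.skey"
    : > "$d/vrf.skey";  chmod 400 "$d/vrf.skey"
    : > "$d/node.skey"; chmod 400 "$d/node.skey"
    echo "$d"
}

sample=$(make_sample_node)
audit_keys "$sample" bp || echo "findings reported for $sample"
rm -rf "$sample"
```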

How to use the Cardano Audit Script

Download the Audit Script

The script can be found on this GitHub repository by [FRADA] ADA Made In France.

You can download the script directly onto your Cardano nodes:

cd $HOME/git
mkdir audit-cardano-node
cd audit-cardano-node
wget --show-progress -q https://github.com/Kirael12/cardano-node-audit/releases/latest/download/audit-cardano-node.sh

Make the script executable

cd $HOME/git/audit-cardano-node
chmod +x audit-cardano-node.sh

Run the script

The script must be run with sudo and the -E option, which preserves the environment variables you defined while following the Coincashew guide (such as $NODE_HOME or $NODE_CONFIG).

sudo -E ./audit-cardano-node.sh

You will be asked to select your type of Cardano setup from a menu. Select COINCASHEW. You can also choose to perform only the security checks.

You will then be asked if you want to export the results to a file.

Results

The script takes 20 seconds to complete. It reports information about your node so you can immediately see whether your configuration is good and make the appropriate changes. Sample outputs:
