4d2 dot org Proof of Security Client
====================================

The Proof of Security Client is a lightweight shell script that fetches the current security status from the 4d2.su API. It also independently tests exchanged UUIDs to ensure they're in sync, something the web app can't do automatically. You can run the script on demand, or schedule it to run regularly on a system you control so you're automatically notified if the integrity of 4d2 dot org's network is in question. Download it from https://4d2.su/4d2_security.sh or see the installation instructions below.

The client automatically updates whenever there are changes to our network. The update process relies on a quorum of servers and is resilient to single-machine security compromise. You can disable updates with a command line switch if you want to manually validate each update, but the script will stop working each time an update is published until you have a chance to do so. Most users should leave automatic updates on and run the script as an unprivileged user.
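The all-servers-must-agree rule described above can be sketched as follows. This is an added example, not the 4d2 updater's own code; it assumes the candidate copies have already been downloaded from the separate servers to local files, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the 4d2 updater): apply an update only if every
# candidate copy, each fetched from a different server, is byte-identical.

# all_identical FILE...
# Returns 0 only if two or more files are given, none is missing or empty,
# and every file matches the first one byte for byte.
all_identical() {
    [ "$#" -ge 2 ] || return 1
    first=$1
    for f in "$@"; do
        [ -s "$f" ] || return 1            # missing or empty download: no quorum
        cmp -s "$first" "$f" || return 1   # any difference: no quorum
    done
    return 0
}

# apply_if_quorum TARGET CANDIDATE...
# Replaces TARGET when all candidates agree; otherwise leaves TARGET
# untouched and returns 1. The new copy is staged next to TARGET and moved
# into place with mv, so a half-written script is never left behind.
apply_if_quorum() {
    target=$1
    shift
    all_identical "$@" || return 1
    tmp="$target.new.$$"
    cp "$1" "$tmp" && chmod 755 "$tmp" && mv -f "$tmp" "$target"
}
```

A single differing or failed download blocks the update, which is what makes the check resilient to one compromised server.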

Compatible with Linux, *BSD, macOS (with curl and coreutils installed from Homebrew), and Windows (with WSL).

Installation
------------

$ curl -o 4d2_security.sh https://4d2.su/4d2_security.sh
$ chmod +x 4d2_security.sh
$ ./4d2_security.sh -v

Documentation
-------------

Usage: ./4d2_security.sh [-h] [-n] [-v]

Fetches Proof of Security information from the 4d2.su API, and independently
tests the ephemeral UUIDs sent to 4d2.su by individual hosts to ensure they
match. Requires an internet connection and an accurate local clock.

When run without arguments, will output nothing and exit 0 on success, or
output an error message. This is ideal for cron jobs.

In verbose mode (-v), displays detailed status for each certificate and
host machine, and more details of any error that occurs.

This script will automatically update itself when required unless you
disable automatic updates (-n). The updater will check 3 separate
4d2 dot org servers, and the update will only be applied if the scripts
presented by all 3 servers are identical.

Exit Codes:
0 - All tests succeeded (we think we're secure)
1 - One or more security tests failed
2 - Invalid option specified or required files not found
3 - Network error
4 - Manual script update needed

Only exit code 1 should be interpreted as a possible security issue.

If run during the 0, 10, 20, 30, 40 or 50 minute of the hour, this
script will sleep up to 30 seconds to avoid false positives caused by
performing tests while server data updates are in progress. If running this
script in cron, you may want to avoid scheduling it during these minutes.

For support with this script visit https://4d2.su or https://4d2.org,
or message us in #support:4d2.org on Matrix.

Example Output
--------------

[sarah@compy ~]$ ./4d2_security.sh -v
4d2 dot org Proof of Security Client (20241024)
sarah@4d2.org, October 2024

CERTIFICATES:
Local and remote certificates for 4d2.link match.
Local and remote certificates for 4d2.org match.
Local and remote certificates for 4d2.social match.
Local and remote certificates for bayard.4d2.org match.
Local and remote certificates for cinny.4d2.org match.
Local and remote certificates for depot.4d2.org match.
Local and remote certificates for element.4d2.org match.
Local and remote certificates for jitsi.4d2.org match.
Local and remote certificates for matrix.4d2.org match.
Local and remote certificates for pad.4d2.org match.
Local and remote certificates for padsbx.4d2.org match.
Local and remote certificates for vault.4d2.org match.

HOST TRUST:
Host arthur is trusted.
      Last checked by 4d2.su server 143 seconds ago
      Local DNS: 152.53.50.155  DNS from 4d2.su: 152.53.50.155
      Linux arthur.4d2.org 6.11.4-1-aarch64-ARCH #1 SMP PREEMPT_DYNAMIC Thu Oct 17 17:10:25 MDT 2024 aarch64 GNU/Linux
      UUID received by 4d2.su server: bb85c6cf-7789-4c2d-80b8-cef4f5513133
      UUID fetched directly from host: bb85c6cf-7789-4c2d-80b8-cef4f5513133
Host bayard is trusted.
      Last checked by 4d2.su server 143 seconds ago
      Local DNS: 5.78.89.93  DNS from 4d2.su: 5.78.89.93
      FreeBSD bayard.4d2.org 14.1-RELEASE FreeBSD 14.1-RELEASE releng/14.1-n267679-10e31f0946d8 GENERIC amd64
      UUID received by 4d2.su server: 57090fc0-92a4-11ef-b68d-5d7b03522583
      UUID fetched directly from host: 57090fc0-92a4-11ef-b68d-5d7b03522583
Host zaphod is trusted.
      Last checked by 4d2.su server 142 seconds ago
      Local DNS: 193.227.129.249  DNS from 4d2.su: 193.227.129.249
      Linux zaphod.4d2.org 6.11.1-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 30 Sep 2024 23:49:50 +0000 x86_64 GNU/Linux
      UUID received by 4d2.su server: 8cefd15e-c700-49e1-aa63-d16314ae85a0
      UUID fetched directly from host: 8cefd15e-c700-49e1-aa63-d16314ae85a0
Host zarniwoop is trusted.
      Last checked by 4d2.su server 142 seconds ago
      Local DNS: 5.78.41.186  DNS from 4d2.su: 5.78.41.186
      Linux zarniwoop.4d2.org 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64 GNU/Linux
      UUID received by 4d2.su server: 8baafceb-8e42-4b39-888a-4b50d198d8d7
      UUID fetched directly from host: 8baafceb-8e42-4b39-888a-4b50d198d8d7

Overall Status: OK

Example crontab Entry
---------------------

*/10   *   *   *   *   /home/sarah/4d2_security.sh
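
A cron wrapper that acts on the documented exit codes, so that only exit code 1 raises a security alert and transient network errors do not. This is an added example, not part of the 4d2 script; the function names, the state directory, the `MAX_NET_ERRORS` threshold, the `POS_CLIENT`/`POS_STATE` variables and the wrapper path in the sample crontab line are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper for 4d2_security.sh (not part of the 4d2 script).
# Sample crontab line, offset from minutes 0,10,20,... (wrapper path is hypothetical):
#   3-59/10 * * * * /home/sarah/pos_cron.sh

# classify_exit CODE: print a label for the documented exit codes.
classify_exit() {
    case "$1" in
        0) echo ok ;;
        1) echo security ;;   # the only code that signals a possible security issue
        2) echo config ;;
        3) echo network ;;
        4) echo update ;;     # manual script update needed
        *) echo unknown ;;
    esac
}

# run_check CLIENT STATE_DIR
# Runs the client without -v. Returns 1 only for a failed security test.
# Network errors return 0 until MAX_NET_ERRORS (assumed default 3) occur in a row.
run_check() {
    client=$1
    state=$2
    max=${MAX_NET_ERRORS:-3}
    mkdir -p "$state"
    out=$("$client" 2>&1) && rc=0 || rc=$?
    kind=$(classify_exit "$rc")
    count=0
    if [ "$kind" = network ]; then
        if [ -f "$state/net_errors" ]; then count=$(cat "$state/net_errors"); fi
        count=$((count + 1))
    fi
    echo "$count" > "$state/net_errors"
    case "$kind" in
        ok) return 0 ;;
        security) echo "ALERT: security test failed: $out" >&2; return 1 ;;
        network)
            if [ "$count" -lt "$max" ]; then return 0; fi
            echo "WARN: $count consecutive network errors" >&2; return 3 ;;
        *) echo "WARN: client needs attention ($kind, exit $rc): $out" >&2
           return "$rc" ;;
    esac
}

# Run only when a client path is supplied, e.g. POS_CLIENT=$HOME/4d2_security.sh
if [ -n "${POS_CLIENT:-}" ]; then
    run_check "$POS_CLIENT" "${POS_STATE:-$HOME/.4d2_pos}"
fi
```

Because the wrapper writes only to stderr and only when something needs attention, cron's mail-on-output behaviour delivers the alert.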
