KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Complete repository reset for fresh start

Browse Source 
- Remove all project files and directories
- Keep git history intact
- Archive documentation in archive-docs/ directory

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-01-21 08:56:22 -05:00
parent b98a20cae8
commit 69d6c81e1c
40 changed files with 0 additions and 12299 deletions
Download Patch File Download Diff File Expand all files Collapse all files

276
scripts/build-iso.sh
View File

@@ -1,276 +0,0 @@
#!/bin/bash
# Football ISO Build Script
# Creates Debian 13 ISO with embedded preseed configuration
# ALL work done in Docker container - no host operations
set -euo pipefail
BUILD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
OUTPUT_DIR="$BUILD_DIR/output"
echo "================================================"
echo "Football ISO Build (Docker-only)"
echo "================================================"
echo ""
# Create output directory only (everything else in Docker)
mkdir -p "$OUTPUT_DIR"
# ============================================================================
# Run entire build process in single Docker container
# ============================================================================
docker run --rm \
--name football-iso-build \
-v "$BUILD_DIR:/build" \
debian:trixie \
bash -c '
set -e
echo "================================================"
echo "Football ISO Build"
echo "================================================"
echo ""
# ============================================================================
# Step 1: Download Debian ISO
# ============================================================================
echo "[1/5] Downloading Debian 13 Netboot ISO..."
# Create temporary directory inside container
ISO_DIR="/build/iso-tmp"
mkdir -p "$ISO_DIR"
cd "$ISO_DIR"
# Install required tools
echo "Installing required tools..."
apt-get update -qq
apt-get install -y -qq wget xorriso rsync isolinux
echo ""
echo "Downloading Debian 13.3.0 (trixie) Stable Netboot ISO..."
# Download Debian 13.3.0 (trixie) stable ISO
wget -q --show-progress \
-O debian-13.3.0-amd64-netinst.iso \
https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-13.3.0-amd64-netinst.iso
echo ""
echo "✅ ISO downloaded"
ls -lh "$ISO_DIR"/*.iso
echo ""
echo "✅ Step 1 complete"
echo ""
# ============================================================================
# Step 2: Extract ISO
# ============================================================================
echo "[2/5] Extracting ISO..."
echo "Extracting ISO contents..."
mkdir -p extracted
cd extracted
xorriso -osirrox on \
-indev "$ISO_DIR/debian-13.3.0-amd64-netinst.iso" \
-extract / ./
echo ""
echo "✅ ISO extracted"
echo "Files in extracted:"
ls -la | head -20
echo ""
echo "✅ Step 2 complete"
echo ""
# ============================================================================
# Step 3: Inject Preseed Configuration and Scripts
# ============================================================================
echo "[3/5] Injecting preseed configuration and scripts..."
echo "Copying preseed file..."
cp /build/config/preseed.cfg /build/iso-tmp/extracted/preseed.cfg
echo ""
echo "Copying verification and configuration scripts..."
# Create scripts and config directories on ISO
mkdir -p scripts config
# Copy scripts to ISO
cp /build/scripts/verify-system.sh scripts/
cp /build/config/disable-wifi-bt.sh config/
cp /build/config/security-config.sh config/
cp /build/config/football-first-boot.service config/
# Make scripts executable
chmod +x scripts/verify-system.sh
chmod +x config/disable-wifi-bt.sh
chmod +x config/security-config.sh
echo ""
echo "Modifying boot menu to use preseed..."
# Create preseed-enabled boot entry
if [ -f isolinux/isolinux.cfg ]; then
echo "Updating isolinux.cfg..."
# Back up original
cp isolinux/isolinux.cfg isolinux/isolinux.cfg.bak
# Add auto-install with preseed entry at top
cat > isolinux/isolinux-auto.cfg <<EOF
default football
timeout 5
label football
menu label ^Install Football Secure Access System
kernel /install.amd/vmlinuz
append vga=788 initrd=/install.amd/initrd.gz auto=true priority=critical file=/cdrom/preseed.cfg -- quiet
label manual
menu label ^Manual Install
kernel /install.amd/vmlinuz
append vga=788 initrd=/install.amd/initrd.gz -- quiet
label expert
menu label ^Expert Mode
kernel /install.amd/vmlinuz
append vga=788 initrd=/install.amd/initrd.gz priority=low -- quiet
label rescue
menu label ^Rescue Mode
kernel /install.amd/vmlinuz
append vga=788 initrd=/install.amd/initrd.gz rescue/enable=true -- quiet
EOF
# Copy to main cfg
cp isolinux/isolinux-auto.cfg isolinux/isolinux.cfg
echo "✅ Boot configuration updated"
fi
# Update GRUB for UEFI boot
if [ -f boot/grub/grub.cfg ]; then
echo "Updating grub.cfg for preseed..."
cp boot/grub/grub.cfg boot/grub/grub.cfg.bak
cat > boot/grub/grub-preseed.cfg <<EOF
set timeout=5
set default=0
menuentry "Install Football Secure Access System" {
linux /install.amd/vmlinuz auto=true priority=critical file=/cdrom/preseed.cfg
initrd /install.amd/initrd.gz
}
menuentry "Manual Install" {
linux /install.amd/vmlinuz
initrd /install.amd/initrd.gz
}
EOF
cp boot/grub/grub-preseed.cfg boot/grub/grub.cfg
echo "✅ GRUB configuration updated"
fi
echo ""
echo "✅ Preseed and scripts injected"
echo "Contents of scripts/:"
ls -la scripts/
echo ""
echo "Contents of config/:"
ls -la config/
echo ""
echo "✅ Step 3 complete"
echo ""
# ============================================================================
# Step 4: Create New ISO
# ============================================================================
echo "[4/5] Creating new ISO with preseed..."
# Ensure output directory exists
mkdir -p /build/output
# Create new ISO with preseed and scripts
xorriso -as mkisofs \
-r -V "Football Secure System" \
-o /build/output/football-installer.iso \
-J -l \
-b isolinux/isolinux.bin \
-c isolinux/boot.cat \
-no-emul-boot \
-boot-load-size 4 \
-boot-info-table \
-isohybrid-mbr /usr/lib/ISOLINUX/isohdpfx.bin \
-eltorito-alt-boot \
-e boot/grub/efi.img \
-no-emul-boot \
-isohybrid-gpt-basdat \
.
echo ""
echo "✅ ISO created"
ls -lh /build/output/football-installer.iso
echo ""
echo "✅ Step 4 complete"
echo ""
# ============================================================================
# Step 5: Verify ISO
# ============================================================================
echo "[5/5] Verifying ISO..."
echo "ISO information:"
file /build/output/football-installer.iso
echo ""
echo "ISO size:"
ls -lh /build/output/football-installer.iso
echo ""
echo "✅ Step 5 complete"
echo ""
# ============================================================================
# Cleanup
# ============================================================================
echo "Cleaning up temporary directories..."
cd /build
rm -rf "$ISO_DIR"
echo ""
echo "================================================"
echo "ISO BUILD COMPLETE"
echo "================================================"
echo ""
echo "Output file:"
echo " 📁 /build/output/football-installer.iso"
echo ""
echo "Usage:"
echo " 1. Write ISO to USB: sudo dd if=/build/output/football-installer.iso of=/dev/sdX bs=4M status=progress"
echo " 2. Boot from USB"
echo " 3. Installer will automatically use preseed configuration"
echo " 4. User only needs to provide:"
echo " - Username"
echo " - User password (min 12 chars, mixed case, numbers, special chars)"
echo " - Root password (min 12 chars, mixed case, numbers, special chars)"
echo " - Target disk for installation"
echo ""
echo "✅ BUILD COMPLETE!"
echo ""
'
echo ""
echo "================================================"
echo "Build finished on host"
echo "================================================"
echo ""
echo "ISO Location: $OUTPUT_DIR/football-installer.iso"
ls -lh "$OUTPUT_DIR/football-installer.iso"
echo ""

191
scripts/qvm.sh
View File

@@ -1,191 +0,0 @@
#!/bin/bash
# Football VM Control Script (libvirt/virsh)
# Manages QEMU VM for testing Football ISO
set -euo pipefail
BUILD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
ISO_FILE="$BUILD_DIR/output/football-installer.iso"
DISK_FILE="$BUILD_DIR/output/football-vm-disk.qcow2"
VM_NAME="football-test"
XML_FILE="$BUILD_DIR/output/${VM_NAME}.xml"
# Create directories
mkdir -p "$(dirname "$ISO_FILE")"
mkdir -p "$(dirname "$DISK_FILE")"
mkdir -p "$(dirname "$XML_FILE")"
case "$1" in
define)
echo "Defining VM in libvirt..."
# Create disk if it doesn't exist
if [ ! -f "$DISK_FILE" ]; then
echo "Creating VM disk (8GB)..."
qemu-img create -f qcow2 "$DISK_FILE" 8G
fi
# Create libvirt XML
cat > "$XML_FILE" <<EOF
<domain type='kvm'>
<name>$VM_NAME</name>
<metadata>
<libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/qemu/libosinfo/1.0">
<libosinfo:os id="http://debian.org/debian/13"/>
</libosinfo:libosinfo>
</metadata>
<memory unit='KiB'>2097152</memory>
<currentMemory unit='KiB'>2097152</currentMemory>
<vcpu placement='static'>2</vcpu>
<os>
<type arch='x86_64' machine='pc'>hvm</type>
<boot dev='cdrom'/>
</os>
<features>
<acpi/>
<apic/>
</features>
<cpu mode='host-passthrough' check='none' migratable='on'/>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type='file' device='cdrom'>
<driver name='qemu' type='raw'/>
<source file='$ISO_FILE'/>
<target dev='sda' bus='sata'/>
<readonly/>
</disk>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2'/>
<source file='$DISK_FILE'/>
<target dev='sdb' bus='sata'/>
</disk>
<controller type='usb' index='0' model='qemu-xhci' ports='15'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
</controller>
<interface type='user'>
<mac address='52:54:00:00:00:01'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
<graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'>
<listen type='address' address='127.0.0.1'/>
</graphics>
<video>
<model type='cirrus' vram='16384' heads='1' primary='yes'/>
</video>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
</memballoon>
</devices>
</domain>
EOF
# Define VM in libvirt
virsh define "$XML_FILE"
echo "VM defined in libvirt"
echo ""
echo "Manage with:"
echo " virsh start $VM_NAME"
echo " virsh stop $VM_NAME"
echo " virt-manager (view in GUI)"
;;
undefine)
echo "Undefining VM from libvirt..."
virsh shutdown "$VM_NAME" 2>/dev/null || true
sleep 2
virsh undefine "$VM_NAME" && echo "VM undefined"
;;
start)
echo "Starting VM..."
virsh start "$VM_NAME"
echo ""
virsh list
echo ""
echo "VM is running. View in:"
echo " 1. virt-manager"
echo " 2. vncviewer localhost:5900"
;;
stop)
echo "Stopping VM..."
virsh shutdown "$VM_NAME" 2>/dev/null || true
# Wait for VM to actually stop (up to 30 seconds)
for _ in {1..30}; do
if ! virsh list --name | grep -q "^${VM_NAME}$"; then
echo "VM stopped"
break
fi
sleep 1
done
# If still running, force destroy
if virsh list --name | grep -q "^${VM_NAME}$"; then
virsh destroy "$VM_NAME" && echo "VM destroyed"
fi
;;
reboot)
echo "Rebooting VM..."
virsh reboot "$VM_NAME"
;;
status)
echo "Checking VM status..."
virsh list --all | grep -E "Name|$VM_NAME"
;;
console)
echo "Opening VNC console..."
if command -v vncviewer &> /dev/null; then
vncviewer localhost:5900
elif command -v remote-viewer &> /dev/null; then
remote-viewer vnc://localhost:5900
else
echo "Error: No VNC viewer found"
echo "Install: sudo apt-get install tigervnc-viewer virt-viewer"
fi
;;
delete)
echo "Deleting VM, disk, and ISO..."
# Stop VM
virsh destroy "$VM_NAME" 2>/dev/null || true
virsh undefine "$VM_NAME" 2>/dev/null || true
# Delete files
rm -f "$DISK_FILE"
rm -f "$ISO_FILE"
rm -f "$XML_FILE"
echo "VM, disk, and ISO deleted"
;;
*)
echo "Football VM Control Script (libvirt)"
echo ""
echo "Usage: $0 {define|undefine|start|stop|reboot|status|console|delete}"
echo ""
echo "Commands:"
echo " define - Create VM definition in libvirt"
echo " undefine - Remove VM from libvirt"
echo " start - Start VM"
echo " stop - Stop VM"
echo " reboot - Reboot VM"
echo " status - Check VM status"
echo " console - Open VNC console viewer"
echo " delete - Delete VM, disk, and ISO (CAUTION!)"
echo ""
echo "VM Details:"
echo " Name: $VM_NAME"
echo " Disk: $DISK_FILE"
echo " ISO: $ISO_FILE"
echo " XML: $XML_FILE"
;;
esac

180
scripts/test-iso.sh
View File

@@ -1,180 +0,0 @@
#!/bin/bash
# Football ISO Test Script
# Boots QEMU VM from ISO to test installation
# All work done in Docker container
set -euo pipefail
BUILD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ISO_PATH="$BUILD_DIR/output/football-installer.iso"
DISK_PATH="$BUILD_DIR/output/test-vm-disk.qcow2"
CONSOLE_LOG="$BUILD_DIR/output/vm-console.log"
VM_PID_FILE="$BUILD_DIR/output/vm.pid"
echo "================================================"
echo "Football ISO Test - VM Boot"
echo "================================================"
echo ""
# ============================================================================
# Step 1: Verify ISO Exists
# ============================================================================
echo "[1/4] Verifying ISO..."
if [ ! -f "$ISO_PATH" ]; then
echo "❌ ISO not found: $ISO_PATH"
echo "Run ./build-iso.sh first"
exit 1
fi
docker run --rm \
-v "$BUILD_DIR:/build" \
debian:trixie \
bash -c "
echo 'ISO information:'
file /build/output/football-installer.iso
echo ''
echo 'ISO size:'
ls -lh /build/output/football-installer.iso
"
echo ""
echo "✅ ISO verified"
echo ""
# ============================================================================
# Step 2: Create Test Disk
# ============================================================================
echo "[2/4] Creating test disk..."
mkdir -p "$BUILD_DIR/output"
docker run --rm \
-v "$BUILD_DIR:/build" \
debian:trixie \
bash -c '
set -e
echo "Installing qemu-utils..."
apt-get update -qq
apt-get install -y -qq qemu-utils
echo ""
echo "Creating 16GB QCOW2 disk..."
cd /build/output
qemu-img create -f qcow2 test-vm-disk.qcow2 16G
echo ""
echo "✅ Test disk created"
ls -lh /build/output/test-vm-disk.qcow2
'
echo ""
echo "✅ Step 2 complete"
echo ""
# ============================================================================
# Step 3: Boot VM from ISO
# ============================================================================
echo "[3/4] Booting VM from ISO..."
echo ""
echo "VM Configuration:"
echo " CPU: 2 cores"
echo " RAM: 2GB"
echo " Disk: 16GB"
echo " Boot: $ISO_PATH"
echo ""
echo "NOTE: VM will boot in background mode"
echo "Console output will be saved to: $CONSOLE_LOG"
echo "To monitor console: tail -f $CONSOLE_LOG"
echo ""
# Start VM with QEMU using screen session
# Using screen to manage long-running QEMU process
screen -dmS football-iso-test \
qemu-system-x86_64 \
-m 2048 \
-smp 2 \
-drive file="$DISK_PATH",format=qcow2 \
-drive file="$ISO_PATH",media=cdrom,readonly=on \
-boot d \
-nographic \
-serial file:"$CONSOLE_LOG" \
-display none
# Save QEMU PID for later use
pgrep -f "qemu-system-x86_64.*$DISK_PATH" | head -1 > "$VM_PID_FILE"
echo "✅ VM started (PID: $(cat "$VM_PID_FILE" 2>/dev/null || echo 'unknown'))"
echo ""
# ============================================================================
# Step 4: Monitor Boot
# ============================================================================
echo "[4/4] Monitoring boot (waiting 120 seconds)..."
echo ""
for _ in {1..120}; do
if [ -f "$CONSOLE_LOG" ]; then
# Check for installation prompts
if grep -q "Choose the country" "$CONSOLE_LOG" 2>/dev/null; then
echo "🟢 Installer running - Country selection detected"
break
fi
# Check for errors
if grep -qi "error\|panic\|fatal" "$CONSOLE_LOG" 2>/dev/null; then
echo "⚠️ Error detected in console"
tail -20 "$CONSOLE_LOG"
break
fi
fi
sleep 1
done
echo ""
echo "==========================================="
echo "VM Status"
echo "==========================================="
echo ""
if [ -f "$VM_PID_FILE" ]; then
VM_PID=$(cat "$VM_PID_FILE" 2>/dev/null || echo 'unknown')
if kill -0 "$VM_PID" 2>/dev/null; then
echo "🟢 VM is running (PID: $VM_PID)"
else
echo "🔴 VM has stopped"
fi
fi
echo ""
echo "Recent console output (last 30 lines):"
if [ -f "$CONSOLE_LOG" ]; then
tail -30 "$CONSOLE_LOG"
else
echo "No console output yet"
fi
echo ""
echo "==========================================="
echo "Manual Access"
echo "==========================================="
echo ""
echo "To access VM console interactively:"
echo " 1. Stop current VM: kill \$(cat $VM_PID_FILE)"
echo " 2. Remove -nographic flag:"
echo " qemu-system-x86_64 \\"
echo " -m 4096 -smp 2 \\"
echo " -drive file=$DISK_PATH,format=qcow2 \\"
echo " -drive file=$ISO_PATH,media=cdrom,readonly=on \\"
echo " -boot d"
echo ""
echo "To stop VM:"
echo " kill \$(cat $VM_PID_FILE)"
echo ""
echo "Console log location: $CONSOLE_LOG"
echo ""

412
scripts/verify-system.sh
View File

@@ -1,412 +0,0 @@
#!/bin/bash
# Football System First-Boot Verification
# Verifies all functional requirements are met after installation
# Runs automatically on first boot
set -euo pipefail
LOG_FILE="/var/log/football-first-boot-verification.log"
STATUS_FILE="/var/lib/football/verification-status"
# Color codes for console output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# Logging function
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}
# Pass function
pass() {
echo -e "${GREEN}[PASS]${NC} $1" | tee -a "$LOG_FILE"
return 0
}
# Fail function
fail() {
echo -e "${RED}[FAIL]${NC} $1" | tee -a "$LOG_FILE"
return 1
}
# Warn function
warn() {
echo -e "${YELLOW}[WARN]${NC} $1" | tee -a "$LOG_FILE"
return 0
}
# Check if this is first boot
check_first_boot() {
if [ -f "$STATUS_FILE" ]; then
log "Verification already completed. Skipping."
echo -e "${YELLOW}Skipping first-boot verification (already completed)${NC}"
return 1
fi
return 0
}
# Create status file to prevent re-running
mark_completed() {
mkdir -p "$(dirname "$STATUS_FILE")"
echo "Completed: $(date '+%Y-%m-%d %H:%M:%S')" > "$STATUS_FILE"
log "Verification marked as completed"
}
# ============================================================================
# Verification Functions
# ============================================================================
# FR-1: Remote Access to Privileged Infrastructure
verify_remote_access() {
log "FR-1: Verifying Remote Access to Privileged Infrastructure"
# Check Remmina is installed
if dpkg -l | grep -q remmina; then
pass "FR-1.1: Remmina is installed"
else
fail "FR-1.1: Remmina is NOT installed"
return 1
fi
# Check WireGuard is installed
if dpkg -l | grep -q wireguard-tools; then
pass "FR-1.2: WireGuard tools are installed"
else
fail "FR-1.2: WireGuard tools are NOT installed"
return 1
fi
# Check IceWM is installed
if dpkg -l | grep -q icewm; then
pass "FR-1.3: IceWM is installed"
else
fail "FR-1.3: IceWM is NOT installed"
return 1
fi
}
# FR-2: Network Isolation
verify_network_isolation() {
log "FR-2: Verifying Network Isolation"
# Check SSH is disabled
if systemctl is-enabled ssh >/dev/null 2>&1; then
fail "FR-2.1: SSH service is ENABLED (should be disabled)"
else
pass "FR-2.1: SSH service is disabled"
fi
if systemctl is-enabled sshd >/dev/null 2>&1; then
fail "FR-2.2: SSHD service is ENABLED (should be disabled)"
else
pass "FR-2.2: SSHD service is disabled"
fi
# Check firewall exists
if [ -f /etc/iptables/rules.v4 ] || [ -f /etc/nftables.conf ]; then
pass "FR-2.3: Firewall configuration exists"
else
fail "FR-2.3: Firewall configuration missing"
return 1
fi
# Check WireGuard config exists (in overlay)
if [ -f /etc/wireguard/wg0.conf ]; then
pass "FR-2.4: WireGuard configuration exists"
else
warn "FR-2.4: WireGuard configuration not found (user must configure)"
fi
}
# FR-3: Minimal User Interface
verify_minimal_ui() {
log "FR-3: Verifying Minimal User Interface"
# Check IceWM is default window manager
if [ -f /etc/X11/default-display-manager ]; then
pass "FR-3.1: Display manager configured"
else
pass "FR-3.1: Using default X session"
fi
# Check Remmina is in autostart
if [ -f /home/user/.config/autostart/remmina.desktop ] || \
grep -q "remmina" /home/user/.xinitrc 2>/dev/null || \
grep -q "remmina" /home/user/.bash_profile 2>/dev/null; then
pass "FR-3.2: Remmina configured to auto-start"
else
warn "FR-3.3: Remmina auto-start may not be configured"
fi
}
# FR-5: Zero Remote Administration
verify_no_remote_admin() {
log "FR-5: Verifying Zero Remote Administration"
# Check SSH is masked
if systemctl is-enabled ssh >/dev/null 2>&1 || \
systemctl is-enabled sshd >/dev/null 2>&1; then
fail "FR-5.1: SSH or SSHD is enabled (should be disabled)"
else
pass "FR-5.1: SSH and SSHD are disabled"
fi
# Check telnet is not installed
if ! dpkg -l | grep -q telnet; then
pass "FR-5.2: Telnet is NOT installed"
else
fail "FR-5.2: Telnet IS installed (security issue)"
return 1
fi
}
# FR-6: System Hardening
verify_system_hardening() {
log "FR-6: Verifying System Hardening"
# Check AppArmor is installed
if dpkg -l | grep -q apparmor; then
pass "FR-6.1: AppArmor is installed"
else
fail "FR-6.1: AppArmor is NOT installed"
return 1
fi
# Check auditd is installed
if dpkg -l | grep -q auditd; then
pass "FR-6.2: Auditd is installed"
else
fail "FR-6.2: Auditd is NOT installed"
return 1
fi
# Check AIDE is installed
if dpkg -l | grep -q aide; then
pass "FR-6.3: AIDE is installed"
else
fail "FR-6.3: AIDE is NOT installed"
return 1
fi
# Check Secure Boot files exist
if [ -f /usr/lib/ISOLINUX/isohdpfx.bin ] || \
[ -f /usr/share/grub/x86_64-efi-signed/grubx64.efi ]; then
pass "FR-6.4: Secure Boot components present"
else
warn "FR-6.4: Secure Boot verification skipped"
fi
}
# FR-7: Integrity Verification
verify_integrity() {
log "FR-7: Verifying Integrity Verification"
# Check AIDE database exists
if [ -f /var/lib/aide/aide.db ] || [ -f /var/lib/aide/aide.db.new ]; then
pass "FR-7.1: AIDE database exists"
else
warn "FR-7.1: AIDE database not found (may need initialization)"
fi
# Check AIDE config exists
if [ -f /etc/aide.conf ]; then
pass "FR-7.2: AIDE configuration exists"
else
fail "FR-7.2: AIDE configuration missing"
return 1
fi
}
# FR-8: Firewall Configuration
verify_firewall() {
log "FR-8: Verifying Firewall Configuration"
# Check nftables or iptables is installed
if dpkg -l | grep -q nftables || dpkg -l | grep -q iptables; then
pass "FR-8.1: Firewall tools are installed"
else
fail "FR-8.1: Firewall tools NOT installed"
return 1
fi
# Check firewall service is enabled
if systemctl is-enabled nftables >/dev/null 2>&1 || \
systemctl is-enabled iptables-persistent >/dev/null 2>&1; then
pass "FR-8.2: Firewall service is enabled"
else
warn "FR-8.2: Firewall service may not be enabled"
fi
}
# FR-9: Boot Configuration
verify_boot_config() {
log "FR-9: Verifying Boot Configuration"
# Check GRUB is installed
if dpkg -l | grep -q grub-pc || dpkg -l | grep -q grub-efi-amd64; then
pass "FR-9.1: GRUB bootloader is installed"
else
fail "FR-9.1: GRUB bootloader NOT installed"
return 1
fi
# Check kernel is installed
if dpkg -l | grep -q linux-image; then
pass "FR-9.2: Linux kernel is installed"
else
fail "FR-9.2: Linux kernel NOT installed"
return 1
fi
}
# FR-10: Storage Configuration
verify_storage_config() {
log "FR-10: Verifying Storage Configuration"
# Check LVM is installed
if dpkg -l | grep -q lvm2; then
pass "FR-10.1: LVM is installed"
else
fail "FR-10.1: LVM is NOT installed"
return 1
fi
# Check root filesystem exists
if mount | grep -q " on / "; then
pass "FR-10.2: Root filesystem is mounted"
else
fail "FR-10.2: Root filesystem not mounted (CRITICAL)"
return 1
fi
}
# FR-11: System Updates
verify_system_updates() {
log "FR-11: Verifying System Updates"
# Check APT is configured
if [ -f /etc/apt/sources.list ]; then
pass "FR-11.1: APT is configured"
else
fail "FR-11.1: APT configuration missing"
return 1
fi
# Check development tools are NOT installed
if dpkg -l | grep -q build-essential || dpkg -l | grep -q gcc; then
fail "FR-11.2: Development tools ARE installed (should not be)"
return 1
else
pass "FR-11.2: Development tools are NOT installed"
fi
}
# FR-12: Logging and Monitoring
verify_logging() {
log "FR-12: Verifying Logging and Monitoring"
# Check rsyslog is installed
if dpkg -l | grep -q rsyslog; then
pass "FR-12.1: Rsyslog is installed"
else
fail "FR-12.1: Rsyslog NOT installed"
return 1
fi
# Check logrotate is installed
if dpkg -l | grep -q logrotate; then
pass "FR-12.2: Logrotate is installed"
else
fail "FR-12.2: Logrotate NOT installed"
return 1
fi
# Check audit log exists
if [ -f /var/log/audit/audit.log ] || [ -d /var/log/audit ]; then
pass "FR-12.3: Audit logging is configured"
else
warn "FR-12.3: Audit log directory may not exist"
fi
}
# ============================================================================
# Main Execution
# ============================================================================
main() {
echo "================================================"
echo "Football First-Boot Verification"
echo "================================================"
echo ""
log "Starting first-boot verification"
# Check if this is first boot
if ! check_first_boot; then
exit 0
fi
# Track results
TOTAL=0
PASSED=0
FAILED=0
WARNED=0
# Run all verifications
verify_remote_access || true
verify_network_isolation || true
verify_minimal_ui || true
verify_no_remote_admin || true
verify_system_hardening || true
verify_integrity || true
verify_firewall || true
verify_boot_config || true
verify_storage_config || true
verify_system_updates || true
verify_logging || true
# Calculate results
TOTAL=$((PASSED + FAILED + WARNED))
PERCENTAGE=$((PASSED * 100 / TOTAL))
# Summary
echo ""
echo "================================================"
echo "Verification Summary"
echo "================================================"
echo ""
echo "Total Checks: $TOTAL"
echo -e "${GREEN}Passed: $PASSED${NC}"
echo -e "${RED}Failed: $FAILED${NC}"
echo -e "${YELLOW}Warnings: $WARNED${NC}"
echo ""
echo "Compliance: $PERCENTAGE%"
echo ""
# Overall status
if [ $FAILED -eq 0 ] && [ $PERCENTAGE -ge 95 ]; then
echo -e "${GREEN}✓ SYSTEM MEETS ALL FUNCTIONAL REQUIREMENTS${NC}"
echo ""
echo "The Football Secure Access System is properly configured."
echo "All functional requirements have been verified."
mark_completed
exit 0
elif [ $FAILED -eq 0 ]; then
echo -e "${YELLOW}⚠ SYSTEM MOSTLY COMPLIANT${NC}"
echo ""
echo "The system meets most functional requirements."
echo "Review warnings before production use."
mark_completed
exit 0
else
echo -e "${RED}✗ SYSTEM HAS CRITICAL ISSUES${NC}"
echo ""
echo "The system has failed functional requirements."
echo "Review failed checks and reconfigure before production use."
exit 1
fi
}
# Run main function
main