#!/bin/bash # Football System First-Boot Verification # Verifies all functional requirements are met after installation # Runs automatically on first boot set -euo pipefail LOG_FILE="/var/log/football-first-boot-verification.log" STATUS_FILE="/var/lib/football/verification-status" # Color codes for console output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m' # Logging function log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } # Pass function pass() { echo -e "${GREEN}[PASS]${NC} $1" | tee -a "$LOG_FILE" return 0 } # Fail function fail() { echo -e "${RED}[FAIL]${NC} $1" | tee -a "$LOG_FILE" return 1 } # Warn function warn() { echo -e "${YELLOW}[WARN]${NC} $1" | tee -a "$LOG_FILE" return 0 } # Check if this is first boot check_first_boot() { if [ -f "$STATUS_FILE" ]; then log "Verification already completed. Skipping." echo -e "${YELLOW}Skipping first-boot verification (already completed)${NC}" return 1 fi return 0 } # Create status file to prevent re-running mark_completed() { mkdir -p "$(dirname "$STATUS_FILE")" echo "Completed: $(date '+%Y-%m-%d %H:%M:%S')" > "$STATUS_FILE" log "Verification marked as completed" } # ============================================================================ # Verification Functions # ============================================================================ # FR-1: Remote Access to Privileged Infrastructure verify_remote_access() { log "FR-1: Verifying Remote Access to Privileged Infrastructure" # Check Remmina is installed if dpkg -l | grep -q remmina; then pass "FR-1.1: Remmina is installed" else fail "FR-1.1: Remmina is NOT installed" return 1 fi # Check WireGuard is installed if dpkg -l | grep -q wireguard-tools; then pass "FR-1.2: WireGuard tools are installed" else fail "FR-1.2: WireGuard tools are NOT installed" return 1 fi # Check IceWM is installed if dpkg -l | grep -q icewm; then pass "FR-1.3: IceWM is installed" else fail "FR-1.3: IceWM is NOT installed" return 1 fi } # FR-2: Network Isolation verify_network_isolation() { log "FR-2: Verifying Network Isolation" # Check SSH is disabled if systemctl is-enabled ssh >/dev/null 2>&1; then fail "FR-2.1: SSH service is ENABLED (should be disabled)" else pass "FR-2.1: SSH service is disabled" fi if systemctl is-enabled sshd >/dev/null 2>&1; then fail "FR-2.2: SSHD service is ENABLED (should be disabled)" else pass "FR-2.2: SSHD service is disabled" fi # Check firewall exists if [ -f /etc/iptables/rules.v4 ] || [ -f /etc/nftables.conf ]; then pass "FR-2.3: Firewall configuration exists" else fail "FR-2.3: Firewall configuration missing" return 1 fi # Check WireGuard config exists (in overlay) if [ -f /etc/wireguard/wg0.conf ]; then pass "FR-2.4: WireGuard configuration exists" else warn "FR-2.4: WireGuard configuration not found (user must configure)" fi } # FR-3: Minimal User Interface verify_minimal_ui() { log "FR-3: Verifying Minimal User Interface" # Check IceWM is default window manager if [ -f /etc/X11/default-display-manager ]; then pass "FR-3.1: Display manager configured" else pass "FR-3.1: Using default X session" fi # Check Remmina is in autostart if [ -f /home/user/.config/autostart/remmina.desktop ] || \ grep -q "remmina" /home/user/.xinitrc 2>/dev/null || \ grep -q "remmina" /home/user/.bash_profile 2>/dev/null; then pass "FR-3.2: Remmina configured to auto-start" else warn "FR-3.3: Remmina auto-start may not be configured" fi } # FR-5: Zero Remote Administration verify_no_remote_admin() { log "FR-5: Verifying Zero Remote Administration" # Check SSH is masked if systemctl is-enabled ssh >/dev/null 2>&1 || \ systemctl is-enabled sshd >/dev/null 2>&1; then fail "FR-5.1: SSH or SSHD is enabled (should be disabled)" else pass "FR-5.1: SSH and SSHD are disabled" fi # Check telnet is not installed if ! dpkg -l | grep -q telnet; then pass "FR-5.2: Telnet is NOT installed" else fail "FR-5.2: Telnet IS installed (security issue)" return 1 fi } # FR-6: System Hardening verify_system_hardening() { log "FR-6: Verifying System Hardening" # Check AppArmor is installed if dpkg -l | grep -q apparmor; then pass "FR-6.1: AppArmor is installed" else fail "FR-6.1: AppArmor is NOT installed" return 1 fi # Check auditd is installed if dpkg -l | grep -q auditd; then pass "FR-6.2: Auditd is installed" else fail "FR-6.2: Auditd is NOT installed" return 1 fi # Check AIDE is installed if dpkg -l | grep -q aide; then pass "FR-6.3: AIDE is installed" else fail "FR-6.3: AIDE is NOT installed" return 1 fi # Check Secure Boot files exist if [ -f /usr/lib/ISOLINUX/isohdpfx.bin ] || \ [ -f /usr/share/grub/x86_64-efi-signed/grubx64.efi ]; then pass "FR-6.4: Secure Boot components present" else warn "FR-6.4: Secure Boot verification skipped" fi } # FR-7: Integrity Verification verify_integrity() { log "FR-7: Verifying Integrity Verification" # Check AIDE database exists if [ -f /var/lib/aide/aide.db ] || [ -f /var/lib/aide/aide.db.new ]; then pass "FR-7.1: AIDE database exists" else warn "FR-7.1: AIDE database not found (may need initialization)" fi # Check AIDE config exists if [ -f /etc/aide.conf ]; then pass "FR-7.2: AIDE configuration exists" else fail "FR-7.2: AIDE configuration missing" return 1 fi } # FR-8: Firewall Configuration verify_firewall() { log "FR-8: Verifying Firewall Configuration" # Check nftables or iptables is installed if dpkg -l | grep -q nftables || dpkg -l | grep -q iptables; then pass "FR-8.1: Firewall tools are installed" else fail "FR-8.1: Firewall tools NOT installed" return 1 fi # Check firewall service is enabled if systemctl is-enabled nftables >/dev/null 2>&1 || \ systemctl is-enabled iptables-persistent >/dev/null 2>&1; then pass "FR-8.2: Firewall service is enabled" else warn "FR-8.2: Firewall service may not be enabled" fi } # FR-9: Boot Configuration verify_boot_config() { log "FR-9: Verifying Boot Configuration" # Check GRUB is installed if dpkg -l | grep -q grub-pc || dpkg -l | grep -q grub-efi-amd64; then pass "FR-9.1: GRUB bootloader is installed" else fail "FR-9.1: GRUB bootloader NOT installed" return 1 fi # Check kernel is installed if dpkg -l | grep -q linux-image; then pass "FR-9.2: Linux kernel is installed" else fail "FR-9.2: Linux kernel NOT installed" return 1 fi } # FR-10: Storage Configuration verify_storage_config() { log "FR-10: Verifying Storage Configuration" # Check LVM is installed if dpkg -l | grep -q lvm2; then pass "FR-10.1: LVM is installed" else fail "FR-10.1: LVM is NOT installed" return 1 fi # Check root filesystem exists if mount | grep -q " on / "; then pass "FR-10.2: Root filesystem is mounted" else fail "FR-10.2: Root filesystem not mounted (CRITICAL)" return 1 fi } # FR-11: System Updates verify_system_updates() { log "FR-11: Verifying System Updates" # Check APT is configured if [ -f /etc/apt/sources.list ]; then pass "FR-11.1: APT is configured" else fail "FR-11.1: APT configuration missing" return 1 fi # Check development tools are NOT installed if dpkg -l | grep -q build-essential || dpkg -l | grep -q gcc; then fail "FR-11.2: Development tools ARE installed (should not be)" return 1 else pass "FR-11.2: Development tools are NOT installed" fi } # FR-12: Logging and Monitoring verify_logging() { log "FR-12: Verifying Logging and Monitoring" # Check rsyslog is installed if dpkg -l | grep -q rsyslog; then pass "FR-12.1: Rsyslog is installed" else fail "FR-12.1: Rsyslog NOT installed" return 1 fi # Check logrotate is installed if dpkg -l | grep -q logrotate; then pass "FR-12.2: Logrotate is installed" else fail "FR-12.2: Logrotate NOT installed" return 1 fi # Check audit log exists if [ -f /var/log/audit/audit.log ] || [ -d /var/log/audit ]; then pass "FR-12.3: Audit logging is configured" else warn "FR-12.3: Audit log directory may not exist" fi } # ============================================================================ # Main Execution # ============================================================================ main() { echo "================================================" echo "Football First-Boot Verification" echo "================================================" echo "" log "Starting first-boot verification" # Check if this is first boot if ! check_first_boot; then exit 0 fi # Track results TOTAL=0 PASSED=0 FAILED=0 WARNED=0 # Run all verifications verify_remote_access || true verify_network_isolation || true verify_minimal_ui || true verify_no_remote_admin || true verify_system_hardening || true verify_integrity || true verify_firewall || true verify_boot_config || true verify_storage_config || true verify_system_updates || true verify_logging || true # Calculate results TOTAL=$((PASSED + FAILED + WARNED)) PERCENTAGE=$((PASSED * 100 / TOTAL)) # Summary echo "" echo "================================================" echo "Verification Summary" echo "================================================" echo "" echo "Total Checks: $TOTAL" echo -e "${GREEN}Passed: $PASSED${NC}" echo -e "${RED}Failed: $FAILED${NC}" echo -e "${YELLOW}Warnings: $WARNED${NC}" echo "" echo "Compliance: $PERCENTAGE%" echo "" # Overall status if [ $FAILED -eq 0 ] && [ $PERCENTAGE -ge 95 ]; then echo -e "${GREEN}✓ SYSTEM MEETS ALL FUNCTIONAL REQUIREMENTS${NC}" echo "" echo "The Football Secure Access System is properly configured." echo "All functional requirements have been verified." mark_completed exit 0 elif [ $FAILED -eq 0 ]; then echo -e "${YELLOW}⚠ SYSTEM MOSTLY COMPLIANT${NC}" echo "" echo "The system meets most functional requirements." echo "Review warnings before production use." mark_completed exit 0 else echo -e "${RED}✗ SYSTEM HAS CRITICAL ISSUES${NC}" echo "" echo "The system has failed functional requirements." echo "Review failed checks and reconfigure before production use." exit 1 fi } # Run main function main