KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1339705f9d8784464a0f4afb0d0c081123051b88
football/scripts/verify-system.sh
Charles N Wyble 1339705f9d progress snapshot
2026-01-21 08:33:09 -05:00

413 lines
11 KiB
Bash
Raw Blame History

#!/bin/bash
# Football System First-Boot Verification
# Verifies all functional requirements are met after installation
# Runs automatically on first boot
set -euo pipefail
LOG_FILE="/var/log/football-first-boot-verification.log"
STATUS_FILE="/var/lib/football/verification-status"
# Color codes for console output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'
# Logging function
log() {
echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE"
}
# Pass function
pass() {
echo -e "${GREEN}[PASS]${NC} $1" | tee -a "$LOG_FILE"
return 0
}
# Fail function
fail() {
echo -e "${RED}[FAIL]${NC} $1" | tee -a "$LOG_FILE"
return 1
}
# Warn function
warn() {
echo -e "${YELLOW}[WARN]${NC} $1" | tee -a "$LOG_FILE"
return 0
}
# Check if this is first boot
check_first_boot() {
if [ -f "$STATUS_FILE" ]; then
log "Verification already completed. Skipping."
echo -e "${YELLOW}Skipping first-boot verification (already completed)${NC}"
return 1
fi
return 0
}
# Create status file to prevent re-running
mark_completed() {
mkdir -p "$(dirname "$STATUS_FILE")"
echo "Completed: $(date '+%Y-%m-%d %H:%M:%S')" > "$STATUS_FILE"
log "Verification marked as completed"
}
# ============================================================================
# Verification Functions
# ============================================================================
# FR-1: Remote Access to Privileged Infrastructure
verify_remote_access() {
log "FR-1: Verifying Remote Access to Privileged Infrastructure"
# Check Remmina is installed
if dpkg -l | grep -q remmina; then
pass "FR-1.1: Remmina is installed"
else
fail "FR-1.1: Remmina is NOT installed"
return 1
fi
# Check WireGuard is installed
if dpkg -l | grep -q wireguard-tools; then
pass "FR-1.2: WireGuard tools are installed"
else
fail "FR-1.2: WireGuard tools are NOT installed"
return 1
fi
# Check IceWM is installed
if dpkg -l | grep -q icewm; then
pass "FR-1.3: IceWM is installed"
else
fail "FR-1.3: IceWM is NOT installed"
return 1
fi
}
# FR-2: Network Isolation
verify_network_isolation() {
log "FR-2: Verifying Network Isolation"
# Check SSH is disabled
if systemctl is-enabled ssh >/dev/null 2>&1; then
fail "FR-2.1: SSH service is ENABLED (should be disabled)"
else
pass "FR-2.1: SSH service is disabled"
fi
if systemctl is-enabled sshd >/dev/null 2>&1; then
fail "FR-2.2: SSHD service is ENABLED (should be disabled)"
else
pass "FR-2.2: SSHD service is disabled"
fi
# Check firewall exists
if [ -f /etc/iptables/rules.v4 ] || [ -f /etc/nftables.conf ]; then
pass "FR-2.3: Firewall configuration exists"
else
fail "FR-2.3: Firewall configuration missing"
return 1
fi
# Check WireGuard config exists (in overlay)
if [ -f /etc/wireguard/wg0.conf ]; then
pass "FR-2.4: WireGuard configuration exists"
else
warn "FR-2.4: WireGuard configuration not found (user must configure)"
fi
}
# FR-3: Minimal User Interface
verify_minimal_ui() {
log "FR-3: Verifying Minimal User Interface"
# Check IceWM is default window manager
if [ -f /etc/X11/default-display-manager ]; then
pass "FR-3.1: Display manager configured"
else
pass "FR-3.1: Using default X session"
fi
# Check Remmina is in autostart
if [ -f /home/user/.config/autostart/remmina.desktop ] || \
grep -q "remmina" /home/user/.xinitrc 2>/dev/null || \
grep -q "remmina" /home/user/.bash_profile 2>/dev/null; then
pass "FR-3.2: Remmina configured to auto-start"
else
warn "FR-3.3: Remmina auto-start may not be configured"
fi
}
# FR-5: Zero Remote Administration
verify_no_remote_admin() {
log "FR-5: Verifying Zero Remote Administration"
# Check SSH is masked
if systemctl is-enabled ssh >/dev/null 2>&1 || \
systemctl is-enabled sshd >/dev/null 2>&1; then
fail "FR-5.1: SSH or SSHD is enabled (should be disabled)"
else
pass "FR-5.1: SSH and SSHD are disabled"
fi
# Check telnet is not installed
if ! dpkg -l | grep -q telnet; then
pass "FR-5.2: Telnet is NOT installed"
else
fail "FR-5.2: Telnet IS installed (security issue)"
return 1
fi
}
# FR-6: System Hardening
verify_system_hardening() {
log "FR-6: Verifying System Hardening"
# Check AppArmor is installed
if dpkg -l | grep -q apparmor; then
pass "FR-6.1: AppArmor is installed"
else
fail "FR-6.1: AppArmor is NOT installed"
return 1
fi
# Check auditd is installed
if dpkg -l | grep -q auditd; then
pass "FR-6.2: Auditd is installed"
else
fail "FR-6.2: Auditd is NOT installed"
return 1
fi
# Check AIDE is installed
if dpkg -l | grep -q aide; then
pass "FR-6.3: AIDE is installed"
else
fail "FR-6.3: AIDE is NOT installed"
return 1
fi
# Check Secure Boot files exist
if [ -f /usr/lib/ISOLINUX/isohdpfx.bin ] || \
[ -f /usr/share/grub/x86_64-efi-signed/grubx64.efi ]; then
pass "FR-6.4: Secure Boot components present"
else
warn "FR-6.4: Secure Boot verification skipped"
fi
}
# FR-7: Integrity Verification
verify_integrity() {
log "FR-7: Verifying Integrity Verification"
# Check AIDE database exists
if [ -f /var/lib/aide/aide.db ] || [ -f /var/lib/aide/aide.db.new ]; then
pass "FR-7.1: AIDE database exists"
else
warn "FR-7.1: AIDE database not found (may need initialization)"
fi
# Check AIDE config exists
if [ -f /etc/aide.conf ]; then
pass "FR-7.2: AIDE configuration exists"
else
fail "FR-7.2: AIDE configuration missing"
return 1
fi
}
# FR-8: Firewall Configuration
verify_firewall() {
log "FR-8: Verifying Firewall Configuration"
# Check nftables or iptables is installed
if dpkg -l | grep -q nftables || dpkg -l | grep -q iptables; then
pass "FR-8.1: Firewall tools are installed"
else
fail "FR-8.1: Firewall tools NOT installed"
return 1
fi
# Check firewall service is enabled
if systemctl is-enabled nftables >/dev/null 2>&1 || \
systemctl is-enabled iptables-persistent >/dev/null 2>&1; then
pass "FR-8.2: Firewall service is enabled"
else
warn "FR-8.2: Firewall service may not be enabled"
fi
}
# FR-9: Boot Configuration
verify_boot_config() {
log "FR-9: Verifying Boot Configuration"
# Check GRUB is installed
if dpkg -l | grep -q grub-pc || dpkg -l | grep -q grub-efi-amd64; then
pass "FR-9.1: GRUB bootloader is installed"
else
fail "FR-9.1: GRUB bootloader NOT installed"
return 1
fi
# Check kernel is installed
if dpkg -l | grep -q linux-image; then
pass "FR-9.2: Linux kernel is installed"
else
fail "FR-9.2: Linux kernel NOT installed"
return 1
fi
}
# FR-10: Storage Configuration
verify_storage_config() {
log "FR-10: Verifying Storage Configuration"
# Check LVM is installed
if dpkg -l | grep -q lvm2; then
pass "FR-10.1: LVM is installed"
else
fail "FR-10.1: LVM is NOT installed"
return 1
fi
# Check root filesystem exists
if mount | grep -q " on / "; then
pass "FR-10.2: Root filesystem is mounted"
else
fail "FR-10.2: Root filesystem not mounted (CRITICAL)"
return 1
fi
}
# FR-11: System Updates
verify_system_updates() {
log "FR-11: Verifying System Updates"
# Check APT is configured
if [ -f /etc/apt/sources.list ]; then
pass "FR-11.1: APT is configured"
else
fail "FR-11.1: APT configuration missing"
return 1
fi
# Check development tools are NOT installed
if dpkg -l | grep -q build-essential || dpkg -l | grep -q gcc; then
fail "FR-11.2: Development tools ARE installed (should not be)"
return 1
else
pass "FR-11.2: Development tools are NOT installed"
fi
}
# FR-12: Logging and Monitoring
verify_logging() {
log "FR-12: Verifying Logging and Monitoring"
# Check rsyslog is installed
if dpkg -l | grep -q rsyslog; then
pass "FR-12.1: Rsyslog is installed"
else
fail "FR-12.1: Rsyslog NOT installed"
return 1
fi
# Check logrotate is installed
if dpkg -l | grep -q logrotate; then
pass "FR-12.2: Logrotate is installed"
else
fail "FR-12.2: Logrotate NOT installed"
return 1
fi
# Check audit log exists
if [ -f /var/log/audit/audit.log ] || [ -d /var/log/audit ]; then
pass "FR-12.3: Audit logging is configured"
else
warn "FR-12.3: Audit log directory may not exist"
fi
}
# ============================================================================
# Main Execution
# ============================================================================
main() {
echo "================================================"
echo "Football First-Boot Verification"
echo "================================================"
echo ""
log "Starting first-boot verification"
# Check if this is first boot
if ! check_first_boot; then
exit 0
fi
# Track results
TOTAL=0
PASSED=0
FAILED=0
WARNED=0
# Run all verifications
verify_remote_access || true
verify_network_isolation || true
verify_minimal_ui || true
verify_no_remote_admin || true
verify_system_hardening || true
verify_integrity || true
verify_firewall || true
verify_boot_config || true
verify_storage_config || true
verify_system_updates || true
verify_logging || true
# Calculate results
TOTAL=$((PASSED + FAILED + WARNED))
PERCENTAGE=$((PASSED * 100 / TOTAL))
# Summary
echo ""
echo "================================================"
echo "Verification Summary"
echo "================================================"
echo ""
echo "Total Checks: $TOTAL"
echo -e "${GREEN}Passed: $PASSED${NC}"
echo -e "${RED}Failed: $FAILED${NC}"
echo -e "${YELLOW}Warnings: $WARNED${NC}"
echo ""
echo "Compliance: $PERCENTAGE%"
echo ""
# Overall status
if [ $FAILED -eq 0 ] && [ $PERCENTAGE -ge 95 ]; then
echo -e "${GREEN}✓ SYSTEM MEETS ALL FUNCTIONAL REQUIREMENTS${NC}"
echo ""
echo "The Football Secure Access System is properly configured."
echo "All functional requirements have been verified."
mark_completed
exit 0
elif [ $FAILED -eq 0 ]; then
echo -e "${YELLOW}⚠ SYSTEM MOSTLY COMPLIANT${NC}"
echo ""
echo "The system meets most functional requirements."
echo "Review warnings before production use."
mark_completed
exit 0
else
echo -e "${RED}✗ SYSTEM HAS CRITICAL ISSUES${NC}"
echo ""
echo "The system has failed functional requirements."
echo "Review failed checks and reconfigure before production use."
exit 1
fi
}
# Run main function
main
Reference in New Issue View Git Blame Copy Permalink