V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4700_verification/4670_verify_system.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+verify_system() {
+  ### Declare Arrays, HashMaps, and Variables.
+do_log "info" "file_only" "4100() Starting system integrity verification..."
+
+  ###########################################
+  ## Systemd & Identity Checks
+  ###########################################
+  do_log "info" "file_only" "4100() Checking systemd installation and machine-id."
+
+  chroot_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() systemd or systemctl not properly installed."
+
+  chroot_script "${TARGET}" '[ -s /etc/machine-id ]' || \
+    do_log "warning" "file_only" "4100() Missing or empty /etc/machine-id."
+
+  ###########################################
+  ## crypttab & fstab Validation
+  ###########################################
+  do_log "info" "file_only" "4100() Validating fstab and crypttab."
+
+  chroot_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() systemd-analyze verification failed. See ${LOG_FILE}."
+
+  chroot_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() findmnt reports potential inconsistencies."
+
+  ###########################################
+  ## Essential Services
+  ###########################################
+  do_log "info" "file_only" "4100() Validating essential services."
+  chroot_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1
+
+  ###########################################
+  ## Init & Bootloader
+  ###########################################
+  do_log "info" "file_only" "4100() Checking init and GRUB presence."
+
+  chroot_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() /sbin/init is missing or invalid."
+
+  chroot_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
+    do_log "warning" "file_only" "4100() GRUB config or EFI binary not found."
+
+  ###########################################
+  ## /etc Configuration Checks
+  ###########################################
+  do_log "info" "file_only" "4100() Validating core /etc configurations."
+
+  chroot_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() Missing 127.0.1.1 entry in /etc/hosts."
+
+  chroot_script "${TARGET}" '[ -s /etc/hostname ]' || \
+    do_log "warning" "file_only" "4100() /etc/hostname is missing or empty."
+
+  ###########################################
+  ## Permissions & Security
+  ###########################################
+  do_log "info" "file_only" "4100() Auditing /root permissions and login shell."
+
+  chroot_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
+  chroot_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1
+
+  ###########################################
+  ## dpkg & apt status
+  ###########################################
+  do_log "info" "file_only" "4100() Verifying package integrity."
+
+  chroot_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || true
+  chroot_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
+    do_log "warning" "file_only" "4100() apt-get check reported errors."
+
+  do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."
+  guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh