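#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# Verify the integrity of the freshly installed target system.
# Every probe runs read-only inside the target chroot; its output is
# appended to the log file and a failed probe is recorded as a warning.
# Nothing in this function aborts the installation on its own.
# Globals:   TARGET   (read) - root directory of the installed system
#            LOG_FILE (read) - file that receives the probes' output
# Arguments: none
# Outputs:   probe output appended to LOG_FILE; messages via do_log
# Returns:   the status of guard_dir (0 when it succeeds)
#######################################
verify_system() {
  ### Declare Arrays, HashMaps, and Variables.
  do_log "info" "file_only" "4100() Starting system integrity verification..."

  ###########################################
  ## Systemd & Identity Checks
  ###########################################
  do_log "info" "file_only" "4100() Checking systemd installation and machine-id."
  chroot_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() systemd or systemctl not properly installed."
  # An empty machine-id makes systemd regenerate it on first boot; flag it here.
  chroot_script "${TARGET}" '[ -s /etc/machine-id ]' || \
    do_log "warning" "file_only" "4100() Missing or empty /etc/machine-id."

  ###########################################
  ## crypttab & fstab Validation
  ###########################################
  do_log "info" "file_only" "4100() Validating fstab and crypttab."
  # NOTE(review): systemd-analyze verify is documented for unit files; confirm
  # that passing fstab/crypttab here yields a meaningful result on the target.
  chroot_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() systemd-analyze verification failed. See ${LOG_FILE}."
  chroot_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() findmnt reports potential inconsistencies."

  ###########################################
  ## Essential Services
  ###########################################
  do_log "info" "file_only" "4100() Validating essential services."
  # The unit list is informational, but a failure to produce it means the
  # service state could not be captured at all, so record that too.
  chroot_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() Unable to list unit files. See ${LOG_FILE}."

  ###########################################
  ## Init & Bootloader
  ###########################################
  do_log "info" "file_only" "4100() Checking init and GRUB presence."
  chroot_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() /sbin/init is missing or invalid."
  # Either a BIOS grub.cfg or the Debian EFI loader is accepted.
  chroot_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
    do_log "warning" "file_only" "4100() GRUB config or EFI binary not found."

  ###########################################
  ## /etc Configuration Checks
  ###########################################
  do_log "info" "file_only" "4100() Validating core /etc configurations."
  chroot_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() Missing 127.0.1.1 entry in /etc/hosts."
  chroot_script "${TARGET}" '[ -s /etc/hostname ]' || \
    do_log "warning" "file_only" "4100() /etc/hostname is missing or empty."

  ###########################################
  ## Permissions & Security
  ###########################################
  do_log "info" "file_only" "4100() Auditing /root permissions and login shell."
  # Record the mode and ownership for the log, then evaluate it: the group
  # and other permission bits of /root must be clear (e.g. 0700).  A missing
  # /root makes stat fail, which also lands in the warning branch.
  chroot_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
  chroot_script "${TARGET}" 'case "$(stat -c %a /root)" in *00) ;; *) false ;; esac' || \
    do_log "warning" "file_only" "4100() /root is accessible to group or others. See ${LOG_FILE}."
  chroot_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() No root entry found in /etc/passwd."
  # The recorded login shell has to exist and be executable inside the
  # target, otherwise root cannot log in for recovery after the install.
  chroot_script "${TARGET}" 'sh_path=$(getent passwd root | cut -d: -f7); [ -n "$sh_path" ] && [ -x "$sh_path" ]' || \
    do_log "warning" "file_only" "4100() root login shell is missing or not executable."

  ###########################################
  ## dpkg & apt status
  ###########################################
  do_log "info" "file_only" "4100() Verifying package integrity."
  # dpkg --audit exits non-zero when it finds partially installed or broken
  # packages (or cannot run at all); both deserve a warning instead of being
  # discarded with '|| true'.
  chroot_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() dpkg --audit reported problems. See ${LOG_FILE}."
  chroot_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
    do_log "warning" "file_only" "4100() apt-get check reported errors."

  do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."

  # guard_dir decides the final status; return 0 only when it succeeds.
  guard_dir && return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh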