msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
44a1f50bc9cc56cfc35db49c1af7e851986d3589da9400b59b10a1f0d01f513f
CISS.debian.installer/func/cdi_4700_verification/4670_verify_system.sh
Marc S. Weidner 577827dc7a V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-25 20:14:53 +01:00

91 lines
4.0 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
verify_system() {
### Declare Arrays, HashMaps, and Variables.
do_log "info" "file_only" "4100() Starting system integrity verification..."
###########################################
## Systemd & Identity Checks
###########################################
do_log "info" "file_only" "4100() Checking systemd installation and machine-id."
chroot_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() systemd or systemctl not properly installed."
chroot_script "${TARGET}" '[ -s /etc/machine-id ]' || \
do_log "warning" "file_only" "4100() Missing or empty /etc/machine-id."
###########################################
## crypttab & fstab Validation
###########################################
do_log "info" "file_only" "4100() Validating fstab and crypttab."
chroot_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() systemd-analyze verification failed. See ${LOG_FILE}."
chroot_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() findmnt reports potential inconsistencies."
###########################################
## Essential Services
###########################################
do_log "info" "file_only" "4100() Validating essential services."
chroot_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1
###########################################
## Init & Bootloader
###########################################
do_log "info" "file_only" "4100() Checking init and GRUB presence."
chroot_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() /sbin/init is missing or invalid."
chroot_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
do_log "warning" "file_only" "4100() GRUB config or EFI binary not found."
###########################################
## /etc Configuration Checks
###########################################
do_log "info" "file_only" "4100() Validating core /etc configurations."
chroot_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() Missing 127.0.1.1 entry in /etc/hosts."
chroot_script "${TARGET}" '[ -s /etc/hostname ]' || \
do_log "warning" "file_only" "4100() /etc/hostname is missing or empty."
###########################################
## Permissions & Security
###########################################
do_log "info" "file_only" "4100() Auditing /root permissions and login shell."
chroot_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
chroot_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1
###########################################
## dpkg & apt status
###########################################
do_log "info" "file_only" "4100() Verifying package integrity."
chroot_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || true
chroot_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() apt-get check reported errors."
do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."
guard_dir && return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink