Validation Scripts

Overview

This page documents validation scripts for Home Enterprise Linux workstations with automated security and compliance checking.

Available Scripts:

  • Pre-Flight Connectivity Check - Run BEFORE domain join or 802.1X configuration

  • ISE Session Monitoring - Check active ISE sessions and authentication status

  • Zero-Trust Validation - Verify dACL enforcement and network isolation

  • Compliance Checking - Validate workstation security configuration

Pre-Flight Connectivity Check

Run this script before domain join or 802.1X configuration to verify network prerequisites.

Quick Usage

chmod +x preflight-check.sh
sudo ./preflight-check.sh

Pre-Flight Script

#!/bin/bash
# Pre-Flight Connectivity Check for Linux 802.1X Deployment
# Run BEFORE domain join or EAP-TLS configuration

set -eu

# Infrastructure endpoints (values from antora.yml attributes)
DC_HOST="home-dc01.inside.domusdigitalis.dev"
DC_IP="10.50.1.50"
ISE_HOST="ise-01.inside.domusdigitalis.dev"
ISE_IP="10.50.1.20"
DNS_PRIMARY="10.50.1.90"
DNS_SECONDARY="10.50.1.91"

PASS=0
FAIL=0

# Every check command is a fixed string written in this script, so nothing
# user-supplied reaches eval. The command runs as the if-condition, so a
# failing check does not trip set -e.
check() {
    local name="$1"
    local cmd="$2"
    if eval "$cmd" >/dev/null 2>&1; then
        echo "[✓] $name"
        # Not ((PASS++)): that expression evaluates to 0 on the first pass,
        # returns exit status 1, and would abort the script under set -e.
        PASS=$((PASS+1))
    else
        echo "[✗] $name"
        FAIL=$((FAIL+1))
    fi
}

echo "=== Pre-Flight Connectivity Check ==="
echo "Hostname: $(hostname)"
echo "Date: $(date)"
echo ""

echo "--- Required Tools ---"
# On Arch: host is in the bind package, nc in openbsd-netcat or gnu-netcat
for tool in ping host nc timedatectl pacman; do
    check "$tool available" "command -v $tool"
done

echo ""
echo "--- DNS Resolution ---"
check "Primary DNS server reachable" "ping -c 1 -W 2 $DNS_PRIMARY"
check "Secondary DNS server reachable" "ping -c 1 -W 2 $DNS_SECONDARY"
check "DC hostname resolves" "host $DC_HOST"
check "ISE hostname resolves" "host $ISE_HOST"

echo ""
echo "--- Domain Controller Ports (TCP) ---"
check "DC Kerberos (88/tcp)" "nc -z -w 2 $DC_IP 88"
check "DC LDAP (389/tcp)" "nc -z -w 2 $DC_IP 389"
check "DC kpasswd (464/tcp)" "nc -z -w 2 $DC_IP 464"
check "DC LDAPS (636/tcp)" "nc -z -w 2 $DC_IP 636"

echo ""
echo "--- Domain Controller Ports (UDP) ---"
# UDP has no handshake: nc -zu only reports failure if an ICMP port-unreachable
# comes back. A firewall that silently drops UDP still shows these as passing,
# so a UDP pass means "not proven blocked"; the TCP checks above are the
# reliable ones.
check "DC Kerberos (88/udp)" "nc -zu -w 2 $DC_IP 88"
check "DC kpasswd (464/udp)" "nc -zu -w 2 $DC_IP 464"

echo ""
echo "--- ISE Connectivity ---"
check "ISE HTTPS (443/tcp)" "nc -z -w 2 $ISE_IP 443"
check "ISE Admin (8443/tcp)" "nc -z -w 2 $ISE_IP 8443"

echo ""
echo "--- NTP ---"
# Kerberos rejects requests outside the allowed clock skew (5 minutes by default)
check "NTP sync" "timedatectl show | grep -q 'NTPSynchronized=yes'"

echo ""
echo "--- Package Prerequisites ---"
check "krb5 installed" "pacman -Q krb5"
check "sssd installed" "pacman -Q sssd"
check "samba installed" "pacman -Q samba"

echo ""
echo "=== Summary ==="
echo "Passed: $PASS"
echo "Failed: $FAIL"

if [ "$FAIL" -eq 0 ]; then
    echo ""
    echo "✓ Pre-flight checks passed. Ready for domain join."
    exit 0
else
    echo ""
    echo "✗ Pre-flight checks failed. Fix issues before proceeding."
    exit 1
fi

Field-validated: Port 464 (kpasswd) was blocked by firewall, causing domain join to fail silently. Always run pre-flight before attempting domain join.

Critical ports:

  • TCP/UDP 88 - Kerberos authentication (the script probes both; krb5 sends small requests over UDP and falls back to TCP)

  • TCP/UDP 464 - Kerberos password change (domain join REQUIRES this)

  • TCP 389 - LDAP

  • TCP 636 - LDAPS


All scripts are available for download and can be embedded in your documentation.

ISE Session Monitoring

Monitor ISE sessions, authentication status, and endpoint registration.

Quick Usage

# Download and run
chmod +x ise-session-check.sh
./ise-session-check.sh b4:e9:b8:f6:c8:17

Configuration Variables

The script uses these environment variables:

# Environment variables (override with environment)
ISE_PAN_IP="${ISE_PAN_IP:-10.50.1.21}"
ISE_API_USER="${ISE_API_USER:-domus_ers_admin}"
ISE_API_PASS="${ISE_API_PASS:-}"  # Load from dsec or environment
MAC_ADDRESS="${1:-}"

# Colors for output
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

Session Query (Partial Include Example)

Check if device has active ISE session:

# Check active session
echo -e "${YELLOW}→ Checking active session...${NC}"
if netapi ise mnt session "$MAC_ADDRESS" 2>/dev/null; then
    echo -e "${GREEN}✓ Session found${NC}"
else
    echo -e "${RED}✗ No active session${NC}"
fi
echo ""

Authentication Status Check

Verify authentication succeeded:

# Check authentication status
echo -e "${YELLOW}→ Checking authentication status...${NC}"
if netapi ise mnt auth-status "$MAC_ADDRESS" 2>/dev/null; then
    echo -e "${GREEN}✓ Authentication successful${NC}"
else
    echo -e "${RED}✗ Authentication failed or not found${NC}"
fi
echo ""

Endpoint Registration Check

Confirm endpoint is registered in ISE:

# Get endpoint details
echo -e "${YELLOW}→ Checking endpoint registration...${NC}"
if netapi ise get-endpoint "$MAC_ADDRESS" 2>/dev/null; then
    echo -e "${GREEN}✓ Endpoint registered${NC}"
else
    echo -e "${RED}✗ Endpoint not registered${NC}"
fi
echo ""

Full Script

Complete script with all checks:

#!/bin/bash
# =============================================================================
# ISE Session Monitoring Script - Home Lab
# =============================================================================
# Purpose: Check active ISE sessions and authentication status
# Usage: ./ise-session-check.sh [MAC_ADDRESS]
# Requires: netapi CLI tool (pip install netapi)

set -euo pipefail

# tag::vars[]
# Environment variables (override with environment)
ISE_PAN_IP="${ISE_PAN_IP:-10.50.1.21}"
ISE_API_USER="${ISE_API_USER:-domus_ers_admin}"
ISE_API_PASS="${ISE_API_PASS:-}"  # Load from dsec or environment
MAC_ADDRESS="${1:-}"

# Colors for output
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# end::vars[]

# tag::validation[]
# Validate inputs. The MAC is handed straight to an external CLI, so accept
# only the colon-separated form and reject anything else.
if [ -z "$MAC_ADDRESS" ]; then
    echo "Usage: $0 <MAC_ADDRESS>"
    echo "Example: $0 b4:e9:b8:f6:c8:17"
    exit 1
fi

if [[ ! "$MAC_ADDRESS" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]]; then
    echo -e "${RED}Error: MAC must be six colon-separated hex pairs, e.g. b4:e9:b8:f6:c8:17${NC}"
    exit 1
fi

if [ -z "$ISE_API_PASS" ]; then
    echo -e "${RED}Error: ISE_API_PASS not set${NC}"
    echo "Load credentials: dsource d000 dev/network"
    exit 1
fi
# end::validation[]

# tag::banner[]
echo "========================================"
echo "ISE Session Monitor - Home Lab"
echo "========================================"
echo "ISE PAN: $ISE_PAN_IP"
echo "Device: $MAC_ADDRESS"
echo "========================================"
echo ""
# end::banner[]

# tag::session-query[]
# Check active session
echo -e "${YELLOW}→ Checking active session...${NC}"
if netapi ise mnt session "$MAC_ADDRESS" 2>/dev/null; then
    echo -e "${GREEN}✓ Session found${NC}"
else
    echo -e "${RED}✗ No active session${NC}"
fi
echo ""
# end::session-query[]

# tag::auth-status[]
# Check authentication status
echo -e "${YELLOW}→ Checking authentication status...${NC}"
if netapi ise mnt auth-status "$MAC_ADDRESS" 2>/dev/null; then
    echo -e "${GREEN}✓ Authentication successful${NC}"
else
    echo -e "${RED}✗ Authentication failed or not found${NC}"
fi
echo ""
# end::auth-status[]

# tag::endpoint-info[]
# Get endpoint details
echo -e "${YELLOW}→ Checking endpoint registration...${NC}"
if netapi ise get-endpoint "$MAC_ADDRESS" 2>/dev/null; then
    echo -e "${GREEN}✓ Endpoint registered${NC}"
else
    echo -e "${RED}✗ Endpoint not registered${NC}"
fi
echo ""
# end::endpoint-info[]

# tag::recent-auth[]
# Check recent authentication history
echo -e "${YELLOW}→ Recent authentication attempts (last 10)...${NC}"
netapi ise dc auth-history "$MAC_ADDRESS" --limit 10 2>/dev/null || \
    echo -e "${RED}✗ DataConnect not available${NC}"
echo ""
# end::recent-auth[]

echo "========================================"
echo "Monitoring complete"
echo "========================================"
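The script above delegates every query to the netapi CLI. The following is an added example, not part of the page's script or of netapi: it does the same three lookups with curl against ISE's own REST interfaces, and first normalises the MAC into the upper-case colon form ISE expects, so a typo (or an injection attempt) never reaches a URL. The API paths are the ones documented for ISE's MnT and ERS APIs and the ISE_CA_BUNDLE path is an assumption; both should be confirmed against your ISE release. In a standalone lab the PAN also runs MnT; the API user needs the ERS and MnT admin roles.

```bash
#!/bin/bash
# Added example, not the page's netapi-based script: normalise the MAC address
# and query ISE's MnT and ERS REST APIs directly with curl.
# Assumptions, to verify against the API reference for your ISE release:
#   MnT session:     https://<mnt>/admin/API/mnt/Session/MACAddress/<MAC>
#   MnT auth status: https://<mnt>/admin/API/mnt/AuthStatus/MACAddress/<MAC>/<seconds>/<records>/All
#   ERS endpoint:    https://<pan>:9060/ers/config/endpoint?filter=mac.EQ.<MAC>
#   ISE_CA_BUNDLE:   the CA that issued the ISE admin certificate (assumed path)
set -eu

ISE_PAN_IP="${ISE_PAN_IP:-10.50.1.21}"
ISE_API_USER="${ISE_API_USER:-domus_ers_admin}"
ISE_API_PASS="${ISE_API_PASS:-}"
ISE_CA_BUNDLE="${ISE_CA_BUNDLE:-/etc/ssl/certs/HOME-ROOT-CA.pem}"

# Accept b4:e9:b8:f6:c8:17, b4-e9-b8-f6-c8-17, b4e9.b8f6.c817 (Cisco) or
# b4e9b8f6c817 and print the upper-case colon form. Returns 1 for anything
# that is not exactly twelve hex digits.
normalize_mac() {
    local hex
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'abcdef' 'ABCDEF')
    case "$hex" in
        ????????????) ;;
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9A-F]*) return 1 ;;
    esac
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# URL builders are separate functions so they can be checked without network access
mnt_session_url()    { printf 'https://%s/admin/API/mnt/Session/MACAddress/%s\n' "$1" "$2"; }
mnt_authstatus_url() { printf 'https://%s/admin/API/mnt/AuthStatus/MACAddress/%s/%s/%s/All\n' "$1" "$2" "${3:-86400}" "${4:-10}"; }
ers_endpoint_url()   { printf 'https://%s:9060/ers/config/endpoint?filter=mac.EQ.%s\n' "$1" "$2"; }

# Authenticated GET. The credential reaches curl through a config file read
# from stdin (-K -), so it never appears on the command line where ps shows it.
ise_get() {
    local url="$1" accept="${2:-application/json}"
    curl -fsS --cacert "$ISE_CA_BUNDLE" -H "Accept: $accept" -K - "$url" <<EOF
user = "${ISE_API_USER}:${ISE_API_PASS}"
EOF
}

main() {
    local mac
    [ -n "$ISE_API_PASS" ] || { echo "ISE_API_PASS not set" >&2; return 1; }
    mac=$(normalize_mac "$1") || { echo "Invalid MAC address: $1" >&2; return 1; }
    echo "→ MnT active session for $mac"
    ise_get "$(mnt_session_url "$ISE_PAN_IP" "$mac")" application/xml || echo "✗ no active session"
    echo "→ MnT authentication status (last 24h, up to 10 records)"
    ise_get "$(mnt_authstatus_url "$ISE_PAN_IP" "$mac")" application/xml || echo "✗ no authentication records"
    echo "→ ERS endpoint record"
    ise_get "$(ers_endpoint_url "$ISE_PAN_IP" "$mac")" || echo "✗ endpoint not registered"
}

# Usage: ISE_API_PASS=... ./ise-rest-check.sh b4:e9:b8:f6:c8:17
# With no argument only the functions are defined (handy for sourcing).
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

MnT answers in XML and ERS in JSON, hence the two Accept headers; curl -f turns an HTTP 4xx (no session, unknown endpoint) into the "✗" branch instead of printing an error body.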

Zero-Trust Network Validation

Validates that ISE dACL properly enforces zero-trust isolation.

Quick Usage

Download: test-zero-trust.sh

# Run as root
sudo ./test-zero-trust.sh

Expected Results:

[1] DNS Query (essential): ✓ PASS
[2] ISE Posture (port 8443): ✓ PASS
[3] AD LDAP (port 389): ✓ PASS
[4] NAS Access: ✓ PASS
[5] Random Internal IP (zero-trust): ✓ PASS - Internal blocked
[6] Internet HTTPS: ✓ PASS
[7] SSH to Internet (security block): ✓ PASS - SSH blocked

Infrastructure Variables

Home Enterprise infrastructure being tested:

# Home Lab Infrastructure
ISE_PAN="10.50.1.21"
DNS_PRIMARY="10.50.1.1"
AD_DC="10.50.2.11"
NAS="10.50.100.10"

# Test targets
INTERNAL_TARGET="10.50.2.50"     # Random internal IP (should be BLOCKED)
INTERNET_TARGET="www.google.com" # Internet (should be ALLOWED)

# Colors
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'

Essential Services Tests

DNS, ISE, and AD must be reachable:

# Test 1: DNS (Should PASS - essential service)
echo -n "[1] DNS Query (essential): "
if dig @${DNS_PRIMARY} inside.domusdigitalis.dev +short > /dev/null 2>&1; then
    echo -e "${GREEN}✓ PASS${NC} - DNS working"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - DNS blocked (critical!)"
    FAIL=$((FAIL+1))
fi
# Test 2: ISE Posture (Should PASS - essential service)
echo -n "[2] ISE Posture (port 8443): "
if timeout 2 bash -c "echo > /dev/tcp/${ISE_PAN}/8443" 2>/dev/null; then
    echo -e "${GREEN}✓ PASS${NC} - ISE reachable"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - ISE blocked (critical!)"
    FAIL=$((FAIL+1))
fi
# Test 3: AD LDAP (Should PASS - essential service)
echo -n "[3] AD LDAP (port 389): "
if timeout 2 bash -c "echo > /dev/tcp/${AD_DC}/389" 2>/dev/null; then
    echo -e "${GREEN}✓ PASS${NC} - AD reachable"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - AD blocked (critical!)"
    FAIL=$((FAIL+1))
fi

Zero-Trust Isolation Tests

Lateral movement should be BLOCKED. This test sends ICMP only, so a dACL that drops ping but still permits TCP or UDP to the same host would pass it; a TCP connect to a few ports on INTERNAL_TARGET is the stronger check, and if that connect is refused rather than timing out, the packet reached the host, which means the dACL did not block it:

# Test 5: Random Internal IP (Should FAIL - zero-trust blocks lateral movement)
echo -n "[5] Random Internal IP (zero-trust): "
if ping -c 1 -W 2 ${INTERNAL_TARGET} > /dev/null 2>&1; then
    echo -e "${RED}✗ FAIL${NC} - Internal access allowed (SECURITY ISSUE!)"
    FAIL=$((FAIL+1))
else
    echo -e "${GREEN}✓ PASS${NC} - Internal blocked (zero-trust working)"
    PASS=$((PASS+1))
fi

Internet HTTPS should be ALLOWED:

# Test 6: HTTPS to Internet (Should PASS - allowed)
echo -n "[6] Internet HTTPS: "
if curl -s --connect-timeout 5 https://${INTERNET_TARGET} > /dev/null 2>&1; then
    echo -e "${GREEN}✓ PASS${NC} - Internet allowed"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - Internet blocked"
    FAIL=$((FAIL+1))
fi

SSH to internet should be BLOCKED for security:

# Test 7: SSH to Internet (Should FAIL - blocked for security)
echo -n "[7] SSH to Internet (security block): "
if timeout 2 bash -c "echo > /dev/tcp/github.com/22" 2>/dev/null; then
    echo -e "${RED}✗ FAIL${NC} - SSH allowed (SECURITY ISSUE!)"
    FAIL=$((FAIL+1))
else
    echo -e "${GREEN}✓ PASS${NC} - SSH blocked (secure)"
    PASS=$((PASS+1))
fi
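Both the pre-flight port checks and the isolation tests above answer only "did the connection succeed". An added example follows (not one of the page's scripts) that also tells apart a refused connection from a silently dropped one: an RST means the SYN reached the target and only the service was closed, while a timeout is what a dACL or firewall drop looks like. That distinction is what turns "port 464 blocked, join fails silently" into a diagnosis, and it is what makes a zero-trust test meaningful: for a host that must be isolated, "closed" is a failure, because the packet got through. The addresses are the page's lab values; the set of probed ports is my choice.

```bash
#!/bin/bash
# Added example, not one of the page's scripts: a TCP probe that tells apart
# open, closed (RST came back, the SYN reached the host) and filtered (nothing
# came back inside the timeout, the signature of a dACL/firewall drop), plus
# the verdict rules for the pre-flight case (DC ports must be open) and the
# zero-trust case (internal hosts must be filtered). Lab addresses are the
# page's; the probed ports are my choice.
set -eu

# probe_tcp HOST PORT [TIMEOUT] -> prints open|closed|filtered
probe_tcp() {
    local host="$1" port="$2" secs="${3:-2}" rc=0
    # bash opens /dev/tcp itself: a refused connection fails at once (exit 1),
    # a dropped SYN hangs until timeout kills the probe (exit 124). A local
    # "no route to host" also exits 1 immediately, so verify routing first.
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
    case "$rc" in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# verdict EXPECTATION STATE -> PASS|FAIL; EXPECTATION is reachable|blocked.
# For a "blocked" target, closed is still a FAIL: the RST proves the packet
# reached the host, so the dACL did not isolate it; only filtered counts.
verdict() {
    case "$1:$2" in
        reachable:open)   echo PASS ;;
        blocked:filtered) echo PASS ;;
        *)                echo FAIL ;;
    esac
}

# run_check LABEL EXPECTATION HOST PORT -> prints one line, returns 0 on PASS
run_check() {
    local state result
    state=$(probe_tcp "$3" "$4")
    result=$(verdict "$2" "$state")
    printf '[%s] %-8s %s:%s is %s (expected %s)\n' "$result" "$1" "$3" "$4" "$state" "$2"
    [ "$result" = PASS ]
}

main() {
    local fail=0 port
    echo "--- Pre-flight: domain controller must answer ---"
    for port in 88 389 464 636; do
        run_check DC reachable 10.50.1.50 "$port" || fail=$((fail+1))
    done
    echo "--- Zero-trust: random internal host must be dropped ---"
    # The ping test only proves ICMP is dropped; try the ports an attacker
    # moving laterally would reach for first.
    for port in 22 445 3389; do
        run_check Lateral blocked 10.50.2.50 "$port" || fail=$((fail+1))
    done
    echo "Failures: $fail"
    [ "$fail" -eq 0 ]
}

# Usage: sudo ./probe-check.sh run   (without "run" only the functions are defined)
if [ "$#" -gt 0 ] && [ "$1" = run ]; then
    main
fi
```

Read the output with the dACL in mind: a "closed" verdict on 10.50.2.50 means the switch forwarded the packet and the target host answered, so the permit list is wider than intended even though the ping test would have reported PASS.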

Advanced: First 30 Lines Only

Show only script header and setup (using line numbers):

include::example$test-zero-trust.sh[lines=1..30]  (1)

(1) Include only lines 1-30

Full Zero-Trust Script

Complete validation script:

#!/bin/bash
# =============================================================================
# Zero-Trust Network Validation - Home Lab
# =============================================================================
# Purpose: Validate that ISE dACL properly enforces zero-trust isolation
# Usage: sudo ./test-zero-trust.sh
# Expected: Internal RFC1918 blocked, essential services + internet allowed

set -euo pipefail

# tag::vars[]
# Home Lab Infrastructure
ISE_PAN="10.50.1.21"
DNS_PRIMARY="10.50.1.1"
AD_DC="10.50.2.11"
NAS="10.50.100.10"

# Test targets
INTERNAL_TARGET="10.50.2.50"     # Random internal IP (should be BLOCKED)
INTERNET_TARGET="www.google.com" # Internet (should be ALLOWED)

# Colors
GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'
# end::vars[]

# tag::banner[]
echo "========================================"
echo "Zero-Trust Validation - Home Lab"
echo "========================================"
echo "Testing dACL enforcement..."
echo ""
# end::banner[]

PASS=0
FAIL=0

# tag::dns-test[]
# Test 1: DNS (Should PASS - essential service)
echo -n "[1] DNS Query (essential): "
if dig @${DNS_PRIMARY} inside.domusdigitalis.dev +short > /dev/null 2>&1; then
    echo -e "${GREEN}✓ PASS${NC} - DNS working"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - DNS blocked (critical!)"
    FAIL=$((FAIL+1))
fi
# end::dns-test[]

# tag::ise-test[]
# Test 2: ISE Posture (Should PASS - essential service)
echo -n "[2] ISE Posture (port 8443): "
if timeout 2 bash -c "echo > /dev/tcp/${ISE_PAN}/8443" 2>/dev/null; then
    echo -e "${GREEN}✓ PASS${NC} - ISE reachable"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - ISE blocked (critical!)"
    FAIL=$((FAIL+1))
fi
# end::ise-test[]

# tag::ad-test[]
# Test 3: AD LDAP (Should PASS - essential service)
echo -n "[3] AD LDAP (port 389): "
if timeout 2 bash -c "echo > /dev/tcp/${AD_DC}/389" 2>/dev/null; then
    echo -e "${GREEN}✓ PASS${NC} - AD reachable"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - AD blocked (critical!)"
    FAIL=$((FAIL+1))
fi
# end::ad-test[]

# tag::nas-test[]
# Test 4: NAS Access (Should PASS - allowed by dACL)
echo -n "[4] NAS Access: "
if ping -c 1 -W 2 ${NAS} > /dev/null 2>&1; then
    echo -e "${GREEN}✓ PASS${NC} - NAS reachable"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - NAS blocked"
    FAIL=$((FAIL+1))
fi
# end::nas-test[]

# tag::internal-block-test[]
# Test 5: Random Internal IP (Should FAIL - zero-trust blocks lateral movement)
echo -n "[5] Random Internal IP (zero-trust): "
if ping -c 1 -W 2 ${INTERNAL_TARGET} > /dev/null 2>&1; then
    echo -e "${RED}✗ FAIL${NC} - Internal access allowed (SECURITY ISSUE!)"
    FAIL=$((FAIL+1))
else
    echo -e "${GREEN}✓ PASS${NC} - Internal blocked (zero-trust working)"
    PASS=$((PASS+1))
fi
# end::internal-block-test[]

# tag::https-test[]
# Test 6: HTTPS to Internet (Should PASS - allowed)
echo -n "[6] Internet HTTPS: "
if curl -s --connect-timeout 5 https://${INTERNET_TARGET} > /dev/null 2>&1; then
    echo -e "${GREEN}✓ PASS${NC} - Internet allowed"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ FAIL${NC} - Internet blocked"
    FAIL=$((FAIL+1))
fi
# end::https-test[]

# tag::ssh-block-test[]
# Test 7: SSH to Internet (Should FAIL - blocked for security)
echo -n "[7] SSH to Internet (security block): "
if timeout 2 bash -c "echo > /dev/tcp/github.com/22" 2>/dev/null; then
    echo -e "${RED}✗ FAIL${NC} - SSH allowed (SECURITY ISSUE!)"
    FAIL=$((FAIL+1))
else
    echo -e "${GREEN}✓ PASS${NC} - SSH blocked (secure)"
    PASS=$((PASS+1))
fi
# end::ssh-block-test[]

# tag::summary[]
echo ""
echo "========================================"
echo "Summary: $PASS passed, $FAIL failed"
echo "========================================"

if [ $FAIL -eq 0 ]; then
    echo -e "${GREEN}✓ Zero-trust properly configured!${NC}"
    exit 0
else
    echo -e "${RED}✗ Zero-trust issues detected${NC}"
    exit 1
fi
# end::summary[]

Download: test-zero-trust.sh


Compliance Checking

Validates workstation meets Home Enterprise security requirements.

Quick Usage

# Run as root
sudo ./compliance-check.sh

Expected Output:

[1] LUKS Encryption: ✓ ENABLED
[2] /etc/crypttab: ✓ EXISTS
[3] AD Domain Join (inside.domusdigitalis.dev): ✓ JOINED
[4] SSSD Service: ✓ RUNNING
[5] NetworkManager: ✓ RUNNING
[6] CA Certificates: ✓ ALL INSTALLED
[7] Machine Certificate: ✓ INSTALLED
[8] 802.1X NetworkManager Connection: ✓ CONFIGURED
[9] Zabbix Monitoring: ~ OPTIONAL (not running)

Summary: 8 passed, 0 failed
✓ Workstation compliant!

LUKS Encryption Check

Disk encryption is mandatory. Note that this check passes if any LUKS container is visible to lsblk, an encrypted USB stick included, so it confirms LUKS is in use somewhere but not that the root filesystem itself is encrypted:

# 1. LUKS Encryption
echo -n "[1] LUKS Encryption: "
if lsblk -f | grep -q crypto_LUKS; then
    echo -e "${GREEN}✓ ENABLED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT DETECTED${NC}"
    FAIL=$((FAIL+1))
fi

Active Directory Check

Domain join validation:

# 3. AD Domain Join
echo -n "[3] AD Domain Join ($DOMAIN): "
if realm list 2>/dev/null | grep -q "$DOMAIN"; then
    echo -e "${GREEN}✓ JOINED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT JOINED${NC}"
    FAIL=$((FAIL+1))
fi

Certificate Validation

CA and machine certificates. Only presence is checked here; the machine key under KEY_DIR should also be owned by root with mode 600, since a key readable by other local users lets them impersonate the workstation on the network:

# 6. CA Certificates
echo -n "[6] CA Certificates: "
MISSING_CERTS=()
for cert in "${REQUIRED_CERTS[@]}"; do
    if [ ! -f "${CERT_DIR}/${cert}" ]; then
        MISSING_CERTS+=("$cert")
    fi
done

if [ ${#MISSING_CERTS[@]} -eq 0 ]; then
    echo -e "${GREEN}✓ ALL INSTALLED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ MISSING: ${MISSING_CERTS[*]}${NC}"
    FAIL=$((FAIL+1))
fi
# 7. Machine Certificate
echo -n "[7] Machine Certificate: "
HOSTNAME_SHORT=$(hostname -s)
MACHINE_CERT="${CERT_DIR}/${HOSTNAME_SHORT}-eaptls.pem"
MACHINE_KEY="${KEY_DIR}/${HOSTNAME_SHORT}-eaptls.key"

if [ -f "$MACHINE_CERT" ] && [ -f "$MACHINE_KEY" ]; then
    echo -e "${GREEN}✓ INSTALLED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ MISSING${NC}"
    FAIL=$((FAIL+1))
fi

802.1X Configuration

NetworkManager connection check:

# 8. 802.1X Configuration
# "nmcli connection show" lists only NAME/UUID/TYPE/DEVICE, so grepping it for
# 802.1X only matches if the profile happens to be named that way. Query the
# 802-1x setting of each profile instead: 802-1x.eap is non-empty only when
# the setting exists.
echo -n "[8] 802.1X NetworkManager Connection: "
EAP_CONN=""
while IFS= read -r conn; do
    if [ -n "$(nmcli -g 802-1x.eap connection show "$conn" 2>/dev/null)" ]; then
        EAP_CONN="$conn"
        break
    fi
done < <(nmcli -g NAME connection show)

if [ -n "$EAP_CONN" ]; then
    echo -e "${GREEN}✓ CONFIGURED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT CONFIGURED${NC}"
    FAIL=$((FAIL+1))
fi
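The LUKS, machine-certificate and 802.1X checks above all ask "is it there". The added example below (not part of the page's compliance script) asks the questions a reviewer would ask next: is the root volume the thing that is encrypted, is the EAP-TLS private key readable only by root, and is the 802.1X profile actually EAP-TLS with a pinned CA certificate and a domain-suffix match, since a profile without those will happily authenticate against a rogue RADIUS server. Each check is a pure function fed by command output on stdin, with a thin wrapper around the real lsblk/findmnt, stat and nmcli call, so the logic can be exercised with constructed input. The policy values are my assumptions for this lab, not settings taken from the page.

```bash
#!/bin/bash
# Added example, not part of the page's compliance script: three checks that go
# beyond present/absent. Each is a pure function reading command output from
# stdin (so it can be exercised with constructed input) plus a thin wrapper
# that runs the real command. The policy enforced (root volume on LUKS, key
# mode 600/400 owned by root, EAP-TLS with pinned CA and domain-suffix match)
# is my assumption for this lab.
set -eu

# 1. Root volume encryption. lsblk -s lists the device behind / and every
#    parent under it; crypto_LUKS anywhere in that chain means the root
#    filesystem sits on a LUKS container. An encrypted USB stick elsewhere
#    does not satisfy this, unlike "lsblk -f | grep crypto_LUKS".
chain_has_luks() { grep -q '^crypto_LUKS$'; }
root_on_luks() {
    # findmnt -v drops the [subvol] suffix btrfs appends to SOURCE
    lsblk -s -n -o FSTYPE "$(findmnt -v -n -o SOURCE /)" | chain_has_luks
}

# 2. Machine private key hygiene: exists, mode 600 or 400, owned by OWNER
#    (default root). A group- or world-readable key hands the workstation's
#    network identity to any local user.
key_perms_ok() {
    local key="$1" owner="${2:-root}" mode
    [ -f "$key" ] || return 1
    mode=$(stat -c '%a' "$key")
    [ "$mode" = 600 ] || [ "$mode" = 400 ] || return 1
    [ "$(stat -c '%U' "$key")" = "$owner" ]
}

# 3. 802.1X profile audit. Input: "802-1x.property:value" lines as printed by
#    nmcli -t -f 802-1x connection show "<name>" (unset values are empty in
#    terse mode, "--" in pretty mode). Prints one finding per line and
#    returns 1 if anything was found.
is_set() { [ -n "$1" ] && [ "$1" != "--" ]; }
audit_8021x() {
    local line eap="" ca="" cert="" key="" match="" bad=0
    while IFS= read -r line; do
        case "$line" in
            802-1x.eap:*)                 eap="${line#*:}" ;;
            802-1x.ca-cert:*)             ca="${line#*:}" ;;
            802-1x.client-cert:*)         cert="${line#*:}" ;;
            802-1x.private-key:*)         key="${line#*:}" ;;
            802-1x.domain-suffix-match:*) match="${line#*:}" ;;
        esac
    done
    [ "$eap" = tls ] || { echo "eap is '${eap:-unset}', expected tls (certificate, no password to phish)"; bad=1; }
    is_set "$ca"    || { echo "ca-cert unset: supplicant would trust any RADIUS server certificate"; bad=1; }
    is_set "$cert"  || { echo "client-cert unset"; bad=1; }
    is_set "$key"   || { echo "private-key unset"; bad=1; }
    is_set "$match" || { echo "domain-suffix-match unset: any certificate from the CA passes as the RADIUS server"; bad=1; }
    return "$bad"
}
audit_8021x_connection() { nmcli -t -f 802-1x connection show "$1" | audit_8021x; }

main() {
    local fail=0 key conn="${1:-}"
    if root_on_luks; then echo "[✓] root filesystem is on LUKS"
    else echo "[✗] root filesystem is not on LUKS"; fail=1; fi
    key="/etc/ssl/private/$(hostname -s)-eaptls.key"
    if key_perms_ok "$key"; then echo "[✓] $key is root-only"
    else echo "[✗] $key missing or readable by others"; fail=1; fi
    if [ -n "$conn" ]; then
        if audit_8021x_connection "$conn"; then echo "[✓] $conn: EAP-TLS with pinned CA"
        else echo "[✗] $conn: see findings above"; fail=1; fi
    fi
    return "$fail"
}

# Usage: sudo ./hardening-check.sh run "Wired EAP-TLS"   (profile name optional)
if [ "$#" -gt 0 ] && [ "$1" = run ]; then
    shift
    main "$@"
fi
```

The domain-suffix-match finding is the one most often skipped: with a CA pinned but no name match, any server certificate issued by that CA (a web server's, say) would be accepted as the RADIUS server, which is exactly the gap an evil-twin or rogue-switch attack needs.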

Full Compliance Script

Complete compliance validation:

#!/bin/bash
# =============================================================================
# Linux Workstation Compliance Check - Home Lab
# =============================================================================
# Purpose: Verify workstation meets security requirements
# Usage: sudo ./compliance-check.sh
# Requirements: Run as root or with sudo

set -euo pipefail

# tag::vars[]
DOMAIN="inside.domusdigitalis.dev"
REQUIRED_CERTS=("HOME-ROOT-CA.pem" "DOMUS-ROOT-CA.pem")
CERT_DIR="/etc/ssl/certs"
KEY_DIR="/etc/ssl/private"

GREEN='\033[0;32m'
RED='\033[0;31m'
YELLOW='\033[1;33m'
NC='\033[0m'
# end::vars[]

# tag::banner[]
echo "========================================"
echo "Linux Compliance Check - Home Lab"
echo "========================================"
echo "Date: $(date)"
echo "Hostname: $(hostname -f)"
echo ""
# end::banner[]

PASS=0
FAIL=0

# tag::luks-check[]
# 1. LUKS Encryption
echo -n "[1] LUKS Encryption: "
if lsblk -f | grep -q crypto_LUKS; then
    echo -e "${GREEN}✓ ENABLED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT DETECTED${NC}"
    FAIL=$((FAIL+1))
fi
# end::luks-check[]

# tag::crypttab-check[]
# 2. /etc/crypttab exists
echo -n "[2] /etc/crypttab: "
if [ -f /etc/crypttab ] && [ -s /etc/crypttab ]; then
    echo -e "${GREEN}✓ EXISTS${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ MISSING${NC}"
    FAIL=$((FAIL+1))
fi
# end::crypttab-check[]

# tag::ad-check[]
# 3. AD Domain Join
echo -n "[3] AD Domain Join ($DOMAIN): "
if realm list 2>/dev/null | grep -q "$DOMAIN"; then
    echo -e "${GREEN}✓ JOINED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT JOINED${NC}"
    FAIL=$((FAIL+1))
fi
# end::ad-check[]

# tag::sssd-check[]
# 4. SSSD Service
echo -n "[4] SSSD Service: "
if systemctl is-active --quiet sssd; then
    echo -e "${GREEN}✓ RUNNING${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT RUNNING${NC}"
    FAIL=$((FAIL+1))
fi
# end::sssd-check[]

# tag::networkmanager-check[]
# 5. NetworkManager
echo -n "[5] NetworkManager: "
if systemctl is-active --quiet NetworkManager; then
    echo -e "${GREEN}✓ RUNNING${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT RUNNING${NC}"
    FAIL=$((FAIL+1))
fi
# end::networkmanager-check[]

# tag::cert-check[]
# 6. CA Certificates
echo -n "[6] CA Certificates: "
MISSING_CERTS=()
for cert in "${REQUIRED_CERTS[@]}"; do
    if [ ! -f "${CERT_DIR}/${cert}" ]; then
        MISSING_CERTS+=("$cert")
    fi
done

if [ ${#MISSING_CERTS[@]} -eq 0 ]; then
    echo -e "${GREEN}✓ ALL INSTALLED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ MISSING: ${MISSING_CERTS[*]}${NC}"
    FAIL=$((FAIL+1))
fi
# end::cert-check[]

# tag::machine-cert-check[]
# 7. Machine Certificate
echo -n "[7] Machine Certificate: "
HOSTNAME_SHORT=$(hostname -s)
MACHINE_CERT="${CERT_DIR}/${HOSTNAME_SHORT}-eaptls.pem"
MACHINE_KEY="${KEY_DIR}/${HOSTNAME_SHORT}-eaptls.key"

if [ -f "$MACHINE_CERT" ] && [ -f "$MACHINE_KEY" ]; then
    echo -e "${GREEN}✓ INSTALLED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ MISSING${NC}"
    FAIL=$((FAIL+1))
fi
# end::machine-cert-check[]

# tag::8021x-check[]
# 8. 802.1X Configuration
# "nmcli connection show" lists only NAME/UUID/TYPE/DEVICE, so grepping it for
# 802.1X only matches if the profile happens to be named that way. Query the
# 802-1x setting of each profile instead: 802-1x.eap is non-empty only when
# the setting exists.
echo -n "[8] 802.1X NetworkManager Connection: "
EAP_CONN=""
while IFS= read -r conn; do
    if [ -n "$(nmcli -g 802-1x.eap connection show "$conn" 2>/dev/null)" ]; then
        EAP_CONN="$conn"
        break
    fi
done < <(nmcli -g NAME connection show)

if [ -n "$EAP_CONN" ]; then
    echo -e "${GREEN}✓ CONFIGURED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT CONFIGURED${NC}"
    FAIL=$((FAIL+1))
fi
# end::8021x-check[]

# tag::zabbix-check[]
# 9. Zabbix Agent (Optional)
echo -n "[9] Zabbix Monitoring: "
if systemctl is-active --quiet zabbix-agent2; then
    echo -e "${GREEN}✓ RUNNING${NC}"
    PASS=$((PASS+1))
else
    echo -e "${YELLOW}~ OPTIONAL (not running)${NC}"
fi
# end::zabbix-check[]

# tag::summary[]
echo ""
echo "========================================"
echo "Summary: $PASS passed, $FAIL failed"
echo "========================================"

if [ $FAIL -eq 0 ]; then
    echo -e "${GREEN}✓ Workstation compliant!${NC}"
    exit 0
else
    echo -e "${RED}✗ Compliance issues detected${NC}"
    echo "Review failed checks above"
    exit 1
fi
# end::summary[]

Advanced Include Patterns

Pattern 1: Full Script Include

Include entire script:

[source,bash]
----
include::example$script.sh[]
----

Pattern 2: Tagged Sections

Include specific tagged sections:

[source,bash]
----
include::example$script.sh[tag=section-name]
----

Tags in script:

# tag::section-name[]
...code here...
# end::section-name[]

Pattern 3: Line Number Filtering

Include specific line ranges:

[source,bash]
----
\include::example$script.sh[lines=1..10]      // First 10 lines
\include::example$script.sh[lines=50..100]    // Lines 50-100
\include::example$script.sh[lines=200..-1]    // Line 200 to end
----

Pattern 4: Downloadable Attachments

Provide download links:

Download: xref:attachment$script.sh[script.sh]

Summary

All scripts follow these conventions:

  • Location: modules/ROOT/examples/ (embedded in docs)

  • Downloads: modules/ROOT/attachments/ (user downloads)

  • Tags: All scripts use # tag::name[] / # end::name[] for partial includes (the tag comment must use the script language's comment syntax, so # for bash rather than //)

  • Environment: Use environment variables for flexibility

  • Attributes: Reference infrastructure addresses (ISE 10.50.1.20, DNS 10.50.1.90, etc.) through antora.yml attributes rather than hard-coding them in page text, so one change updates every page

Best Practice: Use partial includes (tags) when explaining specific functionality, full includes when users need the complete script.