#!/bin/bash
# =============================================================================
# Linux Workstation Compliance Check - Home Lab
# =============================================================================
# Purpose: Verify workstation meets security requirements
# Usage: sudo ./compliance-check.sh
# Requirements: Run as root or with sudo

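set -euo pipefail

# tag::vars[]
# Site-specific expectations: the AD realm the workstation must be joined to,
# and the CA certificates (file names under CERT_DIR) that must be installed.
# The EAP-TLS machine certificate/key are looked up under CERT_DIR/KEY_DIR too.
readonly DOMAIN="inside.domusdigitalis.dev"
readonly REQUIRED_CERTS=("HOME-ROOT-CA.pem" "DOMUS-ROOT-CA.pem")
readonly CERT_DIR="/etc/ssl/certs"
readonly KEY_DIR="/etc/ssl/private"

# ANSI colours for the result markers (expanded by `echo -e`). They are only
# emitted when stdout is a terminal, so captured output (`| tee log`, cron
# mail) stays free of escape sequences.
if [[ -t 1 ]]; then
    GREEN='\033[0;32m'
    RED='\033[0;31m'
    YELLOW='\033[1;33m'
    NC='\033[0m'
else
    GREEN='' RED='' YELLOW='' NC=''
fi
# end::vars[]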

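# tag::banner[]
# Report header. `hostname -f` fails and prints nothing when the FQDN cannot be
# resolved — which is exactly the state of a workstation whose domain setup is
# broken — so fall back to the plain hostname instead of printing an empty value.
HOST_FQDN=$(hostname -f 2>/dev/null) || HOST_FQDN=$(hostname)
echo "========================================"
echo "Linux Compliance Check - Home Lab"
echo "========================================"
echo "Date: $(date)"
echo "Hostname: $HOST_FQDN"
echo ""
# end::banner[]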

# Running tallies. Every mandatory check increments exactly one of them; the
# optional Zabbix check only ever increments PASS. The exit status at the end
# is derived from FAIL alone.
PASS=0 FAIL=0

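# tag::luks-check[]
# 1. LUKS Encryption
# Looks for any block device whose filesystem type is crypto_LUKS. The lsblk
# output is captured before grepping: under `set -o pipefail` a
# `lsblk | grep -q` pipeline can report failure on a genuine match, because
# grep's early exit may leave lsblk killed by SIGPIPE.
# NOTE(review): this proves a LUKS container exists somewhere, not that the
# root or home filesystem lives on it — tighten if the policy requires that.
echo -n "[1] LUKS Encryption: "
BLOCK_FSTYPES=$(lsblk -rno FSTYPE 2>/dev/null || true)
if grep -qx crypto_LUKS <<<"$BLOCK_FSTYPES"; then
    echo -e "${GREEN}✓ ENABLED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT DETECTED${NC}"
    FAIL=$((FAIL+1))
fi
# end::luks-check[]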

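# tag::crypttab-check[]
# 2. /etc/crypttab exists and lists at least one mapping
# A crypttab holding only comments or blank lines is as good as absent, so a
# real entry is required rather than merely a non-empty file.
crypttab_has_entry() {
    # $1 - path to a crypttab. Succeeds when the file exists and contains at
    # least one line whose first non-blank character is not '#'.
    [[ -f "$1" ]] && grep -qE -e '^[[:space:]]*[^[:space:]#]' -- "$1" 2>/dev/null
}

echo -n "[2] /etc/crypttab: "
if crypttab_has_entry /etc/crypttab; then
    echo -e "${GREEN}✓ EXISTS${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ MISSING${NC}"
    FAIL=$((FAIL+1))
fi
# end::crypttab-check[]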

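# tag::ad-check[]
# 3. AD Domain Join
# The realm name is matched as a fixed string (its dots would otherwise act as
# regex wildcards) against captured `realm list` output, which also avoids the
# pipefail/SIGPIPE race of `realm list | grep -q`. A missing realmd yields
# empty output and therefore NOT JOINED.
# NOTE(review): appearing in `realm list` shows the realm is configured; whether
# the machine account credentials actually work is not verified here.
echo -n "[3] AD Domain Join ($DOMAIN): "
REALM_LIST=$(realm list 2>/dev/null || true)
if grep -qF -- "$DOMAIN" <<<"$REALM_LIST"; then
    echo -e "${GREEN}✓ JOINED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT JOINED${NC}"
    FAIL=$((FAIL+1))
fi
# end::ad-check[]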

# tag::sssd-check[]
# 4. SSSD Service
# sssd is what resolves AD users and groups locally; a non-zero status from
# `systemctl is-active --quiet` is counted as a failed check.
echo -n "[4] SSSD Service: "
if ! systemctl is-active --quiet sssd; then
    echo -e "${RED}✗ NOT RUNNING${NC}"
    FAIL=$((FAIL+1))
else
    echo -e "${GREEN}✓ RUNNING${NC}"
    PASS=$((PASS+1))
fi
# end::sssd-check[]

# tag::networkmanager-check[]
# 5. NetworkManager
# NetworkManager must be active for the 802.1X connection profile checked in
# step 8 to be in effect at all.
echo -n "[5] NetworkManager: "
if systemctl is-active --quiet NetworkManager; then
    printf '%b\n' "${GREEN}✓ RUNNING${NC}"
    PASS=$((PASS+1))
else
    printf '%b\n' "${RED}✗ NOT RUNNING${NC}"
    FAIL=$((FAIL+1))
fi
# end::networkmanager-check[]

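# tag::cert-check[]
# 6. CA Certificates
# Each required CA must be present under CERT_DIR as a non-empty file and, when
# openssl is available, must parse as an X.509 certificate that has not expired.
# A truncated or stale root would otherwise count as "installed".
cert_problem() {
    # $1 - path to a PEM certificate.
    # Prints "missing" when the file is absent or empty, "invalid or expired"
    # when openssl rejects it or it is past its notAfter date, and nothing
    # when it is usable (or openssl is not installed to check it).
    local path=$1
    if [[ ! -s "$path" ]]; then
        printf 'missing'
    elif command -v openssl >/dev/null 2>&1 \
        && ! openssl x509 -in "$path" -noout -checkend 0 >/dev/null 2>&1; then
        printf 'invalid or expired'
    fi
}

echo -n "[6] CA Certificates: "
MISSING_CERTS=()
for cert in "${REQUIRED_CERTS[@]}"; do
    cert_issue=$(cert_problem "${CERT_DIR}/${cert}")
    if [[ -n "$cert_issue" ]]; then
        MISSING_CERTS+=("${cert} (${cert_issue})")
    fi
done

if (( ${#MISSING_CERTS[@]} == 0 )); then
    echo -e "${GREEN}✓ ALL INSTALLED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ MISSING: ${MISSING_CERTS[*]}${NC}"
    FAIL=$((FAIL+1))
fi
# end::cert-check[]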

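# tag::machine-cert-check[]
# 7. Machine Certificate
# The EAP-TLS client certificate and private key are expected at
# CERT_DIR/<shorthost>-eaptls.pem and KEY_DIR/<shorthost>-eaptls.key. Beyond
# presence, the key must not be accessible to "others": a world-readable
# machine key lets any local account impersonate the workstation on the
# 802.1X network.
key_world_accessible() {
    # $1 - path. Succeeds when the file's "others" permission digit (GNU
    # `stat -c %a`) is non-zero. Fails when stat itself fails, so an
    # unreadable path is not reported as insecure.
    local mode
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || return 1
    [[ "$mode" == *[1-7] ]]
}

echo -n "[7] Machine Certificate: "
HOSTNAME_SHORT=$(hostname -s)
MACHINE_CERT="${CERT_DIR}/${HOSTNAME_SHORT}-eaptls.pem"
MACHINE_KEY="${KEY_DIR}/${HOSTNAME_SHORT}-eaptls.key"

if [[ ! -f "$MACHINE_CERT" || ! -f "$MACHINE_KEY" ]]; then
    echo -e "${RED}✗ MISSING${NC}"
    FAIL=$((FAIL+1))
elif key_world_accessible "$MACHINE_KEY"; then
    echo -e "${RED}✗ PRIVATE KEY READABLE BY OTHERS (${MACHINE_KEY})${NC}"
    FAIL=$((FAIL+1))
else
    echo -e "${GREEN}✓ INSTALLED${NC}"
    PASS=$((PASS+1))
fi
# end::machine-cert-check[]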

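# tag::8021x-check[]
# 8. 802.1X Configuration
# Walks every NetworkManager connection profile and looks for an 802-1x.eap
# setting. Grepping `nmcli connection show` only sees the NAME/TYPE columns,
# so a profile was detected only if its name happened to mention 802.1X/EAP,
# and that pipeline was also subject to the pipefail/SIGPIPE race.
# Profiles are addressed by UUID because terse-mode names can carry escapes.
echo -n "[8] 802.1X NetworkManager Connection: "
EAP_PROFILE=""
while IFS= read -r conn_uuid; do
    [[ -n "$conn_uuid" ]] || continue
    eap_methods=$(nmcli -g 802-1x.eap connection show "$conn_uuid" 2>/dev/null || true)
    if [[ -n "$eap_methods" ]]; then
        EAP_PROFILE=$conn_uuid
        break
    fi
done < <(nmcli -t -f UUID connection show 2>/dev/null || true)

if [[ -n "$EAP_PROFILE" ]]; then
    echo -e "${GREEN}✓ CONFIGURED${NC}"
    PASS=$((PASS+1))
else
    echo -e "${RED}✗ NOT CONFIGURED${NC}"
    FAIL=$((FAIL+1))
fi
# end::8021x-check[]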

# tag::zabbix-check[]
# 9. Zabbix Agent (Optional)
# Informational only: a running agent counts as a pass, an absent one is shown
# in yellow and does not touch FAIL. Only the zabbix-agent2 unit is considered.
echo -n "[9] Zabbix Monitoring: "
case "$(systemctl is-active zabbix-agent2 2>/dev/null || true)" in
    active)
        echo -e "${GREEN}✓ RUNNING${NC}"
        PASS=$((PASS+1))
        ;;
    *)
        echo -e "${YELLOW}~ OPTIONAL (not running)${NC}"
        ;;
esac
# end::zabbix-check[]

# tag::summary[]
# Final tally. The exit status is 0 only when every mandatory check passed,
# so callers (cron, provisioning tooling) can rely on it directly.
echo ""
echo "========================================"
echo "Summary: $PASS passed, $FAIL failed"
echo "========================================"

if (( FAIL > 0 )); then
    echo -e "${RED}✗ Compliance issues detected${NC}"
    echo "Review failed checks above"
    exit 1
fi
echo -e "${GREEN}✓ Workstation compliant!${NC}"
exit 0
# end::summary[]
