122 lines
4.0 KiB
Bash
122 lines
4.0 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
OUT_BASE="/var/lib/saikyo-audit-report"
|
|
TS="$(date -u +%Y%m%dT%H%M%SZ)"
|
|
OUT_DIR="${OUT_BASE}/${TS}"
|
|
|
|
mkdir -p "${OUT_DIR}" "${OUT_DIR}/crypto" "${OUT_DIR}/apt" "${OUT_DIR}/system" "${OUT_DIR}/licenses" "${OUT_DIR}/network"
|
|
chmod 0755 "${OUT_BASE}" "${OUT_DIR}" || true
|
|
|
|
{
|
|
echo "timestamp_utc=${TS}"
|
|
echo "hostname=$(hostname)"
|
|
echo "kernel=$(uname -srmo)"
|
|
echo "arch=$(dpkg --print-architecture 2>/dev/null || true)"
|
|
} > "${OUT_DIR}/system/summary.env"
|
|
|
|
# Saikyo subscription/license status (if present)
|
|
if command -v saikyo-license >/dev/null 2>&1; then
|
|
(saikyo-license status 2>&1 || true) > "${OUT_DIR}/system/saikyo-license.status"
|
|
(saikyo-license verify 2>&1 || true) > "${OUT_DIR}/system/saikyo-license.verify"
|
|
else
|
|
echo "saikyo-license not installed" > "${OUT_DIR}/system/saikyo-license.status"
|
|
fi
|
|
|
|
if [ -f /etc/os-release ]; then
|
|
cp -f /etc/os-release "${OUT_DIR}/system/os-release" || true
|
|
fi
|
|
if [ -f /usr/lib/os-release ]; then
|
|
cp -f /usr/lib/os-release "${OUT_DIR}/system/os-release.lib" || true
|
|
fi
|
|
|
|
# Package inventory
|
|
(dpkg-query -W -f='${Package}\t${Version}\n' 2>/dev/null || true) > "${OUT_DIR}/packages.tsv"
|
|
|
|
# APT sources + keyrings
|
|
mkdir -p "${OUT_DIR}/apt/sources.list.d" || true
|
|
if [ -f /etc/apt/sources.list ]; then
|
|
cp -f /etc/apt/sources.list "${OUT_DIR}/apt/sources.list" || true
|
|
fi
|
|
if [ -d /etc/apt/sources.list.d ]; then
|
|
cp -a /etc/apt/sources.list.d/. "${OUT_DIR}/apt/sources.list.d/" 2>/dev/null || true
|
|
fi
|
|
(ls -la /usr/share/keyrings 2>/dev/null || true) > "${OUT_DIR}/apt/keyrings.ls"
|
|
|
|
(grep -RhsE '^(deb|deb-src)\s' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true) > "${OUT_DIR}/apt/sources.lines"
|
|
|
|
# Hashes for installed Saikyo keyring/list (if present)
|
|
for f in \
|
|
/usr/share/keyrings/saikyo-archive-keyring.gpg \
|
|
/etc/apt/sources.list.d/saikyo-os.list \
|
|
/etc/os-release \
|
|
/usr/lib/os-release
|
|
do
|
|
if [ -f "$f" ]; then
|
|
sha256sum "$f" >> "${OUT_DIR}/sha256sum.files" || true
|
|
fi
|
|
done
|
|
|
|
# Crypto / GOST checks
|
|
{
|
|
echo "openssl_version=$(openssl version 2>/dev/null || true)"
|
|
echo "openssl_engines="
|
|
openssl engine -t -c 2>/dev/null || true
|
|
} > "${OUT_DIR}/crypto/openssl-engine.txt"
|
|
|
|
if command -v gostsum >/dev/null 2>&1; then
|
|
echo test | gostsum > "${OUT_DIR}/crypto/gostsum.txt" 2>&1 || true
|
|
else
|
|
echo "gostsum not installed" > "${OUT_DIR}/crypto/gostsum.txt"
|
|
fi
|
|
|
|
if command -v lsmod >/dev/null 2>&1; then
|
|
lsmod | grep -i gost > "${OUT_DIR}/crypto/lsmod-gost.txt" 2>/dev/null || true
|
|
fi
|
|
|
|
(grep -RhsE '(pool\.ntp\.org|ntp\.org|time\.google\.com|time\.windows\.com|geoip|telemetry)' /etc 2>/dev/null || true) > "${OUT_DIR}/network/external-indicators.txt"
|
|
|
|
(systemctl list-unit-files 2>/dev/null || true) > "${OUT_DIR}/system/unit-files.txt"
|
|
|
|
# Secure Boot / MOK / TPM
|
|
{
|
|
echo "mokutil_sb_state:"
|
|
(mokutil --sb-state 2>/dev/null || true)
|
|
echo
|
|
echo "mokutil_list_enrolled:"
|
|
(mokutil --list-enrolled 2>/dev/null || true)
|
|
echo
|
|
echo "tpm_devices:"
|
|
(ls -la /dev/tpm* 2>/dev/null || true)
|
|
echo
|
|
echo "saikyo_mok_der_present:"
|
|
if [ -f /usr/share/saikyo-os/secure-boot/saikyo-mok.der ]; then
|
|
sha256sum /usr/share/saikyo-os/secure-boot/saikyo-mok.der || true
|
|
else
|
|
echo "missing"
|
|
fi
|
|
} > "${OUT_DIR}/system/secure-boot.txt"
|
|
|
|
LICENSE_TSV="${OUT_DIR}/licenses/licenses.tsv"
|
|
PROBLEM_TSV="${OUT_DIR}/licenses/problematic-licenses.tsv"
|
|
|
|
echo -e "package\tlicense" > "${LICENSE_TSV}"
|
|
echo -e "package\tmatched" > "${PROBLEM_TSV}"
|
|
|
|
while IFS=$'\t' read -r pkg ver; do
|
|
[ -n "${pkg}" ] || continue
|
|
cfile="/usr/share/doc/${pkg}/copyright"
|
|
lic="UNKNOWN"
|
|
if [ -f "${cfile}" ]; then
|
|
lic=$(awk -F': ' 'BEGIN{l=""} $1=="License" && l=="" {l=$2} END{if(l=="") print "UNKNOWN"; else print l}' "${cfile}" 2>/dev/null || echo "UNKNOWN")
|
|
fi
|
|
echo -e "${pkg}\t${lic}" >> "${LICENSE_TSV}"
|
|
case "${lic}" in
|
|
*SSPL*|*Elastic*|*RSAL*|*Redis*Source*Available*|*Server*Side*Public*License*|*AGPL*)
|
|
echo -e "${pkg}\t${lic}" >> "${PROBLEM_TSV}"
|
|
;;
|
|
esac
|
|
done < "${OUT_DIR}/packages.tsv"
|
|
|
|
echo "Report created: ${OUT_DIR}"
|