#!/bin/bash
# Saikyo OS Server Security Audit Tool
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0

# Stop at the first failing command. `-u` is intentionally left off: the
# script was not written for it (the option dispatcher at the bottom reads an
# unset "$1" on an argument-less run).
set -e

VERSION='1.0.0'
# Name the script was invoked as, without the directory part.
SCRIPT_NAME=${0##*/}

# Colors
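# ANSI colour sequences for the [PASS]/[FAIL]/[WARN]/[INFO] prefixes. They are
# stored as literal backslash escapes and interpreted by `echo -e` when printed.
# Colours are only enabled when stdout is a terminal (and NO_COLOR is unset), so
# a run that is redirected to a file or piped into another tool does not end up
# with escape codes in its output.
if [ -t 1 ] && [ -z "${NO_COLOR:-}" ]; then
    RED='\033[0;31m'
    GREEN='\033[0;32m'
    YELLOW='\033[1;33m'
    BLUE='\033[0;34m'
    NC='\033[0m'
else
    RED=''
    GREEN=''
    YELLOW=''
    BLUE=''
    NC=''
fi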

# Print the start-of-run banner (five coloured lines followed by a blank line).
# `%b` expands the escape sequences held in BLUE/NC exactly as `echo -e` does.
print_header() {
    local rule='================================================'
    local line
    for line in \
        "$rule" \
        "  Saikyo OS Server - Security Audit Tool v${VERSION}" \
        "  Разработка: ООО «САЙКО»" \
        "  https://saikyo-server.ru" \
        "$rule"; do
        printf '%b\n' "${BLUE}${line}${NC}"
    done
    printf '\n'
}

# Print a green "[PASS]" verdict line for the message given in $1.
check_passed() {
    local msg=$1
    printf '%b\n' "[${GREEN}PASS${NC}] ${msg}"
}

# Print a red "[FAIL]" verdict line for the message given in $1.
check_failed() {
    local msg=$1
    printf '%b\n' "[${RED}FAIL${NC}] ${msg}"
}

# Print a yellow "[WARN]" verdict line for the message given in $1.
check_warning() {
    local msg=$1
    printf '%b\n' "[${YELLOW}WARN${NC}] ${msg}"
}

# Print a blue "[INFO]" line for the message given in $1.
check_info() {
    local msg=$1
    printf '%b\n' "[${BLUE}INFO${NC}] ${msg}"
}

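# Print the effective value of sshd option $1 (lower-case keyword) from the
# configuration text on stdin, or $2 when the option does not appear. The
# first uncommented occurrence wins and a leading "Match" line ends the global
# section, mirroring how sshd(8) reads its file; keywords are case-insensitive
# and both "Key value" and "Key=value" are accepted.
_ssh_option() {
    local key=$1 default=$2 value
    value=$(awk -v key="$key" '
        {
            line = tolower($0)
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            n = split(line, f, /[ \t=]+/)
            if (f[1] == "match") exit
            if (n >= 2 && f[1] == key) { print f[2]; exit }
        }')
    printf '%s\n' "${value:-$default}"
}

# Check the three sshd settings that matter most for remote access.
audit_ssh() {
    echo -e "\n${BLUE}=== Проверка SSH ===${NC}"

    # `sshd -T` prints the running configuration with defaults applied and
    # Include directives resolved, which a plain grep of sshd_config misses
    # (Debian/Ubuntu ship settings in sshd_config.d/). It needs root to read
    # the host keys, so fall back to the raw files when it fails.
    local sshd_bin cfg
    sshd_bin=$(command -v sshd || command -v /usr/sbin/sshd || true)
    if [ -z "$sshd_bin" ] || ! cfg=$("$sshd_bin" -T 2>/dev/null); then
        cfg=$(cat /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null || true)
        if [ -z "$cfg" ]; then
            check_warning "sshd_config не найден; проверяются значения sshd по умолчанию"
        fi
    fi

    # Defaults are those of sshd_config(5) for an option that is not set.
    local root_login password_auth pubkey_auth
    root_login=$(_ssh_option permitrootlogin prohibit-password <<<"$cfg")
    password_auth=$(_ssh_option passwordauthentication yes <<<"$cfg")
    pubkey_auth=$(_ssh_option pubkeyauthentication yes <<<"$cfg")

    case "$root_login" in
        no)
            check_passed "Root-логин через SSH отключён"
            ;;
        prohibit-password|without-password|forced-commands-only)
            # Key-based root login is still possible: weaker than "no".
            check_warning "Root-логин через SSH ограничен (${root_login}), но не отключён"
            ;;
        *)
            check_failed "Root-логин через SSH разрешён"
            ;;
    esac

    if [ "$password_auth" = "no" ]; then
        check_passed "Аутентификация по паролю отключена"
    else
        check_warning "Аутентификация по паролю включена"
    fi

    if [ "$pubkey_auth" = "yes" ]; then
        check_passed "Аутентификация по ключам включена"
    else
        check_failed "Аутентификация по ключам отключена"
    fi
}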

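# Report whether one of the supported host firewalls is active.
audit_firewall() {
    echo -e "\n${BLUE}=== Проверка Firewall ===${NC}"

    if systemctl is-active --quiet firewalld; then
        check_passed "Firewalld активен"
    elif systemctl is-active --quiet ufw; then
        # ufw.service stays "active (exited)" after `ufw disable`; the unit
        # only loads rules when ENABLED=yes in /etc/ufw/ufw.conf. Check that
        # flag (world-readable) rather than `ufw status`, which needs root.
        if grep -qs '^ENABLED=yes' /etc/ufw/ufw.conf; then
            check_passed "UFW активен"
        else
            check_failed "Служба UFW запущена, но firewall отключён (ENABLED=yes не задан в /etc/ufw/ufw.conf)"
        fi
    elif systemctl is-active --quiet nftables; then
        check_passed "nftables активен"
    else
        check_failed "Firewall не активен"
    fi
}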

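# Report AppArmor service state and, when readable, the loaded profile counts.
audit_apparmor() {
    echo -e "\n${BLUE}=== Проверка AppArmor ===${NC}"

    if ! systemctl is-active --quiet apparmor; then
        check_failed "AppArmor не активен"
        return 0
    fi
    check_passed "AppArmor активен"

    if command -v aa-status >/dev/null 2>&1; then
        # aa-status reads /sys/kernel/security/apparmor/, which is root-only;
        # a failed call must not be reported as "0 profiles loaded".
        local profiled enforced detail
        if profiled=$(aa-status --profiled 2>/dev/null); then
            enforced=$(aa-status --enforced 2>/dev/null || true)
            detail="Загружено профилей: ${profiled}"
            if [ -n "$enforced" ]; then
                detail="${detail}, в режиме enforce: ${enforced}"
            fi
            check_info "$detail"
            if [ "$profiled" -eq 0 ] 2>/dev/null; then
                check_warning "Профили AppArmor не загружены"
            fi
        else
            check_warning "Количество профилей недоступно (aa-status требует root)"
        fi
    fi
}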

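# Report Fail2ban service state and the list of active jails when readable.
audit_fail2ban() {
    echo -e "\n${BLUE}=== Проверка Fail2ban ===${NC}"

    if ! systemctl is-active --quiet fail2ban; then
        check_warning "Fail2ban не активен"
        return 0
    fi
    check_passed "Fail2ban активен"

    if command -v fail2ban-client >/dev/null 2>&1; then
        # fail2ban-client talks to the server socket, which is root-only; do
        # not report a failed query as "no jails".
        local status jails
        if status=$(fail2ban-client status 2>/dev/null); then
            # "Jail list:" line → comma-separated names without whitespace.
            jails=$(printf '%s\n' "$status" | awk -F: '/Jail list/ { gsub(/[[:space:]]/, "", $2); print $2 }')
            if [ -n "$jails" ]; then
                check_info "Активные jail: ${jails}"
            else
                check_warning "Fail2ban запущен, но ни один jail не активен"
            fi
        else
            check_warning "Список jail недоступен (fail2ban-client требует root)"
        fi
    fi
}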

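# Report auditd service state and the number of loaded audit rules.
audit_auditd() {
    echo -e "\n${BLUE}=== Проверка Auditd ===${NC}"

    if ! systemctl is-active --quiet auditd; then
        check_warning "Auditd не активен"
        return 0
    fi
    check_passed "Auditd активен"

    # `auditctl -l` needs root and prints the literal line "No rules" when the
    # rule set is empty, so piping it straight into `wc -l` reports 1 rule on
    # an unconfigured system and 0 on a permission error. Tell the cases apart.
    local listing rules
    if ! command -v auditctl >/dev/null 2>&1; then
        check_warning "auditctl не найден"
    elif listing=$(auditctl -l 2>/dev/null); then
        rules=$(printf '%s\n' "$listing" | awk 'NF && $0 != "No rules" { n++ } END { print n + 0 }')
        check_info "Загружено правил аудита: ${rules}"
        if [ "$rules" -eq 0 ]; then
            check_warning "Правила аудита не загружены"
        fi
    else
        check_warning "Список правил аудита недоступен (auditctl требует root)"
    fi
}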

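# Check that unattended security updates are installed and actually scheduled.
audit_updates() {
    echo -e "\n${BLUE}=== Проверка обновлений ===${NC}"

    # Query the package state directly: `dpkg -l | grep unattended-upgrades`
    # also matches removed-but-not-purged packages ("rc") and any package
    # whose description merely mentions the name.
    if dpkg-query -W -f='${Status}\n' unattended-upgrades 2>/dev/null | grep -q '^install ok installed$'; then
        check_passed "unattended-upgrades установлен"
    else
        check_warning "unattended-upgrades не установлен"
    fi

    if systemctl is-active --quiet unattended-upgrades; then
        check_passed "Автообновления активны"
    else
        check_warning "Автообновления не активны"
    fi

    # unattended-upgrades.service is only the shutdown helper; the periodic
    # run is driven by apt-daily-upgrade.timer and the APT::Periodic setting.
    if systemctl is-active --quiet apt-daily-upgrade.timer; then
        check_passed "Таймер apt-daily-upgrade активен"
    else
        check_warning "Таймер apt-daily-upgrade не активен"
    fi

    if apt-config dump 2>/dev/null | grep -q '^APT::Periodic::Unattended-Upgrade "1";'; then
        check_passed "APT::Periodic::Unattended-Upgrade включён"
    else
        check_warning "APT::Periodic::Unattended-Upgrade не включён"
    fi
}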

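# Print the value of pwquality option $1 from the configuration text on stdin
# ("key = value" lines, '#' comments), or nothing when it is not set. Later
# lines override earlier ones, so the last assignment wins.
_pwquality_option() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (line == "" || line ~ /^#/) next
            n = split(line, f, "=")
            gsub(/[[:space:]]/, "", f[1])
            if (n >= 2 && f[1] == key) { v = f[2]; gsub(/[[:space:]]/, "", v) }
        }
        END { if (v != "") print v }'
}

# Report the libpwquality password policy (minimum length).
audit_passwords() {
    echo -e "\n${BLUE}=== Проверка политики паролей ===${NC}"

    if [ ! -f /etc/security/pwquality.conf ]; then
        check_warning "pwquality.conf не найден"
        return 0
    fi
    check_passed "pwquality.conf настроен"

    # Read the main file and its drop-ins together. A plain `grep minlen` also
    # matched the commented-out example line and could yield several values.
    local minlen
    minlen=$(cat /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf 2>/dev/null | _pwquality_option minlen)
    if [ -n "$minlen" ]; then
        check_info "Минимальная длина пароля: ${minlen}"
    else
        check_info "Минимальная длина пароля: не задана (по умолчанию 8)"
    fi
}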

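# Check that file-integrity and rootkit-detection tools are present and usable.
audit_integrity() {
    echo -e "\n${BLUE}=== Проверка контроля целостности ===${NC}"

    if command -v aide >/dev/null 2>&1; then
        check_passed "AIDE установлен"
        # An installed AIDE does nothing until its baseline database exists
        # (Debian keeps it in /var/lib/aide/aide.db). The directory is
        # root-only, so this test is only conclusive when run as root.
        if [ -e /var/lib/aide/aide.db ]; then
            check_passed "База AIDE инициализирована"
        else
            check_warning "База AIDE не найдена или недоступна (/var/lib/aide/aide.db)"
        fi
    else
        check_warning "AIDE не установлен"
    fi

    if command -v rkhunter >/dev/null 2>&1; then
        check_passed "rkhunter установлен"
    else
        check_warning "rkhunter не установлен"
    fi
}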

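# Write the report file and announce its path.
# Arguments: $1 (optional) - file holding the captured output of the checks;
#            when given and readable, its content is appended under "Summary"
#            with any ANSI colour sequences stripped.
# Globals:   REPORT_FILE (written) - path of the report that was created.
generate_report() {
    echo -e "\n${BLUE}=== Генерация отчёта ===${NC}"

    local stamp os_name host results=${1:-}
    stamp=$(date +%Y%m%d-%H%M%S)
    # Take PRETTY_NAME from os-release in a subshell so none of its other
    # variables leak into ours.
    os_name=$( . /etc/os-release 2>/dev/null && printf '%s' "${PRETTY_NAME:-}" ) || os_name=''
    host=$(hostname 2>/dev/null || uname -n)

    # Preferred location first; when /var/log is not writable fall back to a
    # mktemp(1) file (a fixed name under /tmp is open to symlink attacks).
    REPORT_FILE="/var/log/saikyo-security-audit-${stamp}.log"
    if ! : > "$REPORT_FILE" 2>/dev/null; then
        REPORT_FILE=$(mktemp "${TMPDIR:-/tmp}/saikyo-security-audit-${stamp}.XXXXXX")
    fi

    {
        echo "Saikyo OS Server Security Audit Report"
        echo "Date: $(date)"
        echo "Hostname: ${host}"
        echo "OS: ${os_name:-unknown}"
        echo ""
        echo "=== Summary ==="
        if [ -n "$results" ] && [ -r "$results" ]; then
            # Drop the colour escapes the check_* helpers may have emitted.
            sed "s/$(printf '\033')\[[0-9;]*m//g" "$results"
        fi
    } > "$REPORT_FILE"

    check_info "Отчёт сохранён: ${REPORT_FILE}"
}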

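# Run every check, then write the report.
# The checks' output is captured to a temporary file so that it can be handed
# to generate_report; the file is removed on any exit path.
main() {
    print_header

    check_info "Начало аудита безопасности..."
    check_info "Хост: $(hostname)"
    check_info "Дата: $(date)"

    local results
    results=$(mktemp) || { echo "mktemp failed" >&2; return 1; }
    # shellcheck disable=SC2064 -- expand now: the local is gone when EXIT fires
    trap "rm -f -- '${results}'" EXIT

    {
        audit_ssh
        audit_firewall
        audit_apparmor
        audit_fail2ban
        audit_auditd
        audit_updates
        audit_passwords
        audit_integrity
    } | tee "$results"
    # The checks run in a subshell on the left of the pipe, so a failure there
    # does not abort the script under `set -e`; propagate it explicitly.
    local rc=${PIPESTATUS[0]}
    if [ "$rc" -ne 0 ]; then
        echo "Аудит прерван: ошибка при выполнении проверок (код ${rc})" >&2
        return "$rc"
    fi

    generate_report "$results"

    echo -e "\n${GREEN}Аудит завершён.${NC}"
}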

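# Print the usage text to stdout.
usage() {
    echo "Usage: $SCRIPT_NAME [OPTIONS]"
    echo ""
    echo "Saikyo OS Server Security Audit Tool"
    echo ""
    echo "Options:"
    echo "  -h, --help      Show this help"
    echo "  -v, --version   Show version"
    echo ""
    echo "Website: https://saikyo-server.ru"
    echo "Support: support@saikyo-os.ru"
}

# Option dispatcher. "${1-}" keeps an argument-less run safe if `set -u` is
# ever enabled; an unrecognised option is rejected with exit status 2 instead
# of silently running the full audit.
case "${1-}" in
    --version|-v)
        echo "$SCRIPT_NAME version $VERSION"
        echo "Copyright (c) 2025-2026 OOO SAIKO"
        ;;
    --help|-h)
        usage
        ;;
    -*)
        echo "$SCRIPT_NAME: unknown option '$1'" >&2
        usage >&2
        exit 2
        ;;
    *)
        main
        ;;
esac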
