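#!/usr/bin/env bash
# Extended read-only security + cleanup audit (run on target host).
#
# Prints one "=== section ===" block per check to stdout. Nothing here modifies
# the host. Several checks (sshd -T, ufw status, process owners in ss -p, and
# the root crontab) only give complete results when run as root; when run as an
# unprivileged user the affected sections may be empty, which is flagged on
# stderr at startup rather than silently passed off as "nothing found".
#
# Deliberately no `set -e`: every check must run even if an earlier one fails.
set -u

# have CMD -- true if CMD is on PATH (quiet `command -v`).
have() { command -v "$1" >/dev/null 2>&1; }

# Warn once instead of letting privileged checks print blank sections.
if [ "$(id -u)" -ne 0 ]; then
  echo "note: not running as root -- sshd -T, ufw status, ss -p owners and the root crontab are unavailable; affected sections may be empty" >&2
fi

echo "=== identity ==="
hostname -f 2>/dev/null || hostname
# Source os-release in a subshell so its assignments cannot clobber our own variables.
if [ -f /etc/os-release ]; then
  ( . /etc/os-release; echo "os=${PRETTY_NAME:-unknown}" )
fi
echo "kernel=$(uname -r)"
echo "uptime=$(uptime -p 2>/dev/null || uptime)"

echo "=== disk ==="
# Columns: mountpoint, use%, available.
df -h / /var 2>/dev/null | tail -n +2 | awk '{print $6" "$5" used "$4" free"}'

echo "=== sshd (effective) ==="
# `sshd -T` reports the effective (post-Include, post-Match-less) config but
# needs root to read the host keys; without root it prints nothing on stdout.
sshd_eff=
if have sshd; then
  sshd_eff=$(sshd -T 2>/dev/null \
    | grep -E '^(permitrootlogin|passwordauthentication|pubkeyauthentication|permitemptypasswords|port|x11forwarding|maxauthtries) ' \
    || true)
fi
if [ -n "$sshd_eff" ]; then
  printf '%s\n' "$sshd_eff"
elif [ -f /etc/ssh/sshd_config ]; then
  # Fallback: on-disk config. Drop-ins under sshd_config.d are Included first
  # and sshd keeps the FIRST value it sees, so a drop-in overrides the main
  # file; -H shows which file each value came from.
  grep -HE '^(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|Port) ' \
    /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null \
    || echo "no explicit values set (compiled-in defaults apply)"
else
  echo "sshd not found"
fi

echo "=== firewall ==="
if have ufw; then
  ufw status verbose 2>/dev/null | head -5
elif have firewall-cmd; then
  firewall-cmd --state 2>/dev/null || true
else
  echo "no ufw/firewalld"
fi

echo "=== fail2ban ==="
systemctl is-active fail2ban 2>/dev/null || echo "fail2ban: inactive or missing"

echo "=== unattended-upgrades ==="
systemctl is-active unattended-upgrades 2>/dev/null || echo "unattended-upgrades: inactive or missing"

echo "=== pending apt upgrades ==="
if have apt; then
  # grep -c prints "0" itself (with exit status 1) when nothing matches,
  # so no fallback echo is needed -- it would print a second "0".
  apt-get -s upgrade 2>/dev/null | grep -c '^Inst' || true
else
  echo "n/a"
fi

echo "=== docker ==="
if have docker; then
  echo "docker=$(docker --version 2>/dev/null || true)"
  echo "containers=$(docker ps -aq 2>/dev/null | wc -l | tr -d ' ') running=$(docker ps -q 2>/dev/null | wc -l | tr -d ' ')"
  echo "images=$(docker images -q 2>/dev/null | wc -l | tr -d ' ')"
  docker system df 2>/dev/null | tail -n +2 || true
else
  echo "no docker"
fi

echo "=== journal disk ==="
journalctl --disk-usage 2>/dev/null || echo "n/a"

echo "=== apt cache ==="
du -sh /var/cache/apt/archives 2>/dev/null || echo "n/a"

# `crontab -l` lists the INVOKING user's crontab, so label it honestly
# (reads "(root)" exactly as before when run as root).
echo "=== existing cron ($(id -un)) ==="
if cron_out=$(crontab -l 2>/dev/null); then
  printf '%s\n' "$cron_out" | grep -v '^#' | grep -v '^$' | head -10
else
  echo "no crontab for $(id -un)"
fi
# Glob instead of parsing ls; nullglob so an empty directory yields nothing.
shopt -s nullglob
for cron_job in /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
  printf '%s\n' "${cron_job##*/}"
done | head -15
shopt -u nullglob

echo "=== listening tcp (non-localhost) ==="
# Header line kept; loopback-only listeners dropped. Without root, -p only
# resolves sockets owned by the invoking user.
ss -tlnp 2>/dev/null | awk 'NR==1 || /LISTEN/ {print}' | grep -v '127.0.0.1:' | grep -v '\[::1\]:' | head -15

echo "=== uid 0 accounts ==="
# Any account other than root here is worth a follow-up.
awk -F: '$3==0 {print $1}' /etc/passwd | tr '\n' ' '
echo

echo "=== tailscale ==="
if have tailscale; then
  tailscale status --self 2>/dev/null | head -1
else
  echo "no tailscale"
fi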