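#!/bin/bash
#
# Checks a local virtual machine against a list of hardening requirements
# (hostname, distribution, MAC framework, disk encryption, LVM, sshd
# settings, group membership, password ageing, firewall) and prints one
# "OK:" or "KO:" line per requirement.
#
# Usage: <this script> [port]
#   port - TCP port on 127.0.0.1 that reaches the VM's sshd (default 4242).
#
# Every check logs in over SSH through the expect wrappers ./ssh.exp and
# ./ssh_sudo.exp, which must sit in the current directory. Those wrappers
# are not visible here; presumably they read the password from the SSHPASS
# environment variable - confirm.

# NOTE(review): fallback credential committed with the script. It is used
# whenever the password prompt is left empty, so a VM that still accepts it
# passes every check below.
readonly DEFAULT_PASS="Born2beWild"

#######################################
# Forget the cached host key for the VM so a rebuilt guest does not trip
# ssh's changed-host-key refusal.
# Arguments: $1 - port on 127.0.0.1 (default 4242)
# NOTE(review): ssh_exec filters the "Permanently added" warning, so the
# wrappers presumably accept whatever key the server presents - confirm.
# That is only reasonable because the target is the loopback address.
#######################################
ssh_clean () {
  local port=${1-4242}
  # Best effort: a missing known_hosts entry is not an error here.
  ssh-keygen -R "[127.0.0.1]:${port}" >/dev/null 2>&1
}

#######################################
# Run a command on the VM as an ordinary user.
# Arguments: $1 - port (default 4242)
#            $2 - login (default marvin)
#            $3 - password (default DEFAULT_PASS)
#            remaining - command and arguments, one word per argument
# Outputs:   combined stdout/stderr of the session, minus ssh/expect noise
#######################################
ssh_exec () {
  local port=${1-4242}
  [ $# -gt 0 ] && shift
  local login=${1-marvin}
  [ $# -gt 0 ] && shift
  local pass=${1-${DEFAULT_PASS}}
  [ $# -gt 0 ] && shift
  # The password is set in the environment of this one command only: it stays
  # out of argv (visible in ps) and is not inherited by the grep below.
  SSHPASS="${pass}" ./ssh.exp -p "${port}" "${login}@127.0.0.1" "$@" 2>&1 \
    | grep -v -i -e '^Warning: Permanently added' -e ' password:' -e '^spawn ssh'
}

#######################################
# Run a command on the VM through sudo.
# Arguments: same as ssh_exec
# Outputs:   combined stdout/stderr of the session, minus ssh/expect noise
#            (every line containing "password" is dropped, prompt or not)
#######################################
ssh_sudo () {
  local port=${1-4242}
  [ $# -gt 0 ] && shift
  local login=${1-marvin}
  [ $# -gt 0 ] && shift
  local pass=${1-${DEFAULT_PASS}}
  [ $# -gt 0 ] && shift
  SSHPASS="${pass}" ./ssh_sudo.exp -p "${port}" "${login}@127.0.0.1" sudo "$@" 2>&1 \
    | grep -v -i -e '^Warning: Permanently added' -e 'password' -e '^spawn ssh' -e 'Connection to'
}

#######################################
# Prompt for credentials, then run every check and report OK/KO.
# Arguments: $1 - port on 127.0.0.1 (default 4242)
#######################################
main () {
  local port=${1-4242}
  local login pass
  local os_release sshd_config chage_out login_defs ufw_status lvm_count

  echo -n "Username: "
  read -r login
  if [ "${login}" == "" ]
  then
    login=$(git config user.name || echo "$USER")
  fi
  echo -n "Password: "
  # -r keeps backslashes in the password intact; -s keeps it off the screen.
  read -r -s pass
  if [ "${pass}" == "" ]
  then
    pass="${DEFAULT_PASS}"
  fi
  echo ""

  ssh_clean "${port}"

  # The login is compared as a literal prefix, not as a regular expression:
  # a value taken from git config may contain '.', spaces or other
  # characters that would change what a pattern matches.
  if ssh_exec "${port}" "${login}" "${pass}" hostname -s \
    | awk -v prefix="${login}42" 'index($0, prefix) == 1 { hit = 1 } END { exit !hit }'
  then
    echo "OK: Hostname is ${login}42"
  else
    echo "KO: Unexpected hostname (should be ${login}42)"
  fi

  # Files and command outputs that feed several checks are fetched once.
  os_release=$(ssh_exec "${port}" "${login}" "${pass}" cat /etc/os-release)
  if grep -q -i -E "(CentOS|Debian)" <<<"${os_release}"
  then
    echo "OK: Debian or CentOS installed"
  else
    echo "KO: Unknown Linux distribution"
  fi

  if grep -q -i -E '(bullseye|"8")' <<<"${os_release}"
  then
    echo "OK: Using stable distro"
  else
    echo "KO: Not using stable distro"
  fi

  if ssh_exec "${port}" "${login}" "${pass}" /usr/sbin/aa-status | grep -q -i -E "apparmor module is loaded" \
    || ssh_exec "${port}" "${login}" "${pass}" sestatus | grep -q -i -E "SELinux status:[^e]*enabled"
  then
    echo "OK: AppArmor or SELinux is active"
  else
    echo "KO: No AppArmor or SELinux is active"
  fi

  if ssh_exec "${port}" "${login}" "${pass}" lspci | grep -q -i -E "(VirtualBox|QEMU)"
  then
    echo "OK: VirtualBox or UTM QEMU"
  else
    echo "KO: Unexpected Virtual Machine"
  fi

  if ssh_exec "${port}" "${login}" "${pass}" dpkg -l | grep -q -i -E "(xserver|xorg)" \
    || ssh_exec "${port}" "${login}" "${pass}" rpm -qa | grep -q -i -E "(xserver|xorg)"
  then
    echo "KO: X server is present"
  else
    echo "OK: No X server"
  fi

  if ssh_exec "${port}" "${login}" "${pass}" lsblk | grep -q -i -E "_crypt"
  then
    echo "OK: Disk is encrypted"
  else
    echo "KO: Disk is not encrypted"
  fi

  # Compare the count as a number; matching its first digit against [2-9]
  # would report KO for 10 to 19 LVM volumes.
  lvm_count=$(ssh_exec "${port}" "${login}" "${pass}" lsblk | grep -c "lvm")
  if [ "${lvm_count:-0}" -ge 2 ]
  then
    echo "OK: Two or more partitions use LVM"
  else
    echo "KO: Less than two or no partitions use LVM"
  fi

  # 4242 here is the port sshd must use inside the guest, independent of the
  # forwarded port given on the command line.
  sshd_config=$(ssh_exec "${port}" "${login}" "${pass}" cat /etc/ssh/sshd_config)
  if grep -q -i -E '^Port 4242' <<<"${sshd_config}" \
    && grep -q -i -E '^PermitRootLogin no' <<<"${sshd_config}"
  then
    echo "OK: SSH config is correctly setup"
  else
    echo "KO: SSH config is not correctly setup"
  fi

  if ssh_exec "${port}" "${login}" "${pass}" groups "${login}" | grep -q -E "( user42.* sudo| sudo.* user42)"
  then
    echo "OK: ${login} is member of both user42 and sudo groups"
  else
    echo "KO: ${login} is not member of both user42 and sudo groups"
  fi

  # The trailing ([^0-9]|$) stops 30 from also accepting 300, and still
  # matches when the line ends with a carriage return from the remote tty.
  chage_out=$(ssh_exec "${port}" "${login}" "${pass}" chage -l "${login}")
  if grep -q -i -E '^Maximum number of days between password change.*: 30([^0-9]|$)' <<<"${chage_out}" \
    && grep -q -i -E '^Minimum number of days between password change.*: 2([^0-9]|$)' <<<"${chage_out}" \
    && grep -q -i -E '^Number of days of warning before password expires.*: 7([^0-9]|$)' <<<"${chage_out}"
  then
    echo "OK: Password expiration for ${login} is correct"
  else
    echo "KO: Password expiration for ${login} is wrong"
  fi

  # grep -E has no \t escape (it matches a literal 't'), so the separator is
  # written as a whitespace class; login.defs may use tabs or spaces.
  login_defs=$(ssh_exec "${port}" "${login}" "${pass}" cat /etc/login.defs)
  if grep -q -i -E '^PASS_MAX_DAYS[[:space:]]+30([^0-9]|$)' <<<"${login_defs}" \
    && grep -q -i -E '^PASS_MIN_DAYS[[:space:]]+2([^0-9]|$)' <<<"${login_defs}" \
    && grep -q -i -E '^PASS_WARN_AGE[[:space:]]+7([^0-9]|$)' <<<"${login_defs}"
  then
    echo "OK: Password expiration policy is correct"
  else
    echo "KO: Password expiration policy is wrong"
  fi

  if ssh_exec "${port}" "${login}" "${pass}" ss -tunlpe | grep -q -E "LISTEN.*:4242.*ssh"
  then
    echo "OK: ssh running on 4242"
  else
    echo "KO: ssh not running on 4242"
  fi

  ufw_status=$(ssh_sudo "${port}" "${login}" "${pass}" /usr/sbin/ufw status)
  if grep -q -E "Status: active" <<<"${ufw_status}"
  then
    echo "OK: Firewall ufw is active"
  else
    echo "KO: No firewall ufw is active"
  fi

  if grep -q -E "4242.*ALLOW.*Anywhere" <<<"${ufw_status}"
  then
    echo "OK: Firewall allow port 4242 from anywhere"
  else
    echo "KO: Firewall does not allow port 4242 from anywhere"
  fi
}

main "$@"
exit $?

#42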