# Spare-laptop validation checklist

Run after installing a fresh veilor-os ISO. Each item should pass before the build is considered green.

## Install flow

- [ ] Anaconda **only** prompts for LUKS passphrase — no account wizard, no initial-setup screen
- [ ] Install completes without `%post` errors (check `/var/log/veilor-install.log`)
- [ ] Reboot succeeds, USB removed cleanly

## First boot

- [ ] LUKS prompt appears at boot
- [ ] TTY1 shows veilor-os banner + password prompt
- [ ] Password rejection on weak input (try `password123` — should fail)
- [ ] Password set succeeds with strong input
- [ ] SDDM starts after password set
- [ ] `admin@veilor-os` shell prompt visible after first login
- [ ] `veilor-firstboot.service` shows `inactive (dead)` and `disabled` after first run

## Identity

- [ ] `passwd -S root` reports `L` (locked)
- [ ] `getent passwd | wc -l` shows base + admin only
- [ ] `id admin` shows `groups=...,wheel`

## Branding

- [ ] `hostnamectl` reports `veilor-os`
- [ ] `cat /etc/os-release` shows `NAME="veilor-os"` and `ID=veilor`
- [ ] `grep -ri onyx /etc /usr/local /usr/share/fonts` returns zero matches
- [ ] `grep -ri '192\.168\.0\.\|admin@gmail\|fedora\.local' /etc /usr/local` returns zero matches

## Theme

- [ ] KDE color scheme shows `veilor-black` in System Settings
- [ ] Konsole renders in DuckSans (`fc-match sans-serif` returns `DuckSans` if the font was vendored)
- [ ] Background is pure black (#000000), not Breeze dark grey

## Power

- [ ] `veilor-power status` runs without sudo, shows current profile
- [ ] `veilor-power save` switches to `veilor-powersave`
- [ ] `veilor-power perf` switches to `veilor-performance`
- [ ] Unplugging AC auto-switches to `veilor-powersave` (udev rule)
- [ ] Plugging AC auto-switches to `veilor-performance`

## Hardening — services

- [ ] `systemctl is-active fail2ban` → active
- [ ] `systemctl is-active usbguard` → active
- [ ] `systemctl is-active auditd` → active
- [ ] `systemctl is-active firewalld` → active
- [ ] `systemctl is-active tuned` → active
- [ ] `systemctl is-active chronyd` → active
- [ ] `systemctl is-active sshd` → active
- [ ] `systemctl is-active cups` → inactive / not-found
- [ ] `systemctl is-active avahi-daemon` → inactive / not-found
- [ ] `systemctl is-active bluetooth` → inactive
- [ ] `systemctl is-active veilor-modules-lock` (after 30s) → active

## Hardening — kernel/sysctl

- [ ] `getenforce` → `Enforcing`
- [ ] `mokutil --sb-state` → `SecureBoot enabled`
- [ ] `sysctl kernel.yama.ptrace_scope` → `2`
- [ ] `sysctl kernel.kptr_restrict` → `2`
- [ ] `sysctl fs.suid_dumpable` → `0`
- [ ] `sysctl dev.tty.ldisc_autoload` → `0`
- [ ] `sysctl kernel.modules_disabled` (after 30s post graphical) → `1`

## Hardening — network

- [ ] `firewall-cmd --get-default-zone` → `drop`
- [ ] `firewall-cmd --zone=drop --list-services` → `ssh`
- [ ] `resolvectl status` shows DNSSEC + DoT, LLMNR off
- [ ] `chronyc sources -v` shows NTS-authenticated peers

## Hardening — SSH

- [ ] `sshd -T | grep -E 'permitrootlogin|passwordauth|allowusers|x11forwarding'` shows: `permitrootlogin no`, `passwordauthentication no`, `allowusers admin`, `x11forwarding no`

## Disk

- [ ] `lsblk -f` shows LUKS2 on the main partition
- [ ] `cryptsetup luksDump /dev/...` shows argon2id, aes-xts-plain64
- [ ] `swapon` shows `zram` device, no disk swap

## SELinux module

- [ ] `semodule -l | grep veilor-systemd` → present
- [ ] No SELinux denials in `ausearch -m AVC -ts boot` related to `systemd_modules_load_t`

## USBGuard

- [ ] `systemctl status usbguard` → active
- [ ] `wc -l /etc/usbguard/rules.conf` → 0 (empty allowlist by design)
- [ ] After `sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'` and restart, all currently-connected USB devices remain functional

## Findings

Log issues and fixes here:

| Date | Item | Issue | Fix in kickstart? |
|------|------|-------|-------------------|
|      |      |       |                   |
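
The sysctl items in the kernel/sysctl section can be checked in one pass instead of one command at a time. The script below is an added example, not part of the veilor-os project; `check_sysctl`, `EXPECTED` and `SAMPLE` are hypothetical names, and the sample output is constructed to show a run taken before the 30-second module lock.

```shell
#!/bin/sh
# Expected values, copied from the kernel/sysctl checklist section.
EXPECTED='kernel.yama.ptrace_scope=2
kernel.kptr_restrict=2
fs.suid_dumpable=0
dev.tty.ldisc_autoload=0
kernel.modules_disabled=1'

# Constructed sample of `sysctl` output, captured too early:
# the module lock has not fired yet, so modules_disabled is still 0.
SAMPLE='kernel.yama.ptrace_scope = 2
kernel.kptr_restrict = 2
fs.suid_dumpable = 0
dev.tty.ldisc_autoload = 0
kernel.modules_disabled = 0'

# check_sysctl: reads "key = value" lines on stdin, prints one PASS/FAIL
# line per expected key and returns the number of failures.
# A key that is absent from the input counts as a failure, not a skip.
# On the installed machine (key names taken from EXPECTED):
#   sysctl $(printf '%s\n' "$EXPECTED" | cut -d= -f1) | check_sysctl
check_sysctl() {
    actual=$(sed 's/[[:space:]]*=[[:space:]]*/=/')
    failures=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$actual" |
            awk -F= -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            echo "FAIL $key: missing from input (want $want)"
            failures=$((failures + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key: got $got, want $want"
            failures=$((failures + 1))
        else
            echo "PASS $key = $got"
        fi
    done
    return "$failures"
}

# Demo on the constructed sample: four PASS lines and one FAIL.
printf '%s\n' "$SAMPLE" | check_sysctl || echo "$? check(s) failed"
```

A failure on `kernel.modules_disabled` alone usually means the check ran before `veilor-modules-lock` became active; rerun it after the 30-second window before logging a finding.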