veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions 1
veilor-os/test/boot-checklist.md

4 KiB
Raw Permalink Blame History

Spare-laptop validation checklist

Run after installing a fresh veilor-os ISO. Each item should pass before the build is considered green.

Install flow

  • Anaconda only prompts for LUKS passphrase — no account wizard, no initial-setup screen
  • Install completes without %post errors (check /var/log/veilor-install.log)
  • Reboot succeeds, USB removed cleanly

First boot

  • LUKS prompt appears at boot
  • TTY1 shows veilor-os banner + password prompt
  • Password rejection on weak input (try password123 — should fail)
  • Password set succeeds with strong input
  • SDDM starts after password set
  • admin@veilor-os shell prompt visible after first login
  • veilor-firstboot.service shows inactive (dead) and disabled after first run

Identity

  • passwd -S root reports L (locked)
  • getent passwd | wc -l shows base + admin only
  • id admin shows groups=...,wheel

Branding

  • hostnamectl reports veilor-os
  • cat /etc/os-release shows NAME="veilor-os" and ID=veilor
  • grep -ri onyx /etc /usr/local /usr/share/fonts returns zero
  • grep -ri '192\.168\.0\.\|admin@gmail\|fedora\.local' /etc /usr/local returns zero

Theme

  • KDE color scheme shows veilor-black in System Settings
  • Konsole renders in DuckSans (fc-match sans-serif returns DuckSans if the font was vendored)
  • Background is pure black (#000000), not Breeze dark grey

Power

  • veilor-power status runs without sudo, shows current profile
  • veilor-power save switches to veilor-powersave
  • veilor-power perf switches to veilor-performance
  • Unplugging AC auto-switches to veilor-powersave (udev rule)
  • Plugging AC auto-switches to veilor-performance

Hardening — services

  • systemctl is-active fail2ban → active
  • systemctl is-active usbguard → active
  • systemctl is-active auditd → active
  • systemctl is-active firewalld → active
  • systemctl is-active tuned → active
  • systemctl is-active chronyd → active
  • systemctl is-active sshd → active
  • systemctl is-active cups → inactive / not-found
  • systemctl is-active avahi-daemon → inactive / not-found
  • systemctl is-active bluetooth → inactive
  • systemctl is-active veilor-modules-lock (after 30s) → active

Hardening — kernel/sysctl

  • getenforceEnforcing
  • mokutil --sb-stateSecureBoot enabled
  • sysctl kernel.yama.ptrace_scope2
  • sysctl kernel.kptr_restrict2
  • sysctl fs.suid_dumpable0
  • sysctl dev.tty.ldisc_autoload0
  • sysctl kernel.modules_disabled (after 30s post graphical) → 1

Hardening — network

  • firewall-cmd --get-default-zonedrop
  • firewall-cmd --zone=drop --list-servicesssh
  • resolvectl status shows DNSSEC + DoT, LLMNR off
  • chronyc sources -v shows NTS-authenticated peers

Hardening — SSH

  • sshd -T | grep -E 'permitrootlogin|passwordauth|allowusers|x11forwarding' shows: permitrootlogin no, passwordauthentication no, allowusers admin, x11forwarding no

Disk

  • lsblk -f shows LUKS2 on the main partition
  • cryptsetup luksDump /dev/... shows argon2id, aes-xts-plain64
  • swapon shows zram device, no disk swap

SELinux module

  • semodule -l | grep veilor-systemd → present
  • No SELinux denials in ausearch -m AVC -ts boot related to systemd_modules_load_t

USBGuard

  • systemctl status usbguard → active
  • wc -l /etc/usbguard/rules.conf → 0 (empty allowlist by design)
  • After sudo usbguard generate-policy > /etc/usbguard/rules.conf and restart, all currently-connected USB devices remain functional

Findings

Log issues and fixes here:

Date Item Issue Fix in kickstart?