veilor-os/test/boot-checklist.md

# Spare-laptop validation checklist
Run after installing a fresh veilor-os ISO. Each item should pass
before the build is considered green.
## Install flow
- [ ] Anaconda **only** prompts for LUKS passphrase — no account wizard,
no initial-setup screen
- [ ] Install completes without `%post` errors (check `/var/log/veilor-install.log`)
- [ ] Reboot succeeds, USB removed cleanly
## First boot
- [ ] LUKS prompt appears at boot
- [ ] TTY1 shows veilor-os banner + password prompt
- [ ] Password rejection on weak input (try `password123` — should fail)
- [ ] Password set succeeds with strong input
- [ ] SDDM starts after password set
- [ ] `admin@veilor-os` shell prompt visible after first login
- [ ] `veilor-firstboot.service` shows `inactive (dead)` and `disabled`
after first run
## Identity
- [ ] `passwd -S root` reports `L` (locked)
- [ ] `getent passwd | wc -l` shows base + admin only
- [ ] `id admin` shows `groups=...,wheel`
## Branding
- [ ] `hostnamectl` reports `veilor-os`
- [ ] `cat /etc/os-release` shows `NAME="veilor-os"` and `ID=veilor`
- [ ] `grep -ri onyx /etc /usr/local /usr/share/fonts` returns zero
- [ ] `grep -ri '192\.168\.0\.\|admin@gmail\|fedora\.local' /etc /usr/local` returns zero
## Theme
- [ ] KDE color scheme shows `veilor-black` in System Settings
- [ ] Konsole renders in DuckSans (`fc-match sans-serif` returns
`DuckSans` if the font was vendored)
- [ ] Background is pure black (#000000), not Breeze dark grey
## Power
- [ ] `veilor-power status` runs without sudo, shows current profile
- [ ] `veilor-power save` switches to `veilor-powersave`
- [ ] `veilor-power perf` switches to `veilor-performance`
- [ ] Unplugging AC auto-switches to `veilor-powersave` (udev rule)
- [ ] Plugging AC auto-switches to `veilor-performance`
## Hardening — services
- [ ] `systemctl is-active fail2ban` → active
- [ ] `systemctl is-active usbguard` → active
- [ ] `systemctl is-active auditd` → active
- [ ] `systemctl is-active firewalld` → active
- [ ] `systemctl is-active tuned` → active
- [ ] `systemctl is-active chronyd` → active
- [ ] `systemctl is-active sshd` → active
- [ ] `systemctl is-active cups` → inactive / not-found
- [ ] `systemctl is-active avahi-daemon` → inactive / not-found
- [ ] `systemctl is-active bluetooth` → inactive
- [ ] `systemctl is-active veilor-modules-lock` (after 30s) → active
## Hardening — kernel/sysctl
- [ ] `getenforce` → `Enforcing`
- [ ] `mokutil --sb-state` → `SecureBoot enabled`
- [ ] `sysctl kernel.yama.ptrace_scope` → `2`
- [ ] `sysctl kernel.kptr_restrict` → `2`
- [ ] `sysctl fs.suid_dumpable` → `0`
- [ ] `sysctl dev.tty.ldisc_autoload` → `0`
- [ ] `sysctl kernel.modules_disabled` (after 30s post graphical) → `1`
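
The sysctl items above can be checked in one pass. The script below is an added example, not part of the veilor-os repository; `check_sysctl` is a hypothetical helper name and the sample output is constructed.

```sh
#!/bin/sh
# Expected values, taken from the checklist items above.
EXPECTED='kernel.yama.ptrace_scope=2
kernel.kptr_restrict=2
fs.suid_dumpable=0
dev.tty.ldisc_autoload=0
kernel.modules_disabled=1'

# check_sysctl (hypothetical helper): reads sysctl output ("key = value"
# lines) on stdin, reports each expected key, and returns the number of
# keys that are wrong or absent (0 means the section is green).
check_sysctl() {
    actual=$(cat)
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Match the key exactly so a longer key with the same prefix is ignored.
        got=$(printf '%s\n' "$actual" |
              awk -F'[ \t]*=[ \t]*' -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$got" ]; then
            # An absent key is a failure, not a skip: the setting cannot
            # be confirmed, so the item is not green.
            printf 'MISSING %s (want %s)\n' "$key" "$want"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            printf 'FAIL %s: got %s, want %s\n' "$key" "$got" "$want"
            bad=$((bad + 1))
        else
            printf 'PASS %s = %s\n' "$key" "$got"
        fi
    done
    return "$bad"
}

# Constructed sample (not captured from a real system): taken before the
# module lock fired, and with dev.tty.ldisc_autoload absent.
SAMPLE='kernel.yama.ptrace_scope = 2
kernel.kptr_restrict = 2
fs.suid_dumpable = 0
kernel.modules_disabled = 0'

printf '%s\n' "$SAMPLE" | check_sysctl || echo "sample: $? item(s) not green"
# On the installed machine: sysctl -a 2>/dev/null | check_sysctl
```

Run it more than 30 seconds after the graphical session starts, otherwise `kernel.modules_disabled` is expected to still read `0`.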
## Hardening — network
- [ ] `firewall-cmd --get-default-zone` → `drop`
- [ ] `firewall-cmd --zone=drop --list-services` → `ssh`
- [ ] `resolvectl status` shows DNSSEC + DoT, LLMNR off
- [ ] `chronyc sources -v` shows NTS-authenticated peers
## Hardening — SSH
- [ ] `sshd -T | grep -E 'permitrootlogin|passwordauth|allowusers|x11forwarding'`
shows: `permitrootlogin no`, `passwordauthentication no`,
`allowusers admin`, `x11forwarding no`
## Disk
- [ ] `lsblk -f` shows LUKS2 on the main partition
- [ ] `cryptsetup luksDump /dev/...` shows argon2id, aes-xts-plain64
- [ ] `swapon` shows `zram` device, no disk swap
## SELinux module
- [ ] `semodule -l | grep veilor-systemd` → present
- [ ] No SELinux denials in `ausearch -m AVC -ts boot` related to
`systemd_modules_load_t`
## USBGuard
- [ ] `systemctl status usbguard` → active
- [ ] `wc -l /etc/usbguard/rules.conf` → 0 (empty allowlist by design)
- [ ] After `sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'`
and restart, all currently-connected USB devices remain
functional
## Findings
Log issues and fixes here:
| Date | Item | Issue | Fix in kickstart? |
|------|------|-------|-------------------|
| | | | |