# ZimaOS Server Audit Checklist

Use this checklist when performing a full ZimaOS server audit. Execute each section and report results under these headings.

## Section 1: SSH Setup
- [ ] `systemctl status sshd` — is it active?
- [ ] `grep -E '^(#\s*)?(PubkeyAuthentication|PasswordAuthentication|PermitRootLogin|AuthorizedKeysFile)' /etc/ssh/sshd_config` (commented lines only show the compiled-in default; for the values sshd actually applies, including anything pulled in via `Include`, run `sshd -T | grep -Ei '^(pubkeyauthentication|passwordauthentication|permitrootlogin|authorizedkeysfile)'`)
- [ ] Check for regular users: `awk -F: '$3 >= 1000 && $3 < 65534 {print $1, $6}' /etc/passwd`
- [ ] Verify authorized_keys: `cat /DATA/.ssh/authorized_keys` (confirm this is the file that `AuthorizedKeysFile` resolves to; record key type and comment for every entry and flag any key nobody can account for)
- [ ] Note: `/root/.ssh/` is read-only on ZimaOS — use `/DATA/.ssh/` instead
- [ ] After changes: `sshd -t` (syntax check), then `systemctl reload sshd`; keep the current session open and verify a fresh login works before closing it
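The grep in this section shows the raw lines, but what sshd enforces follows its own rules: commented lines are inert, and for each keyword the first value obtained wins. The script below, an added example that is not part of ZimaOS, OpenSSH or the original checklist, applies those rules to an `sshd_config`, reports findings for the keywords above and lists `authorized_keys` entries by type and comment without echoing key material. It skips everything after the first `Match` line (cross-check with `sshd -T` when Match blocks exist); the `SAMPLE_*` strings are constructed input, and the file paths in `__main__` are the checklist's defaults.

```python
"""Evaluate sshd settings and authorized_keys entries for Section 1.

Added example for this checklist, not ZimaOS or OpenSSH project code.
"""
import re
import sys

# Compiled-in defaults from sshd_config(5) for the keywords the checklist greps.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed sample config (not from a real host).
SAMPLE_SSHD_CONFIG = """\
# commented-out line: shows the default, has no effect
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication no
AuthorizedKeysFile /DATA/.ssh/authorized_keys
# second occurrence: ignored, the first value obtained wins
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample authorized_keys; the blobs are not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal admin@laptop
from="192.168.1.0/24",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBExampleNotReal legacy@nas
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): first value} for lines outside Match blocks."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything after the first Match is conditional
        if in_match:
            continue
        effective.setdefault(key, value)   # first obtained value wins
    return effective


def audit_sshd(text):
    """Return (effective settings for the audited keywords, list of findings)."""
    cfg = parse_sshd_config(text)
    settings = {k: cfg.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    if settings["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication %s: password logins possible"
                        % settings["passwordauthentication"])
    if settings["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if settings["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication %s: key login disabled"
                        % settings["pubkeyauthentication"])
    return settings, findings


def summarize_authorized_keys(text):
    """Return (type, comment, has_options, finding) per key; the key blob is never echoed."""
    rows = []
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # Optional options (from="...",no-pty,...) precede the key type.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None:
            continue
        ktype = fields[idx]
        comment = " ".join(fields[idx + 2:])
        finding = "DSA key: disabled by default since OpenSSH 7.0" if ktype == "ssh-dss" else ""
        rows.append((ktype, comment, idx > 0, finding))
    return rows


if __name__ == "__main__":
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    keys = sys.argv[2] if len(sys.argv) > 2 else "/DATA/.ssh/authorized_keys"
    settings, findings = audit_sshd(open(conf).read())
    for k, v in settings.items():
        print("%-24s %s" % (k, v))
    for row in summarize_authorized_keys(open(keys).read()):
        print("key: %-28s comment=%r options=%s %s" % row)
    for f in findings:
        print("FINDING:", f)
```

Run it as `python3 sshd_audit.py /etc/ssh/sshd_config /DATA/.ssh/authorized_keys`; the findings lines go straight into the "Findings & recommendations" part of the report.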

## Section 2: Network
- [ ] Hostname: `hostnamectl`
- [ ] IPv4: `ip -4 addr show | grep inet`
- [ ] MAC of active interface: `ip -o link show` → the `link/ether` of the interface that carries the IPv4 address above (the name may be `eth0` or a predictable name such as `enp3s0`)
- [ ] Default gateway: `ip route | grep default`
- [ ] DNS: `cat /etc/resolv.conf` (if it only lists `127.0.0.53`, systemd-resolved is in front; get the real upstream servers with `resolvectl status`)
- [ ] Report as table: IP, MAC, Gateway, DNS

## Section 3: System
- [ ] OS: `cat /etc/os-release` + `uname -a`
- [ ] Hardware model: `hostnamectl` (Hardware Model field)
- [ ] RAM: `free -h`
- [ ] Disk: `df -h`
- [ ] CPU: `lscpu | head -8`
- [ ] USB devices: `lsusb` (important for Zigbee stick detection)

## Section 4: Docker & Containers
- [ ] Docker version: `docker version --format '{{.Server.Version}}'`
- [ ] All containers: `docker ps -a`
- [ ] HA container: `docker inspect homeassistant`
  - Image + tag
  - NetworkMode
  - RestartPolicy
  - Mounts (source → target)
  - Ports
  - Env keys (no values if secrets present)
- [ ] Config path: typically `/DATA/AppData/<app>/config/`
- [ ] DOCKER_CONFIG env: `export DOCKER_CONFIG=/tmp/docker-config` (points the `docker` CLI at a writable config directory instead of `/root/.docker`; see the read-only `/root/.ssh` note in Section 1)
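`docker inspect` prints a large JSON document; the fields this section asks for are spread across `Config`, `HostConfig`, `Mounts` and `NetworkSettings`. The script below, an added example that is not ZimaOS, Docker or Home Assistant project code, pulls exactly those fields out and reports environment variables by name only, so a token in `Env` never reaches the report. `SAMPLE_INSPECT` is a constructed fragment with the structure of real inspect output (image tag, paths and token are made up); in use, pipe the real output in: `docker inspect homeassistant | python3 inspect_summary.py`.

```python
"""Summarize the Section 4 fields from `docker inspect <container>` JSON.

Added example for this checklist, not ZimaOS or Docker project code.
"""
import json
import sys

# Constructed sample with the shape of real `docker inspect` output.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/homeassistant",
    "Config": {
        "Image": "ghcr.io/home-assistant/home-assistant:2024.1.0",
        "Env": ["TZ=Europe/Berlin", "SUPERVISOR_TOKEN=not-a-real-token", "PATH=/usr/bin"],
    },
    "HostConfig": {
        "NetworkMode": "bridge",
        "Privileged": False,
        "RestartPolicy": {"Name": "unless-stopped", "MaximumRetryCount": 0},
        "Devices": [{"PathOnHost": "/dev/ttyUSB0", "PathInContainer": "/dev/ttyUSB0"}],
    },
    "Mounts": [
        {"Type": "bind", "Source": "/DATA/AppData/homeassistant/config",
         "Destination": "/config", "RW": True},
        {"Type": "bind", "Source": "/etc/localtime",
         "Destination": "/etc/localtime", "RW": False},
    ],
    "NetworkSettings": {
        "Ports": {"8123/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8123"}]},
    },
}])


def container_notes(s):
    """Audit remarks derived from the summary dict."""
    notes = []
    if s["network_mode"] == "host":
        notes.append("host networking: every port the container listens on is reachable on the host")
    if s["privileged"]:
        notes.append("privileged container: full device and capability access")
    for p in s["ports"]:
        if p["host_ip"] in ("", "0.0.0.0", "::"):
            notes.append("published on all interfaces: %s -> %s" % (p["host_port"], p["container"]))
    if s["restart_policy"] in (None, "", "no"):
        notes.append("no restart policy: container stays down after a reboot")
    return notes


def summarize_container(inspect_json):
    """Return the audit fields as a dict; only Env *names* are included."""
    c = json.loads(inspect_json)[0]
    cfg, host = c.get("Config", {}), c.get("HostConfig", {})
    image = cfg.get("Image", "")
    # A tag is the part after the last ':' of the final path component;
    # a registry with a port (host:5000/img) has no ':' there.
    if ":" in image.rsplit("/", 1)[-1]:
        repo, tag = image.rsplit(":", 1)
    else:
        repo, tag = image, "(none)"
    ports = []
    for cport, bindings in (c.get("NetworkSettings", {}).get("Ports") or {}).items():
        for b in bindings or []:   # None when a port is exposed but not published
            ports.append({"host_ip": b.get("HostIp", ""), "host_port": b.get("HostPort", ""),
                          "container": cport})
    mounts = ["%s -> %s (%s)" % (m.get("Source"), m.get("Destination"),
                                 "rw" if m.get("RW") else "ro")
              for m in c.get("Mounts", [])]
    env_names = sorted(e.split("=", 1)[0] for e in cfg.get("Env") or [])
    summary = {
        "name": c.get("Name", "").lstrip("/"),
        "image": repo,
        "tag": tag,
        "network_mode": host.get("NetworkMode"),
        "restart_policy": host.get("RestartPolicy", {}).get("Name"),
        "privileged": bool(host.get("Privileged")),
        "devices": [d.get("PathOnHost") for d in host.get("Devices") or []],
        "mounts": mounts,
        "ports": ports,
        "env_names": env_names,
    }
    summary["notes"] = container_notes(summary)
    return summary


if __name__ == "__main__":
    for key, val in summarize_container(sys.stdin.read()).items():
        print("%-15s %s" % (key, val))
```

The `devices` list is where a Zigbee stick passed through to the container shows up, which ties this section to the `lsusb` check in Section 3.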

## Section 5: HA Configuration
- [ ] `cat /DATA/AppData/homeassistant/config/configuration.yaml`
- [ ] `cat /DATA/AppData/homeassistant/config/.HA_VERSION`
- [ ] `du -sh /DATA/AppData/homeassistant/config/`
- [ ] `ls -la /DATA/AppData/homeassistant/config/`
- [ ] Integrations in use: `jq -r '.data.entries[].domain' /DATA/AppData/homeassistant/config/.storage/core.config_entries | sort -u` (read only this file; `.storage/auth` holds refresh tokens and must not be dumped)
- [ ] Backups: `ls /DATA/AppData/homeassistant/config/backup*` and `find /DATA/AppData/homeassistant -maxdepth 2 -name '*.tar'`
- [ ] Logs: `docker logs --tail 50 homeassistant`

## Section 6: Security
- [ ] UFW: `ufw status` (likely not installed)
- [ ] iptables: `sudo iptables -nL | head -30` and `sudo iptables -S` (Docker maintains its own `DOCKER` and `DOCKER-USER` chains, and published container ports are handled in FORWARD/nat rather than INPUT); on nftables hosts also `nft list ruleset`
- [ ] Listening sockets: `ss -tulpn` (`-l` already restricts to listening sockets; piping through `grep LISTEN` would drop UDP, which `ss` reports as `UNCONN`). Flag anything bound to `0.0.0.0`, `*` or `[::]` rather than `127.0.0.1`
- [ ] Auto-updates: `systemctl status unattended-upgrades` (likely not installed)
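The `ss` line above gives the raw list; the security question is which of those sockets are reachable from the network. The script below, an added example that is not part of ZimaOS or the original checklist, parses `ss -tulpn` output, keeps UDP sockets (state `UNCONN`) that a `grep LISTEN` would discard, and separates loopback-only binds from everything else. `SAMPLE_SS` is constructed output in the `ss` column layout with made-up PIDs; in use, pipe the real output in: `ss -tulpn | python3 exposed_ports.py`.

```python
"""Classify sockets from `ss -tulpn` as loopback-only or exposed.

Added example for this checklist, not ZimaOS project code.
"""
import re
import sys

# Constructed sample in the column layout `ss -tulpn` prints (PIDs made up).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*     users:(("avahi-daemon",pid=612,fd=12))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=899,fd=3))
tcp   LISTEN 0      4096       127.0.0.1:8080       0.0.0.0:*     users:(("python3",pid=1200,fd=5))
tcp   LISTEN 0      4096               *:8123             *:*     users:(("python3",pid=2345,fd=7))
tcp   LISTEN 0      4096            [::]:80            [::]:*     users:(("docker-proxy",pid=3000,fd=4))
tcp   LISTEN 0      4096           [::1]:631          [::]:*     users:(("cupsd",pid=410,fd=6))
"""

WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss(text):
    """Return one dict per socket line; the header and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split(None, 6)   # netid state recv-q send-q local peer [process]
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        addr, _, port = fields[4].rpartition(":")   # works for "[::]:80" and "*:8123" too
        proc = re.search(r'\("([^"]+)"', fields[6]) if len(fields) > 6 else None
        rows.append({
            "proto": fields[0],
            "state": fields[1],
            "addr": addr,
            "port": int(port) if port.isdigit() else port,
            "process": proc.group(1) if proc else "?",   # "?" when ss ran without root
        })
    return rows


def exposure(addr):
    """Classify a local bind address."""
    if addr in WILDCARD:
        return "all interfaces"
    if addr in LOOPBACK or addr.startswith("127."):   # 127.0.0.53 (systemd-resolved) etc.
        return "loopback only"
    return "specific address"


def exposed_sockets(text):
    """Return (proto, port, process) for sockets reachable from the network."""
    return [(r["proto"], r["port"], r["process"])
            for r in parse_ss(text) if exposure(r["addr"]) != "loopback only"]


if __name__ == "__main__":
    for r in parse_ss(sys.stdin.read()):
        print("%-4s %-6s %-22s %-6s %-16s %s" % (r["proto"], r["state"], r["addr"],
                                               r["port"], exposure(r["addr"]), r["process"]))
```

Sockets owned by `docker-proxy` are published container ports from bridge-networked containers; a container running with `NetworkMode: host` shows up under its own process name instead, which is why Section 4 and this section need to be read together.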

## Section 7: Report Format

Deliver one markdown report with sections:
1. SSH setup
2. Network (table: IP, MAC, Gateway, DNS)
3. System (OS, Hardware, RAM, Disk, CPU)
4. USB devices
5. Docker + HA container
6. HA configuration
7. Security
8. Findings & recommendations

Rules:
- Never expose passwords, tokens, or secrets.yaml content
- Report failures, don't skip them
- Only modify SSH keys (adding or removing entries in authorized_keys); make no other changes to the system
