#!/usr/bin/env bash
set +e
set +u
set +H 2>/dev/null

echo "===== YEFF AI READ-ONLY DISCOVERY AUDIT ====="
echo "DATE=$(date)"
echo "HOSTNAME=$(hostname 2>/dev/null)"
echo "REMOTE_YEFFAI_MUTATION=NO"
echo "YEFFAI_READONLY_DISCOVERY_COMMANDS_EXECUTED=YES"
echo "YEFFAI_INSTALLATION_COMMAND_EXECUTED=NO"
echo "INSTALLATION_STARTED=NO"
echo "PACKAGE_ID=yeffai_readonly_discovery_audit_commands"
echo "OPERATOR_PACKET_ID=yeffai_readonly_discovery_audit_operator_packet"
echo
echo "===== COMMAND_001 ====="
echo "SCOPE=BASE"
echo "GROUP_ID=BASE"
echo "COMMAND_ID=HOST_IDENTITY_READ"
echo "PURPOSE=Ler identidade básica do host YEFF AI sem mutação."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
printf "hostname="; hostname; printf "kernel="; uname -a; printf "os_release="; cat /etc/os-release 2>/dev/null
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_002 ====="
echo "SCOPE=BASE"
echo "GROUP_ID=BASE"
echo "COMMAND_ID=TIME_AND_UPTIME_READ"
echo "PURPOSE=Ler horário, uptime e carga do host."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
date -Is; uptime
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_003 ====="
echo "SCOPE=BASE"
echo "GROUP_ID=BASE"
echo "COMMAND_ID=PROCESS_READ"
echo "PURPOSE=Ler processos ativos para evidência de runtime/observer/serviços."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
ps aux --sort=comm | head -n 200
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_004 ====="
echo "SCOPE=BASE"
echo "GROUP_ID=BASE"
echo "COMMAND_ID=SYSTEMD_SERVICE_READ"
echo "PURPOSE=Ler serviços systemd sem iniciar, parar ou reiniciar nada."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
systemctl list-units --type=service --all --no-pager 2>/dev/null | head -n 300
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_005 ====="
echo "SCOPE=BASE"
echo "GROUP_ID=BASE"
echo "COMMAND_ID=LISTENING_PORTS_READ"
echo "PURPOSE=Ler portas em escuta e processos associados."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_006 ====="
echo "SCOPE=BASE"
echo "GROUP_ID=BASE"
echo "COMMAND_ID=DISK_AND_MOUNTS_READ"
echo "PURPOSE=Ler discos, mounts e espaço sem alterar arquivos."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
df -hT; printf "\n--- mounts ---\n"; mount | head -n 200
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_007 ====="
echo "SCOPE=BASE"
echo "GROUP_ID=BASE"
echo "COMMAND_ID=TOP_LEVEL_TREE_READ"
echo "PURPOSE=Ler estrutura de diretórios prováveis sem conteúdo sensível."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
find /home /opt /srv /var/www -maxdepth 3 -type d 2>/dev/null | sort | head -n 500
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_008 ====="
echo "SCOPE=GROUP"
echo "GROUP_ID=RUNTIME_OBSERVABILITY"
echo "COMMAND_ID=RUNTIME_LOG_PATHS_READ"
echo "PURPOSE=Descobrir caminhos de logs e runtime state sem ler segredo."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
find /var/log /run /var/run /opt /srv /home -maxdepth 4 \( -iname "*log*" -o -iname "*runtime*" -o -iname "*status*" -o -iname "*observer*" -o -iname "*audit*" \) 2>/dev/null | sort | head -n 500
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_009 ====="
echo "SCOPE=GROUP"
echo "GROUP_ID=RUNTIME_OBSERVABILITY"
echo "COMMAND_ID=RECENT_LOG_METADATA_READ"
echo "PURPOSE=Ler metadados de logs recentes sem truncar ou modificar."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
find /var/log -type f -maxdepth 3 -printf "%TY-%Tm-%Td %TH:%TM %s %p\n" 2>/dev/null | sort | tail -n 200
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_010 ====="
echo "SCOPE=GROUP"
echo "GROUP_ID=SECURITY_BASELINE"
echo "COMMAND_ID=UFW_STATUS_READ"
echo "PURPOSE=Ler status do UFW sem habilitar firewall."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
ufw status verbose 2>/dev/null || true
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_011 ====="
echo "SCOPE=GROUP"
echo "GROUP_ID=SECURITY_BASELINE"
echo "COMMAND_ID=SSH_CONFIG_READ"
echo "PURPOSE=Ler configuração SSH efetiva e arquivos principais sem editar."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
sshd -T 2>/dev/null | egrep "^(permitrootlogin|passwordauthentication|pubkeyauthentication|port|allowusers|denyusers)"; printf "\n--- sshd_config ---\n"; grep -RIn "^PermitRootLogin\|^PasswordAuthentication\|^PubkeyAuthentication\|^Port\|^AllowUsers\|^DenyUsers" /etc/ssh/sshd_config /etc/ssh/sshd_config.d 2>/dev/null || true
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_012 ====="
echo "SCOPE=GROUP"
echo "GROUP_ID=SECURITY_BASELINE"
echo "COMMAND_ID=SECURITY_PACKAGES_STATUS_READ"
echo "PURPOSE=Ler presença/status de fail2ban, auditd e inotify-tools sem instalar."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
dpkg -l 2>/dev/null | egrep "fail2ban|auditd|audispd|inotify-tools" || true; printf "\n--- services ---\n"; systemctl status fail2ban auditd --no-pager 2>/dev/null || true
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_013 ====="
echo "SCOPE=GROUP"
echo "GROUP_ID=SECURITY_BASELINE"
echo "COMMAND_ID=PERMISSIONS_SECURITY_READ"
echo "PURPOSE=Ler permissões de arquivos/diretórios críticos sem alterar."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
ls -ld /root /home /etc/ssh /var/log /opt /srv /var/www 2>/dev/null; find /etc/ssh -maxdepth 2 -type f -printf "%m %u %g %p\n" 2>/dev/null | sort
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_014 ====="
echo "SCOPE=GROUP"
echo "GROUP_ID=BACKUP_RECOVERY"
echo "COMMAND_ID=BACKUP_PATHS_DISCOVERY_READ"
echo "PURPOSE=Descobrir diretórios e manifests de backup sem executar backup ou restore."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
find /home /opt /srv /var/backups /backup /backups -maxdepth 5 \( -iname "*backup*" -o -iname "*restore*" -o -iname "*snapshot*" -o -iname "*manifest*" -o -iname "*rollback*" \) 2>/dev/null | sort | head -n 500
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== COMMAND_015 ====="
echo "SCOPE=GROUP"
echo "GROUP_ID=BACKUP_RECOVERY"
echo "COMMAND_ID=BACKUP_METADATA_READ"
echo "PURPOSE=Ler metadados de arquivos de backup sem copiar, deletar ou restaurar."
echo "MUTATES_SYSTEM=NO"
echo "COMMAND_BEGIN"
find /var/backups /backup /backups /home /opt /srv -maxdepth 4 -type f \( -iname "*manifest*" -o -iname "*.sha256" -o -iname "*.json" -o -iname "*.txt" \) -printf "%TY-%Tm-%Td %TH:%TM %s %p\n" 2>/dev/null | sort | head -n 500
CMD_STATUS=$?
echo "COMMAND_EXIT_STATUS=$CMD_STATUS"
echo "COMMAND_END"
echo
echo "===== FINAL ====="
echo "STATUS=PASS"
echo "CAUSE=read-only discovery audit executed on YEFF AI target via Waresites SSH without requested mutation"
echo "REMOTE_YEFFAI_MUTATION=NO"
echo "YEFFAI_INSTALLATION_COMMAND_EXECUTED=NO"
echo "INSTALLATION_STARTED=NO"
