Refactor LUKS and Secure Boot checks to improve status reporting and …

…remove redundant code
ParetoSecurity · Dec 11, 2024 · 20e7324 · 20e7324
1 parent da284bd
commit 20e7324
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 29 deletions.
diff --git a/check/luks.go b/check/luks.go
@@ -52,11 +52,6 @@ func (f *EncryptingFS) FailedMessage() string {
 	return "Block device encryption is disabled"
 }
 
-// Status returns the status of the check
-func (f *EncryptingFS) Status() string {
-	return f.status
-}
-
 // RequiresRoot returns whether the check requires root access
 func (f *EncryptingFS) RequiresRoot() bool {
 	return true
@@ -122,3 +117,11 @@ func (f *EncryptingFS) Run() error {
 
 	return nil
 }
+
+// Status returns the status of the check
+func (f *EncryptingFS) Status() string {
+	if f.Passed() {
+		return f.PassedMessage()
+	}
+	return f.FailedMessage()
+}
diff --git a/check/secure_boot.go b/check/secure_boot.go
@@ -3,9 +3,6 @@ package check
 import (
 	"os"
 	"path/filepath"
-
-	"github.com/caarlos0/log"
-	"paretosecurity.com/auditor/shared"
 )
 
 type SecureBoot struct {
@@ -20,22 +17,6 @@ func (f *SecureBoot) Name() string {
 
 // Run executes the check
 func (f *SecureBoot) Run() error {
-	if f.RequiresRoot() && !shared.IsRoot() {
-		// Run as root
-		passed, err := shared.RunCheckViaHelper(f.UUID())
-		if err != nil {
-			log.WithError(err).Warn("Failed to run check via helper")
-			return err
-		}
-		f.passed = passed
-		return nil
-	}
-	// Check if we're even running on a UEFI system
-	if _, err := os.Stat("/sys/firmware/efi"); os.IsNotExist(err) {
-		f.passed = false
-		f.status = "System is not running in UEFI mode"
-		return nil
-	}
 
 	// Find and read the SecureBoot EFI variable
 	pattern := "/sys/firmware/efi/efivars/SecureBoot-*"
@@ -59,10 +40,9 @@ func (f *SecureBoot) Run() error {
 	if len(data) >= 5 && data[4] == 1 {
 		f.passed = true
 		f.status = f.PassedMessage()
-	} else {
-		f.passed = false
-		f.status = f.FailedMessage()
 	}
+	f.passed = false
+	f.status = f.FailedMessage()
 
 	return nil
 }
@@ -74,7 +54,11 @@ func (f *SecureBoot) Passed() bool {
 
 // CanRun returns whether the check can run
 func (f *SecureBoot) IsRunnable() bool {
-	return true
+	if _, err := os.Stat("/sys/firmware/efi"); os.IsNotExist(err) {
+		f.status = "System is not running in UEFI mode"
+		return true
+	}
+	return false
 }
 
 // UUID returns the UUID of the check
@@ -99,7 +83,7 @@ func (f *SecureBoot) FailedMessage() string {
 
 // RequiresRoot returns whether the check requires root access
 func (f *SecureBoot) RequiresRoot() bool {
-	return true
+	return false
 }
 
 // Status returns the status of the check