Enhance logging and improve encrypted device detection in LUKS check;…

… add root requirement handling in Secure Boot check
ParetoSecurity · Dec 11, 2024 · ffeba5c · ffeba5c
1 parent 6a85f75
commit ffeba5c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/check/luks.go b/check/luks.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/caarlos0/log"
+	"github.com/davecgh/go-spew/spew"
 	"paretosecurity.com/auditor/shared"
 )
 
@@ -93,7 +94,7 @@ func (f *EncryptingFS) Run() error {
 		}
 		crypttab.Close()
 	}
-	log.WithField("encryptedDevices", encryptedDevices).Debug("Found encrypted devices")
+	log.WithField("encryptedDevices", spew.Sdump(encryptedDevices)).Debug("Found encrypted devices")
 	cmd := exec.Command("blkid")
 	output, err := cmd.Output()
 	if err != nil {
@@ -106,8 +107,8 @@ func (f *EncryptingFS) Run() error {
 		line := scanner.Text()
 		if strings.Contains(line, `TYPE="crypto_LUKS"`) {
 			log.WithField("line", line).Debug("Found encrypted device")
-			for device := range encryptedDevices {
-				if strings.Contains(line, device) {
+			for _, uuid := range encryptedDevices {
+				if strings.Contains(line, uuid) {
 					f.passed = true
 					f.status = f.PassedMessage()
 					return nil

diff --git a/check/secure_boot.go b/check/secure_boot.go
@@ -3,6 +3,9 @@ package check
 import (
 	"os"
 	"path/filepath"
+
+	"github.com/caarlos0/log"
+	"paretosecurity.com/auditor/shared"
 )
 
 type SecureBoot struct {
@@ -17,6 +20,16 @@ func (f *SecureBoot) Name() string {
 
 // Run executes the check
 func (f *SecureBoot) Run() error {
+	if f.RequiresRoot() && !shared.IsRoot() {
+		// Run as root
+		passed, err := shared.RunCheckViaHelper(f.UUID())
+		if err != nil {
+			log.WithError(err).Warn("Failed to run check via helper")
+			return err
+		}
+		f.passed = passed
+		return nil
+	}
 	// Check if we're even running on a UEFI system
 	if _, err := os.Stat("/sys/firmware/efi"); os.IsNotExist(err) {
 		f.passed = false