Enhance check messages and add schema output option in CLI

.github/workflows/release.yml

@@ -40,6 +40,13 @@ jobs:
         with:
           name: release
           path: dist
+      - run:  dist/pareto-linux_linux_amd64_v1/paretosecurity check --schema > checks.json
+      - name: Upload checks info
+        uses: softprops/action-gh-release@v1
+        with:
+          files: checks.json
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Import GPG key
         uses: crazy-max/ghaction-import-gpg@v6
         with:

check/autologin.go

@@ -75,10 +75,20 @@ func (f *Autologin) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *Autologin) PassedMessage() string {
+	return "Automatic login is off"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *Autologin) FailedMessage() string {
+	return "Automatic login is on"
+}
+
 // Status returns the status of the check
 func (f *Autologin) Status() string {
 	if !f.Passed() {
-		return "Automatic login is on"
+		return f.FailedMessage()
 	}
-	return "Automatic login is off"
+	return f.PassedMessage()
 }

check/check.go

@@ -8,6 +8,8 @@ import (
 
 type Check interface {
 	Name() string
+	PassedMessage() string
+	FailedMessage() string
 	Run() error
 	Passed() bool
 	IsRunnable() bool

check/firewall.go

@@ -82,10 +82,20 @@ func (f *Firewall) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *Firewall) PassedMessage() string {
+	return "Firewall is on"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *Firewall) FailedMessage() string {
+	return "Firewall is off"
+}
+
 // Status returns the status of the check
 func (f *Firewall) Status() string {
 	if f.Passed() {
-		return "Firewall is on"
+		return f.PassedMessage()
 	}
-	return "Firewall is off"
+	return f.FailedMessage()
 }

check/luks.go

@@ -14,7 +14,7 @@ type EncryptingFS struct {
 
 // Name returns the name of the check
 func (f *EncryptingFS) Name() string {
-	return "Block device encryption is enabled"
+	return "Block device encryption"
 }
 
 // Passed returns the status of the check
@@ -37,6 +37,16 @@ func (f *EncryptingFS) ReportIfDisabled() bool {
 	return true
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *EncryptingFS) PassedMessage() string {
+	return "Block device encryption is enabled"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *EncryptingFS) FailedMessage() string {
+	return "Block device encryption is disabled"
+}
+
 // Status returns the status of the check
 func (f *EncryptingFS) Status() string {
 	return f.status
@@ -107,10 +117,10 @@ func (f *EncryptingFS) Run() error {
 		f.passed = true
 		f.status = "Both root and home are LUKS encrypted"
 	} else if rootEncrypted {
-		f.passed = false
+		f.passed = true
 		f.status = "Only root is LUKS encrypted"
 	} else if homeEncrypted {
-		f.passed = false
+		f.passed = true
 		f.status = "Only home is LUKS encrypted"
 	} else {
 		f.passed = false

check/password_unlock.go

@@ -71,10 +71,20 @@ func (f *PasswordToUnlock) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *PasswordToUnlock) PassedMessage() string {
+	return "Password after sleep or screensaver is on"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *PasswordToUnlock) FailedMessage() string {
+	return "Password after sleep or screensaver is off"
+}
+
 // Status returns the status of the check
 func (f *PasswordToUnlock) Status() string {
 	if f.Passed() {
-		return "Password after sleep or screensaver is on"
+		return f.PassedMessage()
 	}
-	return "Password after sleep or screensaver is off"
+	return f.FailedMessage()
 }

check/printer.go

@@ -61,6 +61,16 @@ func (f *Printer) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *Printer) PassedMessage() string {
+	return "Printer sharing is disabled"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *Printer) FailedMessage() string {
+	return "Printer sharing is enabled"
+}
+
 // Status returns the status of the check
 func (f *Printer) Status() string {
 	if !f.Passed() {

check/remote_login.go

@@ -69,6 +69,16 @@ func (f *RemoteLogin) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *RemoteLogin) PassedMessage() string {
+	return "Remote access services are found running"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *RemoteLogin) FailedMessage() string {
+	return "No remote access services found running"
+}
+
 // Status returns the status of the check
 func (f *RemoteLogin) Status() string {
 	if !f.Passed() {

check/secure_boot.go

@@ -45,10 +45,10 @@ func (f *SecureBoot) Run() error {
 	// Value of 1 means enabled, 0 means disabled
 	if len(data) >= 5 && data[4] == 1 {
 		f.passed = true
-		f.status = "SecureBoot is enabled"
+		f.status = f.PassedMessage()
 	} else {
 		f.passed = false
-		f.status = "SecureBoot is disabled"
+		f.status = f.FailedMessage()
 	}
 
 	return nil
@@ -74,6 +74,16 @@ func (f *SecureBoot) ReportIfDisabled() bool {
 	return true
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *SecureBoot) PassedMessage() string {
+	return "SecureBoot is enabled"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *SecureBoot) FailedMessage() string {
+	return "SecureBoot is disabled"
+}
+
 // Status returns the status of the check
 func (f *SecureBoot) Status() string {
 	return f.status

check/sharing.go

@@ -62,6 +62,16 @@ func (f *Sharing) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *Sharing) PassedMessage() string {
+	return "No file sharing services found running"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *Sharing) FailedMessage() string {
+	return "Sharing services found running "
+}
+
 // Status returns the status of the check
 func (f *Sharing) Status() string {
 	if !f.Passed() {
@@ -71,5 +81,5 @@ func (f *Sharing) Status() string {
 		}
 		return msg
 	}
-	return "No file sharing services found running"
+	return f.PassedMessage()
 }

check/software_updates.go

@@ -89,6 +89,16 @@ func (f *SoftwareUpdates) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *SoftwareUpdates) PassedMessage() string {
+	return "All apps are up to date"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *SoftwareUpdates) FailedMessage() string {
+	return "Some apps are out of date"
+}
+
 // Status returns the status of the check
 func (f *SoftwareUpdates) Status() string {
 	return f.details

check/ssh_keys.go

@@ -79,10 +79,20 @@ func (f *SSHKeys) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *SSHKeys) PassedMessage() string {
+	return "SSH keys are password protected"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *SSHKeys) FailedMessage() string {
+	return "SSH keys are not using password"
+}
+
 // Status returns the status of the check
 func (f *SSHKeys) Status() string {
 	if f.Passed() {
-		return "SSH keys are password protected"
+		return f.PassedMessage()
 	}
 	return "Found unprotected SSH key(s): " + strings.Join(f.failedKeys, ", ")
 }

check/ssh_keys_algo.go

@@ -127,10 +127,20 @@ func (f *SSHKeysAlgo) ReportIfDisabled() bool {
 	return false
 }
 
+// PassedMessage returns the message to return if the check passed
+func (f *SSHKeysAlgo) PassedMessage() string {
+	return "SSH keys use strong encryption"
+}
+
+// FailedMessage returns the message to return if the check failed
+func (f *SSHKeysAlgo) FailedMessage() string {
+	return "SSH keys are using weak encryption"
+}
+
 // Status returns the status of the check
 func (f *SSHKeysAlgo) Status() string {
 	if f.Passed() {
-		return "SSH keys use strong encryption"
+		return f.PassedMessage()
 	}
 
 	return "SSH key " + f.sshKey + " is using weak encryption"

cmd/check.go

@@ -16,10 +16,17 @@ import (
 )
 
 var checkCmd = &cobra.Command{
-	Use:   "check [--json]",
+	Use:   "check [--json] [--schema]",
 	Short: "Check system status",
 	Run: func(cc *cobra.Command, args []string) {
 		jsonOutput, _ := cc.Flags().GetBool("json")
+		schemaOutput, _ := cc.Flags().GetBool("schema")
+
+		if schemaOutput {
+			PrintSchemaJSON()
+			return
+		}
+
 		if jsonOutput {
 			CheckJSON()
 			return
@@ -37,6 +44,7 @@ var checkCmd = &cobra.Command{
 func init() {
 	rootCmd.AddCommand(checkCmd)
 	checkCmd.Flags().Bool("json", false, "output JSON")
+	checkCmd.Flags().Bool("schema", false, "output schema for all checks")
 }
 
 func Check() {
@@ -109,3 +117,19 @@ func CheckJSON() {
 	}
 	fmt.Println(string(out))
 }
+
+func PrintSchemaJSON() {
+	schema := make(map[string]map[string][]string)
+	for _, claim := range claims.All {
+		checks := make(map[string][]string)
+		for _, chk := range claim.Checks {
+			checks[chk.UUID()] = []string{chk.PassedMessage(), chk.FailedMessage()}
+		}
+		schema[claim.Title] = checks
+	}
+	out, err := json.MarshalIndent(schema, "", "  ")
+	if err != nil {
+		log.WithError(err).Warn("cannot marshal schema")
+	}
+	fmt.Println(string(out))
+}

flake.nix

@@ -63,7 +63,7 @@
             ];
           };
 
-          testScript = builtins.readFile "${toString ./.}/integration/nixos.py";
+          testScript = builtins.readFile "${toString ./.}/test/integration/nixos.py";
         };
 
         packages.test-debian = let
@@ -74,7 +74,7 @@
                 target = "/mnt/package";
               };
             };
-            testScript = builtins.readFile "${toString ./.}/integration/debian.py";
+            testScript = builtins.readFile "${toString ./.}/test/integration/debian.py";
           };
         in
           vmTest.driver;
@@ -87,7 +87,7 @@
                 target = "/mnt/package";
               };
             };
-            testScript = builtins.readFile "${toString ./.}/integration/fedora.py";
+            testScript = builtins.readFile "${toString ./.}/test/integration/fedora.py";
           };
         in
           vmTest.driver;
@@ -100,7 +100,7 @@
                 target = "/mnt/package";
               };
             };
-            testScript = builtins.readFile "${toString ./.}/integration/ubuntu.py";
+            testScript = builtins.readFile "${toString ./.}/test/integration/ubuntu.py";
           };
         in
           vmTest.driver;