From e143c48e26ab3168dde9b17ccf7baf025defdc98 Mon Sep 17 00:00:00 2001
From: Bruno <103858681+EsseLowNitro@users.noreply.github.com>
Date: Fri, 30 Aug 2024 01:01:40 -0300
Subject: [PATCH] chore: several audit script improvements

---
 .../share/ublue-os/just/70-secureblue.just | 35 ++++++++++++++++---
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/files/system/usr/share/ublue-os/just/70-secureblue.just b/files/system/usr/share/ublue-os/just/70-secureblue.just
index 398c26f..0210163 100644
--- a/files/system/usr/share/ublue-os/just/70-secureblue.just
+++ b/files/system/usr/share/ublue-os/just/70-secureblue.just
@@ -489,10 +489,12 @@ audit-secureblue:
 fi

 EXTENSIONS_TEST_STRING="Ensuring GNOME user extensions are disabled"
- if [ "$(gsettings get org.gnome.shell allow-extension-installation)" = "false" ]; then
- print_status "$EXTENSIONS_TEST_STRING" "$STATUS_SUCCESS"
- else
- print_status "$EXTENSIONS_TEST_STRING" "$STATUS_FAILURE"
+ if command -v gsettings &> /dev/null; then
+ if [ "$(gsettings get org.gnome.shell allow-extension-installation)" = "false" ]; then
+ print_status "$EXTENSIONS_TEST_STRING" "$STATUS_SUCCESS"
+ else
+ print_status "$EXTENSIONS_TEST_STRING" "$STATUS_FAILURE"
+ fi
 fi

 SELINUX_TEST_STRING="Ensuring SELinux is in Enforcing mode"
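Review bot: The new `command -v gsettings` guard probably does not separate GNOME from non-GNOME images, because the gsettings binary normally ships with glib2 and is present on KDE and other desktops too; there the inner `gsettings get org.gnome.shell allow-extension-installation` fails and the audit still prints a failure. Guarding on the shell itself, e.g. `if command -v gnome-shell &> /dev/null; then`, would match the apparent intent. When the guard is false nothing is printed at all, so consider an else branch that reports the check as skipped, letting a reader of the audit output tell "not applicable" from "never ran". The audit-secureblue recipe begins and ends outside this hunk.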
@@ -559,3 +561,28 @@ audit-secureblue:
 done
 fi

+ GHNS_TEST_STRING="Ensuring KDE GHNS is disabled"
+ KDE_GLOBALS_FILE="/etc/xdg/kdeglobals"
+ GHNS_STRING="$(grep 'ghns=false' $KDE_GLOBALS_FILE)"
+ if test -e $KDE_GLOBALS_FILE; then
+ if [[ $GHNS_STRING == "ghns=false" ]]; then
+ print_status "$GHNS_TEST_STRING" "$STATUS_SUCCESS"
+ else
+ print_status "$GHNS_TEST_STRING" "$STATUS_FAILURE"
+ fi
+ fi
+
+ HARDENED_MALLOC_TEST_STRING="Ensuring hardened_malloc is set in ld.so.preload"
+ if diff /usr/etc/ld.so.preload /etc/ld.so.preload > /dev/null; then
+ print_status "$HARDENED_MALLOC_TEST_STRING" "$STATUS_SUCCESS"
+ else
+ print_status "$HARDENED_MALLOC_TEST_STRING" "$STATUS_FAILURE"
+ fi
+
+ SECUREBOOT_TEST_STRING="Ensuring secure boot is enabled"
+ if [ "$(mokutil --sb-state)" == "SecureBoot enabled" ]; then
+ print_status "$SECUREBOOT_TEST_STRING" "$STATUS_SUCCESS"
+ else
+ print_status "$SECUREBOOT_TEST_STRING" "$STATUS_FAILURE"
+ fi
+
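Review bot: The hardened_malloc check passes whenever `/etc/ld.so.preload` is byte-identical to `/usr/etc/ld.so.preload`, so it reports success without confirming that the file actually names hardened_malloc; if the image default were empty or changed, the audit would still pass. Adding a content test, e.g. `if diff /usr/etc/ld.so.preload /etc/ld.so.preload > /dev/null && grep -q hardened_malloc /etc/ld.so.preload; then`, ties the result to what the message claims. In the GHNS check the `grep` runs before `test -e`, so on systems without `/etc/xdg/kdeglobals` it emits a missing-file error; move the `GHNS_STRING=` assignment inside the `if test -e "$KDE_GLOBALS_FILE"; then` block and quote the variable in both places. That check also reads only the system-wide file, and whether a per-user kdeglobals can override the key depends on it being marked immutable, which is not visible in this hunk. The audit-secureblue recipe starts outside this hunk.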