chore: several audit script improvements

2025-11-06 13:27:51 +00:00 · 2024-08-30 01:01:40 -03:00
parent fefc64baba
commit e143c48e26
1 changed files with 31 additions and 4 deletions
--- a/files/system/usr/share/ublue-os/just/70-secureblue.just
+++ b/files/system/usr/share/ublue-os/just/70-secureblue.just
@@ -489,11 +489,13 @@ audit-secureblue:
    fi
    EXTENSIONS_TEST_STRING="Ensuring GNOME user extensions are disabled"
    if command -v gsettings &> /dev/null; then
        if [ "$(gsettings get org.gnome.shell allow-extension-installation)" = "false" ]; then
            print_status "$EXTENSIONS_TEST_STRING" "$STATUS_SUCCESS"
        else
            print_status "$EXTENSIONS_TEST_STRING" "$STATUS_FAILURE"
        fi
    fi
    SELINUX_TEST_STRING="Ensuring SELinux is in Enforcing mode"
    if [ "$(getenforce)" = "Enforcing" ]; then
@@ -559,3 +561,28 @@ audit-secureblue:
        done
    fi
    GHNS_TEST_STRING="Ensuring KDE GHNS is disabled"
    KDE_GLOBALS_FILE="/etc/xdg/kdeglobals"
    GHNS_STRING="$(grep 'ghns=false' $KDE_GLOBALS_FILE)"
    if test -e $KDE_GLOBALS_FILE; then
        if [[ $GHNS_STRING == "ghns=false" ]]; then
            print_status "$GHNS_TEST_STRING" "$STATUS_SUCCESS"
        else
            print_status "$GHNS_TEST_STRING" "$STATUS_FAILURE"
        fi
    fi
    HARDENED_MALLOC_TEST_STRING="Ensuring hardened_malloc is set in ld.so.preload"
    if diff /usr/etc/ld.so.preload /etc/ld.so.preload > /dev/null; then
        print_status "$HARDENED_MALLOC_TEST_STRING" "$STATUS_SUCCESS"
    else
        print_status "$HARDENED_MALLOC_TEST_STRING" "$STATUS_FAILURE"
    fi
    SECUREBOOT_TEST_STRING="Ensuring secure boot is enabled"
    if [ "$(mokutil --sb-state)" == "SecureBoot enabled" ]; then
        print_status "$SECUREBOOT_TEST_STRING" "$STATUS_SUCCESS"
    else
        print_status "$SECUREBOOT_TEST_STRING" "$STATUS_FAILURE"
    fi