maybe simplify the YAML processing for multi-OS keys

Author: tstromberg

cmd/agent/checks.yaml

@@ -26,6 +26,14 @@ checks:
           - Enable full disk encryption using LUKS
           - Run 'sudo cryptsetup luksFormat /dev/sdX' for each unencrypted partition
           - Update /etc/crypttab and /etc/fstab accordingly
+      # Check for ZFS root encryption (zroot is common on Linux with ZFS)
+      - output: sudo zfs get -H encryption zroot 2>/dev/null || doas zfs get -H encryption zroot 2>/dev/null || zfs get -H encryption zroot 2>/dev/null
+        includes: "zroot.*encryption.*off"
+        remediation:
+          - ZFS root pool is not encrypted
+          - Create an encrypted ZFS dataset or migrate to an encrypted pool
+          - "For new pools: zpool create -O encryption=on -O keyformat=passphrase zroot ..."
+          - Note that existing pools cannot be encrypted in-place
     darwin:
       - output: fdesetup status
         includes: "FileVault is Off|Encryption Not Enabled"
@@ -40,6 +48,14 @@ checks:
           - Enable GELI disk encryption
           - See FreeBSD Handbook chapter on disk encryption
           - Use 'geli init' to initialize encrypted providers
+      # Check for ZFS root encryption (zroot is common on FreeBSD)
+      - output: sudo zfs get -H encryption zroot 2>/dev/null || doas zfs get -H encryption zroot 2>/dev/null || zfs get -H encryption zroot 2>/dev/null
+        includes: "zroot.*encryption.*off"
+        remediation:
+          - ZFS root pool is not encrypted
+          - Create an encrypted ZFS dataset or migrate to an encrypted pool
+          - "For new pools: zpool create -O encryption=on -O keyformat=passphrase zroot ..."
+          - Note that existing pools cannot be encrypted in-place
     openbsd:
       - output: doas bioctl softraid0
         includes: "No such device|not configured"
@@ -54,19 +70,19 @@ checks:
           - Enable CGD (CryptoGraphic Disk) encryption
           - Configure /etc/cgd/cgd.conf
           - See NetBSD guide on CGD configuration
-    linux, freebsd:
-      # Check for ZFS root encryption (zroot is common on FreeBSD and Linux)
-      - output: (sudo zfs get -H encryption zroot 2>/dev/null || doas zfs get -H encryption zroot 2>/dev/null || zfs get -H encryption zroot 2>/dev/null) | awk '{print $3}'
-        includes: "^off$"
+    solaris:
+      # Check for ZFS root encryption (rpool is standard on Solaris)
+      - output: sudo zfs get -H encryption rpool 2>/dev/null || doas zfs get -H encryption rpool 2>/dev/null || zfs get -H encryption rpool 2>/dev/null
+        includes: "rpool.*encryption.*off"
         remediation:
           - ZFS root pool is not encrypted
           - Create an encrypted ZFS dataset or migrate to an encrypted pool
-          - "For new pools: zpool create -O encryption=on -O keyformat=passphrase zroot ..."
+          - "For new pools: zpool create -O encryption=on -O keyformat=passphrase rpool ..."
           - Note that existing pools cannot be encrypted in-place
-    solaris, illumos:
-      # Check for ZFS root encryption (rpool is standard on Solaris/illumos)
-      - output: (sudo zfs get -H encryption rpool 2>/dev/null || doas zfs get -H encryption rpool 2>/dev/null || zfs get -H encryption rpool 2>/dev/null) | awk '{print $3}'
-        includes: "^off$"
+    illumos:
+      # Check for ZFS root encryption (rpool is standard on illumos)
+      - output: sudo zfs get -H encryption rpool 2>/dev/null || doas zfs get -H encryption rpool 2>/dev/null || zfs get -H encryption rpool 2>/dev/null
+        includes: "rpool.*encryption.*off"
         remediation:
           - ZFS root pool is not encrypted
           - Create an encrypted ZFS dataset or migrate to an encrypted pool
@@ -133,30 +149,30 @@ checks:
           - Configure iptables rules for basic protection
     freebsd:
       # Try sudo first, then doas, then direct access
-      - output: (sudo pfctl -s info 2>/dev/null || doas pfctl -s info 2>/dev/null || pfctl -s info 2>/dev/null) | grep -i status
-        includes: "Disabled"
+      - output: sudo pfctl -s info 2>/dev/null || doas pfctl -s info 2>/dev/null || pfctl -s info 2>/dev/null
+        includes: "Status:.*Disabled"
         remediation:
           - Enable PF firewall with 'sudo pfctl -e' or 'doas pfctl -e'
           - Configure /etc/pf.conf with appropriate rules
           - Add pf_enable="YES" to /etc/rc.conf
           - Start with 'service pf start'
       # Also check if PF is even loaded in the kernel
-      - output: kldstat | grep -q pf.ko && echo "loaded" || echo "not loaded"
-        includes: "not loaded"
+      - output: kldstat
+        excludes: "pf\\.ko"
         remediation:
           - Load PF kernel module with 'sudo kldload pf'
           - Add pf_load="YES" to /boot/loader.conf for persistence
       # Check if ipfw is being used instead of pf
-      - output: (sudo ipfw list 2>/dev/null || doas ipfw list 2>/dev/null || ipfw list 2>/dev/null) | head -1
+      - output: sudo ipfw list 2>/dev/null || doas ipfw list 2>/dev/null || ipfw list 2>/dev/null
         excludes: "00001|65535"
         remediation:
           - IPFW firewall appears to be inactive or not configured
           - Add firewall rules with 'ipfw add' commands
           - Configure /etc/rc.conf with firewall_enable="YES"
     openbsd:
       # OpenBSD has PF enabled by default, check if it's actually filtering
-      - output: (doas pfctl -s info 2>/dev/null || pfctl -s info 2>/dev/null) | grep -i status
-        includes: "Disabled"
+      - output: doas pfctl -s info 2>/dev/null || pfctl -s info 2>/dev/null
+        includes: "Status:.*Disabled"
         remediation:
           - Enable PF firewall with 'doas pfctl -e' or 'pfctl -e'
           - Configure /etc/pf.conf with appropriate rules
@@ -169,16 +185,16 @@ checks:
           - Configure firewall rules in /etc/pf.conf
           - Load rules with 'doas pfctl -f /etc/pf.conf'
     netbsd:
-      - output: (sudo npfctl show 2>/dev/null || doas npfctl show 2>/dev/null || npfctl show 2>/dev/null) | grep -i config
+      - output: sudo npfctl show 2>/dev/null || doas npfctl show 2>/dev/null || npfctl show 2>/dev/null
         includes: "inactive|empty"
         remediation:
           - Enable NPF firewall
           - Configure /etc/npf.conf with firewall rules
           - Add npf=YES to /etc/rc.conf
           - Start with 'service npf start'
     dragonfly:
-      - output: (sudo pfctl -s info 2>/dev/null || doas pfctl -s info 2>/dev/null || pfctl -s info 2>/dev/null) | grep -i status
-        includes: "Disabled"
+      - output: sudo pfctl -s info 2>/dev/null || doas pfctl -s info 2>/dev/null || pfctl -s info 2>/dev/null
+        includes: "Status:.*Disabled"
         remediation:
           - Enable PF firewall with 'sudo pfctl -e' or 'doas pfctl -e'
           - Configure /etc/pf.conf with appropriate rules
@@ -597,7 +613,7 @@ checks:
   antivirus:
     description: "Detect antivirus/anti-malware software"
     darwin:
-      - output: system_profiler SPInstallHistoryDataType | grep -i "xprotect\|malware"
+      - output: system_profiler SPInstallHistoryDataType
         excludes: "XProtect|MRT"
         remediation:
           - macOS includes built-in XProtect antivirus

cmd/agent/executeCheck.go

@@ -84,51 +84,55 @@ func (a *Agent) executeCommand(ctx context.Context, checkName string, rule confi
 	start := time.Now()
 	command := rule.Output
 
-	// Extract the primary command (first word) to check if it exists
-	commandParts := strings.Fields(command)
-	if len(commandParts) > 0 {
-		primaryCmd := commandParts[0]
-
-		// Check if this is a shell builtin or special command
-		shellBuiltins := map[string]bool{
-			"echo": true, "test": true, "[": true, "[[": true, "if": true,
-			"then": true, "else": true, "fi": true, "for": true, "while": true,
-			"do": true, "done": true, "case": true, "esac": true, "function": true,
-			"return": true, "break": true, "continue": true, "exit": true,
-			"source": true, ".": true, "eval": true, "exec": true, "export": true,
-			"unset": true, "shift": true, "cd": true, "pwd": true, "read": true,
-			"readonly": true, "declare": true, "typeset": true, "local": true,
-			"true": true, "false": true, "type": true, "command": true,
-			// Include sudo and doas since they're commonly used
-			"sudo": true, "doas": true,
-		}
-
-		// If it's not a shell builtin and not a path, check if the command exists
-		if !shellBuiltins[primaryCmd] && !strings.Contains(primaryCmd, "/") {
-			// Temporarily set PATH for LookPath
-			oldPath := os.Getenv("PATH")
-			if err := os.Setenv("PATH", securePath()); err != nil {
-				log.Printf("[WARN] Failed to set PATH for command check: %v", err)
-			}
-			_, lookupErr := exec.LookPath(primaryCmd)
-			if err := os.Setenv("PATH", oldPath); err != nil {
-				log.Printf("[WARN] Failed to restore PATH: %v", err)
+	// Skip PATH checking if the command contains shell operators
+	// These commands need shell interpretation and can't be validated simply
+	if !containsShellOperators(command) {
+		// Extract the primary command (first word) to check if it exists
+		commandParts := strings.Fields(command)
+		if len(commandParts) > 0 {
+			primaryCmd := commandParts[0]
+
+			// Check if this is a shell builtin or special command
+			shellBuiltins := map[string]bool{
+				"echo": true, "test": true, "[": true, "[[": true, "if": true,
+				"then": true, "else": true, "fi": true, "for": true, "while": true,
+				"do": true, "done": true, "case": true, "esac": true, "function": true,
+				"return": true, "break": true, "continue": true, "exit": true,
+				"source": true, ".": true, "eval": true, "exec": true, "export": true,
+				"unset": true, "shift": true, "cd": true, "pwd": true, "read": true,
+				"readonly": true, "declare": true, "typeset": true, "local": true,
+				"true": true, "false": true, "type": true, "command": true,
+				// Include sudo and doas since they're commonly used
+				"sudo": true, "doas": true,
 			}
 
-			if lookupErr != nil {
-				if *debug {
-					log.Printf("[DEBUG] Command '%s' not found in PATH for check '%s', skipping", primaryCmd, checkName)
+			// If it's not a shell builtin and not a path, check if the command exists
+			if !shellBuiltins[primaryCmd] && !strings.Contains(primaryCmd, "/") {
+				// Temporarily set PATH for LookPath
+				oldPath := os.Getenv("PATH")
+				if err := os.Setenv("PATH", securePath()); err != nil {
+					log.Printf("[WARN] Failed to set PATH for command check: %v", err)
 				}
-
-				output := gitmdm.CommandOutput{
-					Command:     command,
-					Skipped:     true,
-					FileMissing: true, // Treat missing command like missing file
-					Stderr:      fmt.Sprintf("Skipped: %s not found", primaryCmd),
+				_, lookupErr := exec.LookPath(primaryCmd)
+				if err := os.Setenv("PATH", oldPath); err != nil {
+					log.Printf("[WARN] Failed to restore PATH: %v", err)
 				}
 
-				// Don't analyze skipped commands
-				return output
+				if lookupErr != nil {
+					if *debug {
+						log.Printf("[DEBUG] Command '%s' not found in PATH for check '%s', skipping", primaryCmd, checkName)
+					}
+
+					output := gitmdm.CommandOutput{
+						Command:     command,
+						Skipped:     true,
+						FileMissing: true, // Treat missing command like missing file
+						Stderr:      fmt.Sprintf("Skipped: %s not found", primaryCmd),
+					}
+
+					// Don't analyze skipped commands
+					return output
+				}
 			}
 		}
 	}

cmd/agent/executeCommand.go

@@ -14,6 +14,18 @@ import (
 	"time"
 )
 
+// containsShellOperators checks if a command contains shell operators that indicate
+// it needs shell interpretation (pipes, redirects, command chaining, subshells, etc).
+func containsShellOperators(command string) bool {
+	shellOperators := []string{"|", "&", ";", ">", "<", "(", ")", "{", "}", "$", "`", "||", "&&"}
+	for _, op := range shellOperators {
+		if strings.Contains(command, op) {
+			return true
+		}
+	}
+	return false
+}
+
 // securePath returns a secure PATH based on the OS.
 func securePath() string {
 	switch runtime.GOOS {
@@ -43,46 +55,50 @@ func securePath() string {
 func (*Agent) executeCommandWithPipes(ctx context.Context, checkName, command string) gitmdm.CommandOutput {
 	start := time.Now()
 
-	// Extract the primary command (first word) to check if it exists
-	commandParts := strings.Fields(command)
-	if len(commandParts) > 0 {
-		primaryCmd := commandParts[0]
-
-		// Check if this is a shell builtin or special command
-		shellBuiltins := map[string]bool{
-			"echo": true, "test": true, "[": true, "[[": true, "if": true,
-			"then": true, "else": true, "fi": true, "for": true, "while": true,
-			"do": true, "done": true, "case": true, "esac": true, "function": true,
-			"return": true, "break": true, "continue": true, "exit": true,
-			"source": true, ".": true, "eval": true, "exec": true, "export": true,
-			"unset": true, "shift": true, "cd": true, "pwd": true, "read": true,
-			"readonly": true, "declare": true, "typeset": true, "local": true,
-			"true": true, "false": true, "type": true, "command": true,
-			// Include sudo and doas since they're commonly used
-			"sudo": true, "doas": true,
-		}
-
-		// If it's not a shell builtin and not a path, check if the command exists
-		if !shellBuiltins[primaryCmd] && !strings.Contains(primaryCmd, "/") {
-			// Temporarily set PATH for LookPath
-			oldPath := os.Getenv("PATH")
-			if err := os.Setenv("PATH", securePath()); err != nil {
-				log.Printf("[WARN] Failed to set PATH for command check: %v", err)
-			}
-			_, lookupErr := exec.LookPath(primaryCmd)
-			if err := os.Setenv("PATH", oldPath); err != nil {
-				log.Printf("[WARN] Failed to restore PATH: %v", err)
+	// Skip PATH checking if the command contains shell operators
+	// These commands need shell interpretation and can't be validated simply
+	if !containsShellOperators(command) {
+		// Extract the primary command (first word) to check if it exists
+		commandParts := strings.Fields(command)
+		if len(commandParts) > 0 {
+			primaryCmd := commandParts[0]
+
+			// Check if this is a shell builtin or special command
+			shellBuiltins := map[string]bool{
+				"echo": true, "test": true, "[": true, "[[": true, "if": true,
+				"then": true, "else": true, "fi": true, "for": true, "while": true,
+				"do": true, "done": true, "case": true, "esac": true, "function": true,
+				"return": true, "break": true, "continue": true, "exit": true,
+				"source": true, ".": true, "eval": true, "exec": true, "export": true,
+				"unset": true, "shift": true, "cd": true, "pwd": true, "read": true,
+				"readonly": true, "declare": true, "typeset": true, "local": true,
+				"true": true, "false": true, "type": true, "command": true,
+				// Include sudo and doas since they're commonly used
+				"sudo": true, "doas": true,
 			}
 
-			if lookupErr != nil {
-				if *debug {
-					log.Printf("[DEBUG] Command '%s' not found in PATH for check '%s', skipping", primaryCmd, checkName)
+			// If it's not a shell builtin and not a path, check if the command exists
+			if !shellBuiltins[primaryCmd] && !strings.Contains(primaryCmd, "/") {
+				// Temporarily set PATH for LookPath
+				oldPath := os.Getenv("PATH")
+				if err := os.Setenv("PATH", securePath()); err != nil {
+					log.Printf("[WARN] Failed to set PATH for command check: %v", err)
 				}
-				return gitmdm.CommandOutput{
-					Command:  command,
-					Stdout:   "",
-					Stderr:   fmt.Sprintf("Skipped: %s not found", primaryCmd),
-					ExitCode: -2, // Special exit code for skipped
+				_, lookupErr := exec.LookPath(primaryCmd)
+				if err := os.Setenv("PATH", oldPath); err != nil {
+					log.Printf("[WARN] Failed to restore PATH: %v", err)
+				}
+
+				if lookupErr != nil {
+					if *debug {
+						log.Printf("[DEBUG] Command '%s' not found in PATH for check '%s', skipping", primaryCmd, checkName)
+					}
+					return gitmdm.CommandOutput{
+						Command:  command,
+						Stdout:   "",
+						Stderr:   fmt.Sprintf("Skipped: %s not found", primaryCmd),
+						ExitCode: -2, // Special exit code for skipped
+					}
 				}
 			}
 		}

cmd/agent/main.go

@@ -28,7 +28,6 @@ import (
 	"time"
 
 	"github.com/codeGROOVE-dev/retry"
-
 	"gopkg.in/yaml.v3"
 )
 
@@ -964,7 +963,7 @@ func (a *Agent) listAvailableChecks() {
 	// Display checks with descriptions from YAML
 	for _, checkName := range availableChecks {
 		checkDef := a.config.Checks[checkName]
-		description := checkDef.Description
+		description := checkDef.Description()
 		if description == "" {
 			description = "Compliance check"
 		}