more mate fixes

Author: tstromberg

cmd/agent/checks.yaml

@@ -235,13 +235,13 @@ checks:
         excludes: "xautolock|xss-lock|light-locker"
         remediation:
           - Configure screen locking for Openbox
-          - "Add to ~/.config/openbox/autostart: 'xautolock -time 15 -locker \"i3lock -c 000000\" &'"
+          - 'Add to ~/.config/openbox/autostart: ''xautolock -time 15 -locker "i3lock -c 000000" &'''
       # Sway (Wayland) - Only check if sway is running
       - output: pgrep sway >/dev/null && grep "exec swayidle" ~/.config/sway/config 2>/dev/null
         excludes: "swayidle"
         remediation:
           - Configure swayidle to lock screen automatically
-          - "Add to Sway config: 'exec swayidle -w timeout 900 \"swaylock -f\" before-sleep \"swaylock -f\"'"
+          - 'Add to Sway config: ''exec swayidle -w timeout 900 "swaylock -f" before-sleep "swaylock -f"'''
       # Generic X11 fallback - Only if X11 is running but no specific DE detected
       - output: >
           pgrep Xorg >/dev/null && ! (pgrep gnome-shell >/dev/null || pgrep mate-session >/dev/null || pgrep xfce4-session >/dev/null ||
@@ -251,7 +251,7 @@ checks:
         remediation:
           - Configure X11 screen saver with 'xset s 900'
           - Install and configure a screen locker (xlock, i3lock, slock)
-          - "Add to window manager startup: 'xautolock -time 15 -locker \"xlock\" &'"
+          - 'Add to window manager startup: ''xautolock -time 15 -locker "xlock" &'''
     linux:
       # Linux-specific additional checks
     windows:
@@ -277,43 +277,43 @@ checks:
           - Set "Turn display off on power adapter when inactive" to 15 minutes or less
     unix:
       # GNOME - Only check timeout if GNOME Shell is running
-      - output: pgrep gnome-shell && gsettings get org.gnome.desktop.session idle-delay
+      - output: pgrep gnome-shell >/dev/null && gsettings get org.gnome.desktop.session idle-delay
         includes: "^(0|9[1-9][0-9]|[1-9][0-9]{3,})$"
         remediation:
           - Set GNOME screensaver timeout to 15 minutes or less
           - Run 'gsettings set org.gnome.desktop.session idle-delay 900'
       # MATE - Only check timeout if MATE session is running
-      - output: pgrep mate-session && gsettings get org.mate.screensaver lock-delay
+      - output: pgrep mate-session >/dev/null && gsettings get org.mate.session idle-delay
         includes: "^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
         remediation:
           - Set MATE screensaver timeout to 15 minutes or less
-          - Run 'gsettings set org.mate.screensaver lock-delay 15'
+          - Run 'gsettings set org.mate.session idle-delay 15'
       # XFCE - Only check timeout if XFCE session is running
-      - output: pgrep xfce4-session && xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-sleep
+      - output: pgrep xfce4-session >/dev/null && xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-sleep
         includes: "^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
         remediation:
           - Set XFCE display timeout to 15 minutes or less
           - Run 'xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-ac-sleep -s 15'
-      - output: pgrep xfce4-session && xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-battery-sleep
+      - output: pgrep xfce4-session >/dev/null && xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-battery-sleep
         includes: "^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
         remediation:
           - Set XFCE battery display timeout to 15 minutes or less
           - Run 'xfconf-query -c xfce4-power-manager -p /xfce4-power-manager/dpms-on-battery-sleep -s 15'
       # KDE Plasma - Only check timeout if KDE session is running
-      - output: pgrep plasmashell && kreadconfig5 --file kscreenlockerrc --group Daemon --key Timeout
+      - output: pgrep plasmashell >/dev/null && kreadconfig5 --file kscreenlockerrc --group Daemon --key Timeout
         includes: "^(0|1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})$"
         remediation:
           - Set KDE screen lock timeout to 15 minutes or less
           - Run 'kwriteconfig5 --file kscreenlockerrc --group Daemon --key Timeout 15'
           - Or configure in System Settings > Desktop Behavior > Screen Locking
       # Cinnamon - Only check timeout if Cinnamon is running
-      - output: pgrep cinnamon && gsettings get org.cinnamon.desktop.screensaver lock-delay
+      - output: pgrep cinnamon >/dev/null && gsettings get org.cinnamon.desktop.screensaver lock-delay
         includes: "^(0|9[1-9][0-9]|[1-9][0-9]{3,})$"
         remediation:
           - Set Cinnamon screensaver timeout to 15 minutes or less
           - Run 'gsettings set org.cinnamon.desktop.screensaver lock-delay 900'
       # Budgie - Only check timeout if Budgie is running
-      - output: pgrep budgie-panel && gsettings get org.gnome.desktop.session idle-delay
+      - output: pgrep budgie-panel >/dev/null && gsettings get org.gnome.desktop.session idle-delay
         includes: "^(0|9[1-9][0-9]|[1-9][0-9]{3,})$"
         remediation:
           - Set Budgie screensaver timeout to 15 minutes or less
@@ -329,30 +329,30 @@ checks:
         includes: "-time (1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})"
         remediation:
           - Configure xautolock with 15 minute timeout or less
-          - "Add to autostart: 'xautolock -time 15 -locker \"light-locker\" &'"
+          - 'Add to autostart: ''xautolock -time 15 -locker "light-locker" &'''
       # Sway - Only check timeout if sway is running
       - output: pgrep sway >/dev/null && grep "timeout" ~/.config/sway/config 2>/dev/null
         includes: "timeout [9][1-9][0-9][0-9]|timeout [1-9][0-9]{4,}"
         remediation:
           - Configure swayidle timeout to 15 minutes (900 seconds) or less
-          - "Add to Sway config: 'exec swayidle -w timeout 900 \"swaylock -f\"'"
+          - 'Add to Sway config: ''exec swayidle -w timeout 900 "swaylock -f"'''
       # i3 Window Manager - Check if xautolock is running with proper timeout
       - output: pgrep i3 >/dev/null && pgrep -fl "xautolock.*-time"
         includes: "-time (1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})"
         remediation:
           - Configure xautolock timeout to 15 minutes or less
-          - "Add to i3 config: 'exec --no-startup-id xautolock -time 15 -locker \"i3lock -c 000000\"'"
+          - 'Add to i3 config: ''exec --no-startup-id xautolock -time 15 -locker "i3lock -c 000000"'''
       # Openbox - Check if xautolock is running with proper timeout
       - output: pgrep openbox >/dev/null && pgrep -fl "xautolock.*-time"
         includes: "-time (1[6-9]|[2-9][0-9]|[1-9][0-9]{2,})"
         remediation:
           - Configure xautolock timeout to 15 minutes or less
-          - "Add to ~/.config/openbox/autostart: 'xautolock -time 15 -locker \"i3lock -c 000000\" &'"
+          - 'Add to ~/.config/openbox/autostart: ''xautolock -time 15 -locker "i3lock -c 000000" &'''
       # Generic X11 - Only if X11 is running but no specific DE detected
       - output: >
-          pgrep Xorg && ! (pgrep gnome-shell || pgrep mate-session || pgrep xfce4-session ||
-          pgrep plasmashell || pgrep cinnamon || pgrep budgie-panel || pgrep lxqt-session ||
-          pgrep lxsession || pgrep i3 || pgrep openbox || pgrep sway) && xset q
+          pgrep Xorg >/dev/null && ! (pgrep gnome-shell >/dev/null || pgrep mate-session >/dev/null || pgrep xfce4-session >/dev/null ||
+          pgrep plasmashell >/dev/null || pgrep cinnamon >/dev/null || pgrep budgie-panel >/dev/null || pgrep lxqt-session >/dev/null ||
+          pgrep lxsession >/dev/null || pgrep i3 >/dev/null || pgrep openbox >/dev/null || pgrep sway >/dev/null) && xset q
         includes: "timeout:.*([9][1-9][0-9]|[1-9][0-9]{3,})"
         remediation:
           - Set X11 screen saver timeout to 15 minutes (900 seconds) or less

cmd/agent/main.go

@@ -997,6 +997,41 @@ func (a *Agent) displayCheckResults(results map[string]CheckResult, finalOrder [
 	printLine("")
 }
 
+// displayFailedOutput displays a single failed output with appropriate formatting.
+func displayFailedOutput(idx int, output gitmdm.CommandOutput, totalOutputs int) {
+	// If multiple commands were checked, number them
+	if totalOutputs > 1 {
+		printLine("      [Command %d of %d - FAILED]", idx+1, totalOutputs)
+	}
+
+	// Show command or file that was checked
+	if output.Command != "" {
+		printLine("      Command: %s", output.Command)
+	} else if output.File != "" {
+		printLine("      File: %s", output.File)
+	}
+	// Show why it failed
+	if output.FailReason != "" {
+		printLine("      Failure: %s", output.FailReason)
+	}
+
+	// Show relevant output (truncated for readability)
+	if output.Stdout != "" {
+		lines := strings.Split(output.Stdout, "\n")
+		maxLines := maxDisplayLines
+		if len(lines) > maxLines {
+			printLine("      Output: %s", strings.Join(lines[:maxLines], "\n      "))
+			printLine("      ... (output truncated, %d more lines)", len(lines)-maxLines)
+		} else {
+			printLine("      Output: %s", strings.ReplaceAll(output.Stdout, "\n", "\n      "))
+		}
+	}
+
+	if output.Stderr != "" && output.Stderr != output.FailReason {
+		printLine("      Error: %s", output.Stderr)
+	}
+}
+
 // displayFailedChecks shows details for all failed checks.
 func (*Agent) displayFailedChecks(results map[string]CheckResult, finalOrder []string) {
 	// Get failed checks in order
@@ -1018,48 +1053,17 @@ func (*Agent) displayFailedChecks(results map[string]CheckResult, finalOrder []s
 		if len(result.Outputs) > 0 {
 			printLine("   💻 Evidence:")
 			failedCount := 0
-			for i, output := range result.Outputs {
+			for idx, output := range result.Outputs {
 				// Skip outputs that didn't fail
 				if !output.Failed {
 					continue
 				}
 				failedCount++
 
-				// If multiple commands were checked, number them
-				if len(result.Outputs) > 1 {
-					printLine("      [Command %d of %d - FAILED]", i+1, len(result.Outputs))
-				}
-
-				// Show command or file that was checked
-				if output.Command != "" {
-					printLine("      Command: %s", output.Command)
-				} else if output.File != "" {
-					printLine("      File: %s", output.File)
-				}
-				// Show why it failed
-				if output.FailReason != "" {
-					printLine("      Failure: %s", output.FailReason)
-				}
-
-				// Show relevant output (truncated for readability)
-				if output.Stdout != "" {
-					lines := strings.Split(output.Stdout, "\n")
-					maxLines := maxDisplayLines
-					if len(lines) > maxLines {
-						printLine("      Output: %s", strings.Join(lines[:maxLines], "\n      "))
-						printLine("      ... (output truncated, %d more lines)", len(lines)-maxLines)
-					} else {
-						printLine("      Output: %s", strings.ReplaceAll(output.Stdout, "\n", "\n      "))
-					}
-				}
-
-				if output.Stderr != "" && output.Stderr != output.FailReason {
-					printLine("      Error: %s", output.Stderr)
-				}
-				
+				displayFailedOutput(idx, output, len(result.Outputs))
 				// Add spacing between multiple failed commands
 				if failedCount < len(result.Outputs) && len(result.Outputs) > 1 {
-					for j := i + 1; j < len(result.Outputs); j++ {
+					for j := idx + 1; j < len(result.Outputs); j++ {
 						if result.Outputs[j].Failed {
 							printLine("")
 							break

internal/analyzer/analyzer.go

@@ -5,10 +5,14 @@ import (
 	"fmt"
 	"gitmdm/internal/config"
 	"gitmdm/internal/gitmdm"
+	"log"
+	"os"
 	"regexp"
 	"strings"
 )
 
+var debug = os.Getenv("DEBUG") == "true"
+
 // AnalyzeCheck analyzes a CommandOutput against a CommandRule to determine pass/fail.
 func AnalyzeCheck(output *gitmdm.CommandOutput, rule config.CommandRule) error {
 	// If command/file was skipped or missing, don't fail the check
@@ -20,6 +24,9 @@ func AnalyzeCheck(output *gitmdm.CommandOutput, rule config.CommandRule) error {
 	// skip includes/excludes analysis (the command couldn't run properly)
 	if output.ExitCode != 0 && rule.ExitCode == nil {
 		// Mark as skipped since the command couldn't run (e.g., pgrep failed)
+		if debug {
+			log.Printf("[DEBUG] Skipping analysis for command with exit code %d (no exitcode rule configured)", output.ExitCode)
+		}
 		output.Skipped = true
 		return nil
 	}