Improve default crypto.go (#151)

Author: sourque

aeacus.go

@@ -16,13 +16,20 @@ import (
 // `Y888""8o `Y8bod8P' `Y888""8o `Y8bod8P'  `V88V"V8P' 8""888P' //
 //////////////////////////////////////////////////////////////////
 
+const (
+	DEBUG_BUILD = true
+)
+
 func main() {
 	app := &cli.App{
 		UseShortOptionHandling: true,
 		EnableBashCompletion:   true,
 		Name:                   "aeacus",
-		Usage:                  "setup and score vulnerabilities in an image",
+		Usage:                  "score image vulnerabilities",
 		Before: func(c *cli.Context) error {
+			if debugEnabled {
+				verboseEnabled = true
+			}
 			err := determineDirectory()
 			if err != nil {
 				return err
@@ -105,20 +112,7 @@ func main() {
 				},
 			},
 			{
-				Name:    "decrypt",
-				Aliases: []string{"d"},
-				Usage:   "Check that encrypted scoring data file is valid",
-				Action: func(c *cli.Context) error {
-					permsCheck()
-					err := readScoringData()
-					if err == nil && verboseEnabled {
-						printConfig()
-					}
-					return err
-				},
-			},
-			{
-				Name:    "idprompt",
+				Name:    "prompt",
 				Aliases: []string{"p"},
 				Usage:   "Launch TeamID GUI prompt",
 				Action: func(c *cli.Context) error {

checks.go

@@ -68,7 +68,6 @@ func (c cond) requireArgs(args ...interface{}) {
 		} else if v.Field(i).String() != "" {
 			warn(c.Type+":", "specifying unnecessary argument '"+vType.Field(i).Name+"'")
 		}
-
 	}
 }
 
@@ -103,6 +102,13 @@ func runCheck(cond cond) bool {
 	not := "Not"
 	condFunc := ""
 	negation := false
+
+	// Ensure that condition type is a valid length
+	if len(cond.Type) <= len(not) {
+		fail(`Condition type "` + cond.Type + `" is not long enough to be valid`)
+		return false
+	}
+
 	condEnding := cond.Type[len(cond.Type)-len(not) : len(cond.Type)]
 	if condEnding == not {
 		negation = true
@@ -125,6 +131,11 @@ func runCheck(cond cond) bool {
 	}
 
 	debug("Result is", result, "and error is", err)
+
+	if verboseEnabled && !err.IsNil() {
+		warn(condFunc, "returned an error:", err)
+	}
+
 	return err.IsNil() && result
 }
 
@@ -164,8 +175,7 @@ func (c cond) DirContains() (bool, error) {
 			files = append(files, path)
 		}
 		if len(files) > 10000 {
-			fail("Recursive indexing has exceeded limit, erroring out.")
-			return errors.New("Indexed too many files in recursive search")
+			return errors.New("attempted to index too many files in recursive search")
 		}
 		return nil
 	})
@@ -206,7 +216,6 @@ func (c cond) FileContains() (bool, error) {
 	for _, line := range strings.Split(fileContent, "\n") {
 		found, err = regexp.Match(c.Value, []byte(line))
 		if err != nil {
-			fail("There's an error with your regular expression for FileContains: " + err.Error())
 			return false, err
 		}
 		if found {

checks_linux.go

@@ -23,6 +23,13 @@ func (c cond) Command() (bool, error) {
 	}
 	err := shellCommand(c.Cmd)
 	if err != nil {
+		// This check does not return errors, since it is based on successful
+		// execution. If any errors occurred, it means that the check failed,
+		// not errored out.
+		//
+		// It would be an error if failure to execute the command resulted in
+		// an inability to meaningfully score the check (e.g., if the uname
+		// syscall failed for KernelVersion).
 		return false, nil
 	}
 	return true, nil
@@ -61,6 +68,7 @@ func (c cond) KernelVersion() (bool, error) {
 		}
 		releaseUint = append(releaseUint, uint8(utsname.Release[i]))
 	}
+	debug("System uname value is", string(releaseUint), "and our value is", c.Value)
 	return string(releaseUint) == c.Value, err
 }
 
@@ -73,8 +81,10 @@ func (c cond) PasswordChanged() (bool, error) {
 	for _, line := range strings.Split(fileContent, "\n") {
 		if strings.Contains(line, c.User+":") {
 			if strings.Contains(line, c.User+":"+c.Value) {
+				debug("Exact value found in /etc/shadow for user", c.User+":", line)
 				return false, nil
 			}
+			debug("Differing value found in /etc/shadow for user", c.User+":", line)
 			return true, nil
 		}
 	}

checks_test_linux.go checks_linux_test.gochecks_test_linux.go renamed to checks_linux_test.go

@@ -13,17 +13,17 @@ func TestCommand(t *testing.T) {
 		t.Error(c, "failed:", out, err)
 	}
 
-	// Should fail: command execution fails
+	// Should fail: command return false
 	c.Cmd = "commanddoesntexist"
 	out, err = c.Command()
-	if err == nil || out != false {
+	if err != nil || out != false {
 		t.Error(c, "failed:", out, err)
 	}
 
-	// Should fail: command returns error
+	// Should fail: command return false
 	c.Cmd = "cat /etc/file/doesnt/exist"
 	out, err = c.Command()
-	if err == nil || out != false {
+	if err != nil || out != false {
 		t.Error(c, "failed:", out, err)
 	}
 }

checks_windows.go

@@ -171,7 +171,7 @@ func (c cond) RegistryKey() (bool, error) {
 		return false, errors.New("Unknown registry hive " + registryHiveText)
 	}
 
-	debug("Getting key", keyPath, "from hive ", registryHiveText)
+	debug("Getting key", keyPath, "from hive", registryHiveText)
 	// Actually get the key
 	k, err := registry.OpenKey(registryHive, keyPath, registry.QUERY_VALUE)
 	if err != nil {

configs.go

@@ -30,7 +30,7 @@ func parseConfig(configContent string) {
 
 	if conf.Remote != "" {
 		if conf.Remote[len(conf.Remote)-1] == '/' {
-			fail("Your remote URL must not end with a slash:", conf.Remote[:len(conf.Remote)-1])
+			fail("Your remote URL must not end with a slash: try", conf.Remote[:len(conf.Remote)-1])
 			os.Exit(1)
 		}
 		if conf.Name == "" {
@@ -70,11 +70,11 @@ func writeConfig() {
 }
 
 // ReadConfig parses the scoring configuration file.
-func readConfig() error {
+func readConfig() {
 	fileContent, err := readFile(dirPath + scoringConf)
 	if err != nil {
 		fail("Configuration file (" + dirPath + scoringConf + ") not found!")
-		return err
+		os.Exit(1)
 	}
 	parseConfig(fileContent)
 	assignPoints()
@@ -83,7 +83,6 @@ func readConfig() error {
 		printConfig()
 	}
 	obfuscateConfig()
-	return nil
 }
 
 // PrintConfig offers a printed representation of the config, as parsed