Mole/lib/check_security.sh

#!/bin/bash

# Security checks

check_filevault() {
    # Check FileVault encryption status
    if command -v fdesetup > /dev/null 2>&1; then
        local fv_status=$(fdesetup status 2> /dev/null || echo "")
        if echo "$fv_status" | grep -q "FileVault is On"; then
            echo -e "  ${GREEN}✓${NC} FileVault    Enabled"
        else
            echo -e "  ${RED}✗${NC} FileVault    ${RED}Disabled${NC} (Recommend enabling)"
            export FILEVAULT_DISABLED=true
        fi
    fi
}

check_firewall() {
    # Check firewall status
    unset FIREWALL_DISABLED
    local firewall_status=$(defaults read /Library/Preferences/com.apple.alf globalstate 2> /dev/null || echo "0")
    if [[ "$firewall_status" == "1" || "$firewall_status" == "2" ]]; then
        echo -e "  ${GREEN}✓${NC} Firewall     Enabled"
    else
        echo -e "  ${YELLOW}${ICON_WARNING}${NC} Firewall     ${YELLOW}Disabled${NC} (Consider enabling)"
        echo -e "    ${GRAY}System Settings → Network → Firewall, or run:${NC}"
        echo -e "    ${GRAY}sudo defaults write /Library/Preferences/com.apple.alf globalstate -int 1${NC}"
        export FIREWALL_DISABLED=true
    fi
}

check_gatekeeper() {
    # Check Gatekeeper status
    if command -v spctl > /dev/null 2>&1; then
        local gk_status=$(spctl --status 2> /dev/null || echo "")
        if echo "$gk_status" | grep -q "enabled"; then
            echo -e "  ${GREEN}✓${NC} Gatekeeper   Active"
            unset GATEKEEPER_DISABLED
        else
            echo -e "  ${YELLOW}${ICON_WARNING}${NC} Gatekeeper   ${YELLOW}Disabled${NC}"
            echo -e "    ${GRAY}Enable via System Settings → Privacy & Security, or:${NC}"
            echo -e "    ${GRAY}sudo spctl --master-enable${NC}"
            export GATEKEEPER_DISABLED=true
        fi
    fi
}

check_sip() {
    # Check System Integrity Protection
    if command -v csrutil > /dev/null 2>&1; then
        local sip_status=$(csrutil status 2> /dev/null || echo "")
        if echo "$sip_status" | grep -q "enabled"; then
            echo -e "  ${GREEN}✓${NC} SIP          Enabled"
        else
            echo -e "  ${YELLOW}${ICON_WARNING}${NC} SIP          ${YELLOW}Disabled${NC}"
            echo -e "    ${GRAY}Restart into Recovery → Utilities → Terminal → run: csrutil enable${NC}"
        fi
    fi
}

check_all_security() {
    check_filevault
    check_firewall
    check_gatekeeper
    check_sip
}