codeGROOVE-dev
diff --git a/‎Makefile‎
Lines changed: 2 additions & 2 deletions b/‎Makefile‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 45 additions & 7 deletions b/‎README.md‎
Lines changed: 45 additions & 7 deletions
diff --git a/‎cmd/agent/analyzer/analyzer.go‎
Lines changed: 59 additions & 0 deletions b/‎cmd/agent/analyzer/analyzer.go‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎cmd/agent/analyzer/antivirus.go‎
Lines changed: 83 additions & 0 deletions b/‎cmd/agent/analyzer/antivirus.go‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎cmd/agent/analyzer/app_firewall.go‎
Lines changed: 33 additions & 0 deletions b/‎cmd/agent/analyzer/app_firewall.go‎
Lines changed: 33 additions & 0 deletions
@@ -7,8 +7,8 @@ GOTEST=$(GOCMD) test
 GOGET=$(GOCMD) get
 GOMOD=$(GOCMD) mod
 
-SERVER_BINARY=gitmdm-server
-AGENT_BINARY=gitmdm-agent
+SERVER_BINARY=./out/gitmdm-server
+AGENT_BINARY=./out/gitmdm-agent
 SERVER_PATH=./cmd/server
 AGENT_PATH=./cmd/agent
 
 
@@ -2,6 +2,8 @@
 
 Security-first compliance reporting that doesn't compromise your infrastructure.
 
+![gitMDM Logo](media/logo_small.png)
+
 ## The Problem
 
 Every MDM is a backdoor. They typically require root access and arbitrary remote code execution. They're incompatible with secure-by-default operating systems. Yet auditors require them for SOC 2.
@@ -14,11 +16,22 @@ gitMDM proves compliance without compromising security:
 - **No phone-home** - Your git repo, your endpoint, your control
 - **Works everywhere** - Including secure-by-default systems such as OpenBSD.
 
+## Screenshots
+
+**Dashboard: Compliance at a glance**
+<a href="media/dashboard.png"><img src="media/dashboard.png" alt="Dashboard" width="400"/></a>
+
+**Agent Report: Detailed results**
+<a href="media/report.png"><img src="media/report.png" alt="Agent Report" width="400"/></a>
+
+**Remediation: Plain-English guidance**
+<a href="media/remediate.png"><img src="media/remediate.png" alt="Remediation Steps" width="400"/></a>
+
 ## How It Works
 
 ```
 [Agent]                    [Server]                   [Git]
-Run compiled checks  →  Receive reports only  →  Immutable audit trail
+Run compiled checks  →  Receive reports only  → Tamper-resistant audit trail
 ```
 
 The server **cannot** push commands. Ever. That's the point.
@@ -27,10 +40,36 @@ The server **cannot** push commands. Ever. That's the point.
 
 ```bash
 # Server
-./gitmdm-server -git [email protected]:org/compliance.git -api-key SECRET
+./out/gitmdm-server -git [email protected]:org/compliance.git -api-key SECRET
+
+# Agent  
+./out/gitmdm-agent -server https://server:8080
+```
+
+## Local Checks
+
+You can run the compliance checks even without a server:
+
+```bash
+./out/gitmdm-agent -run all
+```
+
+You'll see output similar to:
+
+```log
+🔍 Running security checks...
+
+⚠️  3 issues require attention
+
+🔸 screen lock
+   🐞 Problem: Screen idle time too long (1 hour, SOC 2 requires ≤15 min); Screen lock delay too long (4 hours, SOC 2 requires ≤15 min)
+   💻 Evidence: defaults -currentHost read com.apple.screensaver idleTime && sysadminctl -screenLock status
 
-# Agent (checks compiled in from checks.yaml)
-./gitmdm-agent -server https://server:8080
+   🔧 How to fix:
+      1. Open System Settings > Lock Screen
+      2. Set 'Start Screen Saver when inactive' to 15 minutes or less
+      3. Open System Settings > Lock Screen
+      4. Set 'Require password after screen saver begins' to 'immediately'
 ```
 
 ## What You Get
@@ -70,8 +109,7 @@ Edit, compile, deploy. No runtime configuration files to tamper with.
 ## Building
 
 ```bash
-vim checks.yaml  # Define your compliance checks
-make build       # Compiles checks into binary
+make all
 ```
 
 ## FAQ
@@ -80,7 +118,7 @@ make build       # Compiles checks into binary
 A: It generates the reports auditors need. Without the backdoors.
 
 **Q: What if we need to change checks?**
-A: Rebuild and redeploy. Immutability is a feature.
+A: Rebuild and redeploy. Immutability is a feature, not a bug.
 
 **Q: Why git?**
 A: Cryptographic proof, audit trail, existing tooling, no database.
 
@@ -0,0 +1,59 @@
+// Package analyzer provides compliance check analysis and grading.
+package analyzer
+
+import (
+	"strings"
+)
+
+// Result represents the analysis result of a compliance check.
+type Result struct {
+	Status      string   // "pass", "fail", "n/a"
+	Description string   // Human-readable description
+	Remediation []string // Command-specific remediation steps
+}
+
+// AnalyzeCheck analyzes the output of a compliance check and returns pass/fail status.
+// Takes into account the OS and specific command being run for more accurate analysis.
+func AnalyzeCheck(checkName string, osName string, command string, stdout string, stderr string, exitCode int) Result {
+	// Handle timeout case explicitly (timeout results in exitCode -1)
+	if exitCode == -1 && strings.Contains(stderr, "Command timed out") {
+		return Result{Status: "n/a", Description: "Check timed out - try again later"}
+	}
+
+	// Combine output for analysis
+	output := strings.ToLower(stdout + stderr)
+
+	// Extract the base command (first word) for command-specific analysis
+	baseCommand := ""
+	if command != "" {
+		parts := strings.Fields(command)
+		if len(parts) > 0 {
+			baseCommand = parts[0]
+		}
+	}
+
+	switch checkName {
+	case "disk_encryption":
+		return analyzeDiskEncryption(output, osName, baseCommand)
+	case "firewall":
+		return analyzeFirewall(output, exitCode, osName, baseCommand)
+	case "app_firewall":
+		return analyzeAppFirewall(output, exitCode, osName, baseCommand)
+	case "screen_lock":
+		return analyzeScreenLock(output, osName, baseCommand, command)
+	case "auto_login":
+		return analyzeAutoLogin(output, osName, baseCommand)
+	case "password_policy":
+		return analyzePasswordPolicy(output, osName, baseCommand, command)
+	case "updates", "software_updates":
+		return analyzeUpdates(output, osName, baseCommand, exitCode)
+	case "antivirus":
+		return analyzeAntivirus(output, osName)
+	case "hostname", "uname", "users", "network", "system_info":
+		// Informational checks - no pass/fail
+		return Result{Status: "n/a", Description: "Informational"}
+	default:
+		// Unknown check - can't grade
+		return Result{Status: "n/a", Description: "No compliance criteria defined"}
+	}
+}
@@ -0,0 +1,83 @@
+package analyzer
+
+import "strings"
+
+func analyzeAntivirus(output string, osName string) Result {
+	// For systemctl commands, check if service is active
+	if strings.Contains(output, "active") && !strings.Contains(output, "inactive") {
+		return Result{Status: "pass", Description: "ClamAV daemon active"}
+	}
+
+	// macOS XProtect detection via pgrep
+	if osName == "darwin" {
+		// XProtect processes typically include XProtectService or similar
+		if strings.Contains(output, "xprotect") {
+			// Parse pgrep output: "PID processname"
+			lines := strings.Split(output, "\n")
+			for _, line := range lines {
+				if strings.Contains(strings.ToLower(line), "xprotect") {
+					// Extract process name from "PID processname" format
+					parts := strings.Fields(line)
+					if len(parts) >= 2 {
+						return Result{Status: "pass", Description: "XProtect running"}
+					}
+					return Result{Status: "pass", Description: "XProtect running"}
+				}
+			}
+		}
+
+		// If XProtect is not found on macOS, it's a failure (should always be running)
+		// Only check if this was a pgrep command that returned no results
+		if strings.Contains(output, "pgrep") || len(output) < 10 {
+			return Result{Status: "fail", Description: "XProtect not running"}
+		}
+
+		// For macOS, we only care about XProtect, not third-party AV
+		// Return n/a for other commands like ps aux
+		return Result{Status: "n/a", Description: "Only XProtect is required for macOS"}
+	}
+
+	// For ps output, look for AV processes
+	if strings.Contains(output, "ps aux") || strings.Contains(output, "pid") {
+		// Parse ps output looking for AV processes
+		lines := strings.Split(output, "\n")
+		for _, line := range lines {
+			lower := strings.ToLower(line)
+			// Look for common AV processes
+			if (strings.Contains(lower, "clamav") && !strings.Contains(lower, "grep")) ||
+				(strings.Contains(lower, "sophos") && !strings.Contains(lower, "grep")) ||
+				(strings.Contains(lower, "mcafee") && !strings.Contains(lower, "grep")) ||
+				(strings.Contains(lower, "symantec") && !strings.Contains(lower, "grep")) ||
+				(strings.Contains(lower, "defender") && !strings.Contains(lower, "grep")) ||
+				(strings.Contains(lower, "xprotect") && osName == "darwin") ||
+				(strings.Contains(lower, "mrt.app") && osName == "darwin") ||
+				strings.Contains(lower, "antivirus") {
+				return Result{Status: "pass", Description: "Antivirus process detected"}
+			}
+		}
+	}
+
+	// Windows WMI output
+	if strings.Contains(output, "displayname") && strings.Contains(output, "productstate") {
+		// If we got WMI output with AV products
+		if strings.Contains(output, "defender") ||
+			strings.Contains(output, "antivirus") ||
+			strings.Contains(output, "mcafee") ||
+			strings.Contains(output, "norton") ||
+			strings.Contains(output, "sophos") {
+			return Result{Status: "pass", Description: "Windows antivirus detected"}
+		}
+	}
+
+	// No AV is often fine for servers/Linux
+	if osName == "linux" || osName == "freebsd" || osName == "openbsd" {
+		return Result{Status: "n/a", Description: "Antivirus optional for " + osName}
+	}
+
+	// Can't check
+	if strings.Contains(output, "permission denied") {
+		return Result{Status: "n/a", Description: "Cannot check antivirus status"}
+	}
+
+	return Result{Status: "n/a", Description: "Antivirus not detected"}
+}
@@ -0,0 +1,33 @@
+package analyzer
+
+import "strings"
+
+func analyzeAppFirewall(output string, exitCode int, osName string, baseCommand string) Result {
+	// macOS Application Firewall specific analysis (SOC 2 relevant check)
+	if baseCommand == "socketfilterfw" {
+		// Check global state - this is the main SOC 2 compliance indicator
+		if strings.Contains(output, "firewall is enabled") {
+			return Result{Status: "pass", Description: "macOS Application Firewall enabled"}
+		}
+		if strings.Contains(output, "firewall is disabled") {
+			return Result{
+				Status:      "fail",
+				Description: "macOS Application Firewall disabled",
+				Remediation: []string{
+					"Open System Settings > Network > Firewall",
+					"Click on 'Options...'",
+					"Turn on 'Enable Firewall'",
+				},
+			}
+		}
+	}
+
+	// Permission issues or not available
+	if strings.Contains(output, "permission denied") ||
+		strings.Contains(output, "not found") ||
+		strings.Contains(output, "command not found") {
+		return Result{Status: "n/a", Description: "Cannot access application firewall"}
+	}
+
+	return Result{Status: "n/a", Description: "Application firewall status unknown"}
+}