From 0cb302761c669128cdec9c136b69e677359314a5 Mon Sep 17 00:00:00 2001 From: Yoav Rotem Date: Mon, 22 Mar 2021 17:33:53 +0200 Subject: [PATCH] Add logging (#822) * Add more logging The old logging could was lacking and in some cases misleading * Add Logging Add more logs and change some old messages, the important part is make each test log more readable by adding ------ test id ------ section in logs * Fix typos * more info add more info in comment about the function and it use cases Co-authored-by: Liz Rice * Use switch case Change the logic from if to switch and tidy up the code --- cfg/cis-1.5/policies.yaml | 2 +- cfg/cis-1.6/policies.yaml | 2 +- cfg/gke-1.0/policies.yaml | 2 +- check/check.go | 17 ++++++++++++----- check/test.go | 26 +++++++++++++++++++++----- integration/testdata/cis-1.5/job.data | 2 +- integration/testdata/cis-1.6/job.data | 4 ++-- 7 files changed, 39 insertions(+), 16 deletions(-) diff --git a/cfg/cis-1.5/policies.yaml b/cfg/cis-1.5/policies.yaml index ace5282..5ba7090 100644 --- a/cfg/cis-1.5/policies.yaml +++ b/cfg/cis-1.5/policies.yaml @@ -131,7 +131,7 @@ groups: text: "Minimize the admission of containers with capabilities assigned (Not Scored)" type: "manual" remediation: | - Review the use of capabilites in applications runnning on your cluster. Where a namespace + Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities. scored: false diff --git a/cfg/cis-1.6/policies.yaml b/cfg/cis-1.6/policies.yaml index 14b5ffa..980762a 100644 --- a/cfg/cis-1.6/policies.yaml +++ b/cfg/cis-1.6/policies.yaml @@ -131,7 +131,7 @@ groups: text: "Minimize the admission of containers with capabilities assigned (Manual)" type: "manual" remediation: | - Review the use of capabilites in applications runnning on your cluster. Where a namespace + Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities. scored: false diff --git a/cfg/gke-1.0/policies.yaml b/cfg/gke-1.0/policies.yaml index 2f26fbd..54ce12b 100644 --- a/cfg/gke-1.0/policies.yaml +++ b/cfg/gke-1.0/policies.yaml @@ -131,7 +131,7 @@ groups: text: "Minimize the admission of containers with capabilities assigned (Scored) " type: "manual" remediation: | - Review the use of capabilites in applications runnning on your cluster. Where a namespace + Review the use of capabilites in applications running on your cluster. Where a namespace contains applications which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities. scored: true diff --git a/check/check.go b/check/check.go index da621d7..6e91f23 100644 --- a/check/check.go +++ b/check/check.go @@ -107,12 +107,14 @@ func (r *defaultRunner) Run(c *Check) State { // Run executes the audit commands specified in a check and outputs // the results. func (c *Check) run() State { + glog.V(3).Infof("----- Running check %v -----", c.ID) // Since this is an Scored check // without tests return a 'WARN' to alert // the user that this check needs attention if c.Scored && strings.TrimSpace(c.Type) == "" && c.Tests == nil { c.Reason = "There are no tests" c.State = WARN + glog.V(3).Info(c.Reason) return c.State } @@ -120,6 +122,7 @@ func (c *Check) run() State { if c.Type == SKIP { c.Reason = "Test marked as skip" c.State = INFO + glog.V(3).Info(c.Reason) return c.State } @@ -127,6 +130,7 @@ func (c *Check) run() State { if c.Type == MANUAL { c.Reason = "Test marked as a manual test" c.State = WARN + glog.V(3).Info(c.Reason) return c.State } @@ -138,6 +142,7 @@ func (c *Check) run() State { } else { c.State = WARN } + glog.V(3).Info(c.Reason) return c.State } @@ -172,12 +177,13 @@ func (c *Check) run() State { } else { c.State = WARN } + glog.V(3).Info(c.Reason) } if finalOutput != nil { - glog.V(3).Infof("Check.ID: %s Command: %q TestResult: %t State: %q \n", c.ID, lastCommand, finalOutput.testResult, c.State) + glog.V(3).Infof("Command: %q TestResult: %t State: %q \n", lastCommand, finalOutput.testResult, c.State) } else { - glog.V(3).Infof("Check.ID: %s Command: %q TestResult: <> \n", c.ID, lastCommand) + glog.V(3).Infof("Command: %q TestResult: <> \n", lastCommand) } if c.Reason != "" { @@ -212,7 +218,7 @@ func (c *Check) execute() (finalOutput *testOutput, err error) { res := make([]testOutput, len(ts.TestItems)) expectedResultArr := make([]string, len(res)) - glog.V(3).Infof("%d tests", len(ts.TestItems)) + glog.V(3).Infof("Running %d test_items", len(ts.TestItems)) for i, t := range ts.TestItems { t.isMultipleOutput = c.IsMultiple @@ -236,6 +242,7 @@ func (c *Check) execute() (finalOutput *testOutput, err error) { t.auditUsed = AuditEnv result = *(t.execute(c.AuditEnvOutput)) } + glog.V(2).Infof("Used %s", t.auditUsed) res[i] = result expectedResultArr[i] = res[i].ExpectedResult } @@ -289,8 +296,8 @@ func runAudit(audit string) (output string, err error) { if err != nil { err = fmt.Errorf("failed to run: %q, output: %q, error: %s", audit, output, err) } else { - glog.V(3).Infof("Command %q\n - Output:\n %q", audit, output) - + glog.V(3).Infof("Command: %q", audit) + glog.V(3).Infof("Output:\n %q", output) } return output, err } diff --git a/check/test.go b/check/test.go index b5abd30..3c63d45 100644 --- a/check/test.go +++ b/check/test.go @@ -126,6 +126,9 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error) // flag: somevalue // --flag // somevalue + // DOESN'T COVER - use pathTestItem implementation of findValue() for this + // flag: + // - wehbook pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *` flagRe := regexp.MustCompile(pttn) vals := flagRe.FindStringSubmatch(s) @@ -145,7 +148,7 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error) err = fmt.Errorf("invalid flag in testItem definition: %s", s) } } - glog.V(3).Infof("In flagTestItem.findValue %s, match %v, s %s, t.Flag %s", value, match, s, t.Flag) + glog.V(3).Infof("In flagTestItem.findValue %s", value) return match, value, err } @@ -183,6 +186,7 @@ func (t envTestItem) findValue(s string) (match bool, value string, err error) { value = "" } } + glog.V(3).Infof("In envTestItem.findValue %s", value) return match, value, nil } @@ -232,10 +236,22 @@ func (t testItem) evaluate(s string) *testOutput { } result.flagFound = match - glog.V(3).Info(fmt.Sprintf("found %v", result.flagFound)) - - - return result + var isExist = "exists" + if !result.flagFound{ + isExist = "does not exist" + } + switch t.auditUsed { + case "auditCommand": + glog.V(3).Infof("Flag '%s' %s", t.Flag, isExist) + case "auditConfig": + glog.V(3).Infof("Path '%s' %s", t.Path, isExist) + case "auditEnv": + glog.V(3).Infof("Env '%s' %s", t.Env, isExist) + default: + glog.V(3).Infof("Error with identify audit used %s", t.auditUsed) + } + + return result } func compareOp(tCompareOp string, flagVal string, tCompareValue string, flagName string) (string, bool) { diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data index 984d113..9c2e7a0 100644 --- a/integration/testdata/cis-1.5/job.data +++ b/integration/testdata/cis-1.5/job.data @@ -353,7 +353,7 @@ UIDs not including 0. 5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless it is set to an empty array. -5.2.9 Review the use of capabilites in applications runnning on your cluster. Where a namespace +5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities. diff --git a/integration/testdata/cis-1.6/job.data b/integration/testdata/cis-1.6/job.data index 54e79a4..54ec2b0 100644 --- a/integration/testdata/cis-1.6/job.data +++ b/integration/testdata/cis-1.6/job.data @@ -356,7 +356,7 @@ UIDs not including 0. 5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless it is set to an empty array. -5.2.9 Review the use of capabilites in applications runnning on your cluster. Where a namespace +5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace contains applicaions which do not require any Linux capabities to operate consider adding a PSP which forbids the admission of containers which do not drop all capabilities. @@ -416,4 +416,4 @@ resources and that all new resources are created in a specific namespace. 72 checks PASS 11 checks FAIL 39 checks WARN -0 checks INFO \ No newline at end of file +0 checks INFO