1
0
mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-21 23:58:06 +00:00

Add logging (#822)

* Add more logging

The old logging could was lacking and in some cases misleading

* Add Logging

Add more logs and change some old messages, the important part is make each test log more readable by adding ------ test id ------ section in logs

* Fix typos

* more info

add more info in comment about the function and it use cases

Co-authored-by: Liz Rice <liz@lizrice.com>

* Use switch case

Change the logic from if to switch and tidy up the code
This commit is contained in:
Yoav Rotem 2021-03-22 17:33:53 +02:00 committed by GitHub
parent 9030532263
commit 0cb302761c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 39 additions and 16 deletions

View File

@ -131,7 +131,7 @@ groups:
text: "Minimize the admission of containers with capabilities assigned (Not Scored)" text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
type: "manual" type: "manual"
remediation: | remediation: |
Review the use of capabilites in applications runnning on your cluster. Where a namespace Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false scored: false

View File

@ -131,7 +131,7 @@ groups:
text: "Minimize the admission of containers with capabilities assigned (Manual)" text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual" type: "manual"
remediation: | remediation: |
Review the use of capabilites in applications runnning on your cluster. Where a namespace Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false scored: false

View File

@ -131,7 +131,7 @@ groups:
text: "Minimize the admission of containers with capabilities assigned (Scored) " text: "Minimize the admission of containers with capabilities assigned (Scored) "
type: "manual" type: "manual"
remediation: | remediation: |
Review the use of capabilites in applications runnning on your cluster. Where a namespace Review the use of capabilites in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabities to operate consider adding contains applications which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a PSP which forbids the admission of containers which do not drop all capabilities.
scored: true scored: true

View File

@ -107,12 +107,14 @@ func (r *defaultRunner) Run(c *Check) State {
// Run executes the audit commands specified in a check and outputs // Run executes the audit commands specified in a check and outputs
// the results. // the results.
func (c *Check) run() State { func (c *Check) run() State {
glog.V(3).Infof("----- Running check %v -----", c.ID)
// Since this is an Scored check // Since this is an Scored check
// without tests return a 'WARN' to alert // without tests return a 'WARN' to alert
// the user that this check needs attention // the user that this check needs attention
if c.Scored && strings.TrimSpace(c.Type) == "" && c.Tests == nil { if c.Scored && strings.TrimSpace(c.Type) == "" && c.Tests == nil {
c.Reason = "There are no tests" c.Reason = "There are no tests"
c.State = WARN c.State = WARN
glog.V(3).Info(c.Reason)
return c.State return c.State
} }
@ -120,6 +122,7 @@ func (c *Check) run() State {
if c.Type == SKIP { if c.Type == SKIP {
c.Reason = "Test marked as skip" c.Reason = "Test marked as skip"
c.State = INFO c.State = INFO
glog.V(3).Info(c.Reason)
return c.State return c.State
} }
@ -127,6 +130,7 @@ func (c *Check) run() State {
if c.Type == MANUAL { if c.Type == MANUAL {
c.Reason = "Test marked as a manual test" c.Reason = "Test marked as a manual test"
c.State = WARN c.State = WARN
glog.V(3).Info(c.Reason)
return c.State return c.State
} }
@ -138,6 +142,7 @@ func (c *Check) run() State {
} else { } else {
c.State = WARN c.State = WARN
} }
glog.V(3).Info(c.Reason)
return c.State return c.State
} }
@ -172,12 +177,13 @@ func (c *Check) run() State {
} else { } else {
c.State = WARN c.State = WARN
} }
glog.V(3).Info(c.Reason)
} }
if finalOutput != nil { if finalOutput != nil {
glog.V(3).Infof("Check.ID: %s Command: %q TestResult: %t State: %q \n", c.ID, lastCommand, finalOutput.testResult, c.State) glog.V(3).Infof("Command: %q TestResult: %t State: %q \n", lastCommand, finalOutput.testResult, c.State)
} else { } else {
glog.V(3).Infof("Check.ID: %s Command: %q TestResult: <<EMPTY>> \n", c.ID, lastCommand) glog.V(3).Infof("Command: %q TestResult: <<EMPTY>> \n", lastCommand)
} }
if c.Reason != "" { if c.Reason != "" {
@ -212,7 +218,7 @@ func (c *Check) execute() (finalOutput *testOutput, err error) {
res := make([]testOutput, len(ts.TestItems)) res := make([]testOutput, len(ts.TestItems))
expectedResultArr := make([]string, len(res)) expectedResultArr := make([]string, len(res))
glog.V(3).Infof("%d tests", len(ts.TestItems)) glog.V(3).Infof("Running %d test_items", len(ts.TestItems))
for i, t := range ts.TestItems { for i, t := range ts.TestItems {
t.isMultipleOutput = c.IsMultiple t.isMultipleOutput = c.IsMultiple
@ -236,6 +242,7 @@ func (c *Check) execute() (finalOutput *testOutput, err error) {
t.auditUsed = AuditEnv t.auditUsed = AuditEnv
result = *(t.execute(c.AuditEnvOutput)) result = *(t.execute(c.AuditEnvOutput))
} }
glog.V(2).Infof("Used %s", t.auditUsed)
res[i] = result res[i] = result
expectedResultArr[i] = res[i].ExpectedResult expectedResultArr[i] = res[i].ExpectedResult
} }
@ -289,8 +296,8 @@ func runAudit(audit string) (output string, err error) {
if err != nil { if err != nil {
err = fmt.Errorf("failed to run: %q, output: %q, error: %s", audit, output, err) err = fmt.Errorf("failed to run: %q, output: %q, error: %s", audit, output, err)
} else { } else {
glog.V(3).Infof("Command %q\n - Output:\n %q", audit, output) glog.V(3).Infof("Command: %q", audit)
glog.V(3).Infof("Output:\n %q", output)
} }
return output, err return output, err
} }

View File

@ -126,6 +126,9 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error)
// flag: somevalue // flag: somevalue
// --flag // --flag
// somevalue // somevalue
// DOESN'T COVER - use pathTestItem implementation of findValue() for this
// flag:
// - wehbook
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *` pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
flagRe := regexp.MustCompile(pttn) flagRe := regexp.MustCompile(pttn)
vals := flagRe.FindStringSubmatch(s) vals := flagRe.FindStringSubmatch(s)
@ -145,7 +148,7 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error)
err = fmt.Errorf("invalid flag in testItem definition: %s", s) err = fmt.Errorf("invalid flag in testItem definition: %s", s)
} }
} }
glog.V(3).Infof("In flagTestItem.findValue %s, match %v, s %s, t.Flag %s", value, match, s, t.Flag) glog.V(3).Infof("In flagTestItem.findValue %s", value)
return match, value, err return match, value, err
} }
@ -183,6 +186,7 @@ func (t envTestItem) findValue(s string) (match bool, value string, err error) {
value = "" value = ""
} }
} }
glog.V(3).Infof("In envTestItem.findValue %s", value)
return match, value, nil return match, value, nil
} }
@ -232,10 +236,22 @@ func (t testItem) evaluate(s string) *testOutput {
} }
result.flagFound = match result.flagFound = match
glog.V(3).Info(fmt.Sprintf("found %v", result.flagFound)) var isExist = "exists"
if !result.flagFound{
isExist = "does not exist"
return result }
switch t.auditUsed {
case "auditCommand":
glog.V(3).Infof("Flag '%s' %s", t.Flag, isExist)
case "auditConfig":
glog.V(3).Infof("Path '%s' %s", t.Path, isExist)
case "auditEnv":
glog.V(3).Infof("Env '%s' %s", t.Env, isExist)
default:
glog.V(3).Infof("Error with identify audit used %s", t.auditUsed)
}
return result
} }
func compareOp(tCompareOp string, flagVal string, tCompareValue string, flagName string) (string, bool) { func compareOp(tCompareOp string, flagVal string, tCompareValue string, flagName string) (string, bool) {

View File

@ -353,7 +353,7 @@ UIDs not including 0.
5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless 5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array. it is set to an empty array.
5.2.9 Review the use of capabilites in applications runnning on your cluster. Where a namespace 5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a PSP which forbids the admission of containers which do not drop all capabilities.

View File

@ -356,7 +356,7 @@ UIDs not including 0.
5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless 5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array. it is set to an empty array.
5.2.9 Review the use of capabilites in applications runnning on your cluster. Where a namespace 5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities. a PSP which forbids the admission of containers which do not drop all capabilities.
@ -416,4 +416,4 @@ resources and that all new resources are created in a specific namespace.
72 checks PASS 72 checks PASS
11 checks FAIL 11 checks FAIL
39 checks WARN 39 checks WARN
0 checks INFO 0 checks INFO