mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-11-21 23:58:06 +00:00
Add logging (#822)
* Add more logging The old logging could was lacking and in some cases misleading * Add Logging Add more logs and change some old messages, the important part is make each test log more readable by adding ------ test id ------ section in logs * Fix typos * more info add more info in comment about the function and it use cases Co-authored-by: Liz Rice <liz@lizrice.com> * Use switch case Change the logic from if to switch and tidy up the code
This commit is contained in:
parent
9030532263
commit
0cb302761c
@ -131,7 +131,7 @@ groups:
|
||||
text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Review the use of capabilites in applications runnning on your cluster. Where a namespace
|
||||
Review the use of capabilites in applications running on your cluster. Where a namespace
|
||||
contains applicaions which do not require any Linux capabities to operate consider adding
|
||||
a PSP which forbids the admission of containers which do not drop all capabilities.
|
||||
scored: false
|
||||
|
@ -131,7 +131,7 @@ groups:
|
||||
text: "Minimize the admission of containers with capabilities assigned (Manual)"
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Review the use of capabilites in applications runnning on your cluster. Where a namespace
|
||||
Review the use of capabilites in applications running on your cluster. Where a namespace
|
||||
contains applicaions which do not require any Linux capabities to operate consider adding
|
||||
a PSP which forbids the admission of containers which do not drop all capabilities.
|
||||
scored: false
|
||||
|
@ -131,7 +131,7 @@ groups:
|
||||
text: "Minimize the admission of containers with capabilities assigned (Scored) "
|
||||
type: "manual"
|
||||
remediation: |
|
||||
Review the use of capabilites in applications runnning on your cluster. Where a namespace
|
||||
Review the use of capabilites in applications running on your cluster. Where a namespace
|
||||
contains applications which do not require any Linux capabities to operate consider adding
|
||||
a PSP which forbids the admission of containers which do not drop all capabilities.
|
||||
scored: true
|
||||
|
@ -107,12 +107,14 @@ func (r *defaultRunner) Run(c *Check) State {
|
||||
// Run executes the audit commands specified in a check and outputs
|
||||
// the results.
|
||||
func (c *Check) run() State {
|
||||
glog.V(3).Infof("----- Running check %v -----", c.ID)
|
||||
// Since this is an Scored check
|
||||
// without tests return a 'WARN' to alert
|
||||
// the user that this check needs attention
|
||||
if c.Scored && strings.TrimSpace(c.Type) == "" && c.Tests == nil {
|
||||
c.Reason = "There are no tests"
|
||||
c.State = WARN
|
||||
glog.V(3).Info(c.Reason)
|
||||
return c.State
|
||||
}
|
||||
|
||||
@ -120,6 +122,7 @@ func (c *Check) run() State {
|
||||
if c.Type == SKIP {
|
||||
c.Reason = "Test marked as skip"
|
||||
c.State = INFO
|
||||
glog.V(3).Info(c.Reason)
|
||||
return c.State
|
||||
}
|
||||
|
||||
@ -127,6 +130,7 @@ func (c *Check) run() State {
|
||||
if c.Type == MANUAL {
|
||||
c.Reason = "Test marked as a manual test"
|
||||
c.State = WARN
|
||||
glog.V(3).Info(c.Reason)
|
||||
return c.State
|
||||
}
|
||||
|
||||
@ -138,6 +142,7 @@ func (c *Check) run() State {
|
||||
} else {
|
||||
c.State = WARN
|
||||
}
|
||||
glog.V(3).Info(c.Reason)
|
||||
return c.State
|
||||
}
|
||||
|
||||
@ -172,12 +177,13 @@ func (c *Check) run() State {
|
||||
} else {
|
||||
c.State = WARN
|
||||
}
|
||||
glog.V(3).Info(c.Reason)
|
||||
}
|
||||
|
||||
if finalOutput != nil {
|
||||
glog.V(3).Infof("Check.ID: %s Command: %q TestResult: %t State: %q \n", c.ID, lastCommand, finalOutput.testResult, c.State)
|
||||
glog.V(3).Infof("Command: %q TestResult: %t State: %q \n", lastCommand, finalOutput.testResult, c.State)
|
||||
} else {
|
||||
glog.V(3).Infof("Check.ID: %s Command: %q TestResult: <<EMPTY>> \n", c.ID, lastCommand)
|
||||
glog.V(3).Infof("Command: %q TestResult: <<EMPTY>> \n", lastCommand)
|
||||
}
|
||||
|
||||
if c.Reason != "" {
|
||||
@ -212,7 +218,7 @@ func (c *Check) execute() (finalOutput *testOutput, err error) {
|
||||
res := make([]testOutput, len(ts.TestItems))
|
||||
expectedResultArr := make([]string, len(res))
|
||||
|
||||
glog.V(3).Infof("%d tests", len(ts.TestItems))
|
||||
glog.V(3).Infof("Running %d test_items", len(ts.TestItems))
|
||||
for i, t := range ts.TestItems {
|
||||
|
||||
t.isMultipleOutput = c.IsMultiple
|
||||
@ -236,6 +242,7 @@ func (c *Check) execute() (finalOutput *testOutput, err error) {
|
||||
t.auditUsed = AuditEnv
|
||||
result = *(t.execute(c.AuditEnvOutput))
|
||||
}
|
||||
glog.V(2).Infof("Used %s", t.auditUsed)
|
||||
res[i] = result
|
||||
expectedResultArr[i] = res[i].ExpectedResult
|
||||
}
|
||||
@ -289,8 +296,8 @@ func runAudit(audit string) (output string, err error) {
|
||||
if err != nil {
|
||||
err = fmt.Errorf("failed to run: %q, output: %q, error: %s", audit, output, err)
|
||||
} else {
|
||||
glog.V(3).Infof("Command %q\n - Output:\n %q", audit, output)
|
||||
|
||||
glog.V(3).Infof("Command: %q", audit)
|
||||
glog.V(3).Infof("Output:\n %q", output)
|
||||
}
|
||||
return output, err
|
||||
}
|
||||
|
@ -126,6 +126,9 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error)
|
||||
// flag: somevalue
|
||||
// --flag
|
||||
// somevalue
|
||||
// DOESN'T COVER - use pathTestItem implementation of findValue() for this
|
||||
// flag:
|
||||
// - wehbook
|
||||
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
|
||||
flagRe := regexp.MustCompile(pttn)
|
||||
vals := flagRe.FindStringSubmatch(s)
|
||||
@ -145,7 +148,7 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error)
|
||||
err = fmt.Errorf("invalid flag in testItem definition: %s", s)
|
||||
}
|
||||
}
|
||||
glog.V(3).Infof("In flagTestItem.findValue %s, match %v, s %s, t.Flag %s", value, match, s, t.Flag)
|
||||
glog.V(3).Infof("In flagTestItem.findValue %s", value)
|
||||
|
||||
return match, value, err
|
||||
}
|
||||
@ -183,6 +186,7 @@ func (t envTestItem) findValue(s string) (match bool, value string, err error) {
|
||||
value = ""
|
||||
}
|
||||
}
|
||||
glog.V(3).Infof("In envTestItem.findValue %s", value)
|
||||
return match, value, nil
|
||||
}
|
||||
|
||||
@ -232,10 +236,22 @@ func (t testItem) evaluate(s string) *testOutput {
|
||||
}
|
||||
|
||||
result.flagFound = match
|
||||
glog.V(3).Info(fmt.Sprintf("found %v", result.flagFound))
|
||||
var isExist = "exists"
|
||||
if !result.flagFound{
|
||||
isExist = "does not exist"
|
||||
}
|
||||
switch t.auditUsed {
|
||||
case "auditCommand":
|
||||
glog.V(3).Infof("Flag '%s' %s", t.Flag, isExist)
|
||||
case "auditConfig":
|
||||
glog.V(3).Infof("Path '%s' %s", t.Path, isExist)
|
||||
case "auditEnv":
|
||||
glog.V(3).Infof("Env '%s' %s", t.Env, isExist)
|
||||
default:
|
||||
glog.V(3).Infof("Error with identify audit used %s", t.auditUsed)
|
||||
}
|
||||
|
||||
|
||||
return result
|
||||
return result
|
||||
}
|
||||
|
||||
func compareOp(tCompareOp string, flagVal string, tCompareValue string, flagName string) (string, bool) {
|
||||
|
2
integration/testdata/cis-1.5/job.data
vendored
2
integration/testdata/cis-1.5/job.data
vendored
@ -353,7 +353,7 @@ UIDs not including 0.
|
||||
5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless
|
||||
it is set to an empty array.
|
||||
|
||||
5.2.9 Review the use of capabilites in applications runnning on your cluster. Where a namespace
|
||||
5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace
|
||||
contains applicaions which do not require any Linux capabities to operate consider adding
|
||||
a PSP which forbids the admission of containers which do not drop all capabilities.
|
||||
|
||||
|
2
integration/testdata/cis-1.6/job.data
vendored
2
integration/testdata/cis-1.6/job.data
vendored
@ -356,7 +356,7 @@ UIDs not including 0.
|
||||
5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless
|
||||
it is set to an empty array.
|
||||
|
||||
5.2.9 Review the use of capabilites in applications runnning on your cluster. Where a namespace
|
||||
5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace
|
||||
contains applicaions which do not require any Linux capabities to operate consider adding
|
||||
a PSP which forbids the admission of containers which do not drop all capabilities.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user