Merge branch 'master' into config-improvements

2025-01-19 04:01:07 +00:00 · 2019-05-27 13:10:40 +02:00 · 2019-05-27 13:10:40 +02:00 · a8c69b57e8
commit a8c69b57e8
parent e33e44b676 ff6443e279
4 changed files with 42 additions and 3 deletions
--- a/check/check.go
+++ b/check/check.go
@ -62,7 +62,7 @@ func handleError(err error, context string) (errmsg string) {
 type Check struct {
 	ID          string      `yaml:"id" json:"test_number"`
 	Text        string      `json:"test_desc"`
-	Audit       string      `json:"omit"`
+	Audit       string      `json:"audit"`
 	Type        string      `json:"type"`
 	Commands    []*exec.Cmd `json:"omit"`
 	Tests       *tests      `json:"omit"`
@ -72,6 +72,7 @@ type Check struct {
 	State       `json:"status"`
 	ActualValue string `json:"actual_value"`
 	Scored      bool   `json:"scored"`
+	ExpectedResult string `json:"expected_result"`
 }

 // Runner wraps the basic Run method.
@ -188,6 +189,7 @@ func (c *Check) run() State {
 	finalOutput := c.Tests.execute(out.String())
 	if finalOutput != nil {
 		c.ActualValue = finalOutput.actualResult
+		c.ExpectedResult = finalOutput.ExpectedResult
 		if finalOutput.testResult {
 			c.State = PASS
 		} else {
--- a/check/test.go
+++ b/check/test.go
@ -58,6 +58,7 @@ type compare struct {
 type testOutput struct {
 	testResult   bool
 	actualResult string
+	ExpectedResult string
 }

 func failTestItem(s string) *testOutput {
@ -135,9 +136,10 @@ func (t *testItem) execute(s string) *testOutput {
 				}
 			}

-			result.actualResult = strings.ToLower(flagVal)
+			expectedResultPattern := ""
 			switch t.Compare.Op {
 			case "eq":
+				expectedResultPattern = "'%s' is equal to '%s'"
 				value := strings.ToLower(flagVal)
 				// Do case insensitive comparaison for booleans ...
 				if value == "false" || value == "true" {
@ -147,6 +149,7 @@ func (t *testItem) execute(s string) *testOutput {
 				}

 			case "noteq":
+				expectedResultPattern = "'%s' is not equal to '%s'"
 				value := strings.ToLower(flagVal)
 				// Do case insensitive comparaison for booleans ...
 				if value == "false" || value == "true" {
@ -156,32 +159,41 @@ func (t *testItem) execute(s string) *testOutput {
 				}

 			case "gt":
+				expectedResultPattern = "%s is greater then %s"
 				a, b := toNumeric(flagVal, t.Compare.Value)
 				result.testResult = a > b

 			case "gte":
+				expectedResultPattern = "%s is greater or equal to %s"
 				a, b := toNumeric(flagVal, t.Compare.Value)
 				result.testResult = a >= b

 			case "lt":
+				expectedResultPattern = "%s is lower then %s"
 				a, b := toNumeric(flagVal, t.Compare.Value)
 				result.testResult = a < b

 			case "lte":
+				expectedResultPattern = "%s is lower or equal to %s"
 				a, b := toNumeric(flagVal, t.Compare.Value)
 				result.testResult = a <= b

 			case "has":
+				expectedResultPattern = "'%s' has '%s'"
 				result.testResult = strings.Contains(flagVal, t.Compare.Value)

 			case "nothave":
+				expectedResultPattern = " '%s' not have '%s'"
 				result.testResult = !strings.Contains(flagVal, t.Compare.Value)
 			}
+
+			result.ExpectedResult = fmt.Sprintf(expectedResultPattern, t.Flag, t.Compare.Value)
 		} else {
+			result.ExpectedResult = fmt.Sprintf("'%s' is present", t.Flag)
 			result.testResult = isset
 		}
-
 	} else {
+		result.ExpectedResult = fmt.Sprintf("'%s' is not present", t.Flag)
 		notset := !match
 		result.testResult = notset
 	}
@ -207,8 +219,11 @@ func (ts *tests) execute(s string) *testOutput {
 		return finalOutput
 	}

+	expectedResultArr := make([]string, len(res))
+
 	for i, t := range ts.TestItems {
 		res[i] = *(t.execute(s))
+		expectedResultArr[i] = res[i].ExpectedResult
 	}

 	var result bool
@ -222,16 +237,25 @@ func (ts *tests) execute(s string) *testOutput {
 		for i := range res {
 			result = result && res[i].testResult
 		}
+		// Generate an AND expected result
+		finalOutput.ExpectedResult = strings.Join(expectedResultArr, " AND ")
+
 	case or:
 		result = false
 		for i := range res {
 			result = result || res[i].testResult
 		}
+		// Generate an OR expected result
+		finalOutput.ExpectedResult = strings.Join(expectedResultArr, " OR ")
 	}

 	finalOutput.testResult = result
 	finalOutput.actualResult = res[0].actualResult

+	if finalOutput.actualResult == "" {
+		finalOutput.actualResult = s
+	}
+
 	return finalOutput
 }

--- a/cmd/common.go
+++ b/cmd/common.go
@ -19,6 +19,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"

 	"github.com/aquasecurity/kube-bench/check"
 	"github.com/golang/glog"
@ -142,6 +143,10 @@ func prettyPrint(r *check.Controls, summary check.Summary) {
 			colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text))
 			for _, c := range g.Checks {
 				colorPrint(c.State, fmt.Sprintf("%s %s\n", c.ID, c.Text))
+
+				if includeTestOutput && c.State == check.FAIL && len(c.ActualValue) > 0 {
+					printRawOutput(c.ActualValue)
+				}
 			}
 		}

@ -240,3 +245,9 @@ func isMaster() bool {
 	}
 	return true
 }
+
+func printRawOutput(output string) {
+	for _, row := range strings.Split(output, "\n") {
+		fmt.Println(fmt.Sprintf("\t %s", row))
+	}
+}
--- a/cmd/root.go
+++ b/cmd/root.go
@ -47,6 +47,7 @@ var (
 	noSummary          bool
 	noRemediations     bool
 	filterOpts         FilterOpts
+	includeTestOutput bool
 )

 // RootCmd represents the base command when called without any subcommands
@ -87,6 +88,7 @@ func init() {
 	RootCmd.PersistentFlags().BoolVar(&pgSQL, "pgsql", false, "Save the results to PostgreSQL")
 	RootCmd.PersistentFlags().BoolVar(&filterOpts.Scored, "scored", true, "Run the scored CIS checks")
 	RootCmd.PersistentFlags().BoolVar(&filterOpts.Unscored, "unscored", true, "Run the unscored CIS checks")
+	RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the actual result when test fails")

 	RootCmd.PersistentFlags().StringVarP(
 		&filterOpts.CheckList,