mirror of https://github.com/aquasecurity/kube-bench.git synced 2024-11-25 09:28:16 +00:00

bugfix: false negative when audit_config is defined along with audit and config file not found (#1367)

Suppress the file-not-found error only when audit or auditEnv is defined and valid output has been captured from them.
Since we already have output from the audit command, we can proceed with our tests even though we didn't find the config file.
file not found error: `failed to run: "/test/config.yaml", output: "/bin/sh: line 1: /test/config.yaml: No such file or directory\n", error: exit status 127`

Resolve: #1364
Devendra Turkar 2023-02-02 14:02:27 +05:30 committed by GitHub
parent e1d1053358
commit b942ed3f0b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 35 additions and 2 deletions


@ -208,6 +208,14 @@ func (c *Check) runAuditCommands() (lastCommand string, err error) {
} }
c.AuditConfigOutput, err = runAudit(c.AuditConfig) c.AuditConfigOutput, err = runAudit(c.AuditConfig)
// when file not found then error comes as exit status 127
if err != nil && strings.Contains(err.Error(), "exit status 127") &&
(c.AuditEnvOutput != "" || c.AuditOutput != "") {
// suppress file not found error when there is Audit OR auditEnv output present
glog.V(3).Info(err)
err = nil
c.AuditConfigOutput = ""
}
return c.AuditConfig, err return c.AuditConfig, err
} }
@ -227,8 +235,8 @@ func (c *Check) execute() (finalOutput *testOutput, err error) {
t.auditUsed = AuditCommand t.auditUsed = AuditCommand
result := *(t.execute(c.AuditOutput)) result := *(t.execute(c.AuditOutput))
// Check for AuditConfigOutput only if AuditConfig is set // Check for AuditConfigOutput only if AuditConfig is set and auditConfigOutput is not empty
if !result.flagFound && c.AuditConfig != "" { if !result.flagFound && c.AuditConfig != "" && c.AuditConfigOutput != "" {
// t.isConfigSetting = true // t.isConfigSetting = true
t.auditUsed = AuditConfig t.auditUsed = AuditConfig
result = *(t.execute(c.AuditConfigOutput)) result = *(t.execute(c.AuditConfigOutput))
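Review bot: The new branch in runAuditCommands treats any error whose text contains `exit status 127` as "config file not found", but 127 is the shell's generic command-not-found status, so a missing helper binary in an audit_config pipeline would be suppressed the same way and the check would then be scored on audit/auditEnv output alone. Because the suppression is logged only at `glog.V(3)`, someone reading a PASS has no indication that the config source was skipped; consider a more visible message such as `glog.V(1).Infof("audit_config %q skipped (exit status 127), scoring on audit output only: %v", c.AuditConfig, err)`. Matching on `err.Error()` is also brittle: if runAudit wraps the underlying `*exec.ExitError` (not visible here), `errors.As` plus `ExitCode() == 127` would be sturdier. Both function bodies continue outside the hunks.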


@ -69,6 +69,31 @@ func TestCheck_Run(t *testing.T) {
}, },
Expected: PASS, Expected: PASS,
}, },
{
name: "Scored checks that pass should PASS when config file is not present",
check: Check{
Scored: true,
Audit: "echo hello",
AuditConfig: "/test/config.yaml",
Tests: &tests{TestItems: []*testItem{{
Flag: "hello",
Set: true,
}}},
},
Expected: PASS,
},
{
name: "Scored checks that pass should FAIL when config file is not present",
check: Check{
Scored: true,
AuditConfig: "/test/config.yaml",
Tests: &tests{TestItems: []*testItem{{
Flag: "hello",
Set: true,
}}},
},
Expected: FAIL,
},
} }
for _, testCase := range testCases { for _, testCase := range testCases {
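Review bot: The second added case is named "Scored checks that pass should FAIL when config file is not present", which contradicts itself; something like `name: "Scored checks should FAIL when only audit_config is set and the config file is not present"` states what is actually being pinned. Both cases also depend on `/test/config.yaml` being absent on the test host and on the shell returning 127 for it, which is worth a short comment above the cases. The `c.AuditEnvOutput != ""` half of the new condition has no case here, so a regression in that branch would go unnoticed. The loop body continues outside the hunk.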