diff --git a/cfg/cis-1.5/policies.yaml b/cfg/cis-1.5/policies.yaml
index ace52826fcf6db8b0369511ddf62e54ad531ef71..5ba70909417735d21f9720863d52e8f52b0067d3 100644
--- a/cfg/cis-1.5/policies.yaml
+++ b/cfg/cis-1.5/policies.yaml
@@ -131,7 +131,7 @@ groups:
text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
type: "manual"
remediation: |
- Review the use of capabilites in applications runnning on your cluster. Where a namespace
+ Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false
diff --git a/cfg/cis-1.6/policies.yaml b/cfg/cis-1.6/policies.yaml
index 14b5ffa840d720935e8665055159e4b3069c49ef..980762a76a29a0cc3f20d91c47bf0d40e2f3041c 100644
--- a/cfg/cis-1.6/policies.yaml
+++ b/cfg/cis-1.6/policies.yaml
@@ -131,7 +131,7 @@ groups:
text: "Minimize the admission of containers with capabilities assigned (Manual)"
type: "manual"
remediation: |
- Review the use of capabilites in applications runnning on your cluster. Where a namespace
+ Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
scored: false
diff --git a/cfg/gke-1.0/policies.yaml b/cfg/gke-1.0/policies.yaml
index 2f26fbd800b95f474bf0da14a0f81a9637834075..54ce12bd9692fdca4b130f981e79f93386be5820 100644
--- a/cfg/gke-1.0/policies.yaml
+++ b/cfg/gke-1.0/policies.yaml
@@ -131,7 +131,7 @@ groups:
text: "Minimize the admission of containers with capabilities assigned (Scored) "
type: "manual"
remediation: |
- Review the use of capabilites in applications runnning on your cluster. Where a namespace
+ Review the use of capabilites in applications running on your cluster. Where a namespace
contains applications which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
scored: true
diff --git a/check/check.go b/check/check.go
index da621d75d81478502e39c0c2752866afae915375..6e91f237538c254d9a1760d7bf15ff5a504369c5 100644
--- a/check/check.go
+++ b/check/check.go
@@ -107,12 +107,14 @@ func (r *defaultRunner) Run(c *Check) State {
// Run executes the audit commands specified in a check and outputs
// the results.
func (c *Check) run() State {
+ glog.V(3).Infof("----- Running check %v -----", c.ID)
// Since this is an Scored check
// without tests return a 'WARN' to alert
// the user that this check needs attention
if c.Scored && strings.TrimSpace(c.Type) == "" && c.Tests == nil {
c.Reason = "There are no tests"
c.State = WARN
+ glog.V(3).Info(c.Reason)
return c.State
}
@@ -120,6 +122,7 @@ func (c *Check) run() State {
if c.Type == SKIP {
c.Reason = "Test marked as skip"
c.State = INFO
+ glog.V(3).Info(c.Reason)
return c.State
}
@@ -127,6 +130,7 @@ func (c *Check) run() State {
if c.Type == MANUAL {
c.Reason = "Test marked as a manual test"
c.State = WARN
+ glog.V(3).Info(c.Reason)
return c.State
}
@@ -138,6 +142,7 @@ func (c *Check) run() State {
} else {
c.State = WARN
}
+ glog.V(3).Info(c.Reason)
return c.State
}
@@ -172,12 +177,13 @@ func (c *Check) run() State {
} else {
c.State = WARN
}
+ glog.V(3).Info(c.Reason)
}
if finalOutput != nil {
- glog.V(3).Infof("Check.ID: %s Command: %q TestResult: %t State: %q \n", c.ID, lastCommand, finalOutput.testResult, c.State)
+ glog.V(3).Infof("Command: %q TestResult: %t State: %q \n", lastCommand, finalOutput.testResult, c.State)
} else {
- glog.V(3).Infof("Check.ID: %s Command: %q TestResult: <<EMPTY>> \n", c.ID, lastCommand)
+ glog.V(3).Infof("Command: %q TestResult: <<EMPTY>> \n", lastCommand)
}
if c.Reason != "" {
@@ -212,7 +218,7 @@ func (c *Check) execute() (finalOutput *testOutput, err error) {
res := make([]testOutput, len(ts.TestItems))
expectedResultArr := make([]string, len(res))
- glog.V(3).Infof("%d tests", len(ts.TestItems))
+ glog.V(3).Infof("Running %d test_items", len(ts.TestItems))
for i, t := range ts.TestItems {
t.isMultipleOutput = c.IsMultiple
@@ -236,6 +242,7 @@ func (c *Check) execute() (finalOutput *testOutput, err error) {
t.auditUsed = AuditEnv
result = *(t.execute(c.AuditEnvOutput))
}
+ glog.V(2).Infof("Used %s", t.auditUsed)
res[i] = result
expectedResultArr[i] = res[i].ExpectedResult
}
@@ -289,8 +296,8 @@ func runAudit(audit string) (output string, err error) {
if err != nil {
err = fmt.Errorf("failed to run: %q, output: %q, error: %s", audit, output, err)
} else {
- glog.V(3).Infof("Command %q\n - Output:\n %q", audit, output)
-
+ glog.V(3).Infof("Command: %q", audit)
+ glog.V(3).Infof("Output:\n %q", output)
}
return output, err
}
diff --git a/check/test.go b/check/test.go
index b5abd30937504247d43fcfaceaba811d1b601182..3c63d4590de04301acf6215c6848a8e53b052589 100644
--- a/check/test.go
+++ b/check/test.go
@@ -126,6 +126,9 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error)
// flag: somevalue
// --flag
// somevalue
+ // DOESN'T COVER - use pathTestItem implementation of findValue() for this
+ // flag:
+ // - wehbook
pttn := `(` + t.Flag + `)(=|: *)*([^\s]*) *`
flagRe := regexp.MustCompile(pttn)
vals := flagRe.FindStringSubmatch(s)
@@ -145,7 +148,7 @@ func (t flagTestItem) findValue(s string) (match bool, value string, err error)
err = fmt.Errorf("invalid flag in testItem definition: %s", s)
}
}
- glog.V(3).Infof("In flagTestItem.findValue %s, match %v, s %s, t.Flag %s", value, match, s, t.Flag)
+ glog.V(3).Infof("In flagTestItem.findValue %s", value)
return match, value, err
}
@@ -183,6 +186,7 @@ func (t envTestItem) findValue(s string) (match bool, value string, err error) {
value = ""
}
}
+ glog.V(3).Infof("In envTestItem.findValue %s", value)
return match, value, nil
}
@@ -232,10 +236,22 @@ func (t testItem) evaluate(s string) *testOutput {
}
result.flagFound = match
- glog.V(3).Info(fmt.Sprintf("found %v", result.flagFound))
-
-
- return result
+ var isExist = "exists"
+ if !result.flagFound{
+ isExist = "does not exist"
+ }
+ switch t.auditUsed {
+ case "auditCommand":
+ glog.V(3).Infof("Flag '%s' %s", t.Flag, isExist)
+ case "auditConfig":
+ glog.V(3).Infof("Path '%s' %s", t.Path, isExist)
+ case "auditEnv":
+ glog.V(3).Infof("Env '%s' %s", t.Env, isExist)
+ default:
+ glog.V(3).Infof("Error with identify audit used %s", t.auditUsed)
+ }
+
+ return result
}
func compareOp(tCompareOp string, flagVal string, tCompareValue string, flagName string) (string, bool) {
diff --git a/integration/testdata/cis-1.5/job.data b/integration/testdata/cis-1.5/job.data
index 984d11301dc3028ba0323a27284eeb2ec48b88e8..9c2e7a0f2578e25946195471c172dfdd3aa9552a 100644
--- a/integration/testdata/cis-1.5/job.data
+++ b/integration/testdata/cis-1.5/job.data
@@ -353,7 +353,7 @@ UIDs not including 0.
5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array.
-5.2.9 Review the use of capabilites in applications runnning on your cluster. Where a namespace
+5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
diff --git a/integration/testdata/cis-1.6/job.data b/integration/testdata/cis-1.6/job.data
index 54e79a472e9bb90db3ce1933779434ba6a922fbe..54ec2b0655a3d3c5ad78c994ca6426d6555d2acd 100644
--- a/integration/testdata/cis-1.6/job.data
+++ b/integration/testdata/cis-1.6/job.data
@@ -356,7 +356,7 @@ UIDs not including 0.
5.2.8 Ensure that allowedCapabilities is not present in PSPs for the cluster unless
it is set to an empty array.
-5.2.9 Review the use of capabilites in applications runnning on your cluster. Where a namespace
+5.2.9 Review the use of capabilites in applications running on your cluster. Where a namespace
contains applicaions which do not require any Linux capabities to operate consider adding
a PSP which forbids the admission of containers which do not drop all capabilities.
@@ -416,4 +416,4 @@ resources and that all new resources are created in a specific namespace.
72 checks PASS
11 checks FAIL
39 checks WARN
-0 checks INFO
\ No newline at end of file
+0 checks INFO