Merge pull request #18 from hazcod/work/commandbot

Tag fix & log optimisations
hazcod · Aug 18, 2021 · a3529a4 · a3529a4
2 parents 7711901 + 98213a3
commit a3529a4
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 13 deletions.
diff --git a/cmd/main.go b/cmd/main.go
@@ -25,6 +25,7 @@ func main() {
 	configPath := flag.String("config", "", "Path to your config file.")
 	logLevelStr := flag.String("log", "info", "Log level.")
 	dryMode := flag.Bool("dry", false, "whether we run in dry-run mode and send nothing to the users.")
+	noReport := flag.Bool("noreport", false, "disable sending an overview to the security user.")
 	flag.Parse()
 
 	logLevel, err := logrus.ParseLevel(*logLevelStr)
@@ -76,7 +77,7 @@ func main() {
 		}
 	}
 
-	if securityUserID == "" {
+	if securityUserID == "" && !*noReport {
 		logrus.WithField("fallback_user", config.Slack.SecurityUser).
 			Fatal("could not find fallback user on Slack")
 	}
@@ -92,11 +93,6 @@ func main() {
 			continue
 		}
 
-		if config.Slack.SkipOnHoliday && strings.EqualFold(slackUser.Profile.StatusText, slackStatusHoliday) {
-			logrus.WithField("slack_name", slackUser.Name).Warn("skipping user since he/she is on holiday")
-			continue
-		}
-
 		userFalconMsg := falconMessages[userEmail]
 
 		userWS1Msg := ws1Messages[userEmail]
@@ -105,7 +101,12 @@ func main() {
 			continue
 		}
 
-		logrus.WithField("falcon", userFalconMsg).WithField("ws1", userWS1Msg).WithField("email", userEmail).
+		if config.Slack.SkipOnHoliday && strings.EqualFold(slackUser.Profile.StatusText, slackStatusHoliday) {
+			logrus.WithField("slack_name", slackUser.Name).Warn("skipping user since he/she is on holiday")
+			continue
+		}
+
+		logrus.WithField("falcon", len(userFalconMsg.Devices)).WithField("ws1", len(userWS1Msg.Devices)).WithField("email", userEmail).
 			Debug("found messages")
 
 		slackMessage, err := user.BuildUserOverviewMessage(logrus.StandardLogger(), config, slackUser, falconMessages[userEmail], ws1Messages[userEmail])
@@ -134,6 +135,11 @@ func main() {
 		logrus.WithField("user", userEmail).Info("sent notice on Slack")
 	}
 
+	if *noReport {
+		logrus.Info("exiting since security overview is disabled")
+		os.Exit(0)
+	}
+
 	if config.Templates.SecurityOverviewMessage == "" {
 		logrus.Warn("not sending a security overview since template is empty")
 		os.Exit(0)

diff --git a/pkg/falcon/extractor.go b/pkg/falcon/extractor.go
@@ -97,6 +97,25 @@ func findEmailTag(tags []string, emailDomains []string) (email string, err error
 	return email, nil
 }
 
+func appendUnique(main, adder []string) []string {
+	for i := range adder {
+		found := false
+
+		for j := range main {
+			if strings.EqualFold(adder[i], main[j]) {
+				found = true
+				break
+			}
+		}
+
+		if found { continue }
+
+		main = append(main, adder[i])
+	}
+
+	return main
+}
+
 func GetMessages(config *config.Config, ctx context.Context) (results map[string]FalconResult, err error) {
 	falconAPIMaxRecords := int64(400)
 
@@ -181,7 +200,9 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 
 			for _, sev := range config.Falcon.SkipSeverities {
 				if strings.EqualFold(sev, vulnSev) {
-					logrus.WithField("severity", *vuln.Cve.Severity).Debug("skipping vulnerability")
+					logrus.WithField("host", *vuln.HostInfo.Hostname).WithField("cve_score", *vuln.Cve.BaseScore).
+						WithField("severity", *vuln.Cve.Severity).WithField("cve", *vuln.Cve.ID).
+						Debug("skipping vulnerability")
 					skip = true
 					break
 				}
@@ -190,7 +211,8 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 			if skip { continue }
 		}
 
-		logrus.WithField("cve_score", *vuln.Cve.BaseScore).WithField("severity", *vuln.Cve.Severity).
+		logrus.WithField("host", *vuln.HostInfo.Hostname).WithField("cve_score", *vuln.Cve.BaseScore).
+			WithField("severity", *vuln.Cve.Severity).WithField("cve", *vuln.Cve.ID).
 			Debug("adding vulnerability")
 
 		deviceFinding := UserDeviceFinding{
@@ -235,7 +257,7 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 			device.Findings = append(device.Findings, deviceFinding)
 		}
 
-		device.Tags = append(device.Tags, vuln.HostInfo.Tags...)
+		device.Tags = appendUnique(device.Tags, vuln.HostInfo.Tags)
 
 		devices[uniqueDeviceID] = device
 
@@ -260,7 +282,7 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 				WithField("tags", device.Tags).
 				WithField("prefix", tagEmailPrefix).
 				WithField("device", device.MachineName).
-				Warn("could extract user email tag, using fallback Slack user")
+				Warn("could not extract Falcon email tag from host, using fallback")
 
 			userEmail = config.Slack.SecurityUser
 		}
@@ -278,7 +300,5 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 		results[userEmail] = user
 	}
 
-	logrus.Debugf("%+v", results)
-
 	return results, nil
 }