Bloodhound: Add warning for 3.4.1.1 check fail in K8s

This test is expected to fail on Kubernetes variants as
Kubernetes needs the iptables rule -P FORWARD ACCEPT for its
operation and it is not recommended to modify this rule as it
could lead to adverse effects of service operation. This
rule exists in Bottlerocket because it is possible to run
Bottlerocket with default deny (on ECS for instance).

Author: vyaghras

sources/bloodhound/src/output.rs

@@ -43,7 +43,13 @@ impl ReportWriter for TextReportWriter {
         writeln!(output, "{:17}{}", "Skipped:", report.skipped)?;
         writeln!(output, "{:17}{}", "Total checks:", report.total)?;
         writeln!(output)?;
-        writeln!(output, "Compliance check result: {}", report.status)
+        if report.contain_known_fail_check("3.4.1.1".to_string()) {
+            writeln!(
+                output,
+                "\x1b[93m Check 3.4.1.1 fails in Kubernetes Variants due to a known issue(https://github.com/bottlerocket-os/bottlerocket-core-kit/issues/540 ). Please work with your auditor to log an exception.\x1b[0m"
+            )?;
+        }
+        writeln!(output, "Compliance check result: {} ", report.status)
     }
 }
 

sources/bloodhound/src/results.rs

@@ -180,4 +180,10 @@ impl ReportResults {
         self.results
             .insert(metadata.name.clone(), IndividualResult { metadata, result });
     }
+
+    pub fn contain_known_fail_check(&self, target_id: String) -> bool {
+        self.results.values().any(|result| {
+            result.metadata.id == target_id && result.result.status == CheckStatus::FAIL
+        })
+    }
 }