k8s: Validate API server auditing flags
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.16 - 1.1.18).
Issue-ID: SECCOM-235
Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index 23465d6..7468bc4 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -67,4 +67,7 @@
log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams))
+ log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogPathSet(k8sParams))
+ log.Printf("IsAuditLogMaxBackupValid: %t\n", master.IsAuditLogPathSet(k8sParams))
+ log.Printf("IsAuditLogMaxSizeValid: %t\n", master.IsAuditLogPathSet(k8sParams))
}
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index a316bbc..ca517c1 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -9,6 +9,10 @@
portDisabled = 0
portLowest = 1
portHighest = 65536
+
+ auditLogAge = 30
+ auditLogBackups = 10
+ auditLogSize = 100
)
// IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -272,3 +276,37 @@
}
return true
}
+
+// IsAuditLogMaxAgeValid validates audit log age is set and it has recommended value.
+func IsAuditLogMaxAgeValid(params []string) bool {
+ return hasSingleFlagRecommendedNumericArgument("--audit-log-maxage", auditLogAge, params)
+}
+
+// IsAuditLogMaxBackupValid validates audit log age is set and it has recommended value.
+func IsAuditLogMaxBackupValid(params []string) bool {
+ return hasSingleFlagRecommendedNumericArgument("--audit-log-maxbackup", auditLogBackups, params)
+}
+
+// IsAuditLogMaxSizeValid validates audit log age is set and it has recommended value.
+func IsAuditLogMaxSizeValid(params []string) bool {
+ return hasSingleFlagRecommendedNumericArgument("--audit-log-maxsize", auditLogSize, params)
+}
+
+// hasSingleFlagRecommendedNumericArgument checks whether selected flag was used once and has
+// an argument that is greater or equal than the recommended value for given command.
+func hasSingleFlagRecommendedNumericArgument(flag string, recommendation int, params []string) bool {
+ found := filterFlags(params, flag)
+ if len(found) != 1 {
+ return false
+ }
+
+ _, value := splitKV(found[0], "=")
+ arg, err := strconv.Atoi(value) // what about empty parameter?
+ if err != nil {
+ return false
+ }
+ if arg < recommendation {
+ return false
+ }
+ return true
+}
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index ba72c33..23c2838 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -25,6 +25,9 @@
"PodSecurityPolicy,NodeRestriction,EventRateLimit",
"--authorization-mode=RBAC",
"--audit-log-path=/var/log/apiserver/audit.log",
+ "--audit-log-maxage=30",
+ "--audit-log-maxbackup=10",
+ "--audit-log-maxsize=100",
}
// kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -236,6 +239,44 @@
)
})
+ Describe("Numeric flags", func() {
+ DescribeTable("Audit log age",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogMaxAgeValid(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-maxage="}, false),
+ Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxage=5"}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Audit log backups",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogMaxBackupValid(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-maxbackup="}, false),
+ Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxbackup=2"}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Audit log size",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogMaxSizeValid(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-maxsize="}, false),
+ Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxsize=5"}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ })
+
Describe("Argument list flags", func() {
DescribeTable("AlwaysAdmit admission control plugin",
func(params []string, expected bool) {