k8s: Validate API server auditing is enabled

This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.15).

Issue-ID: SECCOM-235
Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index c9b34aa..23465d6 100644 (file)
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -65,4 +65,6 @@ func main() {
        log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
 
        log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
+
+       log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams))
 }

diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 47a2a8e..a316bbc 100644 (file)
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -253,3 +253,22 @@ func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
        return isSingleFlagPresent("--authorization-mode=", params) &&
                !hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
 }
+
+// IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument.
+func IsAuditLogPathSet(params []string) bool {
+       return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
+}
+
+// hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
+func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
+       found := filterFlags(params, flag)
+       if len(found) != 1 {
+               return false
+       }
+
+       _, value := splitKV(found[0], "=")
+       if value == "" {
+               return false
+       }
+       return true
+}

diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index 01f1824..ba72c33 100644 (file)
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -24,6 +24,7 @@ var _ = Describe("Api", func() {
                                "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
                                "PodSecurityPolicy,NodeRestriction,EventRateLimit",
                        "--authorization-mode=RBAC",
+                       "--audit-log-path=/var/log/apiserver/audit.log",
                }
 
                // kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -189,6 +190,17 @@ var _ = Describe("Api", func() {
                        Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
                        Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
                )
+
+               DescribeTable("Audit log path",
+                       func(params []string, expected bool) {
+                               Expect(IsAuditLogPathSet(params)).To(Equal(expected))
+                       },
+                       Entry("Is absent on insecure cluster", []string{}, false),
+                       Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
+                       Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+                       Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+                       Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+               )
        })
 
        Describe("Address and port flags", func() {