k8s: Validate API server auditing is enabled

This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.15).

Issue-ID: SECCOM-235
Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

3 files changed, 33 insertions, 0 deletions

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index c9b34aa42..23465d66a 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -65,4 +65,6 @@ func main() {
 	log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
 
 	log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
+
+	log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams))
 }
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 47a2a8e01..a316bbc00 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -253,3 +253,22 @@ func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
 	return isSingleFlagPresent("--authorization-mode=", params) &&
 		!hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
 }
+
+// IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument.
+func IsAuditLogPathSet(params []string) bool {
+	return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
+}
+
+// hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
+func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
+	found := filterFlags(params, flag)
+	if len(found) != 1 {
+		return false
+	}
+
+	_, value := splitKV(found[0], "=")
+	if value == "" {
+		return false
+	}
+	return true
+}
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index 01f1824b0..ba72c33df 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -24,6 +24,7 @@ var _ = Describe("Api", func() {
 				"ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
 				"PodSecurityPolicy,NodeRestriction,EventRateLimit",
 			"--authorization-mode=RBAC",
+			"--audit-log-path=/var/log/apiserver/audit.log",
 		}
 
 		// kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -189,6 +190,17 @@ var _ = Describe("Api", func() {
 			Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
 			Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
 		)
+
+		DescribeTable("Audit log path",
+			func(params []string, expected bool) {
+				Expect(IsAuditLogPathSet(params)).To(Equal(expected))
+			},
+			Entry("Is absent on insecure cluster", []string{}, false),
+			Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
+			Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+			Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
 	})
 
 	Describe("Address and port flags", func() {