diff options
author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-17 18:47:43 +0200 |
---|---|---|
committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-19 15:14:01 +0200 |
commit | 2055f0878a7841f7d07eda60eac10034c4b22215 (patch) | |
tree | 2af33155397d2f067aff531f3e5ae3ec4002707f /test/security/k8s/src/check/validators/master/api.go | |
parent | 6c95c5ca28dd3f48a58dc11cc9c17fd8b4934881 (diff) |
k8s: Validate API server auditing flags
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.16 - 1.1.18).
Issue-ID: SECCOM-235
Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s/src/check/validators/master/api.go')
-rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index a316bbc00..ca517c1ec 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -9,6 +9,10 @@ const ( portDisabled = 0 portLowest = 1 portHighest = 65536 + + auditLogAge = 30 + auditLogBackups = 10 + auditLogSize = 100 ) // IsBasicAuthFileAbsent validates there is no basic authentication file specified. @@ -272,3 +276,37 @@ func hasSingleFlagNonemptyArgument(flag string, params []string) bool { } return true } + +// IsAuditLogMaxAgeValid validates audit log age is set and it has recommended value. +func IsAuditLogMaxAgeValid(params []string) bool { + return hasSingleFlagRecommendedNumericArgument("--audit-log-maxage", auditLogAge, params) +} + +// IsAuditLogMaxBackupValid validates audit log age is set and it has recommended value. +func IsAuditLogMaxBackupValid(params []string) bool { + return hasSingleFlagRecommendedNumericArgument("--audit-log-maxbackup", auditLogBackups, params) +} + +// IsAuditLogMaxSizeValid validates audit log age is set and it has recommended value. +func IsAuditLogMaxSizeValid(params []string) bool { + return hasSingleFlagRecommendedNumericArgument("--audit-log-maxsize", auditLogSize, params) +} + +// hasSingleFlagRecommendedNumericArgument checks whether selected flag was used once and has +// an argument that is greater or equal than the recommended value for given command. +func hasSingleFlagRecommendedNumericArgument(flag string, recommendation int, params []string) bool { + found := filterFlags(params, flag) + if len(found) != 1 { + return false + } + + _, value := splitKV(found[0], "=") + arg, err := strconv.Atoi(value) // what about empty parameter? + if err != nil { + return false + } + if arg < recommendation { + return false + } + return true +} |