From 2055f0878a7841f7d07eda60eac10034c4b22215 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek <p.wieczorek2@samsung.com>
Date: Tue, 17 Sep 2019 18:47:43 +0200
Subject: k8s: Validate API server auditing flags

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.16 - 1.1.18).

Issue-ID: SECCOM-235
Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
---
 .../k8s/src/check/validators/master/api.go         | 38 ++++++++++++++++++++
 .../k8s/src/check/validators/master/api_test.go    | 41 ++++++++++++++++++++++
 2 files changed, 79 insertions(+)

(limited to 'test/security/k8s/src/check/validators')

diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index a316bbc00..ca517c1ec 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -9,6 +9,10 @@ const (
 	portDisabled = 0
 	portLowest   = 1
 	portHighest  = 65536
+
+	auditLogAge     = 30
+	auditLogBackups = 10
+	auditLogSize    = 100
 )
 
 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -272,3 +276,37 @@ func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
 	}
 	return true
 }
+
+// IsAuditLogMaxAgeValid validates audit log age is set and it has recommended value.
+func IsAuditLogMaxAgeValid(params []string) bool {
+	return hasSingleFlagRecommendedNumericArgument("--audit-log-maxage", auditLogAge, params)
+}
+
+// IsAuditLogMaxBackupValid validates audit log age is set and it has recommended value.
+func IsAuditLogMaxBackupValid(params []string) bool {
+	return hasSingleFlagRecommendedNumericArgument("--audit-log-maxbackup", auditLogBackups, params)
+}
+
+// IsAuditLogMaxSizeValid validates audit log age is set and it has recommended value.
+func IsAuditLogMaxSizeValid(params []string) bool {
+	return hasSingleFlagRecommendedNumericArgument("--audit-log-maxsize", auditLogSize, params)
+}
+
+// hasSingleFlagRecommendedNumericArgument checks whether selected flag was used once and has
+// an argument that is greater or equal than the recommended value for given command.
+func hasSingleFlagRecommendedNumericArgument(flag string, recommendation int, params []string) bool {
+	found := filterFlags(params, flag)
+	if len(found) != 1 {
+		return false
+	}
+
+	_, value := splitKV(found[0], "=")
+	arg, err := strconv.Atoi(value) // what about empty parameter?
+	if err != nil {
+		return false
+	}
+	if arg < recommendation {
+		return false
+	}
+	return true
+}
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index ba72c33df..23c2838aa 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -25,6 +25,9 @@ var _ = Describe("Api", func() {
 				"PodSecurityPolicy,NodeRestriction,EventRateLimit",
 			"--authorization-mode=RBAC",
 			"--audit-log-path=/var/log/apiserver/audit.log",
+			"--audit-log-maxage=30",
+			"--audit-log-maxbackup=10",
+			"--audit-log-maxsize=100",
 		}
 
 		// kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -236,6 +239,44 @@ var _ = Describe("Api", func() {
 		)
 	})
 
+	Describe("Numeric flags", func() {
+		DescribeTable("Audit log age",
+			func(params []string, expected bool) {
+				Expect(IsAuditLogMaxAgeValid(params)).To(Equal(expected))
+			},
+			Entry("Is absent on insecure cluster", []string{}, false),
+			Entry("Is empty on insecure cluster", []string{"--audit-log-maxage="}, false),
+			Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxage=5"}, false),
+			Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+			Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+
+		DescribeTable("Audit log backups",
+			func(params []string, expected bool) {
+				Expect(IsAuditLogMaxBackupValid(params)).To(Equal(expected))
+			},
+			Entry("Is absent on insecure cluster", []string{}, false),
+			Entry("Is empty on insecure cluster", []string{"--audit-log-maxbackup="}, false),
+			Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxbackup=2"}, false),
+			Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+			Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+
+		DescribeTable("Audit log size",
+			func(params []string, expected bool) {
+				Expect(IsAuditLogMaxSizeValid(params)).To(Equal(expected))
+			},
+			Entry("Is absent on insecure cluster", []string{}, false),
+			Entry("Is empty on insecure cluster", []string{"--audit-log-maxsize="}, false),
+			Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxsize=5"}, false),
+			Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+			Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+	})
+
 	Describe("Argument list flags", func() {
 		DescribeTable("AlwaysAdmit admission control plugin",
 			func(params []string, expected bool) {
-- 
cgit 1.2.3-korg