From 2055f0878a7841f7d07eda60eac10034c4b22215 Mon Sep 17 00:00:00 2001 From: Pawel Wieczorek Date: Tue, 17 Sep 2019 18:47:43 +0200 Subject: k8s: Validate API server auditing flags This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.16 - 1.1.18). Issue-ID: SECCOM-235 Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36 Signed-off-by: Pawel Wieczorek --- test/security/k8s/src/check/cmd/check/check.go | 3 ++ .../k8s/src/check/validators/master/api.go | 38 ++++++++++++++++++++ .../k8s/src/check/validators/master/api_test.go | 41 ++++++++++++++++++++++ 3 files changed, 82 insertions(+) (limited to 'test/security/k8s') diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index 23465d66a..7468bc443 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -67,4 +67,7 @@ func main() { log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams)) log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams)) + log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogPathSet(k8sParams)) + log.Printf("IsAuditLogMaxBackupValid: %t\n", master.IsAuditLogPathSet(k8sParams)) + log.Printf("IsAuditLogMaxSizeValid: %t\n", master.IsAuditLogPathSet(k8sParams)) } diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index a316bbc00..ca517c1ec 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -9,6 +9,10 @@ const ( portDisabled = 0 portLowest = 1 portHighest = 65536 + + auditLogAge = 30 + auditLogBackups = 10 + auditLogSize = 100 ) // IsBasicAuthFileAbsent validates there is no basic authentication file specified. @@ -272,3 +276,37 @@ func hasSingleFlagNonemptyArgument(flag string, params []string) bool { } return true } + +// IsAuditLogMaxAgeValid validates audit log age is set and it has recommended value. +func IsAuditLogMaxAgeValid(params []string) bool { + return hasSingleFlagRecommendedNumericArgument("--audit-log-maxage", auditLogAge, params) +} + +// IsAuditLogMaxBackupValid validates audit log age is set and it has recommended value. +func IsAuditLogMaxBackupValid(params []string) bool { + return hasSingleFlagRecommendedNumericArgument("--audit-log-maxbackup", auditLogBackups, params) +} + +// IsAuditLogMaxSizeValid validates audit log age is set and it has recommended value. +func IsAuditLogMaxSizeValid(params []string) bool { + return hasSingleFlagRecommendedNumericArgument("--audit-log-maxsize", auditLogSize, params) +} + +// hasSingleFlagRecommendedNumericArgument checks whether selected flag was used once and has +// an argument that is greater or equal than the recommended value for given command. +func hasSingleFlagRecommendedNumericArgument(flag string, recommendation int, params []string) bool { + found := filterFlags(params, flag) + if len(found) != 1 { + return false + } + + _, value := splitKV(found[0], "=") + arg, err := strconv.Atoi(value) // what about empty parameter? + if err != nil { + return false + } + if arg < recommendation { + return false + } + return true +} diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go index ba72c33df..23c2838aa 100644 --- a/test/security/k8s/src/check/validators/master/api_test.go +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -25,6 +25,9 @@ var _ = Describe("Api", func() { "PodSecurityPolicy,NodeRestriction,EventRateLimit", "--authorization-mode=RBAC", "--audit-log-path=/var/log/apiserver/audit.log", + "--audit-log-maxage=30", + "--audit-log-maxbackup=10", + "--audit-log-maxsize=100", } // kubeApiServerCasablanca was obtained from virtual environment for testing @@ -236,6 +239,44 @@ var _ = Describe("Api", func() { ) }) + Describe("Numeric flags", func() { + DescribeTable("Audit log age", + func(params []string, expected bool) { + Expect(IsAuditLogMaxAgeValid(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--audit-log-maxage="}, false), + Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxage=5"}, false), + Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), + Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + + DescribeTable("Audit log backups", + func(params []string, expected bool) { + Expect(IsAuditLogMaxBackupValid(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--audit-log-maxbackup="}, false), + Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxbackup=2"}, false), + Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), + Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + + DescribeTable("Audit log size", + func(params []string, expected bool) { + Expect(IsAuditLogMaxSizeValid(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--audit-log-maxsize="}, false), + Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxsize=5"}, false), + Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), + Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + }) + Describe("Argument list flags", func() { DescribeTable("AlwaysAdmit admission control plugin", func(params []string, expected bool) { -- cgit 1.2.3-korg