2017-05-26 09:25:29 +00:00
|
|
|
---
|
|
|
|
controls:
|
|
|
|
id: 1
|
2020-12-24 14:38:22 +00:00
|
|
|
text: "Test Checks"
|
2017-05-26 09:25:29 +00:00
|
|
|
type: "master"
|
|
|
|
groups:
|
|
|
|
- id: 1.1
|
2020-12-24 14:38:22 +00:00
|
|
|
text: "First Group"
|
2017-05-26 09:25:29 +00:00
|
|
|
checks:
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 0
|
|
|
|
text: "flag is set"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2017-08-12 18:54:33 +00:00
|
|
|
- flag: "--allow-privileged"
|
2017-05-26 09:25:29 +00:00
|
|
|
set: true
|
|
|
|
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 1
|
|
|
|
text: "flag is not set"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
2018-07-30 12:16:28 +00:00
|
|
|
test_items:
|
2017-08-12 18:54:33 +00:00
|
|
|
- flag: "--basic-auth"
|
2017-05-26 09:25:29 +00:00
|
|
|
set: false
|
|
|
|
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 2
|
|
|
|
text: "flag value is set to some value"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2017-08-12 18:54:33 +00:00
|
|
|
- flag: "--insecure-port"
|
2017-05-26 09:25:29 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
set: true
|
|
|
|
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 3
|
|
|
|
text: "flag value is greater than or equal some number"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2017-08-12 18:54:33 +00:00
|
|
|
- flag: "--audit-log-maxage"
|
2017-05-26 09:25:29 +00:00
|
|
|
compare:
|
|
|
|
op: gte
|
|
|
|
value: 30
|
|
|
|
set: true
|
|
|
|
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 4
|
|
|
|
text: "flag value is less than some number"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--max-backlog"
|
|
|
|
compare:
|
|
|
|
op: lt
|
|
|
|
value: 30
|
|
|
|
set: true
|
|
|
|
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 5
|
|
|
|
text: "flag value does not have some value"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2017-08-12 18:54:33 +00:00
|
|
|
- flag: "--admission-control"
|
2017-05-26 09:25:29 +00:00
|
|
|
compare:
|
|
|
|
op: nothave
|
|
|
|
value: AlwaysAdmit
|
|
|
|
set: true
|
|
|
|
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 6
|
|
|
|
text: "test AND binary operation"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
bin_op: and
|
|
|
|
test_items:
|
|
|
|
- flag: "--kubelet-client-certificate"
|
|
|
|
set: true
|
|
|
|
- flag: "--kubelet-clientkey"
|
|
|
|
set: true
|
|
|
|
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 7
|
|
|
|
text: "test OR binary operation"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
2017-08-12 18:54:33 +00:00
|
|
|
- flag: "--secure-port"
|
2017-05-26 09:25:29 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
set: true
|
|
|
|
-
|
|
|
|
flag: "--secure-port"
|
|
|
|
set: false
|
|
|
|
|
2017-08-12 18:54:33 +00:00
|
|
|
- id: 8
|
|
|
|
text: "test flag with arbitrary text"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-05-26 09:25:29 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2020-12-24 14:38:22 +00:00
|
|
|
- flag: "permissions"
|
2017-07-24 17:30:13 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
2020-12-24 14:38:22 +00:00
|
|
|
value: "SomeValue"
|
2017-07-24 17:30:13 +00:00
|
|
|
set: true
|
2017-08-15 17:34:07 +00:00
|
|
|
|
|
|
|
- id: 9
|
|
|
|
text: "test permissions"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "/bin/sh -c 'if test -e $config; then stat -c permissions=%a $config; fi'"
|
2017-08-15 17:34:07 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2020-12-24 14:38:22 +00:00
|
|
|
- flag: "permissions"
|
2017-08-15 17:34:07 +00:00
|
|
|
compare:
|
2020-12-24 14:38:22 +00:00
|
|
|
op: bitmask
|
2017-08-15 17:34:07 +00:00
|
|
|
value: "644"
|
|
|
|
set: true
|
2017-09-13 14:32:33 +00:00
|
|
|
|
|
|
|
- id: 10
|
|
|
|
text: "flag value includes some value in a comma-separated list, value is last in list"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-09-13 14:32:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: RBAC
|
|
|
|
set: true
|
|
|
|
|
|
|
|
- id: 11
|
|
|
|
text: "flag value includes some value in a comma-separated list, value is first in list"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-09-13 14:32:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: WebHook
|
|
|
|
set: true
|
|
|
|
|
|
|
|
- id: 12
|
|
|
|
text: "flag value includes some value in a comma-separated list, value middle of list"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-09-13 14:32:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: Something
|
|
|
|
set: true
|
|
|
|
|
|
|
|
- id: 13
|
|
|
|
text: "flag value includes some value in a comma-separated list, value only one in list"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2017-09-13 14:32:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--admission-control"
|
|
|
|
compare:
|
|
|
|
op: has
|
|
|
|
value: Something
|
|
|
|
set: true
|
|
|
|
|
2019-03-11 18:05:33 +00:00
|
|
|
- id: 14
|
2019-04-10 22:47:26 +00:00
|
|
|
text: "check that flag some-arg is set to some-val with ':' separator"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2019-04-10 22:47:26 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "some-arg"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: some-val
|
|
|
|
set: true
|
2020-08-12 13:32:42 +00:00
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 15
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "jsonpath correct value on field"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
2020-12-24 14:38:22 +00:00
|
|
|
bin_op: or
|
2019-03-11 18:05:33 +00:00
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.readOnlyPort}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 15000
|
|
|
|
set: true
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.readOnlyPort}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: gte
|
|
|
|
value: 15000
|
|
|
|
set: true
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.readOnlyPort}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: lte
|
|
|
|
value: 15000
|
|
|
|
set: true
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 16
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "jsonpath correct case-sensitive value on string field"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.stringValue}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: noteq
|
|
|
|
value: "None"
|
|
|
|
set: true
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.stringValue}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: noteq
|
|
|
|
value: "webhook,Something,RBAC"
|
|
|
|
set: true
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.stringValue}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "WebHook,Something,RBAC"
|
|
|
|
set: true
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 17
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "jsonpath correct value on boolean field"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.trueValue}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: noteq
|
|
|
|
value: somethingElse
|
|
|
|
set: true
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.trueValue}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: noteq
|
|
|
|
value: false
|
|
|
|
set: true
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.trueValue}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
set: true
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 18
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "jsonpath field absent"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.notARealField}"
|
2019-03-11 18:05:33 +00:00
|
|
|
set: false
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 19
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "jsonpath correct value on nested field"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.authentication.anonymous.enabled}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "false"
|
|
|
|
set: true
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 20
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "yamlpath correct value on field"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.readOnlyPort}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: gt
|
|
|
|
value: 14999
|
|
|
|
set: true
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 21
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "yamlpath field absent"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.fieldThatIsUnset}"
|
2019-03-11 18:05:33 +00:00
|
|
|
set: false
|
2017-09-13 14:32:33 +00:00
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 22
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "yamlpath correct value on nested field"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.authentication.anonymous.enabled}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "false"
|
|
|
|
set: true
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 23
|
2019-04-11 16:09:33 +00:00
|
|
|
text: "path on invalid json"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.authentication.anonymous.enabled}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "false"
|
|
|
|
set: true
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 24
|
2019-04-11 16:09:33 +00:00
|
|
|
text: "path with broken expression"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2020-12-24 14:38:22 +00:00
|
|
|
- path: "{.missingClosingBrace}"
|
2019-03-11 18:05:33 +00:00
|
|
|
set: true
|
|
|
|
|
2019-04-11 09:03:07 +00:00
|
|
|
- id: 25
|
2019-03-11 18:05:33 +00:00
|
|
|
text: "yamlpath on invalid yaml"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2019-03-11 18:05:33 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
2019-04-11 16:09:33 +00:00
|
|
|
- path: "{.authentication.anonymous.enabled}"
|
2019-03-11 18:05:33 +00:00
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "false"
|
|
|
|
set: true
|
2019-06-05 11:23:59 +00:00
|
|
|
|
|
|
|
- id: 26
|
|
|
|
text: "check regex op matches"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
|
|
|
audit_config: "echo \"Non empty command\""
|
2019-06-05 11:23:59 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- path: "{.currentMasterVersion}"
|
|
|
|
compare:
|
|
|
|
op: regex
|
|
|
|
value: '^1\.12.*$'
|
|
|
|
set: true
|
2019-10-14 14:37:10 +00:00
|
|
|
|
2020-03-03 16:54:38 +00:00
|
|
|
- id: 27
|
|
|
|
text: "check boolean flag with no value"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2020-03-03 16:54:38 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--peer-client-cert-auth"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: true
|
|
|
|
set: true
|
|
|
|
|
|
|
|
- id: 28
|
|
|
|
text: "check boolean flag with false value"
|
2020-12-24 14:38:22 +00:00
|
|
|
audit: "echo \"Non empty command\""
|
2020-03-03 16:54:38 +00:00
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--peer-client-cert-auth"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: false
|
|
|
|
set: true
|
2020-12-21 11:18:54 +00:00
|
|
|
- id: 29
|
|
|
|
text: "flag is set (via env)"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--allow-privileged"
|
|
|
|
env: "ALLOW_PRIVILEGED"
|
|
|
|
set: true
|
|
|
|
|
|
|
|
- id: 30
|
|
|
|
text: "flag is not set (via env)"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--basic-auth"
|
|
|
|
env: "BASIC_AUTH"
|
|
|
|
set: false
|
|
|
|
|
|
|
|
- id: 31
|
|
|
|
text: "flag value is set to some value (via env)"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--insecure-port"
|
|
|
|
env: "INSECURE_PORT"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
set: true
|
|
|
|
|
|
|
|
- id: 32
|
|
|
|
text: "flag value is greater than or equal some number (via env)"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "--audit-log-maxage"
|
|
|
|
env: "AUDIT_LOG_MAXAGE"
|
|
|
|
compare:
|
|
|
|
op: gte
|
|
|
|
value: 30
|
|
|
|
set: true
|
|
|
|
|
|
|
|
- id: 33
|
|
|
|
text: "flag value is less than some number (via env)"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- env: "MAX_BACKLOG"
|
|
|
|
compare:
|
|
|
|
op: lt
|
|
|
|
value: 30
|
|
|
|
set: true
|
2020-03-03 16:54:38 +00:00
|
|
|
|
2019-10-14 14:37:10 +00:00
|
|
|
- id: 2.1
|
|
|
|
text: "audit and audit_config commands"
|
|
|
|
checks:
|
|
|
|
- id: 0
|
|
|
|
text: "audit finds flag and passes, audit_config doesn't exist -> pass"
|
|
|
|
audit: "echo flag=correct"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 1
|
|
|
|
text: "audit finds flag and fails, audit_config doesn't exist -> fail"
|
|
|
|
audit: "echo flag=wrong"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 2
|
|
|
|
text: "audit doesn't find flag, audit_config doesn't exist -> fail"
|
|
|
|
audit: "echo somethingElse=correct"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 3
|
|
|
|
text: "audit doesn't find flag, audit_config has correct setting -> pass"
|
|
|
|
audit: "echo somethingElse=correct"
|
|
|
|
audit_config: "echo 'flag: correct'"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 4
|
|
|
|
text: "audit doesn't find flag, audit_config has wrong setting -> fail"
|
|
|
|
audit: "echo somethingElse=correct"
|
|
|
|
audit_config: "echo 'flag: wrong'"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 5
|
|
|
|
text: "audit finds correct flag, audit_config has wrong setting -> pass"
|
|
|
|
audit: "echo flag=correct"
|
|
|
|
audit_config: "echo 'flag: wrong'"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 6
|
|
|
|
text: "neither audit nor audit_config has correct setting -> fail"
|
|
|
|
audit: "echo flag=wrong"
|
|
|
|
audit_config: "echo 'flag: wrong'"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 7
|
|
|
|
text: "audit isn't present, superfluous flag field,audit_config is correct -> pass"
|
|
|
|
audit_config: "echo 'flag: correct'"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 8
|
|
|
|
text: "audit isn't present, superfluous flag field,audit_config is wrong -> fail"
|
|
|
|
audit_config: "echo 'flag: wrong'"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
2020-08-03 07:31:54 +00:00
|
|
|
- id: 9
|
|
|
|
text: "test use_multiple_values is correct -> pass"
|
|
|
|
audit: "printf 'permissions=600\npermissions=600\npermissions=600'"
|
|
|
|
use_multiple_values: true
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "permissions"
|
|
|
|
compare:
|
|
|
|
op: bitmask
|
|
|
|
value: "600"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 10
|
|
|
|
text: "test use_multiple_values is wrong -> fail"
|
|
|
|
audit: "printf 'permissions=600\npermissions=600\npermissions=644'"
|
|
|
|
use_multiple_values: true
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "permissions"
|
|
|
|
compare:
|
|
|
|
op: bitmask
|
|
|
|
value: "600"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 11
|
|
|
|
text: "test use_multiple_values include empty value -> fail"
|
|
|
|
audit: "printf 'permissions=600\n\npermissions=600'"
|
|
|
|
use_multiple_values: true
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "permissions"
|
|
|
|
compare:
|
|
|
|
op: bitmask
|
|
|
|
value: "600"
|
|
|
|
set: true
|
|
|
|
scored: true
|
2020-08-12 13:32:42 +00:00
|
|
|
- id: 12
|
|
|
|
text: "audit is present and wrong, audit_config is right -> fail (command line parameters override config file)"
|
|
|
|
audit: "echo flag=wrong"
|
|
|
|
audit_config: "echo 'flag: correct'"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 13
|
|
|
|
text: "parameter and config file don't have same default - parameter has failing value"
|
|
|
|
audit: "echo '--read-only-port=1'"
|
|
|
|
audit_config: "echo 'readOnlyPort: 0'"
|
|
|
|
tests:
|
|
|
|
bin_op: and
|
|
|
|
test_items:
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
path: "{.readOnlyPort}"
|
|
|
|
set: true
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
path: '{.readOnlyPort}'
|
|
|
|
set: false
|
|
|
|
scored: true
|
|
|
|
- id: 14
|
|
|
|
text: "parameter and config file don't have same default - config file has failing value"
|
|
|
|
audit: "echo ''"
|
|
|
|
audit_config: "echo 'readOnlyPort: 1'"
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
path: '{.readOnlyPort}'
|
|
|
|
set: true
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
path: '{.readOnlyPort}'
|
|
|
|
set: false
|
|
|
|
scored: true
|
|
|
|
- id: 15
|
|
|
|
text: "parameter and config file don't have same default - passing"
|
|
|
|
audit: "echo ''"
|
|
|
|
audit_config: "echo ''"
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
path: '{.readOnlyPort}'
|
|
|
|
set: true
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
path: '{.readOnlyPort}'
|
|
|
|
set: false
|
|
|
|
scored: true
|
2020-12-24 14:38:22 +00:00
|
|
|
- id: 16
|
2020-08-12 13:32:42 +00:00
|
|
|
text: "parameter and config file don't have same default - parameter has bad value and config is not present - failing"
|
|
|
|
audit: "echo '--read-only-port=1'"
|
|
|
|
audit_config: "echo ''"
|
|
|
|
tests:
|
|
|
|
bin_op: or
|
|
|
|
test_items:
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
path: '{.readOnlyPort}'
|
|
|
|
set: true
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: 0
|
|
|
|
- flag: "--read-only-port"
|
|
|
|
path: '{.readOnlyPort}'
|
|
|
|
set: false
|
|
|
|
scored: true
|
2020-12-21 11:18:54 +00:00
|
|
|
|
|
|
|
- id: 3.1
|
|
|
|
text: "audit_env commands"
|
|
|
|
checks:
|
|
|
|
- id: 0
|
|
|
|
text: "audit fails to find flag, audit_env finds flag -> pass"
|
|
|
|
audit: "echo in=incorrect"
|
|
|
|
audit_env: "echo flag=correct"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
env: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 1
|
|
|
|
text: "audit fails to find flag, audit_env finds flag and fails -> fail"
|
|
|
|
audit: "echo in=wrong"
|
|
|
|
audit_env: "echo flag=wrong"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
env: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 2
|
|
|
|
text: "audit finds correct flag, audit_env is incorrect -> pass"
|
|
|
|
audit: "echo flag=correct"
|
|
|
|
audit_env: "echo flag=incorrect"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
env: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 3
|
|
|
|
text: "audit doesn't flag flag, audit_config finds it and passes, audit_env is not present -> pass"
|
|
|
|
audit: "echo in=correct"
|
|
|
|
audit_config: "echo 'flag: correct'"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 4
|
|
|
|
text: "audit doesn't flag flag, audit_config doesn't find flag, audit_env finds and passes -> pass"
|
|
|
|
audit: "echo in=correct"
|
|
|
|
audit_config: "echo 'in: correct'"
|
|
|
|
audit_env: "echo flag=correct"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
env: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 5
|
|
|
|
text: "audit doesn't find flag, audit_config doesn't find flag, audit_env finds and fails -> fails"
|
|
|
|
audit: "echo in=correct"
|
|
|
|
audit_config: "echo 'in: correct'"
|
|
|
|
audit_env: "echo flag=incorrect"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
env: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|
|
|
|
- id: 6
|
|
|
|
text: "audit finds flag and fails, audit_config finds flag and fails, audit_env finds and passes -> fails"
|
|
|
|
audit: "echo flag=incorrect"
|
|
|
|
audit_config: "echo 'flag: incorrect'"
|
|
|
|
audit_env: "echo flag=correct"
|
|
|
|
tests:
|
|
|
|
test_items:
|
|
|
|
- flag: "flag"
|
|
|
|
path: "{.flag}"
|
|
|
|
env: "flag"
|
|
|
|
compare:
|
|
|
|
op: eq
|
|
|
|
value: "correct"
|
|
|
|
set: true
|
|
|
|
scored: true
|