diff --git a/check/data b/check/data
index 8e03efa..73575b3 100644
--- a/check/data
+++ b/check/data
@@ -7,59 +7,42 @@ groups: - id: 1.1 text: "Kube-apiserver" checks: - - id: 1.1.1 - text: "Ensure that the --allow-privileged argument is set (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 0 + text: "flag is set" tests: test_items: - - - flag: "--allow-privileged" + - flag: "--allow-privileged" set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.2 - text: "Ensure that the --basic-auth argument is not set (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 1 + text: "flag is not set" tests: test_item: - - - flag: "--basic-auth" + - flag: "--basic-auth" set: false - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.3 - text: "Ensure that the --insecure-port argument is set to 0 (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 2 + text: "flag value is set to some value" tests: test_items: - - - flag: "--insecure-port" + - flag: "--insecure-port" compare: op: eq value: 0 set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.4 - text: "Ensure that the --audit-log-maxage argument is set to 30 or appropriate (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 3 + text: "flag value is greater than or equal some number" tests: test_items: - - - flag: "--audit-log-maxage" + - flag: "--audit-log-maxage" compare: op: gte value: 30 set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.5 - text: "Ensure that the --max-backlog argument is set to 30 or less (Scored)" - audit: "ps -ef | grep kube-apiserver | 
grep -v grep" + - id: 4 + text: "flag value is less than some number" tests: test_items: - flag: "--max-backlog" @@ -67,26 +50,19 @@ groups: op: lt value: 30 set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.6 - text: "Ensure admission control does not include AlwaysAdmit (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 5 + text: "flag value does not have some value" tests: test_items: - - - flag: "--admission-control" + - flag: "--admission-control" compare: op: nothave value: AlwaysAdmit set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.7 - text: "Ensure that the --kubelet-client-certificate and --kubelet-clientkey arguments are set as appropriate (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 6 + text: "test AND binary operation" tests: bin_op: and test_items: @@ -94,17 +70,13 @@ groups: set: true - flag: "--kubelet-clientkey" set: true - remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'" - scored: true - - id: 1.1.8 - text: "Ensure that the --secure-port argument is not set to 0 (Scored)" - audit: "ps -ef | grep kube-apiserver | grep -v grep" + - id: 7 + text: "test OR binary operation" tests: bin_op: or test_items: - - - flag: "--secure-port" + - flag: "--secure-port" compare: op: eq value: 0 
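Review bot: The "flag is not set" check (`id: 1`) keeps the key `test_item:` while every other check in this hunk uses `test_items:`; if the Go struct field is tagged `test_items` (not visible here), that check loads with no test items and the `--basic-auth` negative case is never actually exercised, so TestTestExecute passes it vacuously. Change the key to `test_items:`. The stray `- - - flag:` lines this hunk replaces suggest the fixture was hand-edited, so decoding the test data with a strict unmarshal that rejects unknown keys would catch this class of typo at load time rather than silently.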
@@ -112,28 +84,13 @@ groups: - flag: "--secure-port" set: false - remediation: "Edit the /etc/kubernetes/apiserver file on the master node and either remove the -secure-port argument from the KUBE_API_ARGS parameter or set it to a different desired port." - scored: true - - id: 1.4.1 - text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" - audit: "stat -c %a /etc/kubernetes/apiserver" + - id: 8 + text: "test flag with arbitrary text" tests: test_items: - flag: "644" - set: true - remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver" - scored: true - - - id: 2.1.14 - text: "Ensure that the apiserver file permissions are set to 644 or more restrictive (Scored)" - audit: "ps -ef | grep kubelet | grep -v grep" - tests: - test_items: - - flag: "KubeletClient" compare: op: eq - value: true + value: "644" set: true - remediation: "Run the below command (based on the file location on your system) on the master node. For example, chmod 644 /etc/kubernetes/apiserver" - scored: true diff --git a/check/test_test.go b/check/test_test.go index 7fc5832..f605309 100644 --- a/check/test_test.go +++ b/check/test_test.go @@ -16,6 +16,8 @@ package check import ( "io/ioutil" + "os" + "strings" "testing" ) 
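Review bot: Removing check `2.1.14` (the `KubeletClient` item matched inside a comma-separated `--features-gates` value) together with the two `Checks[9]` cases in check/test_test.go leaves the comma-separated flag-value path of `execute` with no test at all, if that path still exists in the implementation (not visible in this diff). If the case was dropped only because the check identifiers were renumbered, add it back as `id: 9` with `text: "flag value is comma-separated"` so the behaviour stays covered. The new check `id: 8` is fine as written: `compare: op: eq value: "644"` now quotes the value, matching the quoted `flag: "644"`.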
@@ -30,79 +32,66 @@ func init() {
 	if err != nil {
 		panic("Failed reading test data: " + err.Error())
 	}
-	controls, err = NewControls(MASTER, in)
+
+	// substitute variables in data file
+	user := os.Getenv("USER")
+	s := strings.Replace(string(in), "$user", user, -1)
+
+	controls, err = NewControls(MASTER, []byte(s))
+	// controls, err = NewControls(MASTER, in)
 	if err != nil {
 		panic("Failed creating test controls: " + err.Error())
 	}
 }
 func TestTestExecute(t *testing.T) {
+
 	cases := []struct {
-		*tests
-		testfor string
-		str string
+		*Check
+		str string
 	}{
 		{
-			controls.Groups[0].Checks[0].Tests,
-			"flag set",
+			controls.Groups[0].Checks[0],
 			"2:45 ../kubernetes/kube-apiserver --allow-privileged=false --option1=20,30,40",
 		},
 		{
-			controls.Groups[0].Checks[1].Tests,
-			"flag not set",
+			controls.Groups[0].Checks[1],
 			"2:45 ../kubernetes/kube-apiserver --allow-privileged=false",
 		},
 		{
-			controls.Groups[0].Checks[2].Tests,
-			"flag and value set",
+			controls.Groups[0].Checks[2],
 			"niinai 13617 2635 99 19:26 pts/20 00:03:08 ./kube-apiserver --insecure-port=0 --anonymous-auth",
 		},
 		{
-			controls.Groups[0].Checks[3].Tests,
-			"flag value greater than value",
+			controls.Groups[0].Checks[3],
 			"2:45 ../kubernetes/kube-apiserver --secure-port=0 --audit-log-maxage=40 --option",
 		},
 		{
-			controls.Groups[0].Checks[4].Tests,
-			"flag value less than value",
+			controls.Groups[0].Checks[4],
 			"2:45 ../kubernetes/kube-apiserver --max-backlog=20 --secure-port=0 --audit-log-maxage=40 --option",
 		},
 		{
-			controls.Groups[0].Checks[5].Tests,
-			"flag value does not have",
+			controls.Groups[0].Checks[5],
 			"2:45 ../kubernetes/kube-apiserver --option --admission-control=WebHook,RBAC ---audit-log-maxage=40",
 		},
 		{
-			controls.Groups[0].Checks[6].Tests,
-			"AND multiple tests, all testitems pass",
+			controls.Groups[0].Checks[6],
 			"2:45 .. --kubelet-clientkey=foo --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
 		},
 		{
-			controls.Groups[0].Checks[7].Tests,
-			"OR multiple tests",
+			controls.Groups[0].Checks[7],
 			"2:45 .. --secure-port=0 --kubelet-client-certificate=bar --admission-control=Webhook,RBAC",
 		},
 		{
-			controls.Groups[0].Checks[8].Tests,
-			"text",
+			controls.Groups[0].Checks[8],
 			"644",
 		},
-		{
-			controls.Groups[0].Checks[9].Tests,
-			"flag value is comma-separated",
-			"2:35 ../kubelet --features-gates=KubeletClient=true,KubeletServer=true",
-		},
-		{
-			controls.Groups[0].Checks[9].Tests,
-			"flag value is comma-separated",
-			"2:35 ../kubelet --features-gates=KubeletServer=true,KubeletClient=true",
-		},
 	}
 	for _, c := range cases {
-		res := c.tests.execute(c.str)
+		res := c.Tests.execute(c.str)
 		if !res {
-			t.Errorf("%s, expected:%v, got:%v\n", c.testfor, true, res)
+			t.Errorf("%s, expected:%v, got:%v\n", c.Text, true, res)
 		}
 	}
 }
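Review bot: The `$user` substitution in init() takes `os.Getenv("USER")` unconditionally, so on a host where USER is unset (CI containers, Windows, which sets USERNAME instead) the placeholder silently becomes an empty string and the fixture's content changes meaning without any failure pointing at the cause; fail fast in the same style as the surrounding code: `if user == "" { panic("USER is not set; cannot substitute $user in test data") }`. Neither data hunk in this commit contains a `$user` placeholder, so either it lives in a part of check/data outside the diff or the substitution is currently a no-op — a one-line comment naming which fixture entry relies on it would help the next reader. The commented-out `// controls, err = NewControls(MASTER, in)` is dead code and should be dropped rather than left beside the live call.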