{input:"Replace $thisbin and $herebin",subst:map[string]string{"this":"that","here":"there"},exp:"Replace that and there", expectedSubs:[]string{"that","there"}},
@ -150,8 +150,8 @@ pass a check. This criteria is made up of keywords extracted from the output of
the `audit` command and operations that compare these keywords against
values expected by the CIS Kubernetes Benchmark.
There are two ways to extract keywords from the output of the `audit` command,
`flag` and `path`.
There are three ways to extract keywords from the output of the `audit` command,
`flag`, `path`, `env`.
`flag` is used when the keyword is a command-line flag. The associated `audit`
command is usually a `ps` command and a `grep` for the binary whose flag we are
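Review bot: The replacement sentence lists the extraction methods as "`flag`, `path`, `env`" with no conjunction; it should read "`flag`, `path` and `env`". The unchanged context just above also has "This criteria is", which could be corrected to "These criteria are" while this paragraph is being edited.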
@ -186,6 +186,23 @@ tests:
# ...
```
`env` is used to check if the value is present within a specified environment variable. The presence of `env` is treated as an OR operation, if both `flag` and `env` are supplied it will use either to attempt pass the check.
The command used for checking the environment variables of a process **is generated by default**.
If the command being generated is causing errors, you can override the command used by setting `auditEnv` on the check.
Similarly, if you don't want the environment checking command to be generated or run at all, specify `disableEnvTesting` as true on the check.
The example below will check if the flag `--auto-tls` is equal to false *OR*`ETCD_AUTO_TLS` is equal to false
```yml
test_items:
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare:
op: eq
value: false
```
`test_item` compares the output of the audit command and keywords using the
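Review bot: The paragraph introducing `env` says that when both `flag` and `env` are supplied, either one can pass the check, but it does not say what happens when both are set on the process with different values. As written, a check could pass on the `ETCD_AUTO_TLS` value while `--auto-tls` on the command line says otherwise. Please document which source is evaluated first and whether a mismatch is reported. The text also says the environment-checking command "is generated by default" without showing the command, so a reader cannot tell what runs on the node or what to put in `auditEnv`; include the generated command and a short example for both `auditEnv` and `disableEnvTesting`. Minor wording: "attempt pass the check" should be "attempt to pass the check", "*OR*`ETCD_AUTO_TLS`" needs a space after "*OR*", and the sentence introducing the example needs a closing period.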