{input:"Replace $thisbin and $herebin",subst:map[string]string{"this":"that","here":"there"},exp:"Replace that and there"},
{input:"Replace $thisbin and $herebin",subst:map[string]string{"this":"that","here":"there"},exp:"Replace that and there", expectedSubs:[]string{"that","there"}},
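Review bot: the new `expectedSubs:[]string{"that","there"}` field on the added test case is an ordered slice, while `subst` is a `map[string]string`, and Go does not guarantee map iteration order. If the code under test collects the substitutions it made by ranging over that map, an ordered comparison against `expectedSubs` will fail intermittently; sort both slices before comparing, or compare them as sets. A second case in which only one of the two placeholders appears in `input` would also show that unused map entries are not reported.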
@ -150,8 +150,8 @@ pass a check. This criteria is made up of keywords extracted from the output of
the `audit` command and operations that compare these keywords against
the `audit` command and operations that compare these keywords against
values expected by the CIS Kubernetes Benchmark.
values expected by the CIS Kubernetes Benchmark.
There are two ways to extract keywords from the output of the `audit` command,
There are three ways to extract keywords from the output of the `audit` command,
`flag` and `path`.
`flag`, `path`, `env`.
`flag` is used when the keyword is a command-line flag. The associated `audit`
`flag` is used when the keyword is a command-line flag. The associated `audit`
command is usually a `ps` command and a `grep` for the binary whose flag we are
command is usually a `ps` command and a `grep` for the binary whose flag we are
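Review bot: the changed list line reads "`flag`, `path`, `env`." with no conjunction, although the sentence above it now announces "three ways"; write "`flag`, `path` and `env`." to keep the phrasing of the old "`flag` and `path`." line. The paragraph is being touched anyway, so "This criteria is made up" in the hunk context could become "These criteria are made up" in the same change.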
@ -186,6 +186,23 @@ tests:
# ...
# ...
```
```
`env` is used to check if the value is present within a specified environment variable. The presence of `env` is treated as an OR operation, if both `flag` and `env` are supplied it will use either to attempt pass the check.
The command used for checking the environment variables of a process **is generated by default**.
If the command being generated is causing errors, you can override the command used by setting `auditEnv` on the check.
Similarly, if you don't want the environment checking command to be generated or run at all, specify `disableEnvTesting` as true on the check.
The example below will check if the flag `--auto-tls` is equal to false *OR*`ETCD_AUTO_TLS` is equal to false
```yml
test_items:
- flag: "--auto-tls"
env: "ETCD_AUTO_TLS"
compare:
op: eq
value: false
```
`test_item` compares the output of the audit command and keywords using the
`test_item` compares the output of the audit command and keywords using the
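Review bot: the added `env` paragraph documents the OR behaviour but not the case where `flag` and `env` are both set to different values; as written, the check passes if either one matches, even when the other holds a failing value, and the docs should say so explicitly and state which source is expected to win for the process being audited. The paragraph also names `auditEnv` and `disableEnvTesting` without showing either in the YAML example or describing what output format an `auditEnv` override must produce, so a reader cannot write a working override from this text alone. Minor wording: "it will use either to attempt pass the check" is missing "to", and "*OR*`ETCD_AUTO_TLS`" needs a space after the emphasis and a full stop at the end of the sentence.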