feat(query): Added Audit Log Maxsize Not Properly Set for Kubernetes (C…

…heckmarx#5105) * + Audit Log Maxsize Not Properly Set * typo correction * correct positive_expected_result
jaevans · Apr 12, 2022 · 2558da6 · 2558da6
1 parent 6e6b3f2
commit 2558da6
Show file tree

Hide file tree

Showing 7 changed files with 119 additions and 0 deletions.
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/metadata.json
@@ -0,0 +1,10 @@
+{
+  "id": "35c0a471-f7c8-4993-aa2c-503a3c712a66",
+  "queryName": "Audit Log Maxsize Not Properly Set",
+  "severity": "LOW",
+  "category": "Observability",
+  "descriptionText": "When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes",
+  "descriptionUrl": "https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/",
+  "platform": "Kubernetes",
+  "descriptionID": "9609fc23"
+}
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/query.rego b/assets/queries/k8s/audit_log_maxsize_not_properly_set/query.rego
@@ -0,0 +1,43 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.k8s as k8sLib
+
+CxPolicy[result] {
+	resource := input.document[i]
+	metadata := resource.metadata
+	specInfo := k8sLib.getSpecInfo(resource)
+	types := {"initContainers", "containers"}
+	container := specInfo.spec[types[x]][j]
+	common_lib.inArray(container.command, "kube-apiserver")
+	k8sLib.startWithFlag(container, "--audit-log-maxsize")
+	not k8sLib.hasFlagEqualOrGreaterThanValue(container, "--audit-log-maxsize", 100)
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "--audit-log-maxsize flag should be set to 100 or more MegaBytes",
+		"keyActualValue": "--audit-log-maxsize flag is set to less than 100 MegaBytes",
+		"searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]),
+	}
+}
+
+CxPolicy[result] {
+	resource := input.document[i]
+	metadata := resource.metadata
+	specInfo := k8sLib.getSpecInfo(resource)
+	types := {"initContainers", "containers"}
+	container := specInfo.spec[types[x]][j]
+	common_lib.inArray(container.command, "kube-apiserver")
+	not k8sLib.startWithFlag(container, "--audit-log-maxsize")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("metadata.name={{%s}}.%s.%s.name={{%s}}.command", [metadata.name, specInfo.path, types[x], container.name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "--audit-log-maxsize flag should be defined and set to 100 or more MegaBytes",
+		"keyActualValue": "--audit-log-maxsize flag is not defined",
+		"searchLine": common_lib.build_search_line(split(specInfo.path, "."), [types[x], j, "command"]),
+	}
+}
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/negative1.yaml b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/negative1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--audit-log-maxsize=150"]
+  restartPolicy: OnFailure
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/negative2.yaml b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/negative2.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver","--audit-log-maxsize=100"]
+      args: []
+  restartPolicy: OnFailure
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive1.yaml b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: ["--audit-log-maxsize=50"]
+  restartPolicy: OnFailure
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive2.yaml b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive2.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: command-demo
+  labels:
+    purpose: demonstrate-command
+spec:
+  containers:
+    - name: command-demo-container
+      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+      command: ["kube-apiserver"]
+      args: []
+  restartPolicy: OnFailure
diff --git a/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json b/assets/queries/k8s/audit_log_maxsize_not_properly_set/test/positive_expected_result.json
@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Audit Log Maxsize Not Properly Set",
+		"severity": "LOW",
+		"line": 11,
+        "fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Audit Log Maxsize Not Properly Set",
+		"severity": "LOW",
+		"line": 11,
+        "fileName": "positive2.yaml"
+	}
+]