diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml new file mode 100644 index 000000000000..bc68010d3233 --- /dev/null +++ b/applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml @@ -0,0 +1,15 @@ +--- +# platform = multi_platform_ocp +# this remediation is the same as api_server_tls_security_profile_custom_min_tls_version +# and tls_version_check_apiserver +# if you change one, you should change the other two +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster +spec: + tlsSecurityProfile: + type: Custom + custom: + ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ] + minTLSVersion: {{ .var_tls_version_apiserver }} diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml index cb41de1fa050..788b32bacdfb 100644 --- a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml +++ b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml @@ -19,15 +19,7 @@ description: |- "servingInfo":{ ... "cipherSuites": [ - "TLS_AES_128_GCM_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + {{{ xccdf_value("var_apiserver_tls_cipher_suites") | indent(8) }}} ], ... 
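Review bot: The new remediation for `api_server_tls_cipher_suites` also forces `type: Custom` and rewrites `minTLSVersion` from `var_tls_version_apiserver`, which is more than this rule checks, and the identical 15-line manifest is pasted into two other rules with a comment asking maintainers to keep all three in sync by hand. If the build's Jinja helpers are usable in `kubernetes/shared.yml` (the rule description in the same change already uses `{{{ xccdf_value(...) }}}`), generate the manifest from one shared macro; otherwise at least state in this rule's description that applying its remediation also sets the minimum TLS version. Quote the templated scalar, `minTLSVersion: "{{ .var_tls_version_apiserver }}"`, so an unset variable renders an empty string rather than a YAML null.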
@@ -48,22 +40,14 @@ references: platform: not ocp4-on-hypershift-hosted -ocil_clause: 'cipherSuites is not configured, or contains ciphers (possibly insecure) other than TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, or TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 in servingInfo' +ocil_clause: 'cipherSuites is not configured, or contains ciphers (possibly insecure) other than {{ .var_apiserver_tls_cipher_suites }} in servingInfo' ocil: |- Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.servingInfo["cipherSuites"]'
Verify that the set of ciphers contains only the following:
-    "TLS_AES_128_GCM_SHA256",
-    "TLS_AES_256_GCM_SHA384",
-    "TLS_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+    {{.var_apiserver_tls_cipher_suites}}
     
warnings: @@ -81,7 +65,5 @@ template: entity_check: "all" filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} yamlpath: '.servingInfo.cipherSuites[:]' - values: - - value: 'TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' - operation: "pattern match" - type: "string" + regex_data: "true" + xccdf_variable: var_apiserver_tls_cipher_suites_regex diff --git a/applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml b/applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml index 9f14f075be33..488f4a9af5b4 100644 --- a/applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml +++ b/applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml @@ -1,9 +1,15 @@ +--- # platform = multi_platform_ocp +# this remediation is the same as api_server_tls_cipher_suites +# and tls_version_check_apiserver +# if you change one, you should change the other two apiVersion: config.openshift.io/v1 kind: APIServer metadata: - name: cluster + name: cluster spec: - tlsSecurityProfile: - Custom: - minTLSVersion: VersionTLS12 + tlsSecurityProfile: + type: Custom + custom: + ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ] + minTLSVersion: {{ .var_tls_version_apiserver }} diff --git a/applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/rule.yml b/applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/rule.yml index 3ce362e4447e..69345140d38b 100644 
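Review bot: The rewritten `ocil_clause` and `ocil` text substitute `{{ .var_apiserver_tls_cipher_suites }}`, while the `description` hunk of the same file uses `{{{ xccdf_value("var_apiserver_tls_cipher_suites") | indent(8) }}}`. If the `{{ .var }}` form is only expanded by the operator when it renders remediations and not by the content build, an assessor reading the OCIL will see the raw placeholder instead of the cipher list; use `{{{ xccdf_value("var_apiserver_tls_cipher_suites") }}}` in both places so the manual check always shows the value of the selected profile.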
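Review bot: `regex_data: "true"` is a quoted string in this template block, whereas every other `yamlfile_value` block in the change writes the bare boolean `regex_data: true`. Unless the template is known to coerce the string, a non-regex comparison of each `cipherSuites` entry against the whole alternation would silently fail every cluster; change it to `regex_data: true` for consistency with the other rules.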
--- a/applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/rule.yml +++ b/applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/rule.yml @@ -8,12 +8,13 @@ description: |- to be used while establishing connections with the externally exposed servers. Though secure transport mode is used for establishing connections, the protocols used may not always be strong enough to avoid interception and - manipulation of the data in transport. When Custom TLS Security profile is + manipulation of the data in transport. When Custom TLS Security profile is used it's always better to configure TLS version 1.2 or newer to avoid any security breaches. Update minTLSVersion configured in Custom tlsSecurityProfile using the following command: {{% raw %}}
oc patch apiservers.config.openshift.io cluster --type 'merge' --patch '{"spec":{"tlsSecurityProfile":{"custom":{"minTLSVersion":"VersionTLS12"}}}}'
{{% endraw %}} + Replace VersionTLS12 with the configured value {{ .var_tls_version_apiserver }} if necessary. For more information, follow OpenShift documentation: @@ -42,20 +43,18 @@ ocil: |- To check for the configured tlsSecurityProfile use below command: $ oc get apiservers.config.openshift.io cluster -o jsonpath='{.spec.tlsSecurityProfile.custom.minTLSVersion}{"\n"}' The output shows the minTLSVersion configured in Custom tlsSecurityProfile - for API Server, which should be TLSv1.2 or newer. + for API Server, which should be TLSv1.2 or newer. The current configured value is {{ .var_tls_version_apiserver }}. warnings: - general: |- {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(8) }}} template: -template: name: yamlfile_value - vars: + vars: ocp_data: "true" filepath: "/apis/config.openshift.io/v1/apiservers/cluster" yamlpath: ".spec.tlsSecurityProfile.custom.minTLSVersion" - check_existence: "any_exist" - values: - - value: "^(?!VersionTLS10|VersionTLS11)" - operation: "pattern match" + xccdf_variable: var_tls_version_apiserver_regex + regex_data: true + check_existence: "any_exist" \ No newline at end of file diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var new file mode 100644 index 000000000000..78b0d59016ba --- /dev/null +++ b/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var 
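Review bot: The `oc patch` shown in the description still sets only `custom.minTLSVersion`, while the remediation added in this change also sets `type: Custom` and a `custom.ciphers` list; if `spec.tlsSecurityProfile.type` is not already `Custom`, a patch of the `custom` stanza alone presumably has no effect on the served configuration. Make the manual step match the automated one, e.g. `--patch '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"minTLSVersion":"VersionTLS12"}}}}'`, and mention that the automated remediation additionally writes the cipher list from `var_apiserver_tls_cipher_suites`.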
@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS Cipher Suites'
+
+description: |
+ OpenShift Kube APIServer TLS Cipher Suites comma separated string,
+ used for Remediation and manual check text. They need to follow openSSL notation.
+ You should not provide a cipher list, which only provides TLS1.3 ciphers, as some
+ TLS1.2 ciphers are currently expected.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305"'
+ mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"'
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # we do not add the DH Ciphers, as they are only considered secure until 2029 and are not in the APIServer default Ciphers
+ 2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"'
diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
new file mode 100644
index 000000000000..1e2a994ae277
--- /dev/null
+++ b/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS cipher suites regex'
+
+description: 'OpenShift Kube APIServer TLS cipher suites regex, following IANA Notation, used for automatic check'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|)$"
+ mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305)$"
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+ 2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)$"
diff --git a/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml b/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml
index 0f9de836f706..3a4f21866ca0 100644
--- a/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml
+++ b/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml
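Review bot: The `mozilla_intermediate` regex joins its three DHE suites with commas instead of `|` and uses `TLS_DHE_RSA_CHACHA20_POLY1305`, which is not the IANA name, so no single `cipherSuites` entry can ever match that branch; a cluster remediated with the matching `mozilla_intermediate` cipher list (which presumably surfaces in the kube-apiserver config as `TLS_DHE_RSA_WITH_...` names) will then fail this `entity_check: all` rule. The `default` pattern also ends in `|)$`, an empty alternative that accepts an empty-string entry. Change the tail to `|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256)$` and drop the trailing `|` from `default`.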
@@ -23,8 +23,8 @@ ocil_clause: 'ETCD cipher suite does not meet requirements' ocil: |- Run the following command to check the cipher suites for ETCD: -
$  oc get configmaps etcd-pod -n openshift-etcd -o yaml | grep -oE 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
- Make sure that the result has at least one cipher. +
$ oc get configmaps etcd-pod -n openshift-etcd -o json | jq -r '.data["pod.yaml"]' |  grep -P "{{ .var_etcd_tls_cipher_suites_regex }}" 
+ Make sure that the result prints the configured cipher suites. If the result is empty, the cipher suites are not configured properly. severity: medium @@ -37,6 +37,5 @@ template: ocp_data: "true" filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod yamlpath: ".data['pod.yaml']" - values: - - value: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256' - operation: 'pattern match' + xccdf_variable: var_etcd_tls_cipher_suites_regex + regex_data: true diff --git a/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var b/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var new file mode 100644 index 000000000000..7f2bacd4171f --- /dev/null +++ b/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var 
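Review bot: The manual check now passes the regex variable to the shell inside double quotes, `grep -P "{{ .var_etcd_tls_cipher_suites_regex }}"`, so the shell rewrites the `\"` sequences the variable contains and would expand any `$` or backtick a future profile value might hold. The pattern contains no single quotes, so `grep -P '{{ .var_etcd_tls_cipher_suites_regex }}'` is the safer form and still works because PCRE treats `\"` as a literal quote. The new wording should also say that an empty result means either no allowed suite or a disallowed `TLS_` suite on the line, since the negative lookahead in the regex rejects the latter.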
@@ -0,0 +1,22 @@ +documentation_complete: true + +title: 'OpenShift Etcd TLS Cipher Suites Regex' + +description: 'OpenShift Etcd TLS Cipher Suites Regex' + +type: string + +operator: pattern match + +interactive: false + +# in contrast to other cipher regexes this one is not for a single string, but for multiple +# since the pod.yaml configures them multiple times for different containers. +# due to this we cant compare line by line and to do some more complex regex magic +options: + # these regex catch all configured, allowed ciphers in the list PLUS some config around. If there are additional ciphers, which are catched by the negative lookahead, the expression fails. + # the regex is focussed only on the lines with "value:" + # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted + default: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256))(?!.*TLS_(?!AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)[A-Z0-9_]+).*\"' + mozilla_intermediate: 'value: 
\"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305))(?!.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305)[A-Z0-9_]+).*\"' + 2024-01-BSI-TR-02102-2: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|DHE_RSA_WITH_AES_128_GCM_SHA256|DHE_RSA_WITH_AES_256_GCM_SHA384))(?!.*TLS_(?!AES_128_GCM_SHA256|AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|DHE_RSA_WITH_AES_128_GCM_SHA256|DHE_RSA_WITH_AES_256_GCM_SHA384)[A-Z0-9_]+).*\"' diff --git a/applications/openshift/general/tls_version_check_apiserver/kubernetes/shared.yml b/applications/openshift/general/tls_version_check_apiserver/kubernetes/shared.yml new file mode 100644 index 000000000000..6f17fa01df5a --- /dev/null +++ b/applications/openshift/general/tls_version_check_apiserver/kubernetes/shared.yml 
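Review bot: In the `mozilla_intermediate` option the inner group of the negative lookahead is `(?!.*TLS_(?:…)[A-Z0-9_]+)` whereas `default` and the BSI option use `(?!.*TLS_(?!…)[A-Z0-9_]+)`; with `(?:` the lookahead only fires when an allowed name is followed by more identifier characters, so a disallowed suite such as `TLS_RSA_WITH_AES_128_CBC_SHA` is never rejected and this profile's check becomes allow-all. Change `(?!.*TLS_(?:` to `(?!.*TLS_(?!` there, and in both lookaheads separate the DHE suites with `|` and use the IANA name `DHE_RSA_WITH_CHACHA20_POLY1305_SHA256` instead of `DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305`. The comment "while we do not add the DHE Ciphers to the config, they are still valid regarding BSI" sits above `default:`, which accepts no DHE suites; move it above the `2024-01-BSI-TR-02102-2` option it describes.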
@@ -0,0 +1,15 @@ +--- +# platform = multi_platform_ocp +# this remediation is the same as api_server_tls_cipher_suites +# and api_server_tls_security_profile_custom_min_tls_version +# if you change one, you should change the other two +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster +spec: + tlsSecurityProfile: + type: Custom + custom: + ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ] + minTLSVersion: {{ .var_tls_version_apiserver }} diff --git a/applications/openshift/general/tls_version_check_apiserver/rule.yml b/applications/openshift/general/tls_version_check_apiserver/rule.yml index be5d1277cdb7..df4c1bb9bedd 100644 --- a/applications/openshift/general/tls_version_check_apiserver/rule.yml +++ b/applications/openshift/general/tls_version_check_apiserver/rule.yml @@ -1,5 +1,5 @@ -title: Ensure TLS v1.2 is minimum for Openshift APIServer +title: Ensure TLS configured on a minimum for Openshift APIServer description: |- Verify tls version for the openshift APIServer. @@ -27,12 +27,13 @@ references: platform: not ocp4-on-hypershift-hosted -ocil_clause: 'Ensure TLS version is equal to 1.2 or greater for the openshift api server' +ocil_clause: 'Ensure TLS version is equal to {{ .var_tls_version_apiserver }} or greater for the openshift api server' ocil: |- Run the following command to check for TLS version:
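Review bot: The new title "Ensure TLS configured on a minimum for Openshift APIServer" is ungrammatical and no longer says what is being enforced. Suggest `title: Ensure a Minimum TLS Version is Configured for the OpenShift APIServer`, which also matches the wording chosen for the router rule in this change.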
$ oc get configmap config  -n openshift-apiserver -o json | grep -o VersionTLS[0-9]*
- Make sure that the result has a value of VersionTLSXX where XX is 12 or greater. + Make sure that the result has a value of VersionTLSXX where XX is 12 or greater, depending on the configured value. + The current configured value is {{ .var_tls_version_apiserver }}. severity: medium @@ -44,10 +45,7 @@ template: name: yamlfile_value vars: ocp_data: "true" - entity_check: "at least one" filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} yamlpath: '.servingInfo["minTLSVersion"]' - values: - - value: 'VersionTLS1[2-9]{1}' - operation: "pattern match" - type: "string" + xccdf_variable: var_tls_version_apiserver_regex + regex_data: true \ No newline at end of file diff --git a/applications/openshift/general/tls_version_check_masters_workers/rule.yml b/applications/openshift/general/tls_version_check_masters_workers/rule.yml index 769a7ddb70c2..c67e92c847b0 100755 --- a/applications/openshift/general/tls_version_check_masters_workers/rule.yml +++ b/applications/openshift/general/tls_version_check_masters_workers/rule.yml @@ -20,6 +20,7 @@ description: |- kubeletConfig: tlsMinVersion: VersionTLS12 + where VersionTLS12 is replaced with the desired TLS version. rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to diff --git a/applications/openshift/general/tls_version_check_router/kubernetes/shared.yml b/applications/openshift/general/tls_version_check_router/kubernetes/shared.yml new file mode 100644 index 000000000000..30e8d3e78397 --- /dev/null +++ b/applications/openshift/general/tls_version_check_router/kubernetes/shared.yml 
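Review bot: The new OCIL sentence "where XX is 12 or greater, depending on the configured value" is self-contradictory once the `TLS13` option of `var_tls_version_apiserver` is selected, because the regex for that option rejects `VersionTLS12`. State the requirement in terms of the variable, `Make sure that the result is {{ .var_tls_version_apiserver }} or a newer version.`, and, as with the other rules, confirm that the `{{ .var }}` placeholder is expanded in OCIL text at build time or switch to `{{{ xccdf_value("var_tls_version_apiserver") }}}`.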
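Review bot: The template hunk removes `entity_check: "at least one"` without a replacement while switching to `xccdf_variable: var_tls_version_apiserver_regex`; if the template's default entity check differs (the sibling `api_server_tls_cipher_suites` block sets `entity_check: "all"` explicitly), the pass/fail semantics of this rule change silently. Keep an explicit `entity_check` and add the trailing newline the file now lacks (`\ No newline at end of file`).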
@@ -0,0 +1,16 @@ +--- +# platform = multi_platform_ocp +# this remediation is the same as ingress_controller_tls_security_profile_custom_min_tls_version +# and ingress_controller_tls_cipher_suites +# if you change one, you should change the other two +apiVersion: operator.openshift.io/v1 +kind: IngressController +metadata: + name: default + namespace: openshift-ingress-operator +spec: + tlsSecurityProfile: + custom: + ciphers: [ {{ .var_ingresscontroller_tls_cipher_suites }} ] + minTLSVersion: {{ .var_tls_version_ingress }} + type: Custom diff --git a/applications/openshift/general/tls_version_check_router/rule.yml b/applications/openshift/general/tls_version_check_router/rule.yml index 6d0384a2789c..5e6d8822aa40 100644 --- a/applications/openshift/general/tls_version_check_router/rule.yml +++ b/applications/openshift/general/tls_version_check_router/rule.yml @@ -1,5 +1,5 @@ -title: Ensure TLS v1.2 is minimum for Openshift Router +title: Ensure TLS Version is at a Safe Minimum for Openshift Router description: |- Verify tls version for the Openshift Router. @@ -22,7 +22,7 @@ ocil_clause: 'TLS version is not configured or contains insecure version' ocil: |- Run the following command to check the TLS version for the openshift router:
$  oc get deployment.apps/router-default -n openshift-ingress -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="SSL_MIN_VERSION")].value}'
- Make sure that the result has a one of TLSvX.X where X.X is 1.2 or greater. + Make sure that the result has a one of TLSvX.X where X.X is 1.2 or greater, depending on the configured value {{ .var_tls_version_ingress }}. severity: medium warnings: @@ -35,6 +35,5 @@ template: filepath: |- {{{ openshift_filtered_path('/apis/apps/v1/namespaces/openshift-ingress/deployments/router-default','.spec.template.spec.containers[0].env[] | select(.name == "SSL_MIN_VERSION")') }}} yamlpath: ".value" - values: - - value: "TLSv1.[2-9]{1}" - operation: "pattern match" + xccdf_variable: var_tls_version_ingress_regex + regex_data: true diff --git a/applications/openshift/general/var_tls_version_apiserver.var b/applications/openshift/general/var_tls_version_apiserver.var new file mode 100644 index 000000000000..bdb2918da6da --- /dev/null +++ b/applications/openshift/general/var_tls_version_apiserver.var @@ -0,0 +1,21 @@ +documentation_complete: true + +title: 'Configure Apiserver to use secure TLS version' + +description: | + Secure version of TLS available for configuring Apiserver. + Do not forget to also configure the regex value. + Currently only VersionTLS12 and earlier are possible. + VersionTLS13 will cause remediation errors, as it currently + expects to be used without cipher-list, but the remediation + provides one + +type: string + +operator: equals + +interactive: false + +options: + default: "VersionTLS12" + TLS13: "VersionTLS13" diff --git a/applications/openshift/general/var_tls_version_apiserver_regex.var b/applications/openshift/general/var_tls_version_apiserver_regex.var new file mode 100644 index 000000000000..37542e4d8e64 --- /dev/null +++ b/applications/openshift/general/var_tls_version_apiserver_regex.var 
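Review bot: The command above prints `SSL_MIN_VERSION` in `TLSvX.X` form, but the new sentence tells the reader to compare it with `{{ .var_tls_version_ingress }}`, whose values are `VersionTLS12`/`VersionTLS13`, so the assessor has to translate between two notations and the phrase "has a one of" is ungrammatical. Suggest `Make sure that the result is TLSv1.2 or newer; if var_tls_version_ingress is VersionTLS13, the result must be TLSv1.3.`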
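Review bot: `var_tls_version_apiserver` offers a `TLS13` option even though its own description says `VersionTLS13` "will cause remediation errors" because the shared remediation always sends a cipher list. Either withhold the option until the remediation omits `ciphers` for TLS 1.3, or mark it in place with a comment such as `# TLS13: check-only for now; the remediation always sets a cipher list, which fails with VersionTLS13` so a profile author does not select it expecting auto-remediation to work.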
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Configure Apiserver to use secure TLS version'
+
+description: |
+ TLS versions available for configuring Apiserver, excluding insecure versions.
+ Do not forget to also configure the non regex value.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "^(?!VersionTLS10|VersionTLS11)"
+ TLS13: "^(?!VersionTLS10|VersionTLS11|VersionTLS12)"
diff --git a/applications/openshift/general/var_tls_version_ingress.var b/applications/openshift/general/var_tls_version_ingress.var
new file mode 100644
index 000000000000..188925ce8c8a
--- /dev/null
+++ b/applications/openshift/general/var_tls_version_ingress.var
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Configure Ingress to use secure TLS version'
+
+description: |-
+ Secure version of TLS available for configuring Ingress Router.
+ Do not forget to also configure the regex value.
+ Be aware of potential not working combinations of VersionTLS12 and TLS1.3 only Ciphers.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "VersionTLS12"
+ TLS13: "VersionTLS13"
diff --git a/applications/openshift/general/var_tls_version_ingress_regex.var b/applications/openshift/general/var_tls_version_ingress_regex.var
new file mode 100644
index 000000000000..a8fb8522794d
--- /dev/null
+++ b/applications/openshift/general/var_tls_version_ingress_regex.var
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Configure Ingress to use secure TLS version'
+
+description: |
+ TLS versions available for configuring Ingress, excluding insecure versions.
+ Do not forget to also configure the non regex value.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "^(?!TLSv1.0|TLSv1.1)"
+ TLS13: "^(?!TLSv1.0|TLSv1.1|TLS1.2)"
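Review bot: The `TLS13` option of `var_tls_version_ingress_regex` excludes `TLS1.2` rather than `TLSv1.2`, the spelling the router's `SSL_MIN_VERSION` uses (see the `default` option on the line above and the `TLSv1.[2-9]` pattern this change removes from the router rule), so a router still at TLS 1.2 passes the TLS 1.3 profile. Fix it as `TLS13: "^(?!TLSv1\.0|TLSv1\.1|TLSv1\.2)"`, escaping the dots so `.` does not match any character, and escape them in `default` as well.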
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml index 9b487f16d07e..703b56bcc34c 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml @@ -1,7 +1,10 @@ --- # platform = multi_platform_ocp +# this remediation is the same as kubelet_configure_tls_min_version +# if you change one, you should change the other apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig spec: kubeletConfig: tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}] + tlsMinVersion: "{{.var_kubelet_tls_min_version}}" diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml index 3d966c4b582d..004774b0079e 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml 
@@ -12,25 +12,18 @@ description: |- apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig metadata: - name: kubelet-config-$pool + name: kubelet-config-$pool spec: machineConfigPoolSelector: matchLabels: pools.operator.machineconfiguration.openshift.io/$pool_name: "" kubeletConfig: - tlsCipherSuites: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + tlsCipherSuites: [ {{ .var_kubelet_tls_cipher_suites }} ] + tlsMinVersion: "{{.var_kubelet_tls_min_version}}" In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex - and var_kubelet_tls_cipher_suites have to be set + and var_kubelet_tls_cipher_suites have to be set. Furthermore you can set var_kubelet_tls_min_version to configure the tlsMinVersion. + Be aware that the tlsMinVersion must be set to a value that is supported by the cipher suites. rationale: |- TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes @@ -57,15 +50,7 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites'; done
Verify that the set of ciphers contains only the following:
-    TLS_AES_128_GCM_SHA256,
-    TLS_AES_256_GCM_SHA384,
-    TLS_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    {{ .var_kubelet_tls_cipher_suites }}
     
template: diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version/kubernetes/shared.yml index d82f51c3451e..86f98db80f72 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_min_version/kubernetes/shared.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/kubernetes/shared.yml @@ -1,7 +1,10 @@ --- # platform = multi_platform_ocp +# this remediation is the same as kubelet_configure_tls_cipher_suites +# if you change one, you should change the other apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig spec: kubeletConfig: + tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}] tlsMinVersion: "{{.var_kubelet_tls_min_version}}" diff --git a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml index cd8973972c60..cbc09b074ae4 100644 --- a/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml +++ b/applications/openshift/kubelet/kubelet_configure_tls_min_version/rule.yml @@ -37,12 +37,8 @@ description: |- tlsSecurityProfile: type: Custom custom: - ciphers: - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-AES128-GCM-SHA256 - minTLSVersion: {{{ xccdf_value("var_kubelet_tls_min_version") }}} + ciphers: [ {{ .var_kubelet_tls_cipher_suites }} ] + minTLSVersion: "{{.var_kubelet_tls_min_version}}" machineConfigPoolSelector: matchLabels: pools.operator.machineconfiguration.openshift.io/$pool_name: "" diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var index 1847e96e93b2..84ae0d934892 100644 --- a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var +++ b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var 
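Review bot: The `kubelet_configure_tls_min_version` description now feeds `tlsSecurityProfile.custom.ciphers` from `var_kubelet_tls_cipher_suites`, whose default holds IANA names such as `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, whereas the lines being removed used OpenSSL-style names (`ECDHE-RSA-AES128-GCM-SHA256`) for that field; confirm the field accepts IANA names before pointing it at the same variable, otherwise keep a separate example list. The remediation for this rule, in the hunk above, writes `kubeletConfig.tlsCipherSuites` rather than `tlsSecurityProfile`, so the description and the automated fix now also disagree on which field is set; describe the one the remediation actually applies.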
@@ -2,7 +2,11 @@ documentation_complete: true title: 'Configure Kubelet use of the Strong Cryptographic Ciphers' -description: 'Cryptographic Ciphers Available for Kubelet, separated by comma' +description: | + Cryptographic Ciphers Available for Kubelet comma separated string, + used for Remediation and manual check text. They need to follow openSSL notation + You may not provide a cipher list, which only provides TLS1.3 ciphers, as some + TLS1.2 ciphers are currently expected. type: string @@ -11,4 +15,8 @@ operator: equals interactive: false options: - default: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + default: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"' + mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"' + + # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2 + 2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"' 
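Review bot: The new `mozilla_intermediate` option of `var_kubelet_tls_cipher_suites` lists OpenSSL-style names (`ECDHE-ECDSA-AES128-GCM-SHA256`, `DHE-RSA-CHACHA20-POLY1305`) while `default` and the BSI option in the same hunk use IANA names, and the companion `var_kubelet_tls_cipher_suites_regex` only accepts `TLS_..._WITH_...` names; selecting that profile therefore writes a `tlsCipherSuites` list the check cannot pass. Rewrite the option in IANA form, ending in `"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"`. The description sentence "They need to follow openSSL notation" was copied from the API server variable and contradicts the default value; change it to `They need to follow IANA notation`.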
diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var index c1a5d65b8ae2..075323743fa2 100644 --- a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var +++ b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var @@ -1,8 +1,8 @@ documentation_complete: true -title: 'Configure Kubelet use of the Strong Cryptographic Ciphers' +title: 'Configure Kubelet use of the Strong Cryptographic Ciphers Regex' -description: 'Cryptographic Ciphers Available for Kubelet' +description: 'Cryptographic Ciphers Available for Kubelet Regex, following IANA Notation, used for automatic check' type: string 
@@ -11,4 +11,9 @@ operator: equals
 interactive: false
 options:
- default: "^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$"
+ default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)$"
+ mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305)$"
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+ 2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)$"
diff --git a/applications/openshift/kubelet/var_kubelet_tls_min_version.var b/applications/openshift/kubelet/var_kubelet_tls_min_version.var
index cfc872704557..d48eaeafea8a 100644
--- a/applications/openshift/kubelet/var_kubelet_tls_min_version.var
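Review bot: In `mozilla_intermediate` the last three alternatives are joined with commas instead of `|`: `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305`. Inside `^(...)$` that is one literal alternative containing commas, which no cipher name can ever equal, so the three DHE suites this option is meant to accept would be reported as failures, and the third one is not the IANA spelling anyway (`TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256`). The corrected tail would be `|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256)$"`. Since kubelet uses Go's crypto/tls, which has no DHE suites, these names can never appear in a kubelet configuration and could simply be dropped here and in the BSI option, with the comment adjusted accordingly.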
+++ b/applications/openshift/kubelet/var_kubelet_tls_min_version.var
@@ -12,3 +12,4 @@ interactive: false
 options:
 default: "VersionTLS12"
+ TLS13: "VersionTLS13"
diff --git a/applications/openshift/kubelet/var_kubelet_tls_min_version_regex.var b/applications/openshift/kubelet/var_kubelet_tls_min_version_regex.var
index 96722b366ee7..8d0304413e61 100644
--- a/applications/openshift/kubelet/var_kubelet_tls_min_version_regex.var
+++ b/applications/openshift/kubelet/var_kubelet_tls_min_version_regex.var
@@ -12,3 +12,4 @@ interactive: false
 options:
 default: "^(?!VersionTLS10|VersionTLS11)"
+ TLS13: "^(?!VersionTLS10|VersionTLS11|VersionTLS12)"
diff --git a/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml
index 40a7037fb45a..865d9f36ae70 100644
--- a/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml
+++ b/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml
@@ -1,5 +1,8 @@
 ---
 # platform = multi_platform_ocp
+# this remediation is the same as ingress_controller_tls_security_profile_custom_min_tls_version
+# and tls_version_check_router
+# if you change one, you should change the other two
 apiVersion: operator.openshift.io/v1
 kind: IngressController
 metadata:
@@ -8,15 +11,6 @@ metadata:
 spec:
 tlsSecurityProfile:
 custom:
- ciphers:
- - ECDHE-ECDSA-AES128-GCM-SHA256
- - ECDHE-RSA-AES128-GCM-SHA256
- - ECDHE-ECDSA-CHACHA20-POLY1305
- - ECDHE-RSA-AES256-GCM-SHA384
- - ECDHE-RSA-CHACHA20-POLY1305
- - ECDHE-ECDSA-AES256-GCM-SHA384
- - TLS_AES_128_GCM_SHA256
- - TLS_AES_256_GCM_SHA384
- - TLS_CHACHA20_POLY1305_SHA256
- minTLSVersion: VersionTLS12
+ ciphers: [ {{ .var_ingresscontroller_tls_cipher_suites }} ]
+ minTLSVersion: {{ .var_tls_version_ingress }}
 type: Custom
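Review bot: The new `TLS13` pattern `^(?!VersionTLS10|VersionTLS11|VersionTLS12)` copies the negative-lookahead style of `default`, so it also accepts an empty value or any misspelling (`TLS13`, `VersionTLS1.3`) because it only rejects three literal prefixes. This selector has exactly one acceptable value, so a positive match is both tighter and self-documenting: `TLS13: "^VersionTLS13$"`. If the lookahead form is kept for consistency with `default`, add a comment above it stating that anything other than TLS 1.0–1.2 deliberately passes. It is also worth a note in the companion `var_kubelet_tls_min_version.var` that with `VersionTLS13` the configured cipher list becomes irrelevant, since Go's crypto/tls does not let callers restrict TLS 1.3 suites.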
diff --git a/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml
index 5e74b1740d69..f4e74a971b7b 100644
--- a/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml
+++ b/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml
@@ -23,33 +23,22 @@ references:
 ocil_clause: "Ingress controller TLS cipher suite configuration is incomplete or possibly insecure"
 ocil: |-
- Run the following command on the kubelet nodes(s):
+ Run the following command:
oc get ingresscontrollers/default -n openshift-ingress-operator -o=jsonpath='{.status.tlsProfile.ciphers[:]}'
- The output should only include relevant and modern TLS ciphers you deem
- acceptable for your cluster.
+ Verify that the set of ciphers contains only the following:
+
+  {{ .var_ingresscontroller_tls_cipher_suites }}
+  
warnings: - general: |- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default") | indent(4) }}} -# Recommended ciphers -# ECDHE-ECDSA-AES128-GCM-SHA256 -# ECDHE-ECDSA-CHACHA20-POLY1305 -# ECDHE-ECDSA-AES256-GCM-SHA384 -# TLS_CHACHA20_POLY1305_SHA256 -# TLS_AES_128_GCM_SHA256 -# TLS_AES_256_GCM_SHA384 -# -# Secure ciphers -# ECDHE-RSA-AES128-GCM-SHA256 -# ECDHE-RSA-AES256-GCM-SHA384 -# ECDHE-RSA-CHACHA20-POLY1305 template: name: yamlfile_value vars: ocp_data: "true" filepath: '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' yamlpath: ".status.tlsProfile.ciphers[:]" - values: - - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$' - operation: 'pattern match' + xccdf_variable: var_ingresscontroller_tls_cipher_suites_regex + regex_data: true diff --git a/applications/openshift/networking/ingress_controller_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml b/applications/openshift/networking/ingress_controller_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml index 6eabafa81195..dfab37ccf700 100644 --- a/applications/openshift/networking/ingress_controller_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml +++ b/applications/openshift/networking/ingress_controller_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml 
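Review bot: The added OCIL lines render the expected list with `{{ .var_ingresscontroller_tls_cipher_suites }}`, the Go-template form that is substituted into Kubernetes remediation objects at scan time; rule.yml prose is normally expanded at build time with the Jinja macro, so unless the OCIL text also goes through that substitution the assessor will see the literal placeholder in the guide. Please confirm how OCIL is rendered and, if in doubt, use `{{{ xccdf_value("var_ingresscontroller_tls_cipher_suites") | indent(2) }}}` as the description sections of these rules do. Separately, the text says the set must contain "only the following" while the automated check now matches against a different variable, `var_ingresscontroller_tls_cipher_suites_regex`, whose `default` accepts DHE suites that the list variable does not configure — the manual and automated checks should agree on the accepted set. The `ocil` block begins inside this hunk but the `warnings` and `template` keys that follow are the rule's remaining body, not this change's.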
@@ -1,10 +1,16 @@ +--- # platform = multi_platform_ocp +# this remediation is the same as tls_version_check_router +# and ingress_controller_tls_cipher_suites +# if you change one, you should change the other two apiVersion: operator.openshift.io/v1 kind: IngressController metadata: - name: default - namespace: openshift-ingress-operator + name: default + namespace: openshift-ingress-operator spec: - tlsSecurityProfile: - Custom: - minTLSVersion: VersionTLS12 + tlsSecurityProfile: + custom: + ciphers: [ {{ .var_ingresscontroller_tls_cipher_suites }} ] + minTLSVersion: {{ .var_tls_version_ingress }} + type: Custom diff --git a/applications/openshift/networking/ingress_controller_tls_security_profile_custom_min_tls_version/rule.yml b/applications/openshift/networking/ingress_controller_tls_security_profile_custom_min_tls_version/rule.yml index f5cafa484ed5..e04b3d2a7d2a 100644 --- a/applications/openshift/networking/ingress_controller_tls_security_profile_custom_min_tls_version/rule.yml +++ b/applications/openshift/networking/ingress_controller_tls_security_profile_custom_min_tls_version/rule.yml @@ -8,12 +8,13 @@ description: |- to be used while establishing connections with the externally exposed servers. Though secure transport mode is used for establishing connections, the protocols used may not always be strong enough to avoid interception and - manipulation of the data in transport. When Custom TLS Security profile is + manipulation of the data in transport. When Custom TLS Security profile is used it's always better to configure TLS version 1.2 or newer to avoid any security breaches. Update minTLSVersion configured in Custom tlsSecurityProfile using the following command: {{% raw %}}
oc patch -n openshift-ingress-operator ingresscontrollers.operator.openshift.io default --type 'merge' --patch '{"spec":{"tlsSecurityProfile":{"custom":{"minTLSVersion":"VersionTLS12"}}}}'
{{% endraw %}} + Replace VersionTLS12 with the configured value {{ .var_tls_version_ingress }} if necessary. For more information, follow OpenShift documentation: @@ -42,20 +43,20 @@ ocil: |- To check for the configured tlsSecurityProfile use below command: $ oc get -n openshift-ingress-operator ingresscontrollers.operator.openshift.io default -o jsonpath='{.spec.tlsSecurityProfile.custom.minTLSVersion}{"\n"}' The output shows the minTLSVersion configured in Custom tlsSecurityProfile - for IngressController, which should be TLSv1.2 or newer. + for IngressController, which should be TLSv1.2 or newer, depending on the configured value + which is currently set to {{ .var_tls_version_ingress }}. warnings: - general: |- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default") | indent(8) }}} template: -template: name: yamlfile_value - vars: + vars: ocp_data: "true" filepath: "/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default" yamlpath: ".spec.tlsSecurityProfile.custom.minTLSVersion" check_existence: "any_exist" - values: - - value: "^(?!VersionTLS10|VersionTLS11)" - operation: "pattern match" + # we do not use the regex variable here as we want to check the exact value + # the regex variable has a different format than the response from the API + xccdf_variable: var_tls_version_ingress diff --git a/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites.var b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites.var new file mode 100644 index 000000000000..0db3d433e554 --- /dev/null +++ b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites.var 
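Review bot: The template now pins `.spec.tlsSecurityProfile.custom.minTLSVersion` to the exact value of `var_tls_version_ingress` (the added comment says so explicitly), while the description and OCIL text in the same hunk still say the value "should be TLSv1.2 or newer" — with the variable at its default, a cluster already hardened to `VersionTLS13` now fails a rule named as a minimum-version check. Either keep the minimum semantics by pointing the template at the regex variable (the removed pattern `^(?!VersionTLS10|VersionTLS11)` accepted anything newer), or rewrite the OCIL to `which must equal the configured value {{ .var_tls_version_ingress }}` so the text and the check describe the same condition. The `Replace VersionTLS12 with the configured value ... if necessary.` sentence has the same ambiguity and should say whether other values are merely allowed or required.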
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Configure Ingresscontroller use of the Strong Cryptographic Ciphers'
+
+description: |
+ Cryptographic Ciphers Available for Ingresscontroller comma separated string.
+ Used for the Remediation and manual check
+ You may not provide a Cipher List, which only provides TLS1.3 Ciphers, as some
+ TLS1.2 Ciphers are currently expected.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ # default is identical to remediation
+ default: '"ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"'
+ mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"'
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # we do not add the DH Ciphers, as they are only considered secure until 2029 and are not in the APIServer default Ciphers
+ 2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"'
diff --git a/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites_regex.var b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites_regex.var
new file mode 100644
index 000000000000..f1d526bb4275
--- /dev/null
+++ b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites_regex.var
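Review bot: The description's third sentence, `You may not provide a Cipher List, which only provides TLS1.3 Ciphers, as some TLS1.2 Ciphers are currently expected`, reads as permission rather than the prohibition it intends; `Do not provide a list consisting only of TLS 1.3 suites; the ingress controller currently expects at least one TLS 1.2 suite.` says it plainly. It should also record the format constraints that the options silently obey: OpenSSL names for TLS 1.2 suites, IANA names for TLS 1.3 suites, and every entry double-quoted so the value can be dropped into the remediation's `ciphers: [ ... ]` flow sequence — an unquoted entry there would change the YAML. The comment `only considered secure until 2029` should name the section or table of TR-02102-2 it was taken from, otherwise the next reviser cannot re-check the claim when the TR is updated.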
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Configure Ingresscontroller use of the Strong Cryptographic Ciphers Regex'
+
+description: 'Cryptographic Ciphers Available for Ingresscontroller Regex used for the automated checking'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384)$"
+ mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384|DHE-RSA-CHACHA20-POLY1305)$"
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+ 2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384)$"
diff --git a/products/ocp4/profiles/bsi-2022.profile b/products/ocp4/profiles/bsi-2022.profile
index 35b65244527f..4901e1a47680 100644
--- a/products/ocp4/profiles/bsi-2022.profile
+++ b/products/ocp4/profiles/bsi-2022.profile
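Review bot: The `default` regex accepts `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, which the `default` option of `var_ingresscontroller_tls_cipher_suites` never configures, so a router that still offers DHE passes the automated check while the OCIL text tells the assessor the set must contain only the configured list. Either drop the two DHE alternatives from `default` so check and remediation describe the same set, or give `default` the same explanatory comment the BSI option has (`while we do not add the DHE Ciphers to the config, they are still valid ... so they are accepted`) so the looseness is visibly deliberate. Also `default` omits `DHE-RSA-CHACHA20-POLY1305` while `mozilla_intermediate` includes it; if that is intentional a one-line comment would save the next reader from wondering.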
@@ -35,3 +35,15 @@ selections: ### This is a helper rule to fetch the required api resource for detecting OCP version - version_detect_in_ocp - version_detect_in_hypershift + # variables + - var_apiserver_tls_cipher_suites=2024-01-BSI-TR-02102-2 + - var_apiserver_tls_cipher_suites_regex=2024-01-BSI-TR-02102-2 + - var_etcd_tls_cipher_suites_regex=2024-01-BSI-TR-02102-2 + - var_ingresscontroller_tls_cipher_suites_regex=2024-01-BSI-TR-02102-2 + - var_ingresscontroller_tls_cipher_suites=2024-01-BSI-TR-02102-2 + # to ensure that the cipher suites are used across all components, additional tests, which are not + # required in the control files for SYS.1.6 and APP.4.4, need to be added + # apiserver_tls_cipher_suites and kubelet_tls_cipher_suites are not needed, as they are covered by the + # controls for SYS.1.6 and APP.4.4 + - ingress_controller_tls_cipher_suites + - etcd_check_cipher_suite diff --git a/products/ocp4/profiles/bsi-node-2022.profile b/products/ocp4/profiles/bsi-node-2022.profile index 9c7ca2669710..6ff33f98cd4a 100644 --- a/products/ocp4/profiles/bsi-node-2022.profile +++ b/products/ocp4/profiles/bsi-node-2022.profile @@ -31,3 +31,6 @@ filter_rules: '"ocp4-node" in platform or "ocp4-master-node" in platform or "ocp selections: - bsi_app_4_4:all - bsi_sys_1_6:all + ### Variables + - var_kubelet_tls_cipher_suites=2024-01-BSI-TR-02102-2 + - var_kubelet_tls_cipher_suites_regex=2024-01-BSI-TR-02102-2
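Review bot: The profile pins the cipher-suite variables but not `var_tls_version_apiserver` or `var_tls_version_ingress`, which the reworked remediations now render alongside the cipher list (`minTLSVersion: {{ .var_tls_version_ingress }}`), so the BSI profile's TLS floor comes from whatever those variables default to rather than from the profile itself. Selecting them explicitly, e.g. `- var_tls_version_ingress=...`, would make the profile self-describing and protect it from a later change to the variable defaults. `var_etcd_tls_cipher_suites_regex` and `etcd_check_cipher_suite` are referenced here but not part of this diff; presumably they already exist, but it is worth confirming that the etcd variable also defines a `2024-01-BSI-TR-02102-2` selector, since a missing selector fails the build only when the profile is compiled.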