[RFE-6859] Configurable cipher suites

applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml

@@ -0,0 +1,15 @@
+---
+# platform = multi_platform_ocp
+# this remediation is the same as api_server_tls_security_profile_custom_min_tls_version
+# and tls_version_check_apiserver
+# if you change one, you should change the other two
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  tlsSecurityProfile:
+    type: Custom
+    custom:
+      ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ]
+      minTLSVersion: {{ .var_tls_version_apiserver }}

applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml

@@ -19,15 +19,7 @@ description: |-
     "servingInfo":{
       ...
       "cipherSuites": [
-        "TLS_AES_128_GCM_SHA256",
-        "TLS_AES_256_GCM_SHA384",
-        "TLS_CHACHA20_POLY1305_SHA256",
-        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+      {{{ xccdf_value("var_apiserver_tls_cipher_suites") | indent(8) }}}
       ],
       ...
     </pre>
@@ -48,22 +40,14 @@ references:
 
 platform: not ocp4-on-hypershift-hosted
 
-ocil_clause: '<tt>cipherSuites</tt> is not configured, or contains ciphers (possibly insecure) other than  TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, or TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 in servingInfo'
+ocil_clause: '<tt>cipherSuites</tt> is not configured, or contains ciphers (possibly insecure) other than  {{ .var_apiserver_tls_cipher_suites }} in servingInfo'
 
 ocil: |-
     Run the following command:
     <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.servingInfo["cipherSuites"]'</pre>
     Verify that the set of ciphers contains only the following:
     <pre>
-    "TLS_AES_128_GCM_SHA256",
-    "TLS_AES_256_GCM_SHA384",
-    "TLS_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+    {{.var_apiserver_tls_cipher_suites}}
     </pre>
 
 warnings:
@@ -81,7 +65,5 @@ template:
     entity_check: "all"
     filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
     yamlpath: '.servingInfo.cipherSuites[:]'
-    values:
-    - value: 'TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
-      operation: "pattern match"
-      type: "string"
+    regex_data: "true"
+    xccdf_variable: var_apiserver_tls_cipher_suites_regex

applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/kubernetes/shared.yml

@@ -1,9 +1,15 @@
+---
 # platform = multi_platform_ocp
+# this remediation is the same as api_server_tls_cipher_suites
+# and tls_version_check_apiserver
+# if you change one, you should change the other two
 apiVersion: config.openshift.io/v1
 kind: APIServer
 metadata:
-    name: cluster
+  name: cluster
 spec:
-    tlsSecurityProfile:
-        Custom:
-            minTLSVersion: VersionTLS12
+  tlsSecurityProfile:
+    type: Custom
+    custom:
+      ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ]
+      minTLSVersion: {{ .var_tls_version_apiserver }}

applications/openshift/api-server/api_server_tls_security_profile_custom_min_tls_version/rule.yml

@@ -8,12 +8,13 @@ description: |-
     to be used while establishing connections with the externally exposed
     servers. Though secure transport mode is used for establishing connections,
     the protocols used may not always be strong enough to avoid interception and
-    manipulation of the data in transport. When Custom TLS Security profile is 
+    manipulation of the data in transport. When Custom TLS Security profile is
     used it's always better to configure TLS version 1.2 or newer to avoid any
     security breaches.
 
     Update minTLSVersion configured in Custom tlsSecurityProfile using the following command:
     {{% raw %}}<pre>oc patch apiservers.config.openshift.io cluster --type 'merge' --patch '{"spec":{"tlsSecurityProfile":{"custom":{"minTLSVersion":"VersionTLS12"}}}}'</pre>{{% endraw %}}
+    Replace VersionTLS12 with the configured value {{ .var_tls_version_apiserver }} if necessary.
 
     For more information, follow
     OpenShift documentation:
@@ -42,20 +43,18 @@ ocil: |-
     To check for the configured tlsSecurityProfile use below command:
     <tt>$ oc get apiservers.config.openshift.io cluster -o jsonpath='{.spec.tlsSecurityProfile.custom.minTLSVersion}{"\n"}'</tt>
     The output shows the minTLSVersion configured in Custom tlsSecurityProfile
-    for API Server, which should be TLSv1.2 or newer.
+    for API Server, which should be TLSv1.2 or newer. The current configured value is {{ .var_tls_version_apiserver }}.
 
 warnings:
     - general: |-
         {{{ openshift_cluster_setting("/apis/config.openshift.io/v1/apiservers/cluster") | indent(8) }}}
 
 template:
-template: 
     name: yamlfile_value
-    vars: 
+    vars:
         ocp_data: "true"
         filepath: "/apis/config.openshift.io/v1/apiservers/cluster"
         yamlpath: ".spec.tlsSecurityProfile.custom.minTLSVersion"
-        check_existence: "any_exist"
-        values: 
-            - value: "^(?!VersionTLS10|VersionTLS11)"
-              operation: "pattern match"
+        xccdf_variable: var_tls_version_apiserver_regex
+        regex_data: true
+        check_existence: "any_exist"

applications/openshift/api-server/var_apiserver_tls_cipher_suites.var

@@ -0,0 +1,23 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS Cipher Suites'
+
+description: |
+  OpenShift Kube APIServer TLS Cipher Suites comma separated string,
+  used for Remediation and manual check text. They need to follow openSSL notation.
+  You should not provide a cipher list, which only provides TLS1.3 ciphers, as some
+  TLS1.2 ciphers are currently expected.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305"'
+  mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"'
+
+  # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+  # we do not add the DH Ciphers, as they are only considered secure until 2029 and are not in the APIServer default Ciphers
+  2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"'

applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var

@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS cipher suites regex'
+
+description: 'OpenShift Kube APIServer TLS cipher suites regex, following IANA Notation, used for automatic check'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|)$"
+  mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305)$"
+
+  # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+  # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+  2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)$"

applications/openshift/etcd/etcd_check_cipher_suite/rule.yml

@@ -23,8 +23,8 @@ ocil_clause: 'ETCD cipher suite does not meet requirements'
 
 ocil: |-
     Run the following command to check the cipher suites for ETCD:
-    <pre>$  oc get configmaps etcd-pod -n openshift-etcd -o yaml | grep -oE 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'</pre>
-    Make sure that the result has at least one cipher.
+    <pre>$ oc get configmaps etcd-pod -n openshift-etcd -o json | jq -r '.data["pod.yaml"]' |  grep -P "{{ .var_etcd_tls_cipher_suites_regex }}" </pre>
+    Make sure that the result prints the configured cipher suites. If the result is empty, the cipher suites are not configured properly.
 
 severity: medium
 
@@ -37,6 +37,5 @@ template:
     ocp_data: "true"
     filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod
     yamlpath: ".data['pod.yaml']"
-    values:
-    - value: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
-      operation: 'pattern match'
+    xccdf_variable: var_etcd_tls_cipher_suites_regex
+    regex_data: true

applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var

@@ -0,0 +1,22 @@
+documentation_complete: true
+
+title: 'OpenShift Etcd TLS Cipher Suites Regex'
+
+description: 'OpenShift Etcd TLS Cipher Suites Regex'
+
+type: string
+
+operator: pattern match
+
+interactive: false
+
+# in contrast to other cipher regexes this one is not for a single string, but for multiple
+# since the pod.yaml configures them multiple times for different containers.
+# due to this we cant compare line by line and to do some more complex regex magic
+options:
+  # these regex catch all configured, allowed ciphers in the list PLUS some config around. If there are additional ciphers, which are catched by the negative lookahead, the expression fails.
+  # the regex is focussed only on the lines with "value:"
+  # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+  default: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256))(?!.*TLS_(?!AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)[A-Z0-9_]+).*\"'
+  mozilla_intermediate: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305))(?!.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305)[A-Z0-9_]+).*\"'
+  2024-01-BSI-TR-02102-2: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|DHE_RSA_WITH_AES_128_GCM_SHA256|DHE_RSA_WITH_AES_256_GCM_SHA384))(?!.*TLS_(?!AES_128_GCM_SHA256|AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|DHE_RSA_WITH_AES_128_GCM_SHA256|DHE_RSA_WITH_AES_256_GCM_SHA384)[A-Z0-9_]+).*\"'

applications/openshift/general/tls_version_check_apiserver/kubernetes/shared.yml

@@ -0,0 +1,15 @@
+---
+# platform = multi_platform_ocp
+# this remediation is the same as api_server_tls_cipher_suites
+# and api_server_tls_security_profile_custom_min_tls_version
+# if you change one, you should change the other two
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  tlsSecurityProfile:
+    type: Custom
+    custom:
+      ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ]
+      minTLSVersion: {{ .var_tls_version_apiserver }}

applications/openshift/general/tls_version_check_apiserver/rule.yml

@@ -1,5 +1,5 @@
 
-title: Ensure TLS v1.2 is minimum for Openshift APIServer
+title: Ensure TLS configured on a minimum for Openshift APIServer
 
 description: |-
   Verify tls version for the openshift APIServer.
@@ -27,12 +27,13 @@ references:
 
 platform: not ocp4-on-hypershift-hosted
 
-ocil_clause: 'Ensure TLS version is equal to 1.2 or greater for the openshift api server'
+ocil_clause: 'Ensure TLS version is equal to {{ .var_tls_version_apiserver }} or greater for the openshift api server'
 
 ocil: |-
     Run the following command to check for TLS version:
     <pre>$ oc get configmap config  -n openshift-apiserver -o json | grep -o VersionTLS[0-9]*</pre>
-    Make sure that the result has a value of VersionTLSXX where XX is 12 or greater.
+    Make sure that the result has a value of VersionTLSXX where XX is 12 or greater, depending on the configured value.
+    The current configured value is {{ .var_tls_version_apiserver }}.
 
 severity: medium
 
@@ -44,10 +45,7 @@ template:
   name: yamlfile_value
   vars:
     ocp_data: "true"
-    entity_check: "at least one"
     filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
     yamlpath:  '.servingInfo["minTLSVersion"]'
-    values:
-    - value: 'VersionTLS1[2-9]{1}'
-      operation: "pattern match"
-      type: "string"
+    xccdf_variable: var_tls_version_apiserver_regex
+    regex_data: true

applications/openshift/general/tls_version_check_masters_workers/rule.yml

@@ -20,6 +20,7 @@ description: |-
         kubeletConfig:
           tlsMinVersion: VersionTLS12
     </pre>
+    where VersionTLS12 is replaced with the desired TLS version.
 
 rationale: |-
   Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to

applications/openshift/general/tls_version_check_router/kubernetes/shared.yml

@@ -0,0 +1,16 @@
+---
+# platform = multi_platform_ocp
+# this remediation is the same as ingress_controller_tls_security_profile_custom_min_tls_version
+# and ingress_controller_tls_cipher_suites
+# if you change one, you should change the other two
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+  name: default
+  namespace: openshift-ingress-operator
+spec:
+  tlsSecurityProfile:
+    custom:
+      ciphers: [ {{ .var_ingresscontroller_tls_cipher_suites }} ]
+      minTLSVersion: {{ .var_tls_version_ingress }}
+    type: Custom

applications/openshift/general/tls_version_check_router/rule.yml

@@ -1,5 +1,5 @@
 
-title: Ensure TLS v1.2 is minimum for Openshift Router
+title: Ensure TLS Version is at a Safe Minimum for Openshift Router
 
 description: |-
   Verify tls version for the Openshift Router.
@@ -22,7 +22,7 @@ ocil_clause: 'TLS version is not configured or contains insecure version'
 ocil: |-
     Run the following command to check the TLS version for the openshift router:
     <pre>$  oc get deployment.apps/router-default -n openshift-ingress -o jsonpath='{.spec.template.spec.containers[0].env[?(@.name=="SSL_MIN_VERSION")].value}'</pre>
-    Make sure that the result has a one of TLSvX.X where X.X is 1.2 or greater.
+    Make sure that the result has a one of TLSvX.X where X.X is 1.2 or greater, depending on the configured value {{ .var_tls_version_ingress }}.
 
 severity: medium
 warnings:
@@ -35,6 +35,5 @@ template:
     filepath: |-
       {{{ openshift_filtered_path('/apis/apps/v1/namespaces/openshift-ingress/deployments/router-default','.spec.template.spec.containers[0].env[] | select(.name == "SSL_MIN_VERSION")') }}}
     yamlpath: ".value"
-    values:
-      - value: "TLSv1.[2-9]{1}"
-        operation: "pattern match"
+    xccdf_variable: var_tls_version_ingress_regex
+    regex_data: true

applications/openshift/general/var_tls_version_apiserver.var

@@ -0,0 +1,21 @@
+documentation_complete: true
+
+title: 'Configure Apiserver to use secure TLS version'
+
+description: |
+  Secure version of TLS available for configuring Apiserver.
+  Do not forget to also configure the regex value.
+  Currently only VersionTLS12 and earlier are possible.
+  VersionTLS13 will cause remediation errors, as it currently
+  expects to be used without cipher-list, but the remediation
+  provides one
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "VersionTLS12"
+  TLS13: "VersionTLS13"

applications/openshift/general/var_tls_version_apiserver_regex.var

@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Configure Apiserver to use secure TLS version'
+
+description: |
+  TLS versions available for configuring Apiserver, excluding insecure versions.
+  Do not forget to also configure the non regex value.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "^(?!VersionTLS10|VersionTLS11)"
+  TLS13: "^(?!VersionTLS10|VersionTLS11|VersionTLS12)"

applications/openshift/general/var_tls_version_ingress.var

@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Configure Ingress to use secure TLS version'
+
+description: |-
+  Secure version of TLS available for configuring Ingress Router.
+  Do not forget to also configure the regex value.
+  Be aware of potential not working combinations of VersionTLS12 and TLS1.3 only Ciphers.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "VersionTLS12"
+  TLS13: "VersionTLS13"

applications/openshift/general/var_tls_version_ingress_regex.var

@@ -0,0 +1,17 @@
+documentation_complete: true
+
+title: 'Configure Ingress to use secure TLS version'
+
+description: |
+  TLS versions available for configuring Ingress, excluding insecure versions.
+  Do not forget to also configure the non regex value.
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "^(?!TLSv1.0|TLSv1.1)"
+  TLS13: "^(?!TLSv1.0|TLSv1.1|TLS1.2)"