diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml new file mode 100644 index 00000000000..c32da319bdd --- /dev/null +++ b/applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml @@ -0,0 +1,12 @@ +--- +# platform = multi_platform_ocp +apiVersion: config.openshift.io/v1 +kind: APIServer +metadata: + name: cluster +spec: + tlsSecurityProfile: + type: Custom + custom: + ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ] + minTLSVersion: VersionTLS12 diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml index cb41de1fa05..788b32bacdf 100644 --- a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml +++ b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml @@ -19,15 +19,7 @@ description: |- "servingInfo":{ ... "cipherSuites": [ - "TLS_AES_128_GCM_SHA256", - "TLS_AES_256_GCM_SHA384", - "TLS_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + {{{ xccdf_value("var_apiserver_tls_cipher_suites") | indent(8) }}} ], ... 
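Review bot: The remediation unconditionally writes `type: Custom` with `minTLSVersion: VersionTLS12`; a Custom profile replaces the whole `tlsSecurityProfile`, so applying it to a cluster whose operator already set a stricter minimum or a deliberately different cipher order would regress that setting without the auditor noticing. Since the variable now controls the order in `ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ]` as well as the set, that is the server's preference order too. I would add above `tlsSecurityProfile:` a comment like `# A Custom profile replaces the entire tlsSecurityProfile (ciphers AND minTLSVersion); the cipher list is the server preference order` so a tailoring author knows what the remediation overwrites.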
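Review bot: The description now renders `var_apiserver_tls_cipher_suites` into the `config.yaml` excerpt under `"cipherSuites": [`, but that variable holds OpenSSL-style names (`ECDHE-ECDSA-AES128-GCM-SHA256`) while `servingInfo.cipherSuites` in the kube-apiserver config uses IANA names, as the removed lines and the description of `var_apiserver_tls_cipher_suites_regex` both show. An auditor comparing the rendered example against the real config will see names that never appear there. Either render the IANA-form list here, or add a sentence to the description such as `The APIServer resource takes OpenSSL cipher names; the operator translates them into the IANA names that appear in config.yaml`. The description block continues outside the hunk.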
@@ -48,22 +40,14 @@ references: platform: not ocp4-on-hypershift-hosted -ocil_clause: 'cipherSuites is not configured, or contains ciphers (possibly insecure) other than TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, or TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 in servingInfo' +ocil_clause: 'cipherSuites is not configured, or contains ciphers (possibly insecure) other than {{ .var_apiserver_tls_cipher_suites }} in servingInfo' ocil: |- Run the following command:
$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.servingInfo["cipherSuites"]'
Verify that the set of ciphers contains only the following:
-    "TLS_AES_128_GCM_SHA256",
-    "TLS_AES_256_GCM_SHA384",
-    "TLS_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+    {{.var_apiserver_tls_cipher_suites}}
     
warnings: @@ -81,7 +65,5 @@ template: entity_check: "all" filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}} yamlpath: '.servingInfo.cipherSuites[:]' - values: - - value: 'TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' - operation: "pattern match" - type: "string" + regex_data: "true" + xccdf_variable: var_apiserver_tls_cipher_suites_regex diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var new file mode 100644 index 00000000000..cb6e9397372 --- /dev/null +++ b/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var 
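Review bot: The manual check asks the auditor to verify that the output of `jq '.servingInfo["cipherSuites"]'` "contains only" `{{.var_apiserver_tls_cipher_suites}}`, but that command prints IANA names (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`) while the variable holds OpenSSL names (`ECDHE-RSA-AES128-GCM-SHA256`), so a compliant cluster will never literally match the text. The same mismatch is in the rewritten `ocil_clause`. I would either keep an IANA-form variable for the OCIL text or phrase it as `Verify that every listed cipher is the IANA form of one of the following (OpenSSL names): ...`. Note also that the description uses `{{{ xccdf_value("...") }}}` while this text uses the Go-template form `{{ .var_... }}`; if the latter is not expanded in OCIL the auditor sees the raw placeholder, which is worth confirming against how the other OCP4 rules do it.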
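Review bot: `regex_data: "true"` is written as a quoted string here, while the etcd and ingress hunks in the same change write `regex_data: true`; unless the `yamlfile_value` template distinguishes the two, pick one form so a later reader does not wonder whether the string spelling is meaningful. Keeping `entity_check: "all"` is the important part, since with a per-element regex it is what makes every entry of `.servingInfo.cipherSuites[:]` have to match rather than just one.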
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS Cipher Suites'
+
+description: 'OpenShift Kube APIServer TLS Cipher Suites comma separated string, used for Remediation and manual check text. They need to follow openSSL notation'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305"'
+ mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"'
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # we do not add the DH Ciphers, as they are only considered secure until 2029 and are not in the APIServer default Ciphers
+ 2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"'
diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
new file mode 100644
index 00000000000..1e2a994ae27
--- /dev/null
+++ b/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
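Review bot: The BSI option drops `TLS_CHACHA20_POLY1305_SHA256` from the list, but the TLS 1.3 suites (`TLS_AES_*`, `TLS_CHACHA20_*`) are not something a Go-based server can restrict — Go's crypto/tls applies a configured cipher list to TLS 1.2 only and always enables all TLS 1.3 suites — so, as far as I can tell, omitting it here changes the configured list the check inspects but not what a TLS 1.3 client can negotiate with the kube-apiserver. That gap between "passes the rule" and "meets the BSI recommendation" should be stated, e.g. `# NOTE: the TLS 1.3 entries document intent only; Go does not allow restricting TLS 1.3 suites, so TLS_CHACHA20_POLY1305_SHA256 stays negotiable under TLS 1.3 — verify against the component`. The comment also says "DH Ciphers" where the listed suites are DHE, and "secure until 2029" is a claim about TR-02102-2 that I cannot verify from here, so cite the section.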
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS cipher suites regex'
+
+description: 'OpenShift Kube APIServer TLS cipher suites regex, following IANA Notation, used for automatic check'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|)$"
+ mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305)$"
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+ 2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)$"
diff --git a/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml b/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml
index 0f9de836f70..3a4f21866ca 100644
--- a/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml
+++ b/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml
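Review bot: The `default` regex ends in `...CHACHA20_POLY1305_SHA256|)$`, a trailing empty alternative that makes the pattern also accept an empty string; the closing should be `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)$`. In `mozilla_intermediate` the three DHE suites are joined with commas instead of `|`, so they form one alternative `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_...` that can never match a single entry of `cipherSuites`, and `TLS_DHE_RSA_CHACHA20_POLY1305` is not an IANA name anyway; the tail should read `|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256)$`. As written the Intermediate option fails every cluster that actually enables a DHE suite, which a profile author would read as a finding rather than a typo.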
@@ -23,8 +23,8 @@ ocil_clause: 'ETCD cipher suite does not meet requirements' ocil: |- Run the following command to check the cipher suites for ETCD: -
$  oc get configmaps etcd-pod -n openshift-etcd -o yaml | grep -oE 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
- Make sure that the result has at least one cipher. +
$ oc get configmaps etcd-pod -n openshift-etcd -o json | jq -r '.data["pod.yaml"]' |  grep -P "{{ .var_etcd_tls_cipher_suites_regex }}" 
+ Make sure that the result prints the configured cipher suites. If the result is empty, the cipher suites are not configured properly. severity: medium @@ -37,6 +37,5 @@ template: ocp_data: "true" filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod yamlpath: ".data['pod.yaml']" - values: - - value: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256' - operation: 'pattern match' + xccdf_variable: var_etcd_tls_cipher_suites_regex + regex_data: true diff --git a/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var b/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var new file mode 100644 index 00000000000..7f2bacd4171 --- /dev/null +++ b/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var 
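Review bot: The new manual step tells the auditor that a non-empty `grep -P` result means the suites are configured properly, but the regex only matches a compliant `value:` line and, as the new `var_etcd_tls_cipher_suites_regex` file itself notes, `pod.yaml` carries the cipher list once per container; one compliant container prints a line even if another still has a weaker list. The safer instruction is to print the non-compliant lines and require none, e.g. `grep -P 'value: "TLS_' | grep -vP "{{ .var_etcd_tls_cipher_suites_regex }}"` followed by `Make sure that no line is printed`, assuming the cipher lists are the only `value:` entries starting with `"TLS_` (verify on a cluster). The variable value contains `\"` escapes and lookaheads, so also note in the text that it must stay inside double quotes when pasted into a shell.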
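Review bot: With `regex_data: true` the variable is matched against the whole `.data['pod.yaml']` string, and the patterns in `var_etcd_tls_cipher_suites_regex` are unanchored with `.` not crossing newlines, so as I read it the OVAL pattern match succeeds as soon as one `value:` line is compliant and never looks at the other containers' lists — the multi-container case the variable's comment worries about is exactly the one that passes open. If the template supports it, a pattern that matches a non-compliant `value:` line combined with `check_existence: none_exist` would fail closed; otherwise the limitation belongs in the rule's `warnings` so an assessor does not treat a pass as covering every etcd container.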
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+title: 'OpenShift Etcd TLS Cipher Suites Regex'
+
+description: 'OpenShift Etcd TLS Cipher Suites Regex'
+
+type: string
+
+operator: pattern match
+
+interactive: false
+
+# in contrast to other cipher regexes this one is not for a single string, but for multiple
+# since the pod.yaml configures them multiple times for different containers.
+# due to this we cant compare line by line and to do some more complex regex magic
+options:
+ # these regex catch all configured, allowed ciphers in the list PLUS some config around. If there are additional ciphers, which are catched by the negative lookahead, the expression fails.
+ # the regex is focussed only on the lines with "value:"
+ # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+ default: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256))(?!.*TLS_(?!AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)[A-Z0-9_]+).*\"'
+ mozilla_intermediate: 'value: 
\"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305))(?!.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305)[A-Z0-9_]+).*\"'
+ 2024-01-BSI-TR-02102-2: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|DHE_RSA_WITH_AES_128_GCM_SHA256|DHE_RSA_WITH_AES_256_GCM_SHA384))(?!.*TLS_(?!AES_128_GCM_SHA256|AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|DHE_RSA_WITH_AES_128_GCM_SHA256|DHE_RSA_WITH_AES_256_GCM_SHA384)[A-Z0-9_]+).*\"'
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
index 3d966c4b582..4d777f96235 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
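Review bot: The `mozilla_intermediate` pattern has `(?!.*TLS_(?:AES_128_GCM_SHA256|...)[A-Z0-9_]+)` where `default` and the BSI option have `(?!.*TLS_(?!...)[A-Z0-9_]+)`; with `(?:` the negative lookahead only rejects an allowed name followed by extra characters, so a `value:` line containing `TLS_RSA_WITH_AES_128_CBC_SHA` or any other disallowed suite still matches and that option passes open. The fix is the single token `(?!.*TLS_(?!AES_128_GCM_SHA256|` in place of `(?!.*TLS_(?:AES_128_GCM_SHA256|`. In the same option the DHE names are comma-joined (`DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305`) rather than `|`-separated, and `DHE_RSA_CHACHA20_POLY1305` should be `DHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, in both lookaheads. The comment about DHE ciphers being accepted sits above `default`, which does not accept them, so move it to the BSI option it describes.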
@@ -12,22 +12,14 @@ description: |- apiVersion: machineconfiguration.openshift.io/v1 kind: KubeletConfig metadata: - name: kubelet-config-$pool + name: kubelet-config-$pool spec: machineConfigPoolSelector: matchLabels: pools.operator.machineconfiguration.openshift.io/$pool_name: "" kubeletConfig: tlsCipherSuites: - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + [ {{ .var_kubelet_tls_cipher_suites }} ] In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex and var_kubelet_tls_cipher_suites have to be set @@ -57,15 +49,7 @@ ocil: |-
$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites'; done
Verify that the set of ciphers contains only the following:
-    TLS_AES_128_GCM_SHA256,
-    TLS_AES_256_GCM_SHA384,
-    TLS_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    {{ .var_kubelet_tls_cipher_suites }}
     
template: diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var index 1847e96e93b..c249705c71e 100644 --- a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var +++ b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var @@ -2,7 +2,7 @@ documentation_complete: true title: 'Configure Kubelet use of the Strong Cryptographic Ciphers' -description: 'Cryptographic Ciphers Available for Kubelet, separated by comma' +description: 'Cryptographic Ciphers Available for Kubelet comma separated string, used for Remediation and manual check text. They need to follow openSSL notation' type: string 
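Review bot: The new description says the kubelet cipher list "need[s] to follow openSSL notation", but `KubeletConfiguration.tlsCipherSuites` takes IANA/Go names, and the `default` and BSI values written in the next hunk of this file use exactly those (`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`); the sentence looks copied from the APIServer variable, where OpenSSL names are correct. I would write `description: 'Cryptographic ciphers available for the kubelet as a comma separated string of quoted IANA names (e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"), used for the remediation and the manual check text'` so a tailoring author does not paste OpenSSL names into a KubeletConfig.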
@@ -11,4 +11,8 @@ operator: equals interactive: false options: - default: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" + default: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"' + mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"' + + # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2 + 2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"' diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var index c1a5d65b8ae..075323743fa 100644 --- a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var +++ b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var 
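Review bot: `mozilla_intermediate` holds OpenSSL names (`ECDHE-ECDSA-AES128-GCM-SHA256`, `DHE-RSA-CHACHA20-POLY1305`) while `default` and the BSI option hold IANA names; this variable is rendered into `tlsCipherSuites: [ ... ]` of a KubeletConfig, which the kubelet validates against Go's IANA-style names, so selecting that option yields a remediation the machine-config rollout would reject, and it cannot match the IANA-form `var_kubelet_tls_cipher_suites_regex` either. It should read `mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"'`. Separately, `default` changes from unquoted to quoted items; existing tailoring files that set this variable in the old form may now render differently, which deserves a line in the description if that is intended.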
@@ -1,8 +1,8 @@ documentation_complete: true -title: 'Configure Kubelet use of the Strong Cryptographic Ciphers' +title: 'Configure Kubelet use of the Strong Cryptographic Ciphers Regex' -description: 'Cryptographic Ciphers Available for Kubelet' +description: 'Cryptographic Ciphers Available for Kubelet Regex, following IANA Notation, used for automatic check' type: string 
@@ -11,4 +11,9 @@ operator: equals interactive: false options: - default: "^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$" + default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)$" + mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305)$" + + # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2 + # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted + 2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)$" diff --git a/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml index 40a7037fb45..51a44b3b06d 100644 
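Review bot: In `mozilla_intermediate` the three DHE suites are comma-separated inside the alternation (`TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305`), so they form one alternative that no single `tlsCipherSuites` entry can equal, and `TLS_DHE_RSA_CHACHA20_POLY1305` is not the IANA name. The tail should be `|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256)$`. The same slip is in the APIServer regex variable in this change; fixing them together keeps the two Intermediate options consistent.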
--- a/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml +++ b/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml @@ -8,15 +8,6 @@ metadata: spec: tlsSecurityProfile: custom: - ciphers: - - ECDHE-ECDSA-AES128-GCM-SHA256 - - ECDHE-RSA-AES128-GCM-SHA256 - - ECDHE-ECDSA-CHACHA20-POLY1305 - - ECDHE-RSA-AES256-GCM-SHA384 - - ECDHE-RSA-CHACHA20-POLY1305 - - ECDHE-ECDSA-AES256-GCM-SHA384 - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 + ciphers: [ {{ .var_ingresscontroller_tls_cipher_suites }} ] minTLSVersion: VersionTLS12 type: Custom diff --git a/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml index 5e74b1740d6..f4e74a971b7 100644 --- a/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml +++ b/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml @@ -23,33 +23,22 @@ references: ocil_clause: "Ingress controller TLS cipher suite configuration is incomplete or possibly insecure" ocil: |- - Run the following command on the kubelet nodes(s): + Run the following command:
oc get ingresscontrollers/default -n openshift-ingress-operator -o=jsonpath='{.status.tlsProfile.ciphers[:]}'
- The output should only include relevant and modern TLS ciphers you deem - acceptable for your cluster. + Verify that the set of ciphers contains only the following: +
+  {{ .var_ingresscontroller_tls_cipher_suites }}
+  
warnings: - general: |- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default") | indent(4) }}} -# Recommended ciphers -# ECDHE-ECDSA-AES128-GCM-SHA256 -# ECDHE-ECDSA-CHACHA20-POLY1305 -# ECDHE-ECDSA-AES256-GCM-SHA384 -# TLS_CHACHA20_POLY1305_SHA256 -# TLS_AES_128_GCM_SHA256 -# TLS_AES_256_GCM_SHA384 -# -# Secure ciphers -# ECDHE-RSA-AES128-GCM-SHA256 -# ECDHE-RSA-AES256-GCM-SHA384 -# ECDHE-RSA-CHACHA20-POLY1305 template: name: yamlfile_value vars: ocp_data: "true" filepath: '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' yamlpath: ".status.tlsProfile.ciphers[:]" - values: - - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$' - operation: 'pattern match' + xccdf_variable: var_ingresscontroller_tls_cipher_suites_regex + regex_data: true diff --git a/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites.var b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites.var new file mode 100644 index 00000000000..eabff2a2f21 --- /dev/null +++ b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites.var 
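Review bot: The rewritten OCIL and the template both look only at `ingresscontrollers/default` (`filepath: .../ingresscontrollers/default`, and the `oc get ingresscontrollers/default` command), while clusters that shard ingress run additional IngressController objects whose `tlsSecurityProfile` is neither checked nor touched by the remediation; that scope predates this change, but the new "contains only the following" wording makes it read as a cluster-wide statement. I would add to the OCIL `Repeat for every IngressController in openshift-ingress-operator; only the default controller is checked automatically` and a matching sentence in `warnings`. Reading `.status.tlsProfile.ciphers` rather than `spec` is the right choice, since it reflects the effective profile.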
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Configure Ingresscontroller use of the Strong Cryptographic Ciphers'
+
+description: 'Cryptographic Ciphers Available for Ingresscontroller comma separated string. Used for the Remediation and manual check'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ # default is identical to remediation
+ default: '"ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"'
+ mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"'
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # we do not add the DH Ciphers, as they are only considered secure until 2029 and are not in the APIServer default Ciphers
+ 2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"'
diff --git a/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites_regex.var b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites_regex.var
new file mode 100644
index 00000000000..f1d526bb427
--- /dev/null
+++ b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites_regex.var
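Review bot: The comment above the BSI option says the DH ciphers "are not in the APIServer default Ciphers", which is copied from the APIServer variable; in this file the remediation targets the IngressController, so the justification should name that component or be dropped, and "DH" should be "DHE" since every listed suite is ephemeral. The values are also the HAProxy preference order, and `default` orders the ECDHE suites before the TLS 1.3 entries while the other two options do the reverse; if the order is deliberate say so in the description, e.g. `The list is applied in this order as the server's preference`.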
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'Configure Ingresscontroller use of the Strong Cryptographic Ciphers Regex'
+
+description: 'Cryptographic Ciphers Available for Ingresscontroller Regex used for the automated checking'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+ default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384)$"
+ mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384|DHE-RSA-CHACHA20-POLY1305)$"
+
+ # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+ # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+ 2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384)$"
diff --git a/products/ocp4/profiles/bsi-2022.profile b/products/ocp4/profiles/bsi-2022.profile
index 35b65244527..4901e1a4768 100644
--- a/products/ocp4/profiles/bsi-2022.profile
+++ b/products/ocp4/profiles/bsi-2022.profile
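Review bot: The `default` regex accepts `DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384`, which neither the `default` of `var_ingresscontroller_tls_cipher_suites` (the remediation) nor the hard-coded pattern this replaces allowed, so the out-of-the-box check is silently looser than before while the OCIL text still says the set must contain "only" the variable's list. If accepting DHE by default is intended, it needs the same explanatory comment the BSI option has; otherwise drop the two alternatives so the tail reads `|ECDHE-RSA-CHACHA20-POLY1305)$`. Keeping the check and the remediation value in lock-step is what lets an assessor read a pass as "configured as remediated".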
@@ -35,3 +35,15 @@ selections: ### This is a helper rule to fetch the required api resource for detecting OCP version - version_detect_in_ocp - version_detect_in_hypershift + # variables + - var_apiserver_tls_cipher_suites=2024-01-BSI-TR-02102-2 + - var_apiserver_tls_cipher_suites_regex=2024-01-BSI-TR-02102-2 + - var_etcd_tls_cipher_suites_regex=2024-01-BSI-TR-02102-2 + - var_ingresscontroller_tls_cipher_suites_regex=2024-01-BSI-TR-02102-2 + - var_ingresscontroller_tls_cipher_suites=2024-01-BSI-TR-02102-2 + # to ensure that the cipher suites are used across all components, additional tests, which are not + # required in the control files for SYS.1.6 and APP.4.4, need to be added + # apiserver_tls_cipher_suites and kubelet_tls_cipher_suites are not needed, as they are covered by the + # controls for SYS.1.6 and APP.4.4 + - ingress_controller_tls_cipher_suites + - etcd_check_cipher_suite diff --git a/products/ocp4/profiles/bsi-node-2022.profile b/products/ocp4/profiles/bsi-node-2022.profile index 9c7ca266971..6ff33f98cd4 100644 --- a/products/ocp4/profiles/bsi-node-2022.profile +++ b/products/ocp4/profiles/bsi-node-2022.profile @@ -31,3 +31,6 @@ filter_rules: '"ocp4-node" in platform or "ocp4-master-node" in platform or "ocp selections: - bsi_app_4_4:all - bsi_sys_1_6:all + ### Variables + - var_kubelet_tls_cipher_suites=2024-01-BSI-TR-02102-2 + - var_kubelet_tls_cipher_suites_regex=2024-01-BSI-TR-02102-2
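Review bot: The comment explaining why two rules are not selected names `apiserver_tls_cipher_suites` and `kubelet_tls_cipher_suites`, but the rules touched in this change are `api_server_tls_cipher_suites` and `kubelet_configure_tls_cipher_suites`; someone grepping the profile for those ids will conclude they are unselected. I would write `# api_server_tls_cipher_suites and kubelet_configure_tls_cipher_suites are already selected through the SYS.1.6 and APP.4.4 controls` and keep the rule ids exact. Whether those controls really select both rules is not visible here, so that claim is worth verifying before relying on it for coverage.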