implement configurable ciphers via variable for apiserver

sig-bsi-grundschutz · Jul 24, 2024 · 30a9b39 · 30a9b39
1 parent 215a768
commit 30a9b39
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 17 deletions.
diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
@@ -19,12 +19,7 @@ description: |-
     "servingInfo":{
       ...
       "cipherSuites": [
-        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+      {{{ xccdf_value("var_apiserver_tls_cipher_suites") | indent(8) }}}
       ],
       ...
     </pre>
@@ -45,19 +40,14 @@ references:
 
 platform: not ocp4-on-hypershift-hosted
 
-ocil_clause: '<tt>cipherSuites</tt> is not configured, or contains ciphers (possibly insecure) other than TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, or TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 in servingInfo'
+ocil_clause: '<tt>cipherSuites</tt> is not configured, or contains ciphers (possibly insecure) other than {{{ xccdf_value("var_apiserver_tls_cipher_suites") }}} in servingInfo'
 
 ocil: |-
     Run the following command:
     <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.servingInfo["cipherSuites"]'</pre>
     Verify that the set of ciphers contains only the following:
     <pre>
-    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+      {{.var_apiserver_tls_cipher_suites}}
     </pre>
 
 warnings:
@@ -75,7 +65,5 @@ template:
     entity_check: "all"
     filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
     yamlpath: '.servingInfo.cipherSuites[:]'
-    values:
-    - value: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
-      operation: "pattern match"
-      type: "string"
+    regex_data: "true"
+    xccdf_variable: var_apiserver_tls_cipher_suites_regex
diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS cipher suites'
+
+description: 'OpenShift Kube APIServer TLS cipher suites'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+    default: '"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"'
+    # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+    2024-01-BSI-TR-02102-2: '"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"'
diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS cipher suites regex'
+
+description: 'OpenShift Kube APIServer TLS cipher suites regex'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+    default: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+    # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+    2024-01-BSI-TR-02102-2: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"