From f6d6794e3eda8d47599e1bdf8f7cfa0dcd9f3582 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:31:24 +0100
Subject: [PATCH 1/2] retire old tls cipher suites rules
---
 .../kubernetes/shared.yml | 18 --------
 .../rule.yml | 41 -------------------
 .../tests/ocp4/e2e.yml | 3 --
 .../kubernetes/shared.yml | 17 --------
 .../rule.yml | 41 -------------------
 .../tests/ocp4/e2e.yml | 3 --
 products/ocp4/profiles/default.profile | 2 -
 7 files changed, 125 deletions(-)
 delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml
 delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml
 delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml
 delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml
 delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml
 delete mode 100644 applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml
deleted file mode 100644
index 9e4baaee31e..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# platform = multi_platform_ocp
-apiVersion: operator.openshift.io/v1
-kind: KubeAPIServer
-metadata:
- name: cluster
-spec:
- unsupportedConfigOverrides:
- servingInfo:
- cipherSuites:
- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml
deleted file mode 100644
index 4825a381724..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-documentation_complete: true
-
-
-title: "Ensure that the Kubernetes API Server Operator only makes use of Strong Cryptographic Ciphers"
-
-description: |-
- Ensure that the Kubernetes API Server Operator is configured to only use strong cryptographic ciphers.
-
-rationale: |-
- TLS ciphers have had a number of known vulnerabilities and weaknesses,
- which can reduce the protection provided by them. By default Kubernetes
- supports a number of TLS ciphersuites including some that have security
- concerns, weakening the protection provided.
-
-severity: medium
-
-#identifiers:
-# cce@ocp4:
-
-references:
- cis@ocp4: 4.2.13
-
-ocil_clause: "TLS cipher suite configuration is not configured"
-
-ocil: |-
- Run the following comman on the kubelete nodes(s):
- {{% raw %}}
oc patch kubeapiservers.operator.openshift.io cluster --type merge -p '{"spec":{"unsupportedConfigOverrides":{"servingInfo":{"cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256"]} } } }'
{{% endraw %}}
-
-warnings:
-- general: |-
- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/kubeapiservers/cluster") | indent(4) }}}
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/apis/operator.openshift.io/v1/kubeapiservers/cluster'
- yamlpath: ".spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]"
- values:
- - value: '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'
- operation: 'pattern match'
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml
deleted file mode 100644
index fd9b313e87b..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-default_result: FAIL
-result_after_remediation: PASS
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml
deleted file mode 100644
index 6d184aaef73..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# platform = multi_platform_ocp
-apiVersion: operator.openshift.io/v1kind: OpenShiftAPIServer
-metadata:
- name: cluster
-spec:
- unsupportedConfigOverrides:
- servingInfo:
- cipherSuites:
- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml
deleted file mode 100644
index 0b1423ac3ac..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-documentation_complete: true
-
-
-title: "Ensure that the OpenShift API Server Operator only makes use of Strong Cryptographic Ciphers"
-
-description: |-
- Ensure that the OpenShift API Server Operator is configured to only use strong cryptographic ciphers.
-
-rationale: |-
- TLS ciphers have had a number of known vulnerabilities and weaknesses,
- which can reduce the protection provided by them. By default Kubernetes
- supports a number of TLS ciphersuites including some that have security
- concerns, weakening the protection provided.
-
-severity: medium
-
-#identifiers:
-# cce@ocp4:
-
-references:
- cis@ocp4: 4.2.13
-
-ocil_clause: "TLS cipher suite configuration is not configured"
-
-ocil: |-
- Run the following command on the kubelet node(s):
- {{% raw %}}
oc patch openshiftapiservers.operator.openshift.io cluster --type merge -p '{"spec":{"unsupportedConfigOverrides":{"servingInfo":{"cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256"] } } } }'
{{% endraw %}}
-
-warnings:
-- general: |-
- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/openshiftapiservers/cluster") | indent(4) }}}
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/apis/operator.openshift.io/v1/openshiftapiservers/cluster'
- yamlpath: ".spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]"
- values:
- - value: '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'
- operation: 'pattern match'
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml
deleted file mode 100644
index fd9b313e87b..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-default_result: FAIL
-result_after_remediation: PASS
diff --git a/products/ocp4/profiles/default.profile b/products/ocp4/profiles/default.profile
index aa4a79e4196..90bdb14c781 100644
--- a/products/ocp4/profiles/default.profile
+++ b/products/ocp4/profiles/default.profile
@@ -25,7 +25,6 @@ selections:
 - file_permissions_var_lib_etcd
 - file_owner_openvswitch
 - file_permissions_openvswitch
- - kubelet_configure_tls_cipher_suites_openshiftapiserver_operator
 - file_groupowner_ovs_conf_db_lock_not_s390x
 - oauth_inactivity_timeout
 - kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
@@ -56,7 +55,6 @@ selections:
 - file_owner_pod_logs
 - project_config_has_template
 - kubelet_eviction_thresholds_set_soft_imagefs_available
- - kubelet_configure_tls_cipher_suites_kubeapiserver_operator
 - file_groupowner_ovs_sys_id_conf_not_s390x
 - ingress_controller_tls_security_profile_custom_min_tls_version
 - kubelet_read_only_port_secured
From c9231f7aaceede77ae03d070e3eb47ea9105e5c8 Mon Sep 17 00:00:00 2001
From: sluetze <13255307+sluetze@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:32:04 +0100
Subject: [PATCH 2/2] move ingress_controller_tls_cipher_suites to networking
---
 .../ingress_controller_tls_cipher_suites}/kubernetes/shared.yml | 0
 .../ingress_controller_tls_cipher_suites}/rule.yml | 0
 .../ingress_controller_tls_cipher_suites}/tests/ocp4/e2e.yml | 0
 controls/cis_ocp_1_4_0/section-4.yml | 2 +-
 products/ocp4/profiles/default.profile | 1 -
 5 files changed, 1 insertion(+), 2 deletions(-)
 rename applications/openshift/{kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller => networking/ingress_controller_tls_cipher_suites}/kubernetes/shared.yml (100%)
 rename applications/openshift/{kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller => networking/ingress_controller_tls_cipher_suites}/rule.yml (100%)
 rename applications/openshift/{kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller => networking/ingress_controller_tls_cipher_suites}/tests/ocp4/e2e.yml (100%)
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml
similarity index 100%
rename from applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml
rename to applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml
similarity index 100%
rename from applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
rename to applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/tests/ocp4/e2e.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/tests/ocp4/e2e.yml
similarity index 100%
rename from applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/tests/ocp4/e2e.yml
rename to applications/openshift/networking/ingress_controller_tls_cipher_suites/tests/ocp4/e2e.yml
diff --git a/controls/cis_ocp_1_4_0/section-4.yml b/controls/cis_ocp_1_4_0/section-4.yml
index 9fa0e8f27a7..5fac05f8433 100644
--- a/controls/cis_ocp_1_4_0/section-4.yml
+++ b/controls/cis_ocp_1_4_0/section-4.yml
@@ -158,6 +158,6 @@ controls:
 status: automated
 rules:
 - kubelet_configure_tls_cipher_suites
- - kubelet_configure_tls_cipher_suites_ingresscontroller
+ - ingress_controller_tls_cipher_suites
 levels: [ level_1, ]
diff --git a/products/ocp4/profiles/default.profile b/products/ocp4/profiles/default.profile
index 90bdb14c781..45d80e491fd 100644
--- a/products/ocp4/profiles/default.profile
+++ b/products/ocp4/profiles/default.profile
@@ -45,7 +45,6 @@ selections:
 - api_server_api_priority_v1_flowschema_catch_all
 - file_groupowner_openvswitch
 - gcp_disk_encryption_enabled
- - kubelet_configure_tls_cipher_suites_ingresscontroller
 - file_groupowner_ovs_conf_db_lock_s390x
 - ebs_encryption_enabled_on_machinesets
 - project_template_network_policy
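Review bot: The default.profile hunk drops `kubelet_configure_tls_cipher_suites_ingresscontroller` without selecting the renamed rule in its place, whereas the section-4.yml hunk in this same patch does carry the rename to `ingress_controller_tls_cipher_suites`. Since patch 1 removed only genuinely retired rules from this profile, the intent here appears to be a rename rather than a retirement, so the removed line should become `    - ingress_controller_tls_cipher_suites` — otherwise the ingress TLS cipher check silently disappears from the default profile while remaining a CIS 4.2.13 automated rule. If dropping it from default.profile is deliberate, the commit message should say so; it currently only mentions the move to networking.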