From dc7c6baedfb896c468939b8db3ec787bc80a5ca8 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 24 Jul 2024 16:02:16 -0500
Subject: [PATCH] Update TLS ciphers for ingress controller rule

The following ciphers are all supported with TLS v1.3, but we weren't checking for them in the OpenShift ingress controller configuration:

- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256

This commit updates the regular expression in the rule to check for those ciphers so the check doesn't fail if OpenShift is using them. It also add some formatting to the rule so it's consistent with other TLS-related rules, like for the API server.

The following ciphers were listed in the "old" profile, or insecure, which should only be used as a last resort for server TLS configuration:

- AES128-GCM-SHA256
- AES256-GCM-SHA384
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384

This commit removes them from the ingress controller rule so that it fails if a cluster is using these ciphers.

References:

- https://wiki.mozilla.org/Security/Server_Side_TLS
- https://docs.openssl.org/1.1.1/man1/ciphers/
---
.../rule.yml | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
index 05986eff3099..28ea576297ed 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
@@ -18,18 +18,30 @@ severity: medium
# cce@ocp4:
references:
- cis@ocp4: 4.2.13
+ cis@ocp4: 4.2.12
-ocil_clause: "TLS cipher suite configuration is not configured"
+ocil_clause: "Ingress controller TLS cipher suite configuration is incomplete or possibly insecure"
ocil: |-
Run the following command on the kubelet nodes(s):
- {{% raw %}}
oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384"],"minTLSVersion":"VersionTLS12"} } } }'
{{% endraw %}} +
oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305"],"minTLSVersion":"VersionTLS12"} } } }'
warnings:
- general: |-
{{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default") | indent(4) }}}
+# Recommended ciphers
+# ECDHE-ECDSA-AES128-GCM-SHA256
+# ECDHE-ECDSA-CHACHA20-POLY1305
+# ECDHE-ECDSA-AES256-GCM-SHA384
+# TLS_CHACHA20_POLY1305_SHA256
+# TLS_AES_128_GCM_SHA256
+# TLS_AES_256_GCM_SHA384
+#
+# Secure ciphers
+# ECDHE-RSA-AES128-GCM-SHA256
+# ECDHE-RSA-AES256-GCM-SHA384
+# ECDHE-RSA-CHACHA20-POLY1305
template:
name: yamlfile_value
vars:
@@ -37,5 +49,5 @@ template:
filepath: '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default'
yamlpath: ".status.tlsProfile.ciphers[:]"
values:
- - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|AES256-GCM-SHA384|AES128-GCM-SHA256)$'
+ - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$'
operation: 'pattern match'
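Review bot: The remediation in the new `ocil` block installs a `Custom` tlsSecurityProfile, which freezes this exact cipher list on the cluster: unlike the operator-maintained `Intermediate` profile, nothing will remove a suite from it if it is later deprecated, so the text should say this is deliberate and needs periodic review. It is also worth confirming against the IngressController API that TLS 1.3 suite names such as `TLS_AES_128_GCM_SHA256` are accepted in `custom.ciphers` and echoed back in `.status.tlsProfile.ciphers`, since that status field is what the rule's check reads; if the operator only reports the TLS 1.2 suites, the TLS 1.3 names in the command are inert and the regex additions never exercise. I would add one line after the command in `ocil`: `A Custom profile is not maintained by the operator; re-check this list against the Mozilla Intermediate recommendation whenever it changes.` The `cis@ocp4` reference moves from 4.2.13 to 4.2.12 in this hunk without a word in the commit message, which is worth a sentence there.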
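Review bot: The new allowlist at `values:` constrains only cipher names; `.status.tlsProfile.minTLSVersion` is not evaluated by this rule, so a `Custom` profile that uses only allowlisted suites but sets a lower `minTLSVersion` than the `VersionTLS12` the ocil command configures would still pass here unless a sibling rule covers it (none is visible from this hunk). The allowlist now also lives in two places, the regex and the comment block added above `template:`, and the two will drift silently unless one is marked canonical. I would put a comment directly above the `- value:` line: `# Allowlist: every entry of .status.tlsProfile.ciphers must match; keep in sync with the cipher comments above. minTLSVersion is not checked by this rule.` Whether an empty or absent `ciphers` list fails or passes depends on the yamlfile_value template's handling of a missing yamlpath, which is outside this hunk; confirm that an unpopulated status does not count as compliant.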