Update TLS ciphers for ingress controller rule

rhmdnd · rhmdnd · commit dc7c6baedfb8 · 2024-07-26T13:33:33.000-05:00
The following ciphers are all supported with TLS v1.3, but we weren't checking for them in the OpenShift ingress controller configuration: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 This commit updates the regular expression in the rule to check for those ciphers so the check doesn't fail if OpenShift is using them. It also add some formatting to the rule so it's consistent with other TLS-related rules, like for the API server. The following ciphers were listed in the "old" profile, or insecure, which should only be used as a last resort for server TLS configuration: - AES128-GCM-SHA256 - AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 This commit removes them from the ingress controller rule so that it fails if a cluster is using these ciphers. References: - https://wiki.mozilla.org/Security/Server_Side_TLS - https://docs.openssl.org/1.1.1/man1/ciphers/
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
@@ -18,24 +18,36 @@ severity: medium
 #    cce@ocp4:
 
 references:
-  cis@ocp4: 4.2.13
+  cis@ocp4: 4.2.12
 
-ocil_clause: "TLS cipher suite configuration is not configured"
+ocil_clause: "Ingress controller TLS cipher suite configuration is incomplete or possibly insecure"
 
 ocil: |-
   Run the following command on the kubelet nodes(s):
-  {{% raw %}}<pre>oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384"],"minTLSVersion":"VersionTLS12"} } } }'</pre>{{% endraw %}}
+  <pre>oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305"],"minTLSVersion":"VersionTLS12"} } } }'</pre>
 
 warnings:
 - general: |-
     {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default") | indent(4) }}}
 
+# Recommended ciphers
+# ECDHE-ECDSA-AES128-GCM-SHA256
+# ECDHE-ECDSA-CHACHA20-POLY1305
+# ECDHE-ECDSA-AES256-GCM-SHA384
+# TLS_CHACHA20_POLY1305_SHA256
+# TLS_AES_128_GCM_SHA256
+# TLS_AES_256_GCM_SHA384
+#
+# Secure ciphers
+# ECDHE-RSA-AES128-GCM-SHA256
+# ECDHE-RSA-AES256-GCM-SHA384
+# ECDHE-RSA-CHACHA20-POLY1305
 template:
   name: yamlfile_value
   vars:
     ocp_data: "true"
     filepath: '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default'
     yamlpath: ".status.tlsProfile.ciphers[:]"
     values:
-    - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|AES256-GCM-SHA384|AES128-GCM-SHA256)$'
+    - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$'
       operation: 'pattern match'
