From 64cf1a6758da2bc15b362e845cc14df545bc6373 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Wed, 24 Jul 2024 16:02:16 -0500
Subject: [PATCH 1/3] Update TLS ciphers for ingress controller rule
The following ciphers are all supported with TLS v1.3, but we weren't checking for them in the OpenShift ingress controller configuration:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
This commit updates the regular expression in the rule to check for those ciphers so the check doesn't fail if OpenShift is using them. It also add some formatting to the rule so it's consistent with other TLS-related rules, like for the API server.
The following ciphers were listed in the "old" profile, or insecure, which should only be used as a last resort for server TLS configuration:
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES256-GCM-SHA384
This commit removes them from the ingress controller rule so that it fails if a cluster is using these ciphers.
References:
- https://wiki.mozilla.org/Security/Server_Side_TLS
- https://docs.openssl.org/1.1.1/man1/ciphers/
---
 .../rule.yml | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
index 05986eff309..28ea576297e 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
@@ -18,18 +18,30 @@ severity: medium
 # cce@ocp4:
 references:
- cis@ocp4: 4.2.13
+ cis@ocp4: 4.2.12
-ocil_clause: "TLS cipher suite configuration is not configured"
+ocil_clause: "Ingress controller TLS cipher suite configuration is incomplete or possibly insecure"
 ocil: |-
 Run the following command on the kubelet nodes(s):
- {{% raw %}}
oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384"],"minTLSVersion":"VersionTLS12"} } } }'
{{% endraw %}} +
oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305"],"minTLSVersion":"VersionTLS12"} } } }'
warnings:
 - general: |-
 {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default") | indent(4) }}}
+# Recommended ciphers
+# ECDHE-ECDSA-AES128-GCM-SHA256
+# ECDHE-ECDSA-CHACHA20-POLY1305
+# ECDHE-ECDSA-AES256-GCM-SHA384
+# TLS_CHACHA20_POLY1305_SHA256
+# TLS_AES_128_GCM_SHA256
+# TLS_AES_256_GCM_SHA384
+#
+# Secure ciphers
+# ECDHE-RSA-AES128-GCM-SHA256
+# ECDHE-RSA-AES256-GCM-SHA384
+# ECDHE-RSA-CHACHA20-POLY1305
 template:
 name: yamlfile_value
 vars:
@@ -37,5 +49,5 @@ template:
 filepath: '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default'
 yamlpath: ".status.tlsProfile.ciphers[:]"
 values:
- - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|AES256-GCM-SHA384|AES128-GCM-SHA256)$'
+ - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$'
 operation: 'pattern match'
From cd81b94d1a276c93bc0aeaeb8010a486afb9882a Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Fri, 26 Jul 2024 15:58:32 -0500
Subject: [PATCH 2/3] Update ciphers in ingress controller remediation
Since we're updating the recommended OCIL, we can also update the remediation shipped with the content so that it matches. This will allow users to apply a remediation that updates their TLS ciphers so their either Recommended or Secure.
This commit has a dependency on a permission change to the operator cluster role so that it can actually apply the remediation at runtime: https://github.com/ComplianceAsCode/compliance-operator/pull/558
---
 .../kubernetes/shared.yml | 6 ++++++
 1 file changed, 6 insertions(+)
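Review bot: The OCIL text still hands the auditor an `oc patch` that rewrites the IngressController's tlsSecurityProfile, so the manual "check" is a mutating change rather than a verification, and the context line "Run the following command on the kubelet nodes(s)" is misleading because the command is an API call made with `oc` from wherever cluster-admin credentials are available, not on a node. A read-only check that mirrors what the template evaluates would be `oc -n openshift-ingress-operator get ingresscontroller/default -o jsonpath='{.status.tlsProfile}'`, followed by a sentence asking the reader to confirm every cipher listed appears in the Recommended or Secure list from the comment block. The patch command can remain, but labelled as the remediation rather than the check. The `{{% raw %}}`/`{{% endraw %}}` region of this hunk is partly garbled in this rendering, so the exact placement of the new command line should be confirmed against the file.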
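Review bot: The commit message lists `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384` among the ciphers being removed, but the old pattern on the `-` line never contained them; what this hunk actually drops is only `AES256-GCM-SHA384|AES128-GCM-SHA256`, and the DHE suites stay rejected. The rationale also lumps ephemeral-DH suites, which are forward secret and, as far as I recall, part of the referenced Mozilla intermediate profile, together with static-RSA key exchange, and the `default_result: FAIL` assertions added in patch 3 suggest the operator's stock profile carries suites outside this allow-list, so an untouched cluster will now fail and be pushed onto a Custom profile. Either add `|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384` before the closing `)$` while keeping the RSA-key-exchange suites out, or state in the rule's description why the built-in profile is treated as non-compliant. Separately, the anchored pattern is evaluated per element of `.status.tlsProfile.ciphers[:]`; whether an empty or not-yet-populated status list passes vacuously depends on the yamlfile_value template, which is not visible here and is worth pinning with a test fixture.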
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml
index dc86ab30060..40a7037fb45 100644
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml
+++ b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml
@@ -11,6 +11,12 @@ spec:
 ciphers:
 - ECDHE-ECDSA-AES128-GCM-SHA256
 - ECDHE-RSA-AES128-GCM-SHA256
+ - ECDHE-ECDSA-CHACHA20-POLY1305
 - ECDHE-RSA-AES256-GCM-SHA384
+ - ECDHE-RSA-CHACHA20-POLY1305
+ - ECDHE-ECDSA-AES256-GCM-SHA384
+ - TLS_AES_128_GCM_SHA256
+ - TLS_AES_256_GCM_SHA384
+ - TLS_CHACHA20_POLY1305_SHA256
 minTLSVersion: VersionTLS12
 type: Custom
From 3c24d289a2eb4df9476542197623b65c72d40232 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Fri, 26 Jul 2024 16:12:37 -0500
Subject: [PATCH 3/3] Add kubelet tls ingresscontroller rule to CIS benchmarks
This rule was originally written for CIS benchmarks, but somewhere along the way it was refactored out. This could have been due to a re-indexing of the controls from the benchmark.
This commit adds the rule back into the CIS profiles so that it's run with all supports CIS benchmarks. We should be able to prevent against regressions by including it to the e2e rule assertion files.
---
 controls/cis_ocp_1_4_0/section-4.yml | 1 +
 tests/assertions/ocp4/ocp4-cis-4.12.yml | 3 +++
 tests/assertions/ocp4/ocp4-cis-4.13.yml | 3 +++
 tests/assertions/ocp4/ocp4-cis-4.14.yml | 3 +++
 tests/assertions/ocp4/ocp4-cis-4.15.yml | 3 +++
 tests/assertions/ocp4/ocp4-cis-4.16.yml | 3 +++
 6 files changed, 16 insertions(+)
diff --git a/controls/cis_ocp_1_4_0/section-4.yml b/controls/cis_ocp_1_4_0/section-4.yml
index 6ad340af6e5..de78224ab04 100644
--- a/controls/cis_ocp_1_4_0/section-4.yml
+++ b/controls/cis_ocp_1_4_0/section-4.yml
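Review bot: The remediation pins `type: Custom` with a fixed nine-suite list and `minTLSVersion: VersionTLS12`; as I understand the IngressController API, a Custom profile is static and does not pick up changes the operator makes to its built-in profiles, so this list becomes a maintenance item for the cluster owner and that is not documented anywhere in the hunk. A comment above `ciphers:` would help, e.g. `# Custom profiles are static: revisit this list whenever the rule's allow-list changes.` Note also that this remediation, like the rule's `filepath`, targets only `ingresscontrollers/default`, so any additional IngressController objects (sharded ingress) are neither checked nor remediated; that limitation belongs in the rule description. The object header of this remediation is outside the hunk.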
@@ -157,5 +157,6 @@ controls:
 status: automated
 rules:
 - kubelet_configure_tls_cipher_suites
+ - kubelet_configure_tls_cipher_suites_ingresscontroller
 levels: [ level_1, ]
diff --git a/tests/assertions/ocp4/ocp4-cis-4.12.yml b/tests/assertions/ocp4/ocp4-cis-4.12.yml
index 61db2908f74..9edf04303b9 100644
--- a/tests/assertions/ocp4/ocp4-cis-4.12.yml
+++ b/tests/assertions/ocp4/ocp4-cis-4.12.yml
@@ -89,6 +89,9 @@ rule_results:
 e2e-cis-api-server-kubelet-client-key-pre-4-9:
 default_result: NOT-APPLICABLE
 result_after_remediation: NOT-APPLICABLE
+ e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
 e2e-cis-api-server-oauth-https-serving-cert:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-cis-4.13.yml b/tests/assertions/ocp4/ocp4-cis-4.13.yml
index 47295d4304e..171217591a7 100644
--- a/tests/assertions/ocp4/ocp4-cis-4.13.yml
+++ b/tests/assertions/ocp4/ocp4-cis-4.13.yml
@@ -87,6 +87,9 @@ rule_results:
 e2e-cis-api-server-kubelet-client-key-pre-4-9:
 default_result: NOT-APPLICABLE
 result_after_remediation: NOT-APPLICABLE
+ e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
 e2e-cis-api-server-oauth-https-serving-cert:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-cis-4.14.yml b/tests/assertions/ocp4/ocp4-cis-4.14.yml
index 47295d4304e..171217591a7 100644
--- a/tests/assertions/ocp4/ocp4-cis-4.14.yml
+++ b/tests/assertions/ocp4/ocp4-cis-4.14.yml
@@ -87,6 +87,9 @@ rule_results:
 e2e-cis-api-server-kubelet-client-key-pre-4-9:
 default_result: NOT-APPLICABLE
 result_after_remediation: NOT-APPLICABLE
+ e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
 e2e-cis-api-server-oauth-https-serving-cert:
 default_result: PASS
 result_after_remediation: PASS
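Review bot: The control this rule is appended to is not visible in the hunk (only `status: automated`, `rules:` and `levels:` are shown), so it should be confirmed that it is the 4.2.12 control: patch 1 changes the rule's reference from `cis@ocp4: 4.2.13` to `cis@ocp4: 4.2.12`, and the control file and the rule's reference need to agree or the rule will be reported under one section and referenced under another. If the enclosing control turns out to be a different ID, rule.yml is the place to fix. The enclosing control block starts before the hunk.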
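Review bot: The new `e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller` entry is inserted between two `e2e-cis-api-server-*` entries here and in the 4.13, 4.14 and 4.15 files, whereas in the 4.16 file it is placed with the other `e2e-cis-kubelet-*` entries; using the same placement in every assertion file makes the lists easier to diff across OCP versions. Moving the three added lines next to the `e2e-cis-kubelet-*` entries in the 4.12 to 4.15 files would match 4.16.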
diff --git a/tests/assertions/ocp4/ocp4-cis-4.15.yml b/tests/assertions/ocp4/ocp4-cis-4.15.yml
index bbc3eb065a6..d2500292e6c 100644
--- a/tests/assertions/ocp4/ocp4-cis-4.15.yml
+++ b/tests/assertions/ocp4/ocp4-cis-4.15.yml
@@ -89,6 +89,9 @@ rule_results:
 e2e-cis-api-server-kubelet-client-key-pre-4-9:
 default_result: NOT-APPLICABLE
 result_after_remediation: NOT-APPLICABLE
+ e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
 e2e-cis-api-server-oauth-https-serving-cert:
 default_result: PASS
 result_after_remediation: PASS
diff --git a/tests/assertions/ocp4/ocp4-cis-4.16.yml b/tests/assertions/ocp4/ocp4-cis-4.16.yml
index 47295d4304e..f36faaf60f9 100644
--- a/tests/assertions/ocp4/ocp4-cis-4.16.yml
+++ b/tests/assertions/ocp4/ocp4-cis-4.16.yml
@@ -207,6 +207,9 @@ rule_results:
 e2e-cis-kubelet-disable-readonly-port:
 default_result: PASS
 result_after_remediation: PASS
+ e2e-cis-kubelet-configure-tls-cipher-suites-ingresscontroller:
+ default_result: FAIL
+ result_after_remediation: PASS
 e2e-cis-ocp-allowed-registries:
 default_result: FAIL
 e2e-cis-ocp-allowed-registries-for-import: