File: rule.yml

scap-security-guide 0.1.79-1
documentation_complete: true


title: "Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers"

description: |-
  Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
  To set the cipher suites for the kubelet, create a new or modify an existing
  <tt>KubeletConfig</tt> object along these lines, one for every
  <tt>MachineConfigPool</tt> (substitute the pool name for <tt>$pool_name</tt>):
    <pre>
    apiVersion: machineconfiguration.openshift.io/v1
    kind: KubeletConfig
    metadata:
      name: kubelet-config-$pool_name
    spec:
      machineConfigPoolSelector:
        matchLabels:
          pools.operator.machineconfiguration.openshift.io/$pool_name: ""
      kubeletConfig:
        tlsCipherSuites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    </pre>
  In order to configure this rule to check for an alternative set of cipher suites,
  both <tt>var_kubelet_tls_cipher_suites_regex</tt> and
  <tt>var_kubelet_tls_cipher_suites</tt> have to be set.
rationale: |-
  A number of TLS cipher suites have known vulnerabilities and weaknesses
  that reduce the protection they provide. By default Kubernetes, and with
  it the kubelet, accepts a number of TLS cipher suites, including some
  with security concerns, which weakens the protection of kubelet traffic.

severity: medium

identifiers:
    cce@ocp4: CCE-86030-4

references:
  cis@ocp4: 4.2.12
  nerc-cip: CIP-003-8 R6,CIP-004-6 R3,CIP-007-3 R6.1
  nist: CM-6,CM-6(1)
  srg: SRG-APP-000516-CTR-001325

platform: ocp4-node

ocil_clause: "TLS cipher suite configuration is not configured or contains insecure ciphers"

ocil: |-
    Run the following command against the cluster; it queries each node's kubelet configz endpoint through the API server proxy, so it needs cluster-admin access but does not need to be run on the nodes themselves:
    <pre>$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites'; done</pre>
    Verify that the set of ciphers contains only the following:
    <pre>
    TLS_AES_128_GCM_SHA256,
    TLS_AES_256_GCM_SHA384,
    TLS_CHACHA20_POLY1305_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    </pre>

template:
    name: yamlfile_value
    vars:
        filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
        yamlpath: ".kubeletconfig.tlsCipherSuites[:]"
        xccdf_variable: var_kubelet_tls_cipher_suites_regex
        regex_data: true
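The check this rule performs, reimplemented as an added example (not code from scap-security-guide or the Compliance Operator): it reads the kubelet `configz` payload the OCIL command above retrieves, builds an anchored allowlist regex of the shape one would put in `var_kubelet_tls_cipher_suites_regex`, and fails either when `tlsCipherSuites` is absent or empty (the "not configured" case in the `ocil_clause`) or when any listed suite falls outside the allowlist. The sample payloads are constructed, not captured from a cluster; the per-element regex match is an assumption about how the `yamlfile_value` template with `regex_data: true` evaluates each entry of `.kubeletconfig.tlsCipherSuites[:]`.

```python
import json
import re

# The cipher suites the rule accepts (the list from the description above).
STRONG_CIPHER_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]


def allowlist_regex(suites):
    """Build an anchored alternation of the allowed suite names.

    This is the shape of value one would set in
    var_kubelet_tls_cipher_suites_regex: every element of tlsCipherSuites
    has to match it in full, so a suite outside the list can never match.
    """
    return "^(" + "|".join(re.escape(s) for s in suites) + ")$"


def check_kubelet_ciphers(configz_json, pattern):
    """Evaluate a kubelet /configz payload against the allowlist pattern.

    Returns (passed, findings). The check fails when tlsCipherSuites is
    missing or empty (the kubelet then uses Go's default suite list, which
    the rule treats as "not configured") and when any entry does not match
    the pattern. Assumption: the template matches each list element
    separately, which is what is mirrored here.
    """
    cfg = json.loads(configz_json).get("kubeletconfig", {})
    suites = cfg.get("tlsCipherSuites") or []
    if not suites:
        return False, ["tlsCipherSuites is not configured"]
    rx = re.compile(pattern)
    bad = [s for s in suites if not rx.search(s)]
    return (not bad), ["disallowed cipher suite: " + s for s in bad]


# Constructed sample payloads in the shape /api/v1/nodes/<node>/proxy/configz
# returns; they are not captured from a real cluster.
COMPLIANT_CONFIGZ = json.dumps(
    {"kubeletconfig": {"tlsCipherSuites": STRONG_CIPHER_SUITES}})
NONCOMPLIANT_CONFIGZ = json.dumps(
    {"kubeletconfig": {"tlsCipherSuites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",  # CBC, no forward secrecy
    ]}})
UNCONFIGURED_CONFIGZ = json.dumps(
    {"kubeletconfig": {"cgroupDriver": "systemd"}})


if __name__ == "__main__":
    pattern = allowlist_regex(STRONG_CIPHER_SUITES)
    for name, payload in [("compliant", COMPLIANT_CONFIGZ),
                          ("noncompliant", NONCOMPLIANT_CONFIGZ),
                          ("unconfigured", UNCONFIGURED_CONFIGZ)]:
        ok, findings = check_kubelet_ciphers(payload, pattern)
        print(name, "PASS" if ok else "FAIL", findings)
```

Two points worth knowing when reading the output: a suite name that is merely unknown to the kubelet is rejected at startup rather than silently dropped, so a typo in `tlsCipherSuites` shows up as a node that never becomes Ready, not as a configz entry; and the three `TLS_AES_*`/`TLS_CHACHA20_*` entries are TLS 1.3 suites, which Go's TLS stack always enables and does not let `tlsCipherSuites` restrict, so the list above effectively constrains only the TLS 1.2 handshakes.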