OCP: Add vaiabled support for kubelet_configure_tls_cipher_suites

User can choose which cipher to be used by setting two variable, var_kubelet_tls_cipher_suites_regex, and var_kubelet_tls_cipher_suites Add regex varaible support to yamlfile_value template
ComplianceAsCode · Mar 11, 2022 · 37e5278 · 37e5278
1 parent dfad74d
commit 37e5278
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 10 deletions.
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/kubernetes/shared.yml
@@ -1,11 +1,8 @@
 ---
 # platform = multi_platform_ocp
+# {{.var_kubelet_tls_cipher_suites_regex}} we have to put variable array name here for mutilines remediation 
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
 spec:
   kubeletConfig:
-    tlsCipherSuites:
-    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+    tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}]
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
@@ -27,7 +27,8 @@ description: |-
           - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
           - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
     </pre>
-
+  In order to configure this rule to check alternative cipher, both var_kubelet_tls_cipher_suites_regex
+  and var_kubelet_tls_cipher_suites have to be set
 rationale: |-
   TLS ciphers have had a number of known vulnerabilities and weaknesses,
   which can reduce the protection provided by them. By default Kubernetes
@@ -63,7 +64,4 @@ template:
   vars:
     filepath: /etc/kubernetes/kubelet.conf
     yamlpath: ".tlsCipherSuites[:]"
-    values:
-    - value: '^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)$'
-      operation: 'pattern match'
-
+    xccdf_variable: var_kubelet_tls_cipher_suites_regex
diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'Configure Kubelet use of the Strong Cryptographic Ciphers'
+
+description: 'Cryptographic Ciphers Available for Kubelet, seperated by comma'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var
@@ -0,0 +1,14 @@
+documentation_complete: true
+
+title: 'Configure Kubelet use of the Strong Cryptographic Ciphers'
+
+description: 'Cryptographic Ciphers Available for Kubelet'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)$"
diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -818,6 +818,10 @@ The selected value can be changed in the profile (consult the actual variable fo
 
     -   **embedded_data** - if set to `"true"` and used combined with `xccdf_variable`, the data retrieved by `yamlpath`
         is considered as a blob and the field `value` has to contain a capture regex.
+
+    -   **regex_data** - if set to `"true"` and combined with `xccdf_variable`, it will use the value of `xccdf_variable` as a regex
+        and does pattern match operation instead of equal operation.
+
 
     -   **check_existence_yamlpath** - optional YAML Path that could be set to ensure that the target sequence from `yamlpath` has all
         required sub-elements. It is helpful when the `yamlpath` is targeting a map inside a sequence, and the document could be

diff --git a/shared/templates/yamlfile_value/oval.template b/shared/templates/yamlfile_value/oval.template
@@ -113,8 +113,12 @@
       {{% if XCCDF_VARIABLE and not EMBEDDED_DATA %}}
       {{% set name = "#" if not VALUES else (VALUES|first).key|default("#")|escape_yaml_key %}}
       {{% set datatype = "string" if not VALUES else (VALUES|first).type|default("string") %}}
+      {{% if not REGEX_DATA %}}
       <field {{{ {'name': name, 'datatype': datatype, 'operation': 'equals'}|xmlattr }}} var_ref="{{{ XCCDF_VARIABLE }}}" />
       {{% else %}}
+      <field {{{ {'name': "#", 'operation': 'pattern match'}|xmlattr }}} var_ref="{{{ XCCDF_VARIABLE }}}" />
+      {{% endif %}}
+      {{% else %}}
       {{% for val in VALUES %}}
       <field {{{ {'name': val.key|default("#")|escape_yaml_key, 'datatype': val.type,  'operation':  val.operation, 'entity_check': val.entity_check}|xmlattr }}}>{{{ val.value }}}</field>
       {{% endfor %}}

diff --git a/shared/templates/yamlfile_value/template.py b/shared/templates/yamlfile_value/template.py
@@ -6,6 +6,9 @@ def preprocess(data, lang):
     embedded_data = parse_template_boolean_value(data, parameter="embedded_data", default_value=False)
     data["embedded_data"] = embedded_data
 
+    regex_data = parse_template_boolean_value(data, parameter="regex_data", default_value=False)
+    data["regex_data"] = regex_data
+
     if data.get("xccdf_variable") and embedded_data:
         values = data.get("values", [{}])
         if len(values) > 1: