OpenShift Bugs: OCPBUGS-2331

CIS scan rules fail to validate newer TLS cipher suites


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Affects Version/s: 4.12, 4.11, 4.10
    • Component/s: Compliance Operator
    • Severity: Important
    • Sprint: CMP Sprint 54, CMP Sprint 55

      Description of problem:

      If you scan your cluster using the Compliance Operator's CIS scan, you'll see a failure for TLS cipher suites.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install the compliance operator (I installed 0.1.55 from upstream, but 0.1.53 will reproduce the issue, too)
      2. Create a scan binding for CIS
      3. Observe that the ocp4-cis-kubelet-configure-tls-cipher-suites rule fails

      Actual results:

      The ocp4-cis-kubelet-configure-tls-cipher-suites rule evaluates as FAIL

      Expected results:

      I'd expect it to pass since the default tlsCipherSuite includes all the defaults recommended by CIS and two additional ciphers.

      https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256/
      https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256/

      Additional info:
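As an added illustration (not code from this report or from the Compliance Operator), the following Python evaluates a kubelet tlsCipherSuites list the way an allowlist-style benchmark rule does: under an allowlist that predates the two ChaCha20 suites named above, a configuration that is a strict superset of the recommended suites is flagged FAIL, and it passes once the allowlist is extended. The kubelet config fragment and both allowlists are constructed for the example and are assumptions, not the rule's actual content.

```python
"""Allowlist-style evaluation of a kubelet tlsCipherSuites setting.

Shows why a configuration that carries every recommended suite plus two
newer ones still fails when the rule's approved list has not been updated.
"""
import json

# Constructed kubelet config fragment: four assumed default AES-GCM suites
# plus the two ChaCha20 suites the report identifies as the "additional" ones.
KUBELET_CONFIG = json.loads("""{
  "kind": "KubeletConfiguration",
  "tlsCipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
  ]
}""")

# Assumed approved list as an older rule might carry it (AES-GCM only).
STALE_ALLOWLIST = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
})
# The same list extended with the two suites named in the report.
UPDATED_ALLOWLIST = STALE_ALLOWLIST | frozenset({
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
})


def evaluate_rule(config, allowlist):
    """Return ("PASS" or "FAIL", list of findings).

    The check is "every configured suite must be approved". A configured
    suite absent from the allowlist is a finding, so a superset of the
    recommended list fails whenever the allowlist lags behind it. An unset
    or empty tlsCipherSuites is also a failure, since the kubelet would then
    fall back to its built-in defaults rather than the benchmark's list.
    """
    suites = config.get("tlsCipherSuites") or []
    if not suites:
        return "FAIL", ["tlsCipherSuites is not set"]
    unapproved = [s for s in suites if s not in allowlist]
    return ("FAIL" if unapproved else "PASS"), unapproved


if __name__ == "__main__":
    for label, allow in (("stale", STALE_ALLOWLIST), ("updated", UPDATED_ALLOWLIST)):
        status, findings = evaluate_rule(KUBELET_CONFIG, allow)
        print(f"{label:8} allowlist -> {status} {findings}")
```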

      wenshen@redhat.com Vincent Shen
      lbragsta@redhat.com Lance Bragstad
      Xiaojie Yuan Xiaojie Yuan