ComplianceAsCode · sluetze · Sep 3, 2025 · Sep 5, 2025 · Sep 5, 2025 · Sep 5, 2025
diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/kubernetes/shared.yml
@@ -0,0 +1,12 @@
+---
+# platform = multi_platform_ocp
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  tlsSecurityProfile:
+    type: Custom
+    custom:
+      ciphers: [ {{ .var_apiserver_tls_cipher_suites }} ]
+      minTLSVersion: VersionTLS12
diff --git a/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml b/applications/openshift/api-server/api_server_tls_cipher_suites/rule.yml
@@ -19,15 +19,7 @@ description: |-
     "servingInfo":{
       ...
       "cipherSuites": [
-        "TLS_AES_128_GCM_SHA256",
-        "TLS_AES_256_GCM_SHA384",
-        "TLS_CHACHA20_POLY1305_SHA256",
-        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+      {{{ xccdf_value("var_apiserver_tls_cipher_suites") | indent(8) }}}
       ],
       ...
     </pre>
@@ -48,22 +40,14 @@ references:
 
 platform: not ocp4-on-hypershift-hosted
 
-ocil_clause: '<tt>cipherSuites</tt> is not configured, or contains ciphers (possibly insecure) other than  TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, or TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 in servingInfo'
+ocil_clause: '<tt>cipherSuites</tt> is not configured, or contains ciphers (possibly insecure) other than  {{ .var_apiserver_tls_cipher_suites }} in servingInfo'
 
 ocil: |-
     Run the following command:
     <pre>$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.servingInfo["cipherSuites"]'</pre>
     Verify that the set of ciphers contains only the following:
     <pre>
-    "TLS_AES_128_GCM_SHA256",
-    "TLS_AES_256_GCM_SHA384",
-    "TLS_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
-    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+    {{.var_apiserver_tls_cipher_suites}}
     </pre>
 
 warnings:
@@ -81,7 +65,5 @@ template:
     entity_check: "all"
     filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
     yamlpath: '.servingInfo.cipherSuites[:]'
-    values:
-    - value: 'TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
-      operation: "pattern match"
-      type: "string"
+    regex_data: "true"
+    xccdf_variable: var_apiserver_tls_cipher_suites_regex
diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites.var
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS Cipher Suites'
+
+description: 'OpenShift Kube APIServer TLS Cipher Suites comma separated string, used for Remediation and manual check text. They need to follow openSSL notation'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305"'
+  mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"'
+
+  # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+  # we do not add the DH Ciphers, as they are only considered secure until 2029 and are not in the APIServer default Ciphers
+  2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"'
diff --git a/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var b/applications/openshift/api-server/var_apiserver_tls_cipher_suites_regex.var
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+title: 'OpenShift Kube APIServer TLS cipher suites regex'
+
+description: 'OpenShift Kube APIServer TLS cipher suites regex, following IANA Notation, used for automatic check'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|)$"
+  mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305)$"
+
+  # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+  # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+  2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)$"
diff --git a/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml b/applications/openshift/etcd/etcd_check_cipher_suite/rule.yml
@@ -23,8 +23,8 @@ ocil_clause: 'ETCD cipher suite does not meet requirements'
 
 ocil: |-
     Run the following command to check the cipher suites for ETCD:
-    <pre>$  oc get configmaps etcd-pod -n openshift-etcd -o yaml | grep -oE 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'</pre>
-    Make sure that the result has at least one cipher.
+    <pre>$ oc get configmaps etcd-pod -n openshift-etcd -o json | jq -r '.data["pod.yaml"]' |  grep -P "{{ .var_etcd_tls_cipher_suites_regex }}" </pre>
+    Make sure that the result prints the configured cipher suites. If the result is empty, the cipher suites are not configured properly.
 
 severity: medium
 
@@ -37,6 +37,5 @@ template:
     ocp_data: "true"
     filepath: /api/v1/namespaces/openshift-etcd/configmaps/etcd-pod
     yamlpath: ".data['pod.yaml']"
-    values:
-    - value: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
-      operation: 'pattern match'
+    xccdf_variable: var_etcd_tls_cipher_suites_regex
+    regex_data: true
diff --git a/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var b/applications/openshift/etcd/var_etcd_tls_cipher_suites_regex.var
@@ -0,0 +1,22 @@
+documentation_complete: true
+
+title: 'OpenShift Etcd TLS Cipher Suites Regex'
+
+description: 'OpenShift Etcd TLS Cipher Suites Regex'
+
+type: string
+
+operator: pattern match
+
+interactive: false
+
+# in contrast to other cipher regexes this one is not for a single string, but for multiple
+# since the pod.yaml configures them multiple times for different containers.
+# due to this we cant compare line by line and to do some more complex regex magic
+options:
+  # these regex catch all configured, allowed ciphers in the list PLUS some config around. If there are additional ciphers, which are catched by the negative lookahead, the expression fails.
+  # the regex is focussed only on the lines with "value:"
+  # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+  default: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256))(?!.*TLS_(?!AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)[A-Z0-9_]+).*\"'
+  mozilla_intermediate: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305))(?!.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|DHE_RSA_WITH_AES_128_GCM_SHA256,DHE_RSA_WITH_AES_256_GCM_SHA384,DHE_RSA_CHACHA20_POLY1305)[A-Z0-9_]+).*\"'
+  2024-01-BSI-TR-02102-2: 'value: \"(?=.*TLS_(?:AES_128_GCM_SHA256|AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|DHE_RSA_WITH_AES_128_GCM_SHA256|DHE_RSA_WITH_AES_256_GCM_SHA384))(?!.*TLS_(?!AES_128_GCM_SHA256|AES_256_GCM_SHA384|ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|ECDHE_RSA_WITH_AES_128_GCM_SHA256|ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|ECDHE_RSA_WITH_AES_256_GCM_SHA384|DHE_RSA_WITH_AES_128_GCM_SHA256|DHE_RSA_WITH_AES_256_GCM_SHA384)[A-Z0-9_]+).*\"'
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml
@@ -12,22 +12,14 @@ description: |-
     apiVersion: machineconfiguration.openshift.io/v1
     kind: KubeletConfig
     metadata:
-       name: kubelet-config-$pool
+        name: kubelet-config-$pool
     spec:
         machineConfigPoolSelector:
             matchLabels:
                 pools.operator.machineconfiguration.openshift.io/$pool_name: ""
         kubeletConfig:
           tlsCipherSuites:
-          - TLS_AES_128_GCM_SHA256
-          - TLS_AES_256_GCM_SHA384
-          - TLS_CHACHA20_POLY1305_SHA256
-          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-          - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+            [ {{ .var_kubelet_tls_cipher_suites }} ]
     </pre>
   In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
   and var_kubelet_tls_cipher_suites have to be set
@@ -57,15 +49,7 @@ ocil: |-
     <pre>$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites'; done</pre>
     Verify that the set of ciphers contains only the following:
     <pre>
-    TLS_AES_128_GCM_SHA256,
-    TLS_AES_256_GCM_SHA384,
-    TLS_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
-    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
-    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    {{ .var_kubelet_tls_cipher_suites }}
     </pre>
 
 template:

diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var
@@ -2,7 +2,7 @@ documentation_complete: true
 
 title: 'Configure Kubelet use of the Strong Cryptographic Ciphers'
 
-description: 'Cryptographic Ciphers Available for Kubelet, separated by comma'
+description: 'Cryptographic Ciphers Available for Kubelet comma separated string, used for Remediation and manual check text. They need to follow openSSL notation'
 
 type: string
 
@@ -11,4 +11,8 @@ operator: equals
 interactive: false
 
 options:
-  default: "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
+  default: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"'
+  mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"'
+
+  # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+  2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"'
diff --git a/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var b/applications/openshift/kubelet/var_kubelet_tls_cipher_suites_regex.var
@@ -1,8 +1,8 @@
 documentation_complete: true
 
-title: 'Configure Kubelet use of the Strong Cryptographic Ciphers'
+title: 'Configure Kubelet use of the Strong Cryptographic Ciphers Regex'
 
-description: 'Cryptographic Ciphers Available for Kubelet'
+description: 'Cryptographic Ciphers Available for Kubelet Regex, following IANA Notation, used for automatic check'
 
 type: string
 
@@ -11,4 +11,9 @@ operator: equals
 interactive: false
 
 options:
-  default: "^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$"
+  default: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)$"
+  mozilla_intermediate: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_CHACHA20_POLY1305)$"
+
+  # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+  # while we do not add the DHE Ciphers to the config, they are still valid regarding BSI, so they are accepted
+  2024-01-BSI-TR-02102-2: "^(TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)$"
diff --git a/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml
@@ -8,15 +8,6 @@ metadata:
 spec:
   tlsSecurityProfile:
     custom:
-      ciphers:
-      - ECDHE-ECDSA-AES128-GCM-SHA256
-      - ECDHE-RSA-AES128-GCM-SHA256
-      - ECDHE-ECDSA-CHACHA20-POLY1305
-      - ECDHE-RSA-AES256-GCM-SHA384
-      - ECDHE-RSA-CHACHA20-POLY1305
-      - ECDHE-ECDSA-AES256-GCM-SHA384
-      - TLS_AES_128_GCM_SHA256
-      - TLS_AES_256_GCM_SHA384
-      - TLS_CHACHA20_POLY1305_SHA256
+      ciphers: [ {{ .var_ingresscontroller_tls_cipher_suites }} ]
       minTLSVersion: VersionTLS12
     type: Custom
diff --git a/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml
@@ -23,33 +23,22 @@ references:
 ocil_clause: "Ingress controller TLS cipher suite configuration is incomplete or possibly insecure"
 
 ocil: |-
-  Run the following command on the kubelet nodes(s):
+  Run the following command:
   <pre>oc get ingresscontrollers/default -n openshift-ingress-operator -o=jsonpath='{.status.tlsProfile.ciphers[:]}'</pre>
-  The output should only include relevant and modern TLS ciphers you deem
-  acceptable for your cluster.
+  Verify that the set of ciphers contains only the following:
+  <pre>
+  {{ .var_ingresscontroller_tls_cipher_suites }}
+  </pre>
 
 warnings:
 - general: |-
     {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default") | indent(4) }}}
 
-# Recommended ciphers
-# ECDHE-ECDSA-AES128-GCM-SHA256
-# ECDHE-ECDSA-CHACHA20-POLY1305
-# ECDHE-ECDSA-AES256-GCM-SHA384
-# TLS_CHACHA20_POLY1305_SHA256
-# TLS_AES_128_GCM_SHA256
-# TLS_AES_256_GCM_SHA384
-#
-# Secure ciphers
-# ECDHE-RSA-AES128-GCM-SHA256
-# ECDHE-RSA-AES256-GCM-SHA384
-# ECDHE-RSA-CHACHA20-POLY1305
 template:
   name: yamlfile_value
   vars:
     ocp_data: "true"
     filepath: '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default'
     yamlpath: ".status.tlsProfile.ciphers[:]"
-    values:
-    - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256)$'
-      operation: 'pattern match'
+    xccdf_variable: var_ingresscontroller_tls_cipher_suites_regex
+    regex_data: true
diff --git a/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites.var b/applications/openshift/networking/var_ingresscontroller_tls_cipher_suites.var
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Configure Ingresscontroller use of the Strong Cryptographic Ciphers'
+
+description: 'Cryptographic Ciphers Available for Ingresscontroller comma separated string. Used for the Remediation and manual check'
+
+type: string
+
+operator: equals
+
+interactive: false
+
+options:
+  # default is identical to remediation
+  default: '"ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384","TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256"'
+  mozilla_intermediate: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","DHE-RSA-CHACHA20-POLY1305"'
+
+  # the BSI does not recommend CHACHA cipher in the 2024-01 Version of BSI-TR-02102-2
+  # we do not add the DH Ciphers, as they are only considered secure until 2029 and are not in the APIServer default Ciphers
+  2024-01-BSI-TR-02102-2: '"TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384"'