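--- a/metrics/TransportEncryption/BlockCipher/BlockCipher.yaml
+++ b/metrics/TransportEncryption/BlockCipher/BlockCipher.yaml
@@ -0,0 +1,12 @@
+# ====== Metadata ======
+id: BlockCipher
+description: This rule assesses whether a [Resource] has all its [TransportEncryption] [p1:cipherSuites] configured so that each cipher suite’s sessionCipher is correctly set to the AES block cipher family.
+category: Cryptography
+version: "1.0"
+comments: Aligned with BSI TR-02102-2, which recommends AES-based suites."
+
+# ====== Configuration ======
+configuration:
+p1:
+operator: "regex.match"
+targetValue: "^AES([_-]|$)"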
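Review bot: The `comments` value ends with an unmatched double quote, `...AES-based suites."`, which is carried into the scalar's text as a literal character; drop it: `comments: Aligned with BSI TR-02102-2, which recommends AES-based suites.` The rendered view also shows `p1:`, `operator:` and `targetValue:` at the same column as `configuration:`; if that is the file's actual layout rather than indentation lost in rendering, they are top-level keys instead of children of `configuration:` (the `BlockCipherMode.yaml` section shows the same layout). A short comment above `targetValue` noting that the pattern is case-sensitive and only accepts a leading `AES` followed by `_`, `-` or end of string would help readers who feed it names such as `AES128-GCM`, where no such separator follows.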
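--- a/metrics/TransportEncryption/BlockCipher/data.json
+++ b/metrics/TransportEncryption/BlockCipher/data.json
@@ -0,0 +1,4 @@
+{
+"operator": "regex.match",
+"target_value": "^AES([_-]|$)"
+}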
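Review bot: `target_value` here duplicates `targetValue` in `BlockCipher.yaml`, so the two files must be kept in sync by hand and nothing ties them together; the same applies to the `BlockCipherMode` pair. If the YAML is the source of truth, consider generating this file from it, or document which of the two the evaluator actually reads. The `operator` key is stored but nothing in the accompanying `metric.rego` reads it (the policy calls `regex.match` directly and only looks up `data.target_value`), so its intended consumer is worth a note in the YAML, which allows comments.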
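--- a/metrics/TransportEncryption/BlockCipher/metric.rego
+++ b/metrics/TransportEncryption/BlockCipher/metric.rego
@@ -0,0 +1,22 @@
+package cch.metrics.block_cipher
+
+import rego.v1
+import input as document
+
+default applicable := false
+
+default compliant := false
+
+applicable if {
+document.TransportEncryption
+document.TransportEncryption.cipherSuites
+count(document.TransportEncryption.cipherSuites) > 0
+}
+
+compliant if {
+applicable
+every cs in document.TransportEncryption.cipherSuites {
+cs.sessionCipher
+regex.match(data.target_value, cs.sessionCipher)
+}
+}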
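Review bot: `data.target_value` is looked up at the root of the data document, and the sibling `BlockCipherMode/metric.rego` does the same with a different pattern in its own `data.json`; if both metrics are ever loaded into one OPA data tree, the two root-level `target_value` entries collide and one metric evaluates the other's regex, or loading fails on the conflict. Scoping the value under the package path, e.g. `regex.match(data.cch.metrics.block_cipher.target_value, cs.sessionCipher)` with the JSON nested to match, keeps each metric's configuration isolated. The policy is fail-closed as written: `default compliant := false`, `applicable` requires a non-empty `cipherSuites`, and a suite without `sessionCipher` makes the `every` body undefined so `compliant` stays false; a one-line comment above `compliant` stating that intent would keep it from being changed by accident. `regex.match` is also case-sensitive, so a lowercase `aes-...` value is reported non-compliant rather than normalised; confirm that matches how `sessionCipher` is populated upstream.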
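--- a/metrics/TransportEncryption/BlockCipherMode/BlockCipherMode.yaml
+++ b/metrics/TransportEncryption/BlockCipherMode/BlockCipherMode.yaml
@@ -0,0 +1,12 @@
+# ====== Metadata ======
+id: BlockCipherMode
+description: This rule assesses whether a [Resource] has all its [TransportEncryption] [p1:cipherSuites] configured so that each cipher suite’s sessionCipher mode is correctly configured.
+category: Cryptography
+version: "1.0"
+comments: Aligned with BSI TR-02102-2, which recommends using either CCM mode, or GCM mode, or CBC mode.
+
+# ====== Configuration ======
+configuration:
+p1:
+operator: "regex.match"
+targetValue: "(?:^|[_-])(GCM|CCM|CBC)$"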
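Review bot: The `comments` line presents CBC on a par with GCM and CCM, but CBC is not an AEAD mode and nothing in the description indicates that any further condition (MAC construction, TLS version) is checked alongside it; if the intent is to track BSI TR-02102-2 closely, the comment should state under which conditions CBC is accepted, or the pattern should be narrowed to `(?:^|[_-])(GCM|CCM)$`. The `targetValue` regex is suffix-anchored, so a `sessionCipher` such as `AES_128_GCM` matches while a value carrying a trailing hash or key-length token does not; a short comment next to `targetValue` describing the expected `sessionCipher` format would make that explicit.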
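--- a/metrics/TransportEncryption/BlockCipherMode/data.json
+++ b/metrics/TransportEncryption/BlockCipherMode/data.json
@@ -0,0 +1,4 @@
+{
+"operator": "regex.match",
+"target_value": "(?:^|[_-])(GCM|CCM|CBC)$"
+}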
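--- a/metrics/TransportEncryption/BlockCipherMode/metric.rego
+++ b/metrics/TransportEncryption/BlockCipherMode/metric.rego
@@ -0,0 +1,21 @@
+package cch.metrics.block_cipher_mode
+
+import rego.v1
+import input as document
+
+default applicable := false
+default compliant := false
+
+applicable if {
+document.TransportEncryption
+document.TransportEncryption.cipherSuites
+count(document.TransportEncryption.cipherSuites) > 0
+}
+
+compliant if {
+applicable
+every cs in document.TransportEncryption.cipherSuites {
+cs.sessionCipher
+regex.match(data.target_value, cs.sessionCipher)
+}
+}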