diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml
deleted file mode 100644
index 9e4baaee31e..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/kubernetes/shared.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# platform = multi_platform_ocp
-apiVersion: operator.openshift.io/v1
-kind: KubeAPIServer
-metadata:
- name: cluster
-spec:
- unsupportedConfigOverrides:
- servingInfo:
- cipherSuites:
- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml
deleted file mode 100644
index 4825a381724..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/rule.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-documentation_complete: true
-
-
-title: "Ensure that the Kubernetes API Server Operator only makes use of Strong Cryptographic Ciphers"
-
-description: |-
- Ensure that the Kubernetes API Server Operator is configured to only use strong cryptographic ciphers.
-
-rationale: |-
- TLS ciphers have had a number of known vulnerabilities and weaknesses,
- which can reduce the protection provided by them. By default Kubernetes
- supports a number of TLS ciphersuites including some that have security
- concerns, weakening the protection provided.
-
-severity: medium
-
-#identifiers:
-# cce@ocp4:
-
-references:
- cis@ocp4: 4.2.13
-
-ocil_clause: "TLS cipher suite configuration is not configured"
-
-ocil: |-
- Run the following comman on the kubelete nodes(s):
- {{% raw %}}oc patch kubeapiservers.operator.openshift.io cluster --type merge -p '{"spec":{"unsupportedConfigOverrides":{"servingInfo":{"cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256"]} } } }'{{% endraw %}}
-
-warnings:
-- general: |-
- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/kubeapiservers/cluster") | indent(4) }}}
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/apis/operator.openshift.io/v1/kubeapiservers/cluster'
- yamlpath: ".spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]"
- values:
- - value: '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'
- operation: 'pattern match'
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml
deleted file mode 100644
index fd9b313e87b..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_kubeapiserver_operator/tests/ocp4/e2e.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-default_result: FAIL
-result_after_remediation: PASS
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml
deleted file mode 100644
index 6d184aaef73..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/kubernetes/shared.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# platform = multi_platform_ocp
-apiVersion: operator.openshift.io/v1kind: OpenShiftAPIServer
-metadata:
- name: cluster
-spec:
- unsupportedConfigOverrides:
- servingInfo:
- cipherSuites:
- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_256_GCM_SHA384
- - TLS_RSA_WITH_AES_128_GCM_SHA256
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml
deleted file mode 100644
index 0b1423ac3ac..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/rule.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-documentation_complete: true
-
-
-title: "Ensure that the OpenShift API Server Operator only makes use of Strong Cryptographic Ciphers"
-
-description: |-
- Ensure that the OpenShift API Server Operator is configured to only use strong cryptographic ciphers.
-
-rationale: |-
- TLS ciphers have had a number of known vulnerabilities and weaknesses,
- which can reduce the protection provided by them. By default Kubernetes
- supports a number of TLS ciphersuites including some that have security
- concerns, weakening the protection provided.
-
-severity: medium
-
-#identifiers:
-# cce@ocp4:
-
-references:
- cis@ocp4: 4.2.13
-
-ocil_clause: "TLS cipher suite configuration is not configured"
-
-ocil: |-
- Run the following command on the kubelet node(s):
- {{% raw %}}oc patch openshiftapiservers.operator.openshift.io cluster --type merge -p '{"spec":{"unsupportedConfigOverrides":{"servingInfo":{"cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256"] } } } }'{{% endraw %}}
-
-warnings:
-- general: |-
- {{{ openshift_cluster_setting("/apis/operator.openshift.io/v1/openshiftapiservers/cluster") | indent(4) }}}
-
-template:
- name: yamlfile_value
- vars:
- ocp_data: "true"
- filepath: '/apis/operator.openshift.io/v1/openshiftapiservers/cluster'
- yamlpath: ".spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]"
- values:
- - value: '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'
- operation: 'pattern match'
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml
deleted file mode 100644
index fd9b313e87b..00000000000
--- a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_openshiftapiserver_operator/tests/ocp4/e2e.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-default_result: FAIL
-result_after_remediation: PASS
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml
similarity index 100%
rename from applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml
rename to applications/openshift/networking/ingress_controller_tls_cipher_suites/kubernetes/shared.yml
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml
similarity index 100%
rename from applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
rename to applications/openshift/networking/ingress_controller_tls_cipher_suites/rule.yml
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/tests/ocp4/e2e.yml b/applications/openshift/networking/ingress_controller_tls_cipher_suites/tests/ocp4/e2e.yml
similarity index 100%
rename from applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/tests/ocp4/e2e.yml
rename to applications/openshift/networking/ingress_controller_tls_cipher_suites/tests/ocp4/e2e.yml
diff --git a/controls/cis_ocp_1_4_0/section-4.yml b/controls/cis_ocp_1_4_0/section-4.yml
index 9fa0e8f27a7..5fac05f8433 100644
--- a/controls/cis_ocp_1_4_0/section-4.yml
+++ b/controls/cis_ocp_1_4_0/section-4.yml
@@ -158,6 +158,6 @@ controls:
status: automated
rules:
- kubelet_configure_tls_cipher_suites
- - kubelet_configure_tls_cipher_suites_ingresscontroller
+ - ingress_controller_tls_cipher_suites
levels: [ level_1, ]
diff --git a/products/ocp4/profiles/default.profile b/products/ocp4/profiles/default.profile
index aa4a79e4196..384e50f423c 100644
--- a/products/ocp4/profiles/default.profile
+++ b/products/ocp4/profiles/default.profile
@@ -25,7 +25,6 @@ selections:
- file_permissions_var_lib_etcd
- file_owner_openvswitch
- file_permissions_openvswitch
- - kubelet_configure_tls_cipher_suites_openshiftapiserver_operator
- file_groupowner_ovs_conf_db_lock_not_s390x
- oauth_inactivity_timeout
- kubelet_eviction_thresholds_set_soft_nodefs_inodesfree
@@ -46,7 +45,7 @@ selections:
- api_server_api_priority_v1_flowschema_catch_all
- file_groupowner_openvswitch
- gcp_disk_encryption_enabled
- - kubelet_configure_tls_cipher_suites_ingresscontroller
+ - ingress_controller_tls_cipher_suites
- file_groupowner_ovs_conf_db_lock_s390x
- ebs_encryption_enabled_on_machinesets
- project_template_network_policy
@@ -56,7 +55,6 @@ selections:
- file_owner_pod_logs
- project_config_has_template
- kubelet_eviction_thresholds_set_soft_imagefs_available
- - kubelet_configure_tls_cipher_suites_kubeapiserver_operator
- file_groupowner_ovs_sys_id_conf_not_s390x
- ingress_controller_tls_security_profile_custom_min_tls_version
- kubelet_read_only_port_secured