1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
title: "Configure OAuth server so that tokens expire after a set period of inactivity"
{{% set default_jqfilter = '.spec' %}}
{{% set default_api_path = '/apis/config.openshift.io/v1/oauths/cluster' %}}
{{% set hypershift_path = '/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}' %}}
{{% set hypershift_jqfilter = '.spec.configuration.oauth' %}}
{{% set custom_api_path = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_path ~ '{{else}}' ~ default_api_path ~ '{{end}}' %}}
{{% set custom_jqfilter = '{{if ne .hypershift_cluster "None"}}' ~ hypershift_jqfilter ~ '{{else}}' ~ default_jqfilter ~ '{{end}}' %}}
{{% set dump_path = default_api_path ~ ',' ~ default_jqfilter ~ ',' ~ custom_jqfilter %}}
description: |-
<p>
You can configure OAuth tokens to expire after a set period of
inactivity. By default, no token inactivity timeout is set.
</p>
<p>
The inactivity timeout can be either set in the OAuth server
configuration or in any of the OAuth clients. The client settings
override the OAuth server setting.
</p>
<p>
To set the OAuth server inactivity timeout, edit the OAuth server
object: <tt>oc edit oauth cluster</tt>
and set the <tt>.spec.tokenConfig.accessTokenInactivityTimeout</tt>
parameter to the desired value:
<pre>
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
...
spec:
tokenConfig:
accessTokenInactivityTimeout: {{{ xccdf_value("var_oauth_inactivity_timeout") }}}
</pre>
<pre>
Please note that the OAuth server converts the value internally to a human-readable format,
so that e.g. setting accessTokenInactivityTimeout=600s would be converted by the OAuth
server to accessTokenInactivityTimeout=10m0s.
</pre>
For more information on configuring the OAuth server, consult the
OpenShift documentation:
{{{ weblink(link="https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html") }}}
</p>
rationale: |-
Terminating an idle session within a short time period reduces the window
of opportunity for unauthorized personnel to take control of a session
that has been left unattended.
references:
nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
nist: AC-2(5),SC-10
srg: SRG-APP-000190-CTR-000500
identifiers:
cce@ocp4: CCE-83511-6
ocil_clause: 'OAuth server inactivity timeout is not configured'
ocil: |-
To check if the OAuth server timeout is configured, run the following command:
<pre>oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'</pre>
the output should return <pre>{{ .var_oauth_inactivity_timeout }}</pre>.
severity: medium
warnings:
- general: |-
{{{ openshift_filtered_cluster_setting({custom_api_path: dump_path}) | indent(4) }}}
template:
name: yamlfile_value
vars:
ocp_data: 'true'
filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
yamlpath: ".tokenConfig.accessTokenInactivityTimeout"
check_existence: "only_one_exists"
xccdf_variable: var_oauth_inactivity_timeout
|
