File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (84 lines) | stat: -rw-r--r-- 3,246 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
 

title: "Configure OAuth tokens to expire after a set period of inactivity"

description: |-
    <p>
    You can configure OAuth tokens to expire after a set period of
    inactivity. By default, no token inactivity timeout is set.
    </p>
    <p>
    The inactivity timeout can be either set in the OAuth server
    configuration or in any of the OAuth clients. The client settings
    override the OAuth server setting.
    </p>
    <p>
    To set the OAuth server inactivity timeout, edit the OAuth server
    object: <tt>oc edit oauth cluster</tt>
    and set the <tt>.spec.tokenConfig.accessTokenInactivityTimeout</tt>
    parameter to the desired value:
    <pre>
    apiVersion: config.openshift.io/v1
    kind: OAuth
    metadata:
    ...
    spec:
       tokenConfig:
         accessTokenInactivityTimeout: 10m0s 
    <pre>
    Please note that the OAuth server converts the value internally to a human-readable format,
    so that e.g. setting accessTokenInactivityTimeout=600s would be converted by the OAuth
    server to accessTokenInactivityTimeout=10m0s.
    </pre>
    </pre>
    For more information on configuring the OAuth server, consult the
    OpenShift documentation:
    {{{ weblink(link="https://docs.openshift.com/container-platform/4.7/authentication/configuring-oauth-clients.html") }}}
    </p>
    <p>
    To edit the OAuth client inactivity timeout, edit the OAuth client
    object: <tt>oc edit oauthclient $clientname</tt>
    and set the top-level <tt>accessTokenInactivityTimeoutSeconds</tt>
    attribute.
    <pre>
    apiVersion: oauth.openshift.io/v1
    grantMethod: auto
    kind: OAuthClient
    metadata:
    ...
    accessTokenInactivityTimeoutSeconds: 600 
    </pre>
    For more information on configuring the OAuth clients, consult the
    OpenShift documentation:
    {{{ weblink(link="https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth") }}}
    </p>


rationale: |-
    Terminating an idle session within a short time period reduces the window
    of opportunity for unauthorized personnel to take control of a session
    that has been left unattended.

references:
  nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
  nist: AC-2(5),IA-5(13),SC-10
  srg: SRG-APP-000190-CTR-000500

identifiers:
    cce@ocp4: CCE-83702-1

ocil_clause: 'OAuth server or client inactivity timeout is not configured'

ocil: |-
  To check if the OAuth server timeout is configured, run the following command:
  <pre>oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenInactivityTimeout}'</pre>
  the output should return a timeout value.

  To check if the OAuth client timeout is configured, run the following command:
  <pre>oc get oauthclients -ojson | jq -r '.items[] | { accessTokenInactivityTimeoutSeconds: .accessTokenInactivityTimeoutSeconds}'</pre>
  the output should return a timeout value per client.

severity: medium

warnings:
    - general: |-
        {{{ openshift_cluster_setting(["/apis/oauth.openshift.io/v1/oauthclients", "/apis/config.openshift.io/v1/oauths/cluster"]) | indent(8) }}}