File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (67 lines) | stat: -rw-r--r-- 2,373 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
 

title: "Configure OAuth clients so that tokens expire after a set period of inactivity"

description: |-
    <p>
    You can configure OAuth tokens to expire after a set period of
    inactivity. By default, no token inactivity timeout is set.
    </p>
    <p>
    The inactivity timeout can be either set in the OAuth server
    configuration or in any of the OAuth clients. The client settings
    override the OAuth server setting.
    </p>
    <p>
    To edit the OAuth client inactivity timeout, edit the OAuth client
    object: <tt>oc edit oauthclient $clientname</tt>
    and set the top-level <tt>accessTokenInactivityTimeoutSeconds</tt>
    attribute.
    <pre>
    apiVersion: oauth.openshift.io/v1
    grantMethod: auto
    kind: OAuthClient
    metadata:
    ...
    accessTokenInactivityTimeoutSeconds: 600 
    </pre>
    For more information on configuring the OAuth clients, consult the
    OpenShift documentation:
    {{{ weblink(link="https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth") }}}
    </p>



rationale: |-
    Terminating an idle session within a short time period reduces the window
    of opportunity for unauthorized personnel to take control of a session
    that has been left unattended.

references:
  nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
  nist: AC-2(5),SC-10

identifiers:
    cce@ocp4: CCE-84178-3

ocil_clause: 'OAuth client inactivity timeout is not configured'

ocil: |-
  To check if the OAuth client timeout is configured, run the following command:
  <pre>oc get oauthclients -ojson | jq -r '.items[] | { accessTokenInactivityTimeoutSeconds: .accessTokenInactivityTimeoutSeconds}'</pre>
  the output should return a timeout value per client.

severity: medium

warnings:
    - general: |-
        {{{ openshift_cluster_setting("/apis/oauth.openshift.io/v1/oauthclients") | indent(8) }}}

template:
    name: yamlfile_value
    vars:
        ocp_data: 'true'
        filepath: /apis/oauth.openshift.io/v1/oauthclients
        yamlpath: ".items[:].accessTokenInactivityTimeoutSeconds"
        check_existence: "all_exist"
        entity_check: "all"
        xccdf_variable: var_access_token_inactivity_timeout_seconds