File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.79-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,704 kB
  • sloc: xml: 244,677; sh: 84,647; python: 33,203; makefile: 27
file content (66 lines) | stat: -rw-r--r-- 2,089 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
 

title: "Configure OAuth clients so that tokens have a maximum age set"

description: |-
    <p>
    You can configure OAuth tokens to have have a custom duration.
    By default, the tokens are valid for 24 hours (86400 seconds).
    </p>
    <p>
    The maximum age can be either set in the OAuth server
    configuration or in any of the OAuth clients. The client settings
    override the OAuth server setting.
    </p>
    <p>
    To set the OAuth client token max age, edit the OAuth client
    object: <tt>oc edit oauthclient $clientname</tt>
    and set the top-level <tt>accessTokenMaxAgeSeconds</tt>
    attribute.
    <pre>
    apiVersion: oauth.openshift.io/v1
    grantMethod: auto
    kind: OAuthClient
    metadata:
    ...
    accessTokenMaxAgeSeconds: 28800
    </pre>
    For more information on configuring the OAuth clients, consult the
    OpenShift documentation:
      {{{ weblink(link="https://docs.openshift.com/container-platform/4.7/authentication/configuring-internal-oauth.html") }}}
    </p>



rationale: |-
    Setting a token maximum age to a shorter time period reduces the window
    of opportunity for unauthorized personnel to take control of the session.

references:
  nist: AC-12

identifiers:
    cce@ocp4: CCE-84022-3

ocil_clause: 'OAuth client token max age is not configured'

ocil: |-
  To check if the OAuth client token max age is configured, run the following command:
  <pre>oc get oauthclients -ojson | jq -r '.items[] | { accessTokenMaxAgeSeconds: .accessTokenMaxAgeSeconds}'</pre>
  the output should return a timeout value per client.

severity: medium

warnings:
    - general: |-
        {{{ openshift_cluster_setting("/apis/oauth.openshift.io/v1/oauthclients") | indent(8) }}}

template:
    name: yamlfile_value
    vars:
        ocp_data: 'true'
        filepath: /apis/oauth.openshift.io/v1/oauthclients
        yamlpath: ".items[:].accessTokenMaxAgeSeconds"
        check_existence_yamlpath: ".items[:].grantMethod"
        check_existence: "all_exist"
        entity_check: "all"
        xccdf_variable: var_oauth_token_maxage