-
Notifications
You must be signed in to change notification settings - Fork 674
/
rule.yml
68 lines (56 loc) · 2.35 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
title: "Configure OAuth clients so that tokens expire after a set period of inactivity"
description: |-
<p>
You can configure OAuth tokens to expire after a set period of
inactivity. By default, no token inactivity timeout is set.
</p>
<p>
The inactivity timeout can be either set in the OAuth server
configuration or in any of the OAuth clients. The client settings
override the OAuth server setting.
</p>
<p>
To edit the OAuth client inactivity timeout, edit the OAuth client
object: <tt>oc edit oauthclient $clientname</tt>
and set the top-level <tt>accessTokenInactivityTimeoutSeconds</tt>
attribute.
<pre>
apiVersion: oauth.openshift.io/v1
grantMethod: auto
kind: OAuthClient
metadata:
...
accessTokenInactivityTimeoutSeconds: 600
</pre>
For more information on configuring the OAuth clients, consult the
OpenShift documentation:
{{{ weblink(link="https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth") }}}
</p>
rationale: |-
Terminating an idle session within a short time period reduces the window
of opportunity for unauthorized personnel to take control of a session
that has been left unattended.
references:
nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
nist: AC-2(5),SC-10
srg: SRG-APP-000190-CTR-000500
identifiers:
cce@ocp4: CCE-84178-3
ocil_clause: 'OAuth client inactivity timeout is not configured'
ocil: |-
To check if the OAuth client timeout is configured, run the following command:
<pre>oc get oauthclients -ojson | jq -r '.items[] | { accessTokenInactivityTimeoutSeconds: .accessTokenInactivityTimeoutSeconds}'</pre>
the output should return a timeout value per client.
severity: medium
warnings:
- general: |-
{{{ openshift_cluster_setting("/apis/oauth.openshift.io/v1/oauthclients") | indent(8) }}}
template:
name: yamlfile_value
vars:
ocp_data: 'true'
filepath: /apis/oauth.openshift.io/v1/oauthclients
yamlpath: ".items[:].accessTokenInactivityTimeoutSeconds"
check_existence: "all_exist"
entity_check: "all"
xccdf_variable: var_access_token_inactivity_timeout_seconds