change applicability of rules configuring idle session timeouts #10127

@vojtapolasek vojtapolasek commented Jan 26, 2023

Description:

  • create new OVAL definition checking if installed OS is RHEL
  • create three new platforms checking if RHEL >= 8.7, if RHEL <= 8.5 and RHEL == 9.0
  • use these platforms to limit applicability of logind_session_timeout and sshd_set_idle_timeout

Rationale:

The Systemd feature which can configure session idle timeout is not present in all RHEL releases, therefore the rule does not apply in some cases. To be exact, the feature works only in 9.1 and up and 8.7 and up.
Also the SSH configuration used by sshd_set_idle_timeout has effect only in some cases. It works only up to 8.5.

Testing hints:

  • build RHEL 8 and RHEL 9 content
  • test the following (you can artificially modify RHEL version by editing the ID within /etc/os-release):
  • logind_session_timeout should apply on 8.7 and higher with exception of 9.0
  • sshd_set_idle_timeout should be applicable on 8.5 and lower.
  • consequently, none of these rules would be applicable on 8.6.

@vojtapolasek vojtapolasek added the RHEL9, Update Rule, and RHEL8 labels Jan 26, 2023
@vojtapolasek vojtapolasek added this to the 0.1.66 milestone Jan 26, 2023
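
The applicability matrix from the description above, written out as an added example that is not part of the pull request or the project's code. It assumes the OS and version come from the `ID` and `VERSION_ID` fields of an os-release-format file (the project's real check is an OVAL definition), and the function names `os_release_field` and `applicable_rules` are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the pull request or the project.
# Assumption: the OS and version are read from the ID and VERSION_ID fields
# of an os-release-format file; the project's real check is an OVAL definition.

# Print the unquoted value of field $2 from os-release-format file $1.
os_release_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "\"'"
}

# Print which of the two idle-timeout rules applies to the OS described in
# file $1 (default /etc/os-release), or "none".
applicable_rules() {
    file=${1:-/etc/os-release}
    os_id=$(os_release_field "$file" ID)
    version=$(os_release_field "$file" VERSION_ID)
    major=${version%%.*}
    minor=0
    case "$version" in
        *.*) minor=${version#*.}; minor=${minor%%.*} ;;
    esac
    # Anything that is not RHEL with a numeric version gets neither rule.
    case "$major.$minor" in
        .*|*.|*[!0-9.]*) os_id="" ;;
    esac
    if [ "$os_id" != "rhel" ]; then
        echo "none"
        return 0
    fi
    v=$((major * 100 + minor))              # 8.7 -> 807, 9.0 -> 900
    if [ "$v" -le 805 ]; then
        echo "sshd_set_idle_timeout"        # RHEL <= 8.5
    elif [ "$v" -ge 807 ] && [ "$v" -ne 900 ]; then
        echo "logind_session_timeout"       # RHEL >= 8.7, except 9.0
    else
        echo "none"                         # 8.6 and 9.0
    fi
}

# Constructed samples covering each boundary named in the testing hints.
tmp=$(mktemp)
for sample in rhel:8.5 rhel:8.6 rhel:8.7 rhel:9.0 rhel:9.1 fedora:37; do
    printf 'ID="%s"\nVERSION_ID="%s"\n' "${sample%%:*}" "${sample#*:}" > "$tmp"
    printf '%-10s -> %s\n' "$sample" "$(applicable_rules "$tmp")"
done
rm -f "$tmp"
```
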
@vojtapolasek vojtapolasek force-pushed the idle_session_timeout_stabilization branch from 8d39c90 to 5fd0181 January 26, 2023 13:13
@vojtapolasek vojtapolasek requested a review from a team as a code owner January 26, 2023 13:50
@vojtapolasek vojtapolasek force-pushed the idle_session_timeout_stabilization branch from 9334166 to 40dd7cd January 26, 2023 15:22
ospp: FMT_SMF_EXT.1.1
pcidss: Req-8.1.8
srg: SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109,SRG-OS-000395-GPOS-00175
stigid@rhel8: RHEL-08-010201
Member

While this covers the spirit of RHEL-08-010201, it is not the letter of RHEL-08-010201, so I don't know if we want to add this stigid yet.

Collaborator Author

I agree. I also removed the CIS references because I think the reason is the same. What do you think, @marcusburghardt?

Member

After a review of the CIS benchmarks, I would agree with pulling the CIS references.

Member

I also agree to not include CIS reference here.

@vojtapolasek vojtapolasek force-pushed the idle_session_timeout_stabilization branch from 9b14930 to 219a652 January 27, 2023 10:35
@vojtapolasek
Collaborator Author

@Mab879 @marcusburghardt @yuumasato @matejak could you please review and eventually merge this? I would like to get it into the release, plus there will be one more small PR which depends on this one.

@Mab879 Mab879 self-assigned this Jan 30, 2023