Configure OAuth server so that tokens have a maximum age set
An XCCDF Rule
Description
You can configure OAuth tokens to have have a custom duration. By default, the tokens are valid for 24 hours (86400 seconds).
The maximum age can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.
To set the OAuth server token max age, edit the OAuth server
object: oc edit oauth cluster
and set the .spec.tokenConfig.accessTokenMaxAgeSeconds
parameter to the desired value:
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
...
spec:
tokenConfig:
accessTokenMaxAgeSeconds: 28800
For more information on configuring the OAuth server, consult the
OpenShift documentation:
https://docs.openshift.com/container-platform/4.7/authentication/configuring-internal-oauth.html
warning alert: Warning
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-
{{if ne .hypershift_cluster "None"}}/apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}}{{else}}/apis/config.openshift.io/v1/oauths/cluster{{end}}API endpoint, filter with with thejqutility using the following filter{{if ne .hypershift_cluster "None"}}.spec.configuration.oauth{{else}}.spec{{end}}and persist it to the local
Rationale
Setting a token maximum age to a shorter time period reduces the window of opportunity for unauthorized personnel to take control of the session.
- ID
- xccdf_org.ssgproject.content_rule_oauth_token_maxage
- Severity
- Medium
- References
- Updated