Configure OAuth clients so that tokens expire after a set period of inactivity

An XCCDF Rule

Description

You can configure OAuth tokens to expire after a set period of inactivity. By default, no token inactivity timeout is set.

The inactivity timeout can be either set in the OAuth server configuration or in any of the OAuth clients. The client settings override the OAuth server setting.

To edit the OAuth client inactivity timeout, edit the OAuth client object: oc edit oauthclient $clientname and set the top-level accessTokenInactivityTimeoutSeconds attribute.

apiVersion: oauth.openshift.io/v1
grantMethod: auto
kind: OAuthClient
metadata:
...
accessTokenInactivityTimeoutSeconds: 600

For more information on configuring the OAuth clients, consult the OpenShift documentation: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html-single/authentication_and_authorization/index#oauth-token-inactivity-timeout_configuring-internal-oauth

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/oauth.openshift.io/v1/oauthclients API endpoint to the local /apis/oauth.openshift.io/v1/oauthclients file.

Rationale

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a session that has been left unattended.

ID: xccdf_org.ssgproject.content_rule_oauthclient_inactivity_timeout
Severity: Medium
References: CIP-004-6 R2.2.3 CIP-007-3 R5.1 CIP-007-3 R5.2 CIP-007-3 R5.3.1 CIP-007-3 R5.3.2 CIP-007-3 R5.3.3

AC-2(5) SC-10

SRG-APP-000190-CTR-000500

CCE-84178-3
Updated: about 1 year ago