OpenShift must set server token max age no greater than eight hours.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257562	CNTR-OS-000760	SV-257562r921629_rule		Medium

Description
The setting for OAuth server token max age is used to control the maximum duration for which an issued OAuth access token remains valid. Access tokens serve as a form of authentication and authorization in OAuth-based systems. By setting a maximum age for these tokens, OpenShift helps mitigate security risks associated with long-lived tokens. If a token is compromised, its impact is limited to the maximum age duration, as the token will expire and become invalid after that period. It reduces the window of opportunity for unauthorized access and enhances the security of the system. By setting a maximum age for access tokens, OpenShift encourages the use of token refresh rather than relying on the same token for an extended period. Regular token refresh helps maintain a higher level of security by ensuring that tokens are periodically revalidated and rotated.

Description

The setting for OAuth server token max age is used to control the maximum duration for which an issued OAuth access token remains valid. Access tokens serve as a form of authentication and authorization in OAuth-based systems. By setting a maximum age for these tokens, OpenShift helps mitigate security risks associated with long-lived tokens. If a token is compromised, its impact is limited to the maximum age duration, as the token will expire and become invalid after that period. It reduces the window of opportunity for unauthorized access and enhances the security of the system. By setting a maximum age for access tokens, OpenShift encourages the use of token refresh rather than relying on the same token for an extended period. Regular token refresh helps maintain a higher level of security by ensuring that tokens are periodically revalidated and rotated.

STIG	Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide	2023-08-28

Details

Check Text ( C-61297r921627_chk )
To check if the OAuth server token max age is configured, execute the following: oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenMaxAgeSeconds}' If the output timeout value on the OAuth server is >"28800" or missing, this is a finding. Check the OAuth client token value (this can be set on each client also). Check all clients OAuth client token max age configuration by execute the following: oc get oauthclients -ojson \| jq -r '.items[] \| { accessTokenMaxAgeSeconds: .accessTokenMaxAgeSeconds}' If the output returns a timeout value of >"28800" for any client, this is a finding.

Check Text ( C-61297r921627_chk )

To check if the OAuth server token max age is configured, execute the following:

oc get oauth cluster -ojsonpath='{.spec.tokenConfig.accessTokenMaxAgeSeconds}'

If the output timeout value on the OAuth server is >"28800" or missing, this is a finding.

Check the OAuth client token value (this can be set on each client also).

Check all clients OAuth client token max age configuration by execute the following:

oc get oauthclients -ojson | jq -r '.items[] | { accessTokenMaxAgeSeconds: .accessTokenMaxAgeSeconds}'

If the output returns a timeout value of >"28800" for any client, this is a finding.

Fix Text (F-61221r921628_fix)
To set the OAuth server token max age, edit the OAuth server object by executing the following: oc patch oauth cluster --type merge -p '{"spec":{"tokenConfig":{"accessTokenMaxAgeSeconds": 28800}}}' To set the OAuth client token max age, edit the OAuth client object by executing the following: cli in $(oc get oauthclient -oname); do oc patch oauthclient $cli --type=merge -p '{"accessTokenMaxAgeSeconds": 28800}'; done

Fix Text (F-61221r921628_fix)

To set the OAuth server token max age, edit the OAuth server object by executing the following:

oc patch oauth cluster --type merge -p '{"spec":{"tokenConfig":{"accessTokenMaxAgeSeconds": 28800}}}'

To set the OAuth client token max age, edit the OAuth client object by executing the following:

cli in $(oc get oauthclient -oname); do oc patch oauthclient $cli --type=merge -p '{"accessTokenMaxAgeSeconds": 28800}'; done