content OCPBUGS-32551: swap token inactivity timeout rule

Description:

Let's use oauth_or_oauthclient_inactivity_timeout instead of oautclient_inactivity_timeout.

Rationale:

The former rule checks for server and client token timeout configuration is multiple places and remediates the server OAuth config. The latter only checks for the client token timeout and doesn't have a remediation.
Rule oauthclient_inactivity_timeout doesn't have remediation and stayed in FAIL result.

Review Hints:

Check that oauth_or_oauthclient_inactivity_timeout is passing on STIG profile after remediation.

Apr 23 '24 11:04 yuumasato

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

Apr 23 '24 11:04 github-actions[bot]

/test

Apr 23 '24 11:04 yuumasato

@yuumasato: The /test command needs one or more targets. The following commands are available to trigger required jobs:

/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-images
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-images
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Apr 23 '24 11:04 openshift-ci[bot]

/test 4.15-e2e-aws-ocp4-stig /test e2e-aws-ocp4-stig

Apr 23 '24 11:04 yuumasato

:robot: A k8s content image for this PR is available at: ghcr.io/complianceascode/k8scontent:11870 This image was built from commit: 18844e6c4bd972cef7838b5432baf79ac0d8b820

Click here to see how to deploy it

If you alread have Compliance Operator deployed: utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11870

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11870 make deploy-local

Apr 23 '24 11:04 github-actions[bot]

/jira refresh

Apr 23 '24 15:04 yuumasato

/hold for test

Apr 26 '24 09:04 xiaojiey

Pre-merge verification pass with 4.16.0-0.nightly-2024-04-23-032717 + ghcr.io/complianceascode/k8scontent:11870:

1. Check rule available in the ocp4-stig profile:
% oc get profile upstream-ocp4-stig -o yaml | grep oauth-or-oauthclient-inactivity-timeout

- upstream-ocp4-oauth-or-oauthclient-inactivity-timeout

2. Create a ssb with default-auto-apply ss:
% cat ssb_stig.yaml

apiVersion: compliance.openshift.io/v1alpha1

kind: ScanSettingBinding

metadata:

  name: ocp4-stig-compliance

  namespace: openshift-compliance

profiles:

  - name: upstream-ocp4-stig

    kind: Profile

    apiGroup: compliance.openshift.io/v1alpha1

settingsRef:

  name: default-auto-apply

  kind: ScanSetting

  apiGroup: compliance.openshift.io/v1alpha1


% oc apply -f ssb_stig.yaml

scansettingbinding.compliance.openshift.io/ocp4-stig-compliance created

% oc get suite

NAME                   PHASE   RESULT

ocp4-stig-compliance   DONE    NON-COMPLIANT

% oc get cr

NAME                                                              STATE

upstream-ocp4-stig-api-server-encryption-provider-cipher          Applied

upstream-ocp4-stig-audit-profile-set                              Applied

upstream-ocp4-stig-oauth-or-oauthclient-inactivity-timeout        Applied

upstream-ocp4-stig-oauth-or-oauthclient-token-maxage              Applied

upstream-ocp4-stig-project-config-and-template-network-policy     Applied

upstream-ocp4-stig-project-config-and-template-network-policy-1   Applied

upstream-ocp4-stig-project-config-and-template-resource-quota     Applied

upstream-ocp4-stig-project-config-and-template-resource-quota-1   Applied

% oc get cr upstream-ocp4-stig-oauth-or-oauthclient-inactivity-timeout -o=jsonpath={.spec} | jq -r

{

  "apply": true,

  "current": {

    "object": {

      "apiVersion": "config.openshift.io/v1",

      "kind": "OAuth",

      "metadata": {

        "name": "cluster"

      },

      "spec": {

        "tokenConfig": {

          "accessTokenInactivityTimeout": "10m0s"

        }

      }

    }

  },

  "outdated": {},

  "type": "Configuration"

}

% oc get suite

NAME                   PHASE   RESULT

ocp4-stig-compliance   DONE    NON-COMPLIANT

3. Trigger rescan

% oc annotate compliancescan/upstream-ocp4-stig compliance.openshift.io/rescan=

compliancescan.compliance.openshift.io/upstream-ocp4-stig annotated

% oc get scan -w

NAME                 PHASE     RESULT

upstream-ocp4-stig   RUNNING   NOT-AVAILABLE

upstream-ocp4-stig   AGGREGATING   NOT-AVAILABLE

upstream-ocp4-stig   DONE          NON-COMPLIANT

% oc get ccr | grep oauth-or-oauthclient-inactivity-timeout

upstream-ocp4-stig-oauth-or-oauthclient-inactivity-timeout                   PASS     medium

Apr 26 '24 11:04 xiaojiey

/unhold

Apr 26 '24 11:04 xiaojiey

/lgtm

Apr 26 '24 11:04 xiaojiey

Code Climate has analyzed commit 18844e6c and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).

View more on Code Climate.

Jun 24 '24 11:06 codeclimate[bot]

Just rebased on top of latest master

Jun 24 '24 14:06 yuumasato

Merging based on Dev and QE approvals.

Jun 27 '24 14:06 yuumasato

content content copied to clipboard

OCPBUGS-32551: swap token inactivity timeout rule

Description:

Rationale:

Review Hints:

content
content copied to clipboard