OCPBUGS-32551: swap token inactivity timeout rule

[yuumasato]

Description:

• Let's use oauth_or_oauthclient_inactivity_timeout instead of oautclient_inactivity_timeout.

Rationale:

• The former rule checks for server and client token timeout configuration is multiple places and remediates the server OAuth config.
  The latter only checks for the client token timeout and doesn't have a remediation.
• Rule oauthclient_inactivity_timeout doesn't have remediation and stayed in FAIL result.

Review Hints:

• Check that oauth_or_oauthclient_inactivity_timeout is passing on STIG profile after remediation.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[yuumasato]

/test

[openshift-ci]

@yuumasato: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

• /test 4.13-e2e-aws-ocp4-cis
• /test 4.13-e2e-aws-ocp4-cis-node
• /test 4.13-e2e-aws-ocp4-e8
• /test 4.13-e2e-aws-ocp4-high
• /test 4.13-e2e-aws-ocp4-high-node
• /test 4.13-e2e-aws-ocp4-moderate
• /test 4.13-e2e-aws-ocp4-moderate-node
• /test 4.13-e2e-aws-ocp4-pci-dss
• /test 4.13-e2e-aws-ocp4-pci-dss-node
• /test 4.13-e2e-aws-ocp4-stig
• /test 4.13-e2e-aws-ocp4-stig-node
• /test 4.13-e2e-aws-rhcos4-e8
• /test 4.13-e2e-aws-rhcos4-high
• /test 4.13-e2e-aws-rhcos4-moderate
• /test 4.13-e2e-aws-rhcos4-stig
• /test 4.13-images
• /test 4.14-images
• /test 4.15-e2e-aws-ocp4-cis
• /test 4.15-e2e-aws-ocp4-cis-node
• /test 4.15-e2e-aws-ocp4-e8
• /test 4.15-e2e-aws-ocp4-high
• /test 4.15-e2e-aws-ocp4-high-node
• /test 4.15-e2e-aws-ocp4-moderate
• /test 4.15-e2e-aws-ocp4-moderate-node
• /test 4.15-e2e-aws-ocp4-pci-dss
• /test 4.15-e2e-aws-ocp4-pci-dss-node
• /test 4.15-e2e-aws-ocp4-stig
• /test 4.15-e2e-aws-ocp4-stig-node
• /test 4.15-e2e-aws-rhcos4-e8
• /test 4.15-e2e-aws-rhcos4-high
• /test 4.15-e2e-aws-rhcos4-moderate
• /test 4.15-e2e-aws-rhcos4-stig
• /test 4.15-images
• /test 4.16-e2e-aws-ocp4-cis
• /test 4.16-e2e-aws-ocp4-cis-node
• /test 4.16-e2e-aws-ocp4-e8
• /test 4.16-e2e-aws-ocp4-high
• /test 4.16-e2e-aws-ocp4-high-node
• /test 4.16-e2e-aws-ocp4-moderate
• /test 4.16-e2e-aws-ocp4-moderate-node
• /test 4.16-e2e-aws-ocp4-pci-dss
• /test 4.16-e2e-aws-ocp4-pci-dss-node
• /test 4.16-e2e-aws-ocp4-stig
• /test 4.16-e2e-aws-ocp4-stig-node
• /test 4.16-e2e-aws-rhcos4-e8
• /test 4.16-e2e-aws-rhcos4-high
• /test 4.16-e2e-aws-rhcos4-moderate
• /test 4.16-e2e-aws-rhcos4-stig
• /test 4.16-images
• /test e2e-aws-ocp4-cis
• /test e2e-aws-ocp4-cis-node
• /test e2e-aws-ocp4-e8
• /test e2e-aws-ocp4-high
• /test e2e-aws-ocp4-high-node
• /test e2e-aws-ocp4-moderate
• /test e2e-aws-ocp4-moderate-node
• /test e2e-aws-ocp4-pci-dss
• /test e2e-aws-ocp4-pci-dss-node
• /test e2e-aws-ocp4-stig
• /test e2e-aws-ocp4-stig-node
• /test e2e-aws-rhcos4-e8
• /test e2e-aws-rhcos4-high
• /test e2e-aws-rhcos4-moderate
• /test e2e-aws-rhcos4-stig
• /test images

Use /test all to run the following jobs that were automatically triggered:

• pull-ci-ComplianceAsCode-content-master-4.13-images
• pull-ci-ComplianceAsCode-content-master-4.14-images
• pull-ci-ComplianceAsCode-content-master-4.15-images
• pull-ci-ComplianceAsCode-content-master-4.16-images
• pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[yuumasato]

/test 4.15-e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig

[github-actions]

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11870
This image was built from commit: 9160fed

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11870

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11870 make deploy-local

[codeclimate]

Code Climate has analyzed commit 9160fed and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.2% (0.0% change).

View more on Code Climate.

[yuumasato]

/jira refresh

[xiaojiey]

/hold for test

[xiaojiey]

Pre-merge verification pass with 4.16.0-0.nightly-2024-04-23-032717 + ghcr.io/complianceascode/k8scontent:11870:

1. Check rule available in the ocp4-stig profile:
% oc get profile upstream-ocp4-stig -o yaml | grep oauth-or-oauthclient-inactivity-timeout

- upstream-ocp4-oauth-or-oauthclient-inactivity-timeout

2. Create a ssb with default-auto-apply ss:
% cat ssb_stig.yaml

apiVersion: compliance.openshift.io/v1alpha1

kind: ScanSettingBinding

metadata:

  name: ocp4-stig-compliance

  namespace: openshift-compliance

profiles:

  - name: upstream-ocp4-stig

    kind: Profile

    apiGroup: compliance.openshift.io/v1alpha1

settingsRef:

  name: default-auto-apply

  kind: ScanSetting

  apiGroup: compliance.openshift.io/v1alpha1


% oc apply -f ssb_stig.yaml

scansettingbinding.compliance.openshift.io/ocp4-stig-compliance created

% oc get suite

NAME                   PHASE   RESULT

ocp4-stig-compliance   DONE    NON-COMPLIANT

% oc get cr

NAME                                                              STATE

upstream-ocp4-stig-api-server-encryption-provider-cipher          Applied

upstream-ocp4-stig-audit-profile-set                              Applied

upstream-ocp4-stig-oauth-or-oauthclient-inactivity-timeout        Applied

upstream-ocp4-stig-oauth-or-oauthclient-token-maxage              Applied

upstream-ocp4-stig-project-config-and-template-network-policy     Applied

upstream-ocp4-stig-project-config-and-template-network-policy-1   Applied

upstream-ocp4-stig-project-config-and-template-resource-quota     Applied

upstream-ocp4-stig-project-config-and-template-resource-quota-1   Applied

% oc get cr upstream-ocp4-stig-oauth-or-oauthclient-inactivity-timeout -o=jsonpath={.spec} | jq -r

{

  "apply": true,

  "current": {

    "object": {

      "apiVersion": "config.openshift.io/v1",

      "kind": "OAuth",

      "metadata": {

        "name": "cluster"

      },

      "spec": {

        "tokenConfig": {

          "accessTokenInactivityTimeout": "10m0s"

        }

      }

    }

  },

  "outdated": {},

  "type": "Configuration"

}

% oc get suite

NAME                   PHASE   RESULT

ocp4-stig-compliance   DONE    NON-COMPLIANT

3. Trigger rescan

% oc annotate compliancescan/upstream-ocp4-stig compliance.openshift.io/rescan=

compliancescan.compliance.openshift.io/upstream-ocp4-stig annotated

% oc get scan -w

NAME                 PHASE     RESULT

upstream-ocp4-stig   RUNNING   NOT-AVAILABLE

upstream-ocp4-stig   AGGREGATING   NOT-AVAILABLE

upstream-ocp4-stig   DONE          NON-COMPLIANT

% oc get ccr | grep oauth-or-oauthclient-inactivity-timeout

upstream-ocp4-stig-oauth-or-oauthclient-inactivity-timeout                   PASS     medium

[xiaojiey]

/unhold

[xiaojiey]

/lgtm