From 18844e6c4bd972cef7838b5432baf79ac0d8b820 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 23 Apr 2024 12:50:02 +0200
Subject: [PATCH] OCPBUGS-32551: swap token inactivity timeout rule

Let's use oauth_or_oauthclient_inactivity_timeout instead of oautclient_inactivity_timeout. The former rule checks for server and client token timeout configuration is multiple places and remediates the server OAuth config. The latter only checks for the client token timeout and doesn't have a remediation.
---
 .../authentication/oauth_inactivity_timeout/rule.yml | 1 +
 .../authentication/oauthclient_inactivity_timeout/rule.yml | 1 -
 controls/srg_ctr/SRG-APP-000190-CTR-000500.yml | 2 +-
 controls/stig_ocp4.yml | 4 ++--
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/applications/openshift/authentication/oauth_inactivity_timeout/rule.yml b/applications/openshift/authentication/oauth_inactivity_timeout/rule.yml
index 0b22118ff94..faa9a2ce587 100644
--- a/applications/openshift/authentication/oauth_inactivity_timeout/rule.yml
+++ b/applications/openshift/authentication/oauth_inactivity_timeout/rule.yml
@@ -51,6 +51,7 @@ rationale: |-
 references:
     nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
     nist: AC-2(5),SC-10
+    srg: SRG-APP-000190-CTR-000500
 
 identifiers:
     cce@ocp4: CCE-83511-6
diff --git a/applications/openshift/authentication/oauthclient_inactivity_timeout/rule.yml b/applications/openshift/authentication/oauthclient_inactivity_timeout/rule.yml
index c773e58e30f..7c19d84445e 100644
--- a/applications/openshift/authentication/oauthclient_inactivity_timeout/rule.yml
+++ b/applications/openshift/authentication/oauthclient_inactivity_timeout/rule.yml
@@ -39,7 +39,6 @@ rationale: |-
 references:
     nerc-cip: CIP-004-6 R2.2.3,CIP-007-3 R5.1,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3
     nist: AC-2(5),SC-10
-    srg: SRG-APP-000190-CTR-000500
 
 identifiers:
     cce@ocp4: CCE-84178-3
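Review bot: The `srg: SRG-APP-000190-CTR-000500` reference is added to `oauth_inactivity_timeout`, yet the controls changed in this same commit (`controls/srg_ctr/SRG-APP-000190-CTR-000500.yml` and both `controls/stig_ocp4.yml` hunks) select `oauth_or_oauthclient_inactivity_timeout`, and the diffstat shows that rule's `rule.yml` is untouched. If `oauth_or_oauthclient_inactivity_timeout` does not already carry the same `srg:` entry, the rule that actually appears in the SRG and STIG profiles is exported without the SRG mapping while the reference sits on a rule these controls do not select directly; either add the reference there as well or note in this rule's description why the server-only rule is the one that should carry it. Only the `references:` mapping of the rule is visible in this hunk; the rule's check and remediation are outside it.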
diff --git a/controls/srg_ctr/SRG-APP-000190-CTR-000500.yml b/controls/srg_ctr/SRG-APP-000190-CTR-000500.yml index a87292e153f..f9427e0af17 100644 --- a/controls/srg_ctr/SRG-APP-000190-CTR-000500.yml +++ b/controls/srg_ctr/SRG-APP-000190-CTR-000500.yml @@ -9,4 +9,4 @@ controls: status: automated rules: - sshd_disable_root_login - - oauthclient_inactivity_timeout + - oauth_or_oauthclient_inactivity_timeout diff --git a/controls/stig_ocp4.yml b/controls/stig_ocp4.yml index 7ef338b1ff8..a57ae8c2631 100644 --- a/controls/stig_ocp4.yml +++ b/controls/stig_ocp4.yml @@ -457,7 +457,7 @@ controls: - high title: OpenShift must disable root and terminate network connections. rules: - - oauthclient_inactivity_timeout + - oauth_or_oauthclient_inactivity_timeout - sshd_disable_root_login status: automated @@ -526,7 +526,7 @@ controls: session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.' rules: - - oauthclient_inactivity_timeout + - oauth_or_oauthclient_inactivity_timeout - sshd_disable_root_login status: automated
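Review bot: The `oauth_or_oauthclient_inactivity_timeout` rule selected on the `+` line is described in the commit message as checking both the server `OAuth` config and `OAuthClient` objects, but nothing here shows how the two results are combined, and an OR across them is weaker than it reads if a per-client `accessTokenInactivityTimeoutSeconds` can override the cluster default (the OpenShift API documents it that way, with `0` meaning the client's tokens never time out — confirm against the rule's OVAL). If the rule reports a pass as soon as the server-level timeout is set, an OAuthClient that overrides it with `0` would still be marked compliant under this control; a check that every OAuthClient either inherits or sets an acceptable value would close that gap, and the combination semantics are worth stating in the rule's description. The same selection change appears in both `controls/stig_ocp4.yml` hunks. The `controls:` list continues outside the hunk.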
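Review bot: The second hunk's control text requires the session to be `terminated after 10 minutes of inactivity`, but the swapped-in rule's name and the commit message only speak of a timeout being configured, not of its value, so confirm that `oauth_or_oauthclient_inactivity_timeout` compares the configured `accessTokenInactivityTimeout` against a ten-minute bound (ideally a variable this control can set) rather than checking presence only; otherwise a present-but-long timeout satisfies a control that is still marked `status: automated`. If the rule enforces presence only, `status: partial` with a short note on the missing threshold check would be the honest marking until the value is verified. Both `controls:` entries begin and end outside their hunks.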