ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

logind_session_timeout is misaligned with DISA #12561

Open jan-cerny opened 3 weeks ago

jan-cerny commented 3 weeks ago

Description of problem:

The rule logind_session_timeout is misaligned with DISA. It passes with ComplianceAsCode but fails with DISA content.

The problem seems to be that DISA's prose says to set the timeout to 10 minutes, which means setting the StopIdleSessionSec option to 600, and our content sets this to 600, but DISA's OVAL checks that the StopIdleSessionSec option is set to 900.

We have discovered this problem in upstream productization.

Details:

This content is not aligned with content from DISA

The misalignment affects these profiles:

RHEL 8 STIG

The misalignment affects these rules:

logind_session_timeout

Outcome:

SCAP Security Guide Version:

current upstream master as of 2024-11-01, at commit 3b297951091a656ee080edc21ebc0430ec645fd1

External Content's Version:

V2R1
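The discrepancy described above, as an added illustration that is not part of this issue or of the ComplianceAsCode content: a small hypothetical Python checker that reads StopIdleSessionSec from a constructed logind.conf, accepts systemd's time-span spellings, and evaluates the value against the 600 seconds the prose requires and the 900 seconds the issue says DISA's OVAL expects.

```python
import re

# Constructed sample of a logind.conf for this example; not taken from any real system.
SAMPLE_LOGIND_CONF = """\
[Login]
#StopIdleSessionSec=infinity
StopIdleSessionSec=600
"""

# Subset of systemd time-span suffixes, mapped to seconds ("infinity" is handled separately).
_UNITS = {"": 1, "s": 1, "sec": 1, "second": 1, "seconds": 1,
          "m": 60, "min": 60, "minute": 60, "minutes": 60,
          "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600}


def parse_timespan(value):
    """Convert a systemd time span ('600', '10min', '1h 30min') to seconds.
    Returns None for 'infinity' (no timeout) or for input it cannot parse."""
    value = value.strip()
    if value in ("", "infinity"):
        return None
    total = 0
    for num, unit in re.findall(r"(\d+)\s*([a-zA-Z]*)", value):
        if unit not in _UNITS:
            return None
        total += int(num) * _UNITS[unit]
    return total


def get_stop_idle_session_sec(conf_text):
    """Return the effective StopIdleSessionSec (seconds) from the [Login] section.
    Commented lines are ignored and the last assignment wins, as systemd does."""
    result, section = None, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Login" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "StopIdleSessionSec":
                result = parse_timespan(val)
    return result


def evaluate(conf_text, expected_sec):
    """True when the idle timeout is set and equals the value a check expects."""
    actual = get_stop_idle_session_sec(conf_text)
    return actual is not None and actual == expected_sec
```

With the sample above, evaluate(SAMPLE_LOGIND_CONF, 600) passes while evaluate(SAMPLE_LOGIND_CONF, 900) fails, which is the pass/fail split the issue reports between the two contents.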

Mab879 commented 2 weeks ago

Since we can't do anything, should this have the "blocked" label?