Incorporate IDP password STIG rules to uds-core baseline

bm54cloud commented 2 months ago

Is your feature request related to a problem? Please describe.

UDS-core incorporates Keycloak as the default IdP. The HNCD team has obtained an Elastic STIG directly from Elastic (not yet available on DoD website) that includes several rules relating to IdP settings, which in our case and UDS-core's case is Keycloak. Of the 66 rules related to Keycloak, we have identified 8 that can be easily incorporated into the UDS-core baseline. The proactive approach of incorporating these rules into the UDS-core baseline ensures the baseline is more secure and STIG compliant. This also decreases the amount of STIG remediation scripts that have to be run after deployment to make our mission deployments STIG compliant.

Describe the solution you'd like

In uds-identity-config/src/realm.json we propose the following changes (see attached PR):

Change forceExpiredPasswordChange(90) to forceExpiredPasswordChange(60), which satisfies rule V-222545
Change "ssoSessionIdleTimeout": 1800 to "ssoSessionIdleTimeout": 600, which satisfies rule V-222390 and V-22289. The caveat with this one is the STIG requires a minimum timeout of 10 minutes for admin and 15 minutes for user, but Keycloak does not allow delineation of admin and user timeouts, so we recommend setting the idle timeout to the more conservative, and this would meet both requirements
Change the "passwordPolicy" to include digits(1), lowerCase(1), and upperCase(1). Change length(12) to length(15). This satisfies rules V-222539, V-222538, V-222537, and V-222536
Change "failureFactor":5 to "failureFactor":3, which satisfies rule V-222432
PR here https://github.com/defenseunicorns/uds-identity-config/pull/139

Describe alternatives you've considered

An alternative would be to leave these as is, and the HNCD will incorporate these changes into a post-deployment STIG remediation script. This is our current workflow for making our Ubuntu OS STIG compliant, however, we have found that it adds significant additional startup time and can lead to race conditions.

Additional context

Please see attached files for the STIG acquired directly from Elastic. The .cklb STIG checklist is not able to be attached here due to GitHub file type restrictions, but it can be emailed and then viewed in STIG Viewer 3.

Elasticsearch 8.0 Hardening Guide Application Server SRG V3R1.pdf Elasticsearch 8.0 Hardening Guide Central Log Server SRG V2R1.pdf

UnicornChance commented 2 months ago

Merged into main, will close once incorporated into uds-core baseline.

mjnagel commented 2 months ago

Looks like the identity-config update is lumped into this keycloak renovate PR on core. Might make sense to split off the config image update and get that merged in for the next core release.

UnicornChance commented 1 month ago

Changes now in main, will be in next core release.

defenseunicorns / uds-identity-config