UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

OpenShift must display an explicit logout message indicating the reliable termination of authenticated communication sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-257556 CNTR-OS-000650 SV-257556r961227_rule Low
Description
The OpenShift CLI tool includes an explicit logout option. The web console's default logout will invalidate the user's session token and redirect back to the console page, which will redirect the user to the authentication page. There is no explicit logout message. And in addition, if the IdP provider type is OIDC, the session token from the SSO provider will remain valid, which would effectively keep the user logged in. To correct this, the web console needs to be configured to redirect the user to a logout page. If using an OIDC provider, this would be the logout page for that provider.
STIG Date
Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide 2024-06-10

Details

Check Text ( C-61291r921609_chk )
Verify the logout redirect setting in web console configuration is set by executing the following:

oc get console.config.openshift.io cluster -o jsonpath='{.spec.authentication.logoutRedirect}{"\n"}'

If nothing is returned, this is a finding.
Fix Text (F-61215r921610_fix)
Configure the web console's logout redirect to direct to an appropriate logout page. If OpenShift is configured to use an OIDC provider, then the redirect needs to first go to the OIDC provider's logout page, and then it can be redirected to another logout page as needed.

Run the following command to update the console:

oc patch console.config.openshift.io cluster --type merge -p '{"spec":{"authentication":{"logoutRedirect":""}}}'

where LOGOUT_URL is set to the logout page.