The F5 BIG-IP appliance must be configured to set a "Maximum Session Timeout" value of 8 hours or less.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-259330 | F5BI-AP-000230 | SV-259330r947412_rule | Medium |
| Description |
|---|
| The Maximum Session Timeout setting configures a limit on the maximum amount of time a user's session is active without needing to reauthenticate. If the value is set to 0 (zero), the user's session is active until either the user terminates the session or the Inactivity Timeout value is reached (the default value is set to 604,800 seconds). When determining how long the maximum user session can last, it may be useful to review the access policy. For example, if the access policy requires that the user's antivirus signatures cannot be older than 8 hours, the Maximum Session Timeout should not exceed that time limit. |
| STIG | Date |
|---|---|
| F5 BIG-IP Access Policy Manager Security Technical Implementation Guide | 2024-01-26 |
Details
| Check Text ( C-63069r947410_chk ) |
|---|
| If the BIG-IP APM module does not provide user authentication intermediary services, this is not applicable. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the Access profile name. 5. In the "Settings" section, verify the value for "Maximum Session Timeout" is set to 28800 seconds (8 hours) or less. If the F5 BIG-IP APM access policy is not configured for a "Maximum Session Timeout" value of 28,800 seconds (8 hours) or less, this is a finding. |
| Fix Text (F-62978r947411_fix) |
|---|
| From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the Access profile name. 5. In the "Settings" section, set the value for "Maximum Session Timeout" to 28800 seconds (8 hours) or less. Note: If the setting is grayed out, check the box to the right of the setting and then update it. 6. Click "Update". 7. Click "Apply Access Policy". |