Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-251657	SPLK-CL-000010	SV-251657r879673_rule		Medium

Description
Automatic session termination after a period of inactivity addresses the potential for a malicious actor to exploit the unattended session. Closing any unattended sessions reduces the attack surface to the application. Satisfies: SRG-APP-000295-AU-000190, SRG-APP-000389-AU-000180

STIG	Date
Splunk Enterprise 8.x for Linux Security Technical Implementation Guide	2023-06-09

Details

Check Text ( C-55095r819077_chk )
This check is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the instance being reviewed is not used as a search head, this check in N/A. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the web.conf file. If the web.conf file does not exist, this is a finding. If the "tools.sessions.timeout" is missing or is configured to 16 or more, this is a finding.

Check Text ( C-55095r819077_chk )

This check is performed on the machine used as a search head, which may be a separate machine in a distributed environment.

If the instance being reviewed is not used as a search head, this check in N/A.

Examine the configuration.

Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the web.conf file.

If the web.conf file does not exist, this is a finding.

If the "tools.sessions.timeout" is missing or is configured to 16 or more, this is a finding.

Fix Text (F-55049r819078_fix)
This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the web.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify/Add the following lines in the web.conf file: tools.session.timeout = 15