UCF STIG Viewer Logo

The system must set a timeout for the ESXi Shell to automatically disable idle sessions after a predetermined period.


Overview

Finding ID Version Rule ID IA Controls Severity
SRG-OS-99999-ESXI5-000153 SRG-OS-99999-ESXI5-000153 SRG-OS-99999-ESXI5-000153_rule Low
Description
If ESXi Shell is enabled on the host and a user forgets to logout of their SSH session the idle connection will remain indefinitely increasing the potential for someone to gain privileged access to the host
STIG Date
VMware ESXi v5 Security Technical Implementation Guide 2013-01-15

Details

Check Text ( C-SRG-OS-99999-ESXI5-000153_chk )

From the vSphere client select the host and click "Configuration >> Advanced Settings". Select "UserVars.ESXiShellTimeOut" parameter and verify it is set to a value not to exceed 15 minutes. A value of 0 disables the ESXi Shell timeout.

If the "UserVars.ESXiShellTimeOut" parameter is set to a value less than 1 or greater than 15, this is a finding.

Fix Text (F-SRG-OS-99999-ESXI5-000153_fix)
From the vSphere client select the host and click "Configuration >> Advanced Settings". Select UserVars.ESXiShellTimeOut parameter and configure it to a value not to exceed 15 minutes. A value of 0 disables the ESXi Shell timeout.