
The system must set a timeout for the ESXi Shell to automatically disable idle sessions after a predetermined period.


Overview

Finding ID: SRG-OS-99999-ESXI5-000153
Version: SRG-OS-99999-ESXI5-000153
Rule ID: SRG-OS-99999-ESXI5-000153_rule
IA Controls: (none)
Severity: Low
Description
If ESXi Shell is enabled on the host and a user forgets to log out of their SSH session, the idle connection will remain open indefinitely, increasing the potential for someone to gain privileged access to the host.
STIG: VMware ESXi v5 Security Technical Implementation Guide
Date: 2013-01-15

Details

Check Text (C-SRG-OS-99999-ESXI5-000153_chk)

From the vSphere client, select the host and click "Configuration >> Advanced Settings". Select the "UserVars.ESXiShellTimeOut" parameter and verify it is set to a value not to exceed 15 minutes. A value of 0 disables the ESXi Shell timeout.

If the "UserVars.ESXiShellTimeOut" parameter is set to a value less than 1 or greater than 15, this is a finding.
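
The check above can also be scripted. This is an added example, not part of the STIG text: it assumes the setting is read with `esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut`, and the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply this rule's Check Text to esxcli output.
# Assumption: the setting is read with
#   esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut
# (the page itself only describes the vSphere client path).

# Constructed sample of that command's output, for offline runs.
sample_output() {
    cat <<'EOF'
   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0
EOF
}

# Print the configured value: the "Int Value:" line, not "Default Int Value:".
parse_timeout() {
    awk -F': *' '/^[ \t]*Int Value:/ { gsub(/[ \t\r]/, "", $2); print $2; exit }'
}

# Print the verdict for a value, in the unit the page uses (minutes).
# Per the Check Text: less than 1 or greater than 15 is a finding.
evaluate_timeout() {
    case "$1" in
        # Empty, a bare "-", non-numeric text, or a misplaced "-" cannot be judged.
        ''|-|*[!0-9-]*|?*-*) echo "ERROR"; return 0 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 15 ]; then
        echo "FINDING"
    else
        echo "NOT_A_FINDING"
    fi
}

# On a host with esxcli, check the live value; otherwise use the sample.
if command -v esxcli >/dev/null 2>&1; then
    current=$(esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut | parse_timeout)
else
    current=$(sample_output | parse_timeout)
fi
echo "UserVars.ESXiShellTimeOut=$current -> $(evaluate_timeout "$current")"
```

An `ERROR` verdict means the value could not be read and the host should be checked manually in the vSphere client.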

Fix Text (F-SRG-OS-99999-ESXI5-000153_fix)
From the vSphere client, select the host and click "Configuration >> Advanced Settings". Select the "UserVars.ESXiShellTimeOut" parameter and configure it to a value not to exceed 15 minutes. A value of 0 disables the ESXi Shell timeout.