UCF STIG Viewer Logo

The vCenter ESX Agent Manager service must set an inactive timeout for sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-259015 VCEM-80-000070 SV-259015r1003617_rule Medium
Description
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
STIG Date
VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62755r934701_chk )
At the command prompt, run the following command:

# xmllint --format /usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' -

Example result:

30

If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.
Fix Text (F-62664r934702_fix)
Navigate to and open:

/usr/lib/vmware-eam/web/webapps/eam/WEB-INF/web.xml

Navigate to the node and configure the as follows:


30

true
true



Restart the service with the following command:

# vmon-cli --restart eam