UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter Lookup service must set an inactive timeout for sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-259049 VCLU-80-000070 SV-259049r1003620_rule Medium
Description
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
STIG Date
VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62789r934803_chk )
At the command prompt, run the following command:

# xmllint --format /usr/lib/vmware-lookupsvc/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' -

Example result:

30

If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.
Fix Text (F-62698r934804_fix)
Navigate to and open:

/usr/lib/vmware-lookupsvc/conf/web.xml

Navigate to the node and configure the as follows:


30

true
true



Restart the service with the following command:

# vmon-cli --restart lookupsvc