Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-258983 | VCST-80-000070 | SV-258983r934607_rule | Medium |
Description |
---|
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253 |
STIG | Date |
---|---|
VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide | 2023-10-29 |
Check Text ( C-62723r934605_chk ) |
---|
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' - Example result: If the value of "session-timeout" is not "30" or less, or is missing, this is a finding. |
Fix Text (F-62632r934606_fix) |
---|
Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Navigate to the Restart the service with the following command: # vmon-cli --restart sts |