UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The vCenter STS service must set an inactive timeout for sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-258983 VCST-80-000070 SV-258983r1003673_rule Medium
Description
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253
STIG Date
VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide 2024-07-11

Details

Check Text ( C-62723r934605_chk )
At the command prompt, run the following command:

# xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' -

Example result:

30

If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.
Fix Text (F-62632r934606_fix)
Navigate to and open:

/usr/lib/vmware-sso/vmware-sts/conf/web.xml

Navigate to the node and configure the as follows:


30

true
true



Restart the service with the following command:

# vmon-cli --restart sts