Check: AXOS-00-000010
Axonius Federal Systems Ax-OS STIG:
AXOS-00-000010
(in versions v1 r2 through v1 r1)
Title
Ax-OS must automatically terminate a graphical user interface (GUI) user session after 15 minutes. (Cat II impact)
Discussion
An attacker can take advantage of user sessions that are left open and thereby bypass the user authentication process. To close this window of exposure, the application server must be configured to terminate sessions when a configured condition or trigger event is met. Session termination ends all processes associated with a user's logical session except those specifically created by the user (i.e., the session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
Satisfies: SRG-APP-000003, SRG-APP-000190, SRG-APP-000295
Check Content
Select the gear icon (System Settings) >> Privacy and Security >> Session. Under the Session Menu, verify the "Enable session timeout" slide bar is enabled. Verify "Session idle timeout (minutes)" is set to "15". If "Session idle timeout (minutes)" is not set to 15 minutes or less, this is a finding.
Fix Text
Select the gear icon (System Settings) >> Privacy and Security >> Session. Under the Session Menu, enable the "Enable session timeout" slide bar. Set "Session idle timeout (minutes)" to "15". Click "Save".
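As an added illustration of the mechanism the Discussion describes (inactivity-triggered session termination) and of the finding logic in the Check Content, the following Python is example code written for this page; it is not Ax-OS code and does not talk to the appliance. The SessionStore class, run_scenario and evaluate_session_setting helpers, the 09:00 reference time and the scenario events are all constructed for the example. A session is terminated once its idle time reaches the configured limit, and a terminated session cannot be revived by a later request; evaluate_session_setting applies the check's rule that the timeout must be enabled and set to 15 minutes or less.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Idle limit required by AXOS-00-000010: 15 minutes or less is compliant.
REQUIRED_IDLE_TIMEOUT_MINUTES = 15

# Constructed reference time for the scenario helper below.
BASE_TIME = datetime(2024, 1, 1, 9, 0, 0)


@dataclass
class Session:
    user: str
    last_activity: datetime
    active: bool = True


class SessionStore:
    """Server-side session table with inactivity-based termination.

    Every authenticated request calls touch(); a periodic job calls reap().
    A session whose idle time reaches the limit is terminated, and any later
    request against it is refused, so an unattended GUI session cannot be
    reused by whoever next sits at the workstation.
    """

    def __init__(self, idle_timeout_minutes: int = REQUIRED_IDLE_TIMEOUT_MINUTES):
        self.idle_timeout = timedelta(minutes=idle_timeout_minutes)
        self._sessions: Dict[str, Session] = {}

    def create(self, session_id: str, user: str, now: datetime) -> None:
        self._sessions[session_id] = Session(user=user, last_activity=now)

    def _still_active(self, session: Session, now: datetime) -> bool:
        # Terminate the session once it has been idle for the full limit.
        if session.active and now - session.last_activity >= self.idle_timeout:
            session.active = False
        return session.active

    def touch(self, session_id: str, now: datetime) -> bool:
        """Record activity. Returns False when the session is unknown or has
        timed out; the idle clock is never restarted on a terminated session,
        so the caller must reject the request and re-authenticate the user."""
        session = self._sessions.get(session_id)
        if session is None or not self._still_active(session, now):
            return False
        session.last_activity = now
        return True

    def reap(self, now: datetime) -> List[str]:
        """Terminate every session idle for the limit; return their ids."""
        terminated = []
        for session_id, session in self._sessions.items():
            if session.active and not self._still_active(session, now):
                terminated.append(session_id)
        return terminated


def run_scenario(idle_timeout_minutes: int, events: List[Tuple[int, str, Optional[str]]]):
    """Replay (minute_offset, action, session_id) events against a fresh store.

    Actions: "login" creates the session, "request" touches it, "reap" runs
    the periodic sweep. Returns one (minute, action, session_id, result) per
    event so the outcome of each step can be inspected."""
    store = SessionStore(idle_timeout_minutes)
    outcomes = []
    for minute, action, session_id in events:
        now = BASE_TIME + timedelta(minutes=minute)
        if action == "login":
            store.create(session_id, "analyst", now)  # constructed user name
            outcomes.append((minute, action, session_id, True))
        elif action == "request":
            outcomes.append((minute, action, session_id, store.touch(session_id, now)))
        elif action == "reap":
            outcomes.append((minute, action, session_id, store.reap(now)))
    return outcomes


def evaluate_session_setting(timeout_enabled: bool, idle_timeout_minutes: Optional[int]) -> str:
    """Apply the Check Content rule to the two values read from the Session
    menu: "NotAFinding" only if the timeout is enabled and set to 15 or less.
    Assumption: a zero or negative value is treated as no timeout (Open)."""
    if not timeout_enabled or idle_timeout_minutes is None:
        return "Open"
    if idle_timeout_minutes <= 0 or idle_timeout_minutes > REQUIRED_IDLE_TIMEOUT_MINUTES:
        return "Open"
    return "NotAFinding"


if __name__ == "__main__":
    # Constructed timeline: activity at minute 10 restarts the idle clock, so the
    # session survives the minute-24 sweep and is terminated at minute 25.
    timeline = [(0, "login", "s1"), (10, "request", "s1"), (24, "reap", None),
                (25, "reap", None), (26, "request", "s1")]
    for step in run_scenario(15, timeline):
        print(step)
    print(evaluate_session_setting(True, 15), evaluate_session_setting(True, 30))
```

The scenario helper is the part to adapt when reviewing a real implementation: the edge cases worth confirming are that activity restarts the idle clock (minute 10), that termination happens exactly at the limit rather than one sweep later (minute 25), and that a request after termination is refused rather than silently re-activating the session (minute 26).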
Additional Identifiers
Rule ID: SV-276002r1122656_rule
Vulnerability ID: V-276002
Group Title: SRG-APP-000003
CCIs
| Number | Definition |
|---|---|
| CCI-000057 | Prevent further access to the system by initiating a device lock after organization-defined time period of inactivity; and/or requiring the user to initiate a device lock before leaving the system unattended. |
| CCI-001133 | Terminate the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |
| CCI-002361 | Automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect. |