Check: CSCO-NM-000520
Cisco ISE NDM STIG: CSCO-NM-000520 (in version v1 r6)
Title
The Cisco ISE must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after five minutes of inactivity except to fulfill documented and validated mission requirements. (Cat I impact)
Discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
Check Content
From the CLI EXEC mode, type "show terminal".
From the GUI, navigate to Administration >> System >> Admin Access >> Settings >> Session.
View the session timeout setting.
If the terminal and administration setting is not set to six minutes or less, this is a finding.
Fix Text
Configure Session Timeout for Administrators.
1. Choose Administration >> System >> Admin Access >> Settings >> Session >> Session Timeout.
2. Type "6".
3. Click "Save".
Additional Identifiers
Rule ID: SV-242657r944329_rule
Vulnerability ID: V-242657
Group Title: SRG-APP-000190-NDM-000267
CCIs
Number | Definition |
---|---|
CCI-001133 | The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |
Controls
Number | Title |
---|---|
SC-10 | Network Disconnect |