
V-283037

CAT II (Medium)

The HPE Alletra Storage ArcusOS device must set an inactive timeout for sessions.

Rule ID

SV-283037r1193801_rule

STIG

HPE Alletra Storage ArcusOS Web Server Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002361

Discussion

Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server ensures that sessions not closed by the user logging out of an application are eventually closed. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications.

Check Content

Verify the WSAPI Session Timeout value is set with the following command:

cli% showwsapi -d

-------------------------------WSAPI Server Configuration--------------------------------
service State:                                        Enabled
HPE GreenLake for Block Storage UI State:                                        Active
server State:                                                                    Active
HTTPS Port:                                                                       443
Number of Sessions Created:                                                         0
System Resource Usage:                                                         96
Number of Sessions Active:                                                          0
Version:                                                     1.14.0
Event Stream State:                                                                    Enabled
Max Number of SSE Sessions Allowed:                                               5
Number of SSE Sessions Created:                                                         0
Number of SSE Sessions Active:                                                             0
Session Timeout:                                                10 Minutes
Policy :                                            per_user_limit
API URL:               https://s2475-cluster.lr4-storage.net/api/v1

If "Session Timeout" is set to a value greater than "10 minutes", this is a finding.
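
The check above, automated as an added example (not part of the STIG or of HPE tooling): it parses captured "showwsapi -d" output and reports whether the Session Timeout exceeds the limit. The function names and the trimmed sample output are constructed for illustration, and the code assumes the timeout is reported in minutes, as in the listing above.

```python
import re

# Constructed sample: a trimmed capture of `showwsapi -d` output, modelled on
# the listing in the Check Content (values are illustrative).
SAMPLE_OUTPUT = """\
-------------------------------WSAPI Server Configuration--------------------------------
server State:                                                                    Active
HTTPS Port:                                                                       443
Number of SSE Sessions Active:                                                      0
Session Timeout:                                                10 Minutes
Policy :                                            per_user_limit
"""

# Matches e.g. "Session Timeout:      10 Minutes"; spacing and case may vary.
_TIMEOUT_RE = re.compile(
    r"^\s*Session Timeout\s*:\s*(\d+)\s*(\w+)\s*$", re.IGNORECASE | re.MULTILINE
)


def session_timeout_minutes(showwsapi_output):
    """Return the configured timeout in minutes, or None if it cannot be read."""
    match = _TIMEOUT_RE.search(showwsapi_output)
    if match is None:
        return None
    value, unit = int(match.group(1)), match.group(2).lower()
    # Assumption: the array reports minutes, as in the page's listing. Any
    # other unit is treated as unreadable rather than guessed at.
    if not unit.startswith("minute"):
        return None
    return value


def evaluate_v283037(showwsapi_output, limit_minutes=10):
    """Return (status, detail); status is 'not_a_finding', 'finding' or 'review'."""
    minutes = session_timeout_minutes(showwsapi_output)
    if minutes is None:
        # Do not pass the check on output that could not be parsed.
        return "review", "Session Timeout not found or unit not recognised"
    if minutes > limit_minutes:
        return "finding", f"Session Timeout is {minutes} minutes (limit {limit_minutes})"
    return "not_a_finding", f"Session Timeout is {minutes} minutes"


if __name__ == "__main__":
    print(evaluate_v283037(SAMPLE_OUTPUT))
```

Pass limit_minutes=5 when the array fronts a high-value application, per the values in the Discussion.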

Fix Text

Configure the WSAPI Session Timeout to a value less than or equal to 10 minutes:

cli% setwsapi -timeout 10