Rule ID
SV-279416r1191034_rule
Version
V1R1
CCIs
An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.
Validate the Prism WebUI Session Idle timeout and Timeout Override is set to 15 minutes and Deny Override. 1. Log in to Prism Element. 2. Click the gear icon in the upper-right corner. 3. Navigate to "UI Settings". 4. Verify the "Session Idle Timeout for current User" to 15 Minutes. 5. Verify the "Default Session Idle Timeout for Non-Admin Users" to 15 Minutes. 6. Verify the "Session Idle Override for Non-Admin Users" to "Deny Override". If the any of the idle timeout settings or override setting do not match the required settings, this is a finding.
Configure the Nutanix AOS Prism Element WebUI Session Idle timeout and Override settings. 1. Log in to Prism Element. 2. Click the gear icon in the upper-right corner. 3. Navigate to "UI Settings". 4. Set the "Session Idle Timeout for current User" to 15 Minutes. 5. Set the "Default Session Idle Timeout for Non-Admin Users" to 15 Minutes. 6. Set the "Session Idle Override for Non-Admin Users" to "Deny Override".