
The network element must time out access to the console port after 10 minutes or less of inactivity.


Overview

Finding ID: V-3967
Version: NET1624
Rule ID: SV-15445r2_rule
IA Controls: (none listed)
Severity: Medium
Description
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session that has been left unattended on the console port. In addition, quickly terminating an idle session frees the resources the managed network element has committed to it. Setting the session timeout to 10 minutes or less increases the level of protection afforded to critical network components.
STIG: Infrastructure Router - Juniper Security Technical Implementation Guide
Date: 2017-09-28

Details

Check Text (C-12910r2_chk)
With the exception of root, all user access privileges on a Juniper router are defined in a login class, and every user who logs in to the router must belong to one. The properties of a login class include the user's access privileges and the idle time permitted for a login session: the idle-timeout statement specifies, in minutes, how long a session may remain idle before it times out and the user is logged off. Display the classes that have been defined (for example with "show configuration system login" from operational mode) and examine the idle-timeout parameter of each one. Following is an example:

[edit system login]
class superuser-local {
    idle-timeout 10;
    permissions all;
}

Notes:
1. There is no default idle-timeout. Without a timeout specified, a login session remains established until the user logs out of the router, even if the session is idle. Unlike IOS, Junos closes idle sessions automatically only when a time limit is configured, and it must be configured for each login class; a class with no idle-timeout statement is a finding.
2. Since the root account does not belong to a class (so no idle-timeout applies to it) and root can log in on the console, disable the ability to log in as root over the console by marking the console insecure as follows:

[edit system]
console {
    insecure;
}
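The check above has to be repeated for every login class, and a class with no idle-timeout statement is as much a finding as one with a value above 10. The following is an added example, not part of the STIG or of Juniper's tooling: a small Python audit that parses the text of "show configuration system login" and "show configuration system console", reports each class that is missing idle-timeout or exceeds the limit, and confirms the console is marked insecure. The configuration text embedded in it is constructed for the example (class names operator-ro and netops and the user admin are made up); the 10-minute limit comes from the rule.

```python
import re

# Constructed sample of "show configuration system login" output (not from the STIG page):
# one compliant class, one whose timeout is too long, one with no timeout at all.
SAMPLE_LOGIN_CONFIG = """\
class superuser-local {
    idle-timeout 10;
    permissions all;
}
class operator-ro {
    idle-timeout 30;
    permissions [ view view-configuration ];
}
class netops {
    permissions [ clear network view ];
}
user admin {
    uid 2000;
    class superuser-local;
}
"""

# Constructed sample of "show configuration system console" output with the fix applied.
SAMPLE_CONSOLE_CONFIG = """\
console {
    insecure;
}
"""

# A class block is "class <name> {" up to the next line holding only "}".
# The "class <name>;" line inside a user block has no "{" and so is not matched.
CLASS_RE = re.compile(r'^\s*class\s+(\S+)\s*\{(.*?)^\s*\}', re.MULTILINE | re.DOTALL)
TIMEOUT_RE = re.compile(r'^\s*idle-timeout\s+(\d+)\s*;', re.MULTILINE)
CONSOLE_RE = re.compile(r'^\s*console\s*\{(.*?)^\s*\}', re.MULTILINE | re.DOTALL)


def audit_login_classes(login_cfg, max_minutes=10):
    """Map every login class to a finding string, or None when it complies."""
    findings = {}
    for match in CLASS_RE.finditer(login_cfg):
        name, body = match.group(1), match.group(2)
        timeout = TIMEOUT_RE.search(body)
        if timeout is None:
            findings[name] = "no idle-timeout configured; session never times out"
            continue
        minutes = int(timeout.group(1))
        # Assumption: a value of 0 is reported for manual review, since the page
        # does not say what Junos does with it; anything above the limit is a finding.
        if minutes == 0 or minutes > max_minutes:
            findings[name] = f"idle-timeout {minutes} is outside 1..{max_minutes} minutes"
        else:
            findings[name] = None
    return findings


def console_is_insecure(console_cfg):
    """True when 'insecure;' is set under [edit system console] (blocks root console login)."""
    block = CONSOLE_RE.search(console_cfg)
    return bool(block and re.search(r'^\s*insecure\s*;', block.group(1), re.MULTILINE))


def stig_net1624_report(login_cfg, console_cfg, max_minutes=10):
    """Combine both checks: all classes must comply and the console must be insecure."""
    per_class = audit_login_classes(login_cfg, max_minutes)
    failing = {name: why for name, why in per_class.items() if why}
    console_ok = console_is_insecure(console_cfg)
    return {
        "failing_classes": failing,
        "console_insecure": console_ok,
        "compliant": not failing and console_ok,
    }


if __name__ == "__main__":
    report = stig_net1624_report(SAMPLE_LOGIN_CONFIG, SAMPLE_CONSOLE_CONFIG)
    for name, why in report["failing_classes"].items():
        print(f"FINDING class {name}: {why}")
    print("console insecure:", report["console_insecure"])
    print("NET1624 compliant:", report["compliant"])
```

On the sample, operator-ro (30 minutes) and netops (no timeout) are reported and superuser-local passes. A class that fails is remediated in configuration mode with "set system login class <name> idle-timeout 10" (or a smaller value) followed by commit; the script only reads text, so it can be run against a saved "show configuration" capture without any access to the router.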

Fix Text (F-3900r4_fix)
Configure an idle-timeout of 10 minutes or less on every login class defined under [edit system login], so that idle console connections are terminated, and mark the console insecure under [edit system console] so that the root account, which belongs to no class, cannot log in on the console.