The HPE Alletra Storage ArcusOS device must set an inactive timeout for sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-283037 | ASMP-WS-000730 | SV-283037r1193801_rule | CCI-002361 | medium |
| Description | ||||
| Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain those sessions not closed through the user logging out of an application are eventually closed. Acceptable values are 5 minutes for high-value applications, 10 minutes for medium-value applications, and 20 minutes for low-value applications. | ||||
| STIG | Date | |||
| HPE Alletra Storage ArcusOS Web Server Security Technical Implementation Guide | 2026-03-03 | |||
Details
Check Text (C-283037r1193801_chk)
Verify the WSAPI Session Timeout value is set with the following command:
%cli showwsapi -d
-------------------------------WSAPI Server Configuration--------------------------------
service State: Enabled
HPE GreenLake for Block Storage UI State: Active
server State: Active
HTTPS Port: 443
Number of Sessions Created: 0
System Resource Usage: 96
Number of Sessions Active: 0
Version: 1.14.0
Event Stream State: Enabled
Max Number of SSE Sessions Allowed: 5
Number of SSE Sessions Created: 0
Number of SSE Sessions Active: 0
Session Timeout: 10 Minutes
Policy : per_user_limit
API URL: https://s2475-cluster.lr4-storage.net/api/v1
If "Session Timeout" is set to a value greater than "10 minutes", this is a finding.
Fix Text (F-87505r1193800_fix)
Configure the WSAPI Session Timeout to a value less than or equal to 10 minutes:
cli% setwsapi -timeout 10