The vCenter Lookup service must set an inactive timeout for sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-259049 | VCLU-80-000070 | SV-259049r934805_rule | CCI-002038 | medium |
| Description | ||||
| Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253 | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation Guide | 2023-10-29 | |||
Details
Check Text (C-259049r934805_chk)
At the command prompt, run the following command:
# xmllint --format /usr/lib/vmware-lookupsvc/conf/web.xml | sed 's/xmlns=".*"//g' | xmllint --xpath '/web-app/session-config/session-timeout' -
Example result:
<session-timeout>30</session-timeout>
If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.
Fix Text (F-62698r934804_fix)
Navigate to and open:
/usr/lib/vmware-lookupsvc/conf/web.xml
Navigate to the <session-config> node and configure the <session-timeout> as follows:
<session-config>
<session-timeout>30</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
</session-config>
Restart the service with the following command:
# vmon-cli --restart lookupsvc