The F5 BIG-IP appliance must set the idle time before automatic logout to five minutes of inactivity except to fulfill documented and validated mission requirements.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-266095	SRG-APP-000190-NDM-000267	F5BI-DM-300057	SV-266095r1024904_rule	2024-09-20	1

Description
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-APP-000190-NDM-000267, SRG-APP-000003-NDM-000202

Description

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level, or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-APP-000190-NDM-000267, SRG-APP-000003-NDM-000202

ℹ️ Check
If a documented and validated reason for not implementing the five-minute idle timeout exists, this is not a finding. From the BIG-IP GUI: HTTPD/TMSH: 1. System. 2. Preferences. 3. Under Security Settings, verify "Idle Time Before Automatic Logout" is configured for 300 seconds or less. SSHD: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Verify "Idle Time Before Automatic Logout" is configured for 300 seconds or less. From the BIG-IP Console, issue the following commands: HTTPD/TMSH: tmsh list sys httpd auth-pam-idle-timeout Note: This must return a value of 300 or less. tmsh list sys httpd auth-pam-dashboard-timeout Note: This must return a value of "on". tmsh list sys global-settings console-inactivity-timeout Note: This must return a value of 300 or less. tmsh list cli global-settings idle-timeout Note: This must return a value of 5. SSHD: tmsh list sys sshd inactivity-timeout Note: This must return a value of 300 or less. If the BIG-IP appliance is not configured to terminate inactive sessions after five minutes of inactivity, this is a finding.

ℹ️ Check

If a documented and validated reason for not implementing the five-minute idle timeout exists, this is not a finding. From the BIG-IP GUI: HTTPD/TMSH: 1. System. 2. Preferences. 3. Under Security Settings, verify "Idle Time Before Automatic Logout" is configured for 300 seconds or less. SSHD: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Verify "Idle Time Before Automatic Logout" is configured for 300 seconds or less. From the BIG-IP Console, issue the following commands: HTTPD/TMSH: tmsh list sys httpd auth-pam-idle-timeout Note: This must return a value of 300 or less. tmsh list sys httpd auth-pam-dashboard-timeout Note: This must return a value of "on". tmsh list sys global-settings console-inactivity-timeout Note: This must return a value of 300 or less. tmsh list cli global-settings idle-timeout Note: This must return a value of 5. SSHD: tmsh list sys sshd inactivity-timeout Note: This must return a value of 300 or less. If the BIG-IP appliance is not configured to terminate inactive sessions after five minutes of inactivity, this is a finding.

✔️ Fix
From the BIG-IP GUI: HTTPD/TMSH: 1. System. 2. Preferences. 3. Under Security Settings configure "Idle Time Before Automatic Logout" to 300 seconds. 4. Click "Update". SSHD: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Configure "Idle Time Before Automatic Logout" to 300 seconds. 6. Click "Update". From the BIG-IP Console, issue the following commands: HTTPD/TMSH: tmsh modify sys httpd auth-pam-idle-timeout 300 tmsh modify sys httpd auth-pam-dashboard-timeout on tmsh modify sys global-settings console-inactivity-timeout 300 tmsh modify cli global-settings idle-timeout 5 SSHD: tmsh modify sys sshd inactivity-timeout 300 tmsh save sys config

✔️ Fix

From the BIG-IP GUI: HTTPD/TMSH: 1. System. 2. Preferences. 3. Under Security Settings configure "Idle Time Before Automatic Logout" to 300 seconds. 4. Click "Update". SSHD: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Configure "Idle Time Before Automatic Logout" to 300 seconds. 6. Click "Update". From the BIG-IP Console, issue the following commands: HTTPD/TMSH: tmsh modify sys httpd auth-pam-idle-timeout 300 tmsh modify sys httpd auth-pam-dashboard-timeout on tmsh modify sys global-settings console-inactivity-timeout 300 tmsh modify cli global-settings idle-timeout 5 SSHD: tmsh modify sys sshd inactivity-timeout 300 tmsh save sys config