Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-251657	SRG-APP-000295-AU-000190	SPLK-CL-000010	SV-251657r1043182_rule	2025-03-05	2

Description
Automatic session termination after a period of inactivity addresses the potential for a malicious actor to exploit the unattended session. Closing any unattended sessions reduces the attack surface to the application. Satisfies: SRG-APP-000295-AU-000190, SRG-APP-000389-AU-000180

ℹ️ Check
This check is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the instance being reviewed is not used as a search head, this check in Not Applicable. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the web.conf file. If the web.conf file does not exist, this is a finding. If the "tools.sessions.timeout" is missing or is configured to 16 or more, this is a finding.

ℹ️ Check

This check is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the instance being reviewed is not used as a search head, this check in Not Applicable. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the web.conf file. If the web.conf file does not exist, this is a finding. If the "tools.sessions.timeout" is missing or is configured to 16 or more, this is a finding.

✔️ Fix
This configuration is performed on the machine used as a search head, which may be a separate machine in a distributed environment. If the web.conf file does not exist, copy the file from $SPLUNK_HOME/etc/system/default to the $SPLUNK_HOME/etc/system/local directory. Modify/Add the following lines in the web.conf file: tools.session.timeout = 15