The vCenter STS service must set an inactive timeout for sessions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-258983	SRG-APP-000295-AS-000263	VCST-80-000070	SV-258983r1003673_rule	2024-07-11	2

Description
Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253

Description

Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By closing sessions after a set period of inactivity, the web server can make certain that those sessions that are not closed through the user logging out of an application are eventually closed. Satisfies: SRG-APP-000295-AS-000263, SRG-APP-000389-AS-000253

ℹ️ Check
At the command prompt, run the following command: # xmllint --format /usr/lib/vmware-sso/vmware-sts/conf/web.xml \| sed 's/xmlns=".*"//g' \| xmllint --xpath '/web-app/session-config/session-timeout' - Example result: <session-timeout>30</session-timeout> If the value of "session-timeout" is not "30" or less, or is missing, this is a finding.

✔️ Fix
Navigate to and open: /usr/lib/vmware-sso/vmware-sts/conf/web.xml Navigate to the <session-config> node and configure the <session-timeout> as follows: <session-config> <session-timeout>30</session-timeout> <cookie-config> <http-only>true</http-only> <secure>true</secure> </cookie-config> </session-config> Restart the service with the following command: # vmon-cli --restart sts