The ESXi host must configure a session timeout for the vSphere API.
An XCCDF Rule
Description
<VulnDiscussion>The vSphere API (VIM) allows for remote, programmatic administration of the ESXi host. Authenticated API sessions are no different from a risk perspective than authenticated UI sessions and they need similar protections. One of these protections is a basic inactivity timeout, after which the session will be invalidated and reauthentication will be required by the application accessing the API. This is set to 30 seconds by default but can be disabled, thus leaving API sessions open indefinitely. The 30 second default must be verified and maintained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-256440r886101_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
From the vSphere Client go to Hosts and Clusters.
Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Select the "Config.HostAgent.vmacore.soap.sessionTimeout" value and set it to "30".