Skip to content

The F5 BIG-IP appliance must be configured to set a Maximum Session Timeout value of eight hours or less.

An XCCDF Rule

Description

<VulnDiscussion>The Maximum Session Timeout setting configures a limit on the maximum amount of time a user's session is active without needing to reauthenticate. If the value is set to zero, the user's session is active until either the user terminates the session or the Inactivity Timeout value is reached (the default value is set to 604,800 seconds). When determining how long the maximum user session can last, it may be useful to review the access policy. For example, if the access policy requires that the user's antivirus signatures cannot be older than eight hours, the Maximum Session Timeout must not exceed that time limit. This is an APM Policy setting, which applies to APM authentication profiles for Virtual Servers and SSL VPN.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-266169r1024401_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the access profile name.
5. In the "Settings" section, set the value for "Maximum Session Timeout" to 28800 seconds (eight hours) or less.