The WebSphere Application Server admin console session timeout must be configured.

An XCCDF Rule

Description

<VulnDiscussion>An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-95909r1_rule
Severity: Medium
References: CCI-002361
Updated: about 1 year ago

Locate the deployment.xml file. The default file locations where deployment.xml is installed are provided below.  

UNIX:
/opt/IBM/WebSphere/Profiles/DefaultDmgr01/config/cells/<CELL NAME>/applications/isclite.ear/deployments/isclite/

Windows:C:\Program Files\IBM\WebSphere\Profiles\DefaultDmgr01\config\cells\<CELL NAME>\applications\isclite.ear\deployments\isclite\

Make a backup copy of the deployment.xml file.

Edit the deployment.xml file.

Modify the "invalidationtimeout=" value and set to "10".

Restart the DMGR and all the JVMs.

The WebSphere Application Server admin console session timeout must be configured.

Description

Remediation - Manual Procedure