3.16 (L1) Host must configure a session timeout for the API

Information

A designated timeout ensures that sessions are not left open indefinitely, thereby reducing the exposure window for potential security threats. The parameter governing this behavior is Config.HostAgent.vmacore.soap.sessionTimeout with a recommended setting of 30 seconds.

A session timeout ensures that potential security threats from unauthorized users or malicious software exploiting open sessions are significantly reduced.

Solution

Impact:

There is no functional impact noted when configuring this security control, making it a low-risk enhancement towards securing the ESXi environment.

See Also

https://workbench.cisecurity.org/benchmarks/15784

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-2(5), 800-53|AC-11, 800-53|AC-11(1), 800-53|AC-12, 800-53|AC-18, 800-53|SC-23, CSCv7|1.7

Plugin: VMware

Control ID: cd51c8197e578a2e6469a8cbf12925623d52fa6e3c435d53cba9a177f9f7c93d