1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout

Information

Verify that the device is configured to automatically disconnect login sessions after a fixed idle time.

Rationale:

An idle timeout limits the window in which an abandoned session can be misused by someone who never authenticated. For example, if the network administrator leaves for the day with a workstation unlocked and a login session to the switch still open, anyone who reaches that workstation inherits administrative access until the session is closed. There is a trade-off between security (shorter timeouts) and usability (longer timeouts); review local policy and operational needs to choose the value, but in most cases it should be no more than 10 minutes, and this control checks for 5.

Impact:

Leaving idle sessions without a timeout has several consequences:

Unattended sessions on an unlocked administrative workstation can be used by passers-by to enter commands as the logged-in administrator.

If sessions are ended by closing the client rather than logging out, the corresponding vty sessions on the switch stay allocated indefinitely. Once the maximum number of vty sessions is reached, further administrative logins are refused, which can lock legitimate administrators out.

If a console session is abandoned simply by unplugging the console or USB cable, it remains logged in, in exactly the state it was left in, for whoever connects next.

A short timeout is normally desired; it can be raised temporarily for long-running operations (a scheduled NX-OS upgrade, for instance) and restored afterwards.

Solution

Configure the SSH idle timeout (the benchmark uses 120 seconds, i.e. 2 minutes) and the console and vty exec-timeout (5 minutes) so that sessions are disconnected after a fixed idle time. Note that the NX-OS exec-timeout value is in minutes and 0 disables the timeout, so 'exec-timeout 120' would allow two hours of idle time, not two minutes.

switch(config)# ssh idle-timeout 120

switch(config)# line console
switch(config-line)# exec-timeout 5
switch(config-line)# exit

switch(config)# line vty
switch(config-line)# exec-timeout 5
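The following audit script is an added example and is not part of the CIS benchmark or the Tenable plugin. It checks a running-config excerpt for the three settings this control covers: the global ssh idle-timeout (assumed here to be in seconds, as the Solution text states) and the exec-timeout under line console and line vty (which NX-OS takes in minutes, 0 meaning disabled). The sample configs are constructed, not captured from a device; the third one shows why 'exec-timeout 120' fails the check even though it looks like two minutes.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_IDLE_MINUTES = 5  # control target: sessions must drop after at most 5 idle minutes


@dataclass
class Finding:
    scope: str              # "ssh", "line console" or "line vty"
    value: Optional[int]    # configured value, None when the command is absent
    unit: str
    compliant: bool
    note: str


def line_blocks(config: str) -> dict:
    """Collect child commands under each 'line ...' block.

    NX-OS indents block children with two spaces, so a non-indented line ends the block.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw.strip()
            blocks.setdefault(current, [])
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_idle_timeouts(config: str, max_minutes: int = MAX_IDLE_MINUTES) -> list:
    """Return one Finding per scope; a scope is compliant only when an explicit,
    non-zero timeout at or below the threshold is present."""
    findings = []

    # Global SSH idle timeout. Assumed to take seconds, as the Solution text above states.
    m = re.search(r"^ssh idle-timeout (\d+)\s*$", config, re.MULTILINE)
    if m is None:
        findings.append(Finding("ssh", None, "seconds", False, "ssh idle-timeout not configured"))
    else:
        secs = int(m.group(1))
        ok = 0 < secs <= max_minutes * 60
        findings.append(Finding("ssh", secs, "seconds", ok,
                                "ok" if ok else f"{secs}s exceeds {max_minutes} minutes or is disabled"))

    # Per-line exec-timeout. NX-OS takes this value in MINUTES; 0 disables the timeout.
    blocks = line_blocks(config)
    for scope in ("line console", "line vty"):
        found = None
        for cmd in blocks.get(scope, []):
            m = re.fullmatch(r"exec-timeout (\d+)", cmd)
            if m:
                found = int(m.group(1))
        if found is None:
            # Absent means the default applies, which this control treats as disabled.
            findings.append(Finding(scope, None, "minutes", False, "exec-timeout not set (default)"))
        else:
            ok = 0 < found <= max_minutes
            findings.append(Finding(scope, found, "minutes", ok,
                                    "ok" if ok else f"{found} minutes exceeds {max_minutes} or is disabled"))
    return findings


def is_compliant(config: str, max_minutes: int = MAX_IDLE_MINUTES) -> bool:
    return all(f.compliant for f in audit_idle_timeouts(config, max_minutes))


# Constructed sample configs (not captured from a real device).
WEAK_CONFIG = """\
hostname nx-weak
feature ssh
line console
  exec-timeout 0
line vty
"""

# 'exec-timeout 120' reads like 2 minutes but is 120 MINUTES on NX-OS.
MISREAD_UNITS_CONFIG = """\
hostname nx-misread
ssh idle-timeout 120
line console
  exec-timeout 120
line vty
  exec-timeout 120
"""

HARDENED_CONFIG = """\
hostname nx-hard
ssh idle-timeout 120
line console
  exec-timeout 5
line vty
  exec-timeout 5
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("misread", MISREAD_UNITS_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "compliant" if is_compliant(cfg) else "NON-COMPLIANT")
        for f in audit_idle_timeouts(cfg):
            print(f"  {f.scope:13} {str(f.value):>5} {f.unit:8} {'PASS' if f.compliant else 'FAIL'}  {f.note}")
```

Feed it the output of 'show running-config' and treat any FAIL as a finding; the absent-command case is reported deliberately, since relying on the platform default is exactly what this control is meant to catch.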

Default Value:

The default value for 'exec-timeout' is 0 (disabled) for both the vty and console lines.

See Also

https://workbench.cisecurity.org/files/3102

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12, CSCv6|16.5

Plugin: Cisco

Control ID: 53d9e032758a065010274488022e31db0c6bc26d57cd9766bfd9fddd866cc3cf