1.2.4 Ensure Exec Timeout for Console Sessions is set

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Verify that the device is configured to automatically disconnect console sessions after a defined maximum session time, set in minutes.

Rationale:

This prevents unauthorized users from misusing abandoned sessions. For example, if the network administrator disconnects leaving a console session open, that session will remain open (in the same state and privilege level) for the next person who connects a console cable to the device.

A shorter timeout is usually desired, but this can be extended for longer-running operations such as debug sessions or NX-OS updates.

This is not an idle timer; it is the maximum length of a session. This key difference should be taken into account when determining the best value for your organization and your work habits.

Solution

switch(config)# line console
switch(config-console)# exec-timeout 10

Default Value:

The default timeout value is 0 (i.e., the timeout is disabled).
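
An added example (not part of the benchmark or the audit file): a Python check that reads a saved running-config and reports whether a non-zero exec-timeout is set under line console, treating a missing line as the default of 0. The function names, the max_minutes threshold (set to the 10 used in the Solution) and the sample configurations are assumptions constructed for illustration.

```python
import re

# Constructed running-config excerpts (not taken from a real device).
COMPLIANT = """\
hostname switch
line console
  exec-timeout 10
line vty
  exec-timeout 5
"""
MISSING = """\
line console
line vty
  exec-timeout 5
"""
DISABLED = """\
line console
  exec-timeout 0
"""

def console_exec_timeout(config: str) -> int:
    """Return the exec-timeout (minutes) under 'line console'; 0 if unset."""
    in_console = False
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # A top-level line opens or closes the console section.
            in_console = line.strip() == "line console"
            continue
        if in_console:
            m = re.fullmatch(r"exec-timeout\s+(\d+)", line.strip())
            if m:
                return int(m.group(1))
    return 0  # default value: timeout disabled

def audit(config: str, max_minutes: int = 10) -> bool:
    """Pass only if a non-zero timeout no longer than max_minutes is set."""
    value = console_exec_timeout(config)
    return 0 < value <= max_minutes

if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("missing", MISSING), ("disabled", DISABLED)]
    for name, cfg in samples:
        print(name, console_exec_timeout(cfg), "PASS" if audit(cfg) else "FAIL")
```

The vty timeout in the second sample is deliberately present so the check shows it only reads the console section.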

See Also

https://workbench.cisecurity.org/benchmarks/6524