6.10.2.4 Ensure Idle Timeout is Set for Web-Management

Information

Idle JWeb sessions should be timed out after 15 minutes.

Rationale:

If JWeb Management sessions are left unattended, it may be possible for an attacker to use the session to take control of the JUNOS device.

To prevent this, or at least limit the scope of such an attack, an idle timeout should be set to end sessions where no activity has occurred for a defined period of time.

The Payment Card Industry Data Security Standard (PCI DSS) recommends that administrative sessions should be timed out if left idle for 15 minutes.

NOTE: The JWeb service does not appear to be configured on the target. This check is not applicable.

Solution

To enable Idle Timeouts for JWeb issue the following command from the [edit system services web-management] hierarchy:

[edit system services web-management]
user@host# set session idle-timeout <Time in Minutes>
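The following added example (not part of the benchmark or Tenable's plugin) audits this control offline against the `show configuration | display set` form of a Junos configuration: it reports not applicable when web-management is absent, fails when no `session idle-timeout` is set (the default) or the value exceeds 15 minutes, and passes otherwise. The sample configuration and hostname are constructed.

```python
import re

# Constructed sample of `show configuration | display set` output; not from a real device.
SAMPLE_CONFIG = """\
set system host-name fw-edge-01
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management session idle-timeout 20
"""

# Any statement under [edit system services web-management] means JWeb is configured.
WEBMGMT_RE = re.compile(r"^set system services web-management\b", re.M)
# The statement the benchmark asks for, rendered in "display set" form.
IDLE_RE = re.compile(
    r"^set system services web-management session idle-timeout (\d+)\s*$", re.M)


def audit_jweb_idle_timeout(config_text, max_minutes=15):
    """Return (status, detail) where status is PASS, FAIL or NOT_APPLICABLE."""
    if not WEBMGMT_RE.search(config_text):
        return "NOT_APPLICABLE", "web-management is not configured on the target"
    match = IDLE_RE.search(config_text)
    if match is None:
        # Junos sets no idle timeout by default, so the absence is a finding.
        return "FAIL", "no session idle-timeout configured for web-management"
    minutes = int(match.group(1))
    if minutes > max_minutes:
        return "FAIL", f"idle-timeout is {minutes} minutes; must be <= {max_minutes}"
    return "PASS", f"idle-timeout is {minutes} minutes"


def remediation(max_minutes=15):
    """Top-level 'set' form of the benchmark's remediation command."""
    return f"set system services web-management session idle-timeout {max_minutes}"


if __name__ == "__main__":
    status, detail = audit_jweb_idle_timeout(SAMPLE_CONFIG)
    print(f"{status}: {detail}")
    if status == "FAIL":
        print("remediate with:", remediation())
```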

Default Value:

Depends on platform: JWeb is installed by default on J-Series devices and is optional on all other platforms. No idle timeout is set by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: d09137ebad66b7d14e225b894cc592719fd09b28d29d6b9a4480b1ccbaf5621b