Ensure 'console session timeout' is set to organizational policy

Information

Sets the idle timeout for a console session before the security appliance terminates it.

Rationale:

Limiting session timeout prevents unauthorized users from using abandoned sessions to perform malicious activities.

Solution

From the Firepower Management Center:
Step 1 Choose Devices > Platform Settings and create or edit a Firepower policy.

Step 2 Click Shell Timeout.
Step 3 You have the following choices:

To configure session timeout for the web interface, enter a number (of minutes) in the Browser Session Timeout (Minutes) field. The default value is 60; the maximum value is 1440 (24 hours). For information on how to exempt users from this session timeout, see User Account Login Options.
To configure session timeout for the command line interface, enter a number (of minutes) in the Shell Timeout (Minutes) field. The default value is 0; the maximum value is 1440 (24 hours).
To permanently disable the expert command in the auxiliary command line interface, check the Permanently Disable Expert Access check box.
Caution: After you deploy a policy with expert mode disabled to an appliance, you cannot restore the ability to access expert mode through the web interface or the auxiliary command line interface. You must contact Support to restore the expert mode capability.

Step 4 Click Save.

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12

Plugin: Cisco_Firepower

Control ID: db1b353689e373ca888bb5520b1d7aa22524ccc332d18cfd6115ec30ba5838a4