Details
If a user forgets to log out of their local or remote ESXi Shell session, the idle connection will remain open indefinitely and increase the likelihood of inappropriate host access via session hijacking. The ‘ESXiShellInteractiveTimeOut’ allows the automatic termination of idle shell sessions.
Satisfies: SRG-OS-000163-VMM-000700, SRG-OS-000279-VMM-001010
Solution
From the vSphere Client, select the ESXi Host and go to Configure >> System >> Advanced System Settings.
Click ‘Edit’, select the ‘UserVars.ESXiShellInteractiveTimeOut’ value, and configure it to ‘120’.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following commands:
Get-VMHost | Get-AdvancedSetting -Name UserVars.ESXiShellInteractiveTimeOut | Set-AdvancedSetting -Value 120
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control, System and Communications Protection.This control applies to the following type of system VMware.
References
- 800-53|AC-12
- 800-53|SC-10
- CAT|II
- CCI|CCI-001133
- CCI|CCI-002361
- Rule-ID|SV-239296r674817_rule
- STIG-ID|ESXI-67-000041
- STIG-Legacy|SV-104115
- STIG-Legacy|V-94029
- Vuln-ID|V-239296