Cisco ACI SSH sessions must be terminated after five minutes of inactivity.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-271969 | CACI-ND-000054 | SV-271969r1114305_rule | High |
Description |
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. Quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level or deallocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. |
STIG | Date |
Cisco ACI NDM Security Technical Implementation Guide | 2025-06-13 |
Details
Check Text (C-76019r1114220_chk) |
Verify the maximum GUI idle duration before requiring login refresh is set to 300 seconds or less: show runing-config crypto webtoken Note: If the output is empty, then the default values are used, this is a finding. If ui-idle-timeout-seconds and webtoken-timeout-seconds are not set to 300 seconds or less, this is a finding. |
Fix Text (F-75926r1064051_fix) |
Set the GUI idle timeout which affects SSH on both APIC and Switches: 1. Navigate to Admin >> AAA >> Security >> Management Settings. 2. In the Properties section, ensure "Web Token Timeout (s)" is set to 300 or less. |