The CA API Gateway must terminate all network connections associated with a Policy Manager session at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity within the Policy Manager, and for user sessions simply viewing the contents of Policy Manager or viewing Audit Logs for tracking purposes (non-privileged session), the session must be terminated after 15 minutes of inactivity.
From CA API Gateway ALG Security Technical Implementation Guide
Part of SRG-NET-000213-ALG-000107
Associated with:
CCI-001133
SV-85989r1_rule
The CA API Gateway must terminate all network connections associated with a Policy Manager session at the end of the session or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity within the Policy Manager, and for user sessions simply viewing the contents of Policy Manager or viewing Audit Logs for tracking purposes (non-privileged session), the session must be terminated after 15 minutes of inactivity.
Vulnerability discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.Terminating network connections associated with Policy Manager sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection.The CA API Gateway must be configured to terminate any management session after an inactivity time via the Policy Manager. The default value for the Policy Manager is 30 minutes and must be configured for 10 minutes for administration sessions and 15 minutes for all other sessions, such as users viewing logs.
Check content
Open the CA API Gateway - Policy Manager and select "Preferences" from the main menu.
Verify the inactivity timeout is set in accordance with organizational requirements.
If it is not, this is a finding.
Fix text
Open the CA API Gateway - Policy Manager and select "Preferences" from the main menu.
Update the inactivity timeout in accordance with organizational requirements.
Pro Tips
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer