2023-03-16 17:34:50 +00:00
id : configure-session-timeout
info :
2023-07-06 06:27:03 +00:00
name : PfSence Configure Sessions Timeout Not Set - Detect
2023-03-16 17:34:50 +00:00
author : pussycat0x
severity : info
description : |
2023-07-06 06:27:03 +00:00
Configure sessions timeout is recommended to be enabled. An indefinite or even long session timeout window can increase the risk of an attacker abusing abandoned sessions and potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
2023-03-16 17:34:50 +00:00
reference : |
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
2023-05-04 15:11:51 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
cvss-score : 0.0
cwe-id : CWE-200
2023-03-22 19:14:02 +00:00
metadata :
verified : true
2023-03-16 17:34:50 +00:00
tags : firewall,config,audit,pfsense,file
file :
- extensions :
- xml
matchers-condition : and
matchers :
- type : word
words :
- "<session_timeout>"
- "<session_timeout>0</session_timeout>"
condition : or
negative : true
- type : word
words :
2023-03-22 19:01:22 +00:00
- "<pfsense>"
2023-03-16 17:34:50 +00:00
- "<webgui>"
2023-03-22 19:14:02 +00:00
- "<system>"
condition : and
2023-05-04 15:11:51 +00:00
# Enhanced by md on 2023/05/04