40 lines
1.1 KiB
YAML
40 lines
1.1 KiB
YAML
id: configure-session-timeout
|
|
|
|
info:
|
|
name: PfSence Configure Sessions Timeout Not Set - Detect
|
|
author: pussycat0x
|
|
severity: info
|
|
description: |
|
|
Configure sessions timeout is recommended to be enabled. An indefinite or even long session timeout window can increase the risk of an attacker abusing abandoned sessions and potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations.
|
|
reference: |
|
|
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
|
|
cvss-score: 0.0
|
|
cwe-id: CWE-200
|
|
metadata:
|
|
verified: true
|
|
tags: firewall,config,audit,pfsense,file
|
|
|
|
file:
|
|
- extensions:
|
|
- xml
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "<session_timeout>"
|
|
- "<session_timeout>0</session_timeout>"
|
|
condition: or
|
|
negative: true
|
|
|
|
- type: word
|
|
words:
|
|
- "<pfsense>"
|
|
- "<webgui>"
|
|
- "<system>"
|
|
condition: and
|
|
|
|
# Enhanced by md on 2023/05/04
|