1. Proposed title of this feature request

- [RFE] Add option to configure session timeout for Satellite server.

2. What is the nature and description of the request?

- Need an option to set a session timeout on the Satellite server. The session should get terminated after a configured time even if the user is actively working in the Satellite WebUI. The Satellite server has an option to set an "idle timeout", which performs the logout if the user is inactive for the configured time. Similarly, we need an option to set a session timeout even when the user is active.

3. Why does the customer need this? (List the business requirements here)

- Due to an internal security assessment, the customer needs to force session termination after a particular time.

4. How would the customer like to achieve this? (List the functional requirements here)

- By configuring the session timeout value in the configuration file.

5. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

6. Is there already an existing RFE upstream or in Red Hat Bugzilla?

- No

7. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?

8. Is the sales team involved in this request and do they have any additional input?

- No

9. Would the customer be able to assist in testing this functionality if implemented?

- Yes
(In reply to Krutika Kinge from comment #0)
> 3. Why does the customer need this? (List the business requirements here)
>
> - Due to internal security assessment cu need to force the session
> termination after a particular time.

What value in terms of security does this feature provide? Terminating an idle session is not in question and makes total sense, but terminating sessions after a specific point in time will frustrate users and is completely against all common UX patterns. I doubt such an implementation will increase security, and if combined with password login it will only make customers store passwords (and if password managers are used, there is no problem).

From a business value point of view, I expect a higher cost in management due to the fact that the user will, in the worst case, spend double the time on an activity, because the work is lost.

Imagine the following scenario: reducing the possibility of car theft.

To prevent the thief from driving the car far away, the default driving time is 30 minutes. After that, you will need to get out of the car, lock it, open it again, get into the car and start again. Now you can drive another 30 minutes.

As you can see, there will be no increase in security, as the car will still be stolen. But most of the time, the owner of the car is unable to reach his workplace in a single ride, as the standard travel time is 45 minutes.

Now I'm asking: how much benefit do you expect to get from such a feature? I suppose none, and I vote to decline such an RFE.

/Steffen
The customer referenced that this requirement is based on NIST SP 800-53, control IA-11:

---
Control name: Re-authentication

Control text: Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

Discussion: In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.
---

As a starting point, it would make sense to me to analyze whether Satellite actually requires a user to re-authenticate for the circumstances / situations described in control IA-11, or whether this already applies when a logged-in user e.g. refreshes a page on the WebUI / command line / API.

If Satellite does not require re-authentication, implementing the periodic fixed-time session logout does not add any value from a security perspective. If any of the mentioned changes requires re-authentication, implementing the RFE to fulfill this control (IA-11) could add value at the cost of usability.
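For reference, here is an added example (not Satellite or Foreman code, and not tied to any Satellite setting) that makes concrete the distinction the request in comment #0 turns on and that the "after a fixed time period" case of IA-11 quoted above refers to: an idle timeout is refreshed by every authenticated request, whereas an absolute session lifetime is fixed at login and cannot be extended by activity. The class names (SessionPolicy, Session, simulate), the 30-minute idle and 8-hour absolute values, and the login timestamp are assumptions chosen for illustration.

```ruby
# Illustrative session-expiry logic: idle timeout vs absolute lifetime.
# Added example; not Satellite/Foreman code. Times are Unix epoch seconds
# so the behaviour is deterministic and can be simulated offline.

class SessionPolicy
  attr_reader :idle_timeout, :absolute_timeout

  # idle_timeout: seconds of inactivity after which the session ends.
  # absolute_timeout: seconds after login after which the session ends
  # regardless of activity; nil disables it (the idle-only behaviour
  # described in comment #0 as what exists today).
  def initialize(idle_timeout:, absolute_timeout: nil)
    @idle_timeout = idle_timeout
    @absolute_timeout = absolute_timeout
  end
end

class Session
  attr_reader :user, :created_at, :last_seen_at

  def initialize(user, now)
    @user = user
    @created_at = now     # fixed at login; never refreshed
    @last_seen_at = now   # refreshed on every successful request
  end

  # Called on every authenticated request. Returns :ok and refreshes the
  # idle clock, or an expiry reason. The absolute check runs first and
  # before last_seen_at is updated, so activity can never push a session
  # past its hard limit.
  def touch(policy, now)
    if policy.absolute_timeout && now - @created_at >= policy.absolute_timeout
      return :expired_absolute
    end
    return :expired_idle if now - @last_seen_at >= policy.idle_timeout

    @last_seen_at = now
    :ok
  end
end

# Simulate a user who sends one request every `interval` seconds for
# `duration` seconds after login. Returns [result, seconds_after_login]
# for the first non-:ok result, or [:ok, duration] if the session survives.
def simulate(policy, interval:, duration:)
  login = 1_700_000_000 # constructed login timestamp
  session = Session.new("admin", login)
  (interval..duration).step(interval) do |offset|
    result = session.touch(policy, login + offset)
    return [result, offset] unless result == :ok
  end
  [:ok, duration]
end

IDLE_ONLY     = SessionPolicy.new(idle_timeout: 30 * 60)
WITH_ABSOLUTE = SessionPolicy.new(idle_timeout: 30 * 60, absolute_timeout: 8 * 3600)

if $PROGRAM_NAME == __FILE__
  # Active user: a request every 5 minutes for 10 hours.
  p simulate(IDLE_ONLY, interval: 300, duration: 36_000)     # [:ok, 36000]
  p simulate(WITH_ABSOLUTE, interval: 300, duration: 36_000) # [:expired_absolute, 28800]
  # Inactive user: first request 45 minutes after login.
  p simulate(IDLE_ONLY, interval: 2700, duration: 2700)      # [:expired_idle, 2700]
end
```

The two runs with the active user are the point of the example: under the idle-only policy a user who keeps clicking is never logged out, which is exactly the behaviour the customer's assessment objects to, while the absolute limit ends the session at eight hours no matter how recent the last request was. Evaluating the absolute limit before refreshing `last_seen_at` is what makes the second guarantee hold.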
Upon review of our valid but aging backlog, the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and is planning to close it in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you.