Change default session timeout to 10 minutes for STIG compliance #685

@aaronlippold

Description

The current default session timeout is 60 minutes, but STIG requires:

  • 10 minutes for administrative users
  • 15 minutes for non-privileged users

Current Implementation

  • Default timeout: 60 minutes (config/vulcan.default.yml:29)
  • Configured via: VULCAN_SESSION_TIMEOUT environment variable

Proposed Changes

  1. Change default timeout in config/vulcan.default.yml from 60 to 10 minutes
  2. Add comments about STIG compliance requirements
  3. Update documentation to reflect the change

Files to Update

  • config/vulcan.default.yml line 29
  • Documentation files referencing session timeout

Acceptance Criteria

  • Default timeout changed to 10 minutes
  • STIG compliance comment added
  • Tests pass with new default
  • Documentation updated

References

  • NIST SP 800-53 AC-12
  • Application Security & Development STIG V-222389, V-222390
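Lowering the default does not constrain a deployment that sets `VULCAN_SESSION_TIMEOUT` itself, so a check on the effective value is a useful companion to the change. The Ruby sketch below is an added example, not code from this issue or from Vulcan: it assumes the variable holds a whole number of minutes, and the function, struct and constant names are hypothetical.

```ruby
# Added example, not Vulcan's code. Assumes VULCAN_SESSION_TIMEOUT is a whole
# number of minutes; all names below are hypothetical.

# Limits quoted in the issue: 10 min for administrative users, 15 min for others.
STIG_MAX_MINUTES = { admin: 10, non_privileged: 15 }.freeze
PROPOSED_DEFAULT_MINUTES = 10

TimeoutAudit = Struct.new(:minutes, :source, :findings)

# Resolve the effective timeout from an environment hash and report every
# reason it would fail the limits above.
def audit_session_timeout(env, default_minutes = PROPOSED_DEFAULT_MINUTES)
  raw = env['VULCAN_SESSION_TIMEOUT']
  findings = []

  if raw.nil? || raw.strip.empty?
    minutes = default_minutes
    source = :default
  else
    # Strict base-10 parse: "1h" or "ten" yields nil instead of a partial number.
    minutes = Integer(raw.strip, 10, exception: false)
    source = :env
    if minutes.nil? || minutes <= 0
      findings << "VULCAN_SESSION_TIMEOUT=#{raw.inspect} is not a positive integer; using default"
      minutes = default_minutes
      source = :default
    end
  end

  STIG_MAX_MINUTES.each do |role, limit|
    findings << "#{minutes} min exceeds the #{limit} min limit for #{role} users" if minutes > limit
  end

  TimeoutAudit.new(minutes, source, findings)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample environments, not taken from a real deployment.
  [{}, { 'VULCAN_SESSION_TIMEOUT' => '60' }, { 'VULCAN_SESSION_TIMEOUT' => '12' },
   { 'VULCAN_SESSION_TIMEOUT' => '1h' }].each do |env|
    audit = audit_session_timeout(env)
    status = audit.findings.empty? ? 'OK' : audit.findings.join('; ')
    puts "#{env.inspect} -> #{audit.minutes} min (#{audit.source}): #{status}"
  end
end
```

A single timeout value can satisfy both limits only at 10 minutes or less; a value such as 12 passes for non-privileged users but fails for administrative ones.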
