STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must provide a capability to limit the number of logon sessions per user.

DISA Rule

SV-222387r508029_rule

Vulnerability Number

V-222387

Group Title

SRG-APP-000001

Rule Version

APSC-DV-000010

Severity

CAT II

CCI(s)

CCI-000054 - The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions.

Weight

Fix Recommendation

Design and configure the application to specify the number of logon sessions that are allowed per user.

Check Contents

For production environments; Review the system documentation, identify the number of application user logon sessions allowed per user, identify the methods utilized for user session management or have application administrator describe how the application implements user session management.

Utilize the management interface that is used to set the user session values, or examine configuration files in order to review user session configuration settings.

Ensure the number of sessions allowed per user is specified in accordance with the organizational requirements.

For development environments; have the developer provide design documentation or demonstrate how the application is designed to limit the number of simultaneous user logon sessions.

If the application is not configured to limit the number of logon sessions per user as defined by the organization, this is a finding.

The application must provide a capability to limit the number of logon sessions per user.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments