STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed.

DISA Rule

SV-222389r508029_rule

Vulnerability Number

V-222389

Group Title

SRG-APP-000295

Rule Version

APSC-DV-000070

Severity

CAT II

CCI(s)

• CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

10

Fix Recommendation

Design and configure the application to terminate the non-privileged users session after 15 minutes of inactivity.

Check Contents

Ask the application representative to demonstrate the configuration setting where the idle time out value is defined.

Alternatively, logon with a regular application user account and let the session sit idle for 15 minutes.

Attempt to access the application after 15 minutes of inactivity.

If the configuration setting is not set to time out user sessions after 15 minutes of inactivity, or if the regular user session used for testing does not time out after 15 minutes of inactivity, this is a finding.

Vulnerability Number

V-222389

Documentable

False

Rule Version

APSC-DV-000070

Severity Override Guidance

Ask the application representative to demonstrate the configuration setting where the idle time out value is defined.

Alternatively, logon with a regular application user account and let the session sit idle for 15 minutes.

Attempt to access the application after 15 minutes of inactivity.

If the configuration setting is not set to time out user sessions after 15 minutes of inactivity, or if the regular user session used for testing does not time out after 15 minutes of inactivity, this is a finding.

Check Content Reference

M

Target Key

4093

Comments