STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded.

DISA Rule

SV-222390r508029_rule

Vulnerability Number

V-222390

Group Title

SRG-APP-000295

Rule Version

APSC-DV-000080

Severity

CAT II

CCI(s)

• CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

10

Fix Recommendation

Design and configure the application to terminate the admin users session after 10 minutes of inactivity.

Check Contents

Ask the application representative to demonstrate the application configuration setting where the idle time out value is defined for admin users.

Alternatively, logon with an admin user account and let the session sit idle for 10 minutes.

Attempt to access the application after 10 minutes of inactivity.

If the configuration setting is not set to time out admin user sessions after 10 minutes of inactivity, or if the session used for testing does not time out after 10 minutes of inactivity, this is a finding.

Vulnerability Number

V-222390

Documentable

False

Rule Version

APSC-DV-000080

Severity Override Guidance

Ask the application representative to demonstrate the application configuration setting where the idle time out value is defined for admin users.

Alternatively, logon with an admin user account and let the session sit idle for 10 minutes.

Attempt to access the application after 10 minutes of inactivity.

If the configuration setting is not set to time out admin user sessions after 10 minutes of inactivity, or if the session used for testing does not time out after 10 minutes of inactivity, this is a finding.

Check Content Reference

M

Target Key

4093

Comments