SV-222445r508029_rule
V-222445
SRG-APP-000089
APSC-DV-000660
CAT II
10
Configure the application to record session timeout events in the logs.
Review the application documentation and interview the application administrator to identify log locations for application session activity.
Open the log file that tracks user session activity.
Access the application as a regular user and identify the user session within the log files.
Identify the session timeout threshold defined by the application.
Perform no action within the application in order to allow the session to time out.
Once the session timeout threshold has been exceeded, verify the session has been terminated due to the timeout event and review the logs again to ensure the session timeout event was recorded in the logs.
If a web-based application delegates session timeout auditing to an application server, this is not a finding.
If the session timeout event is not recorded in the logs, this is a finding.
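Added example, not part of the STIG record or any vendor's code: a small Python session store that enforces an idle-timeout threshold and writes a session_timeout audit record when it terminates a session, plus a checker that carries out the last step of the procedure above by confirming the event for a given session id appears in the captured log. The 900-second threshold, the log line format and the field names are assumptions chosen for the example.

```python
import io
import logging

IDLE_TIMEOUT_SECONDS = 900  # constructed threshold; the application under review defines its own


def make_audit_logger(name="session_audit"):
    """Return a logger whose records are captured in an in-memory buffer (stands in for the log file)."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


class SessionStore:
    """Tracks sessions by last-activity time; expires and logs idle sessions."""
    def __init__(self, logger, timeout=IDLE_TIMEOUT_SECONDS):
        self.log, self.timeout, self.sessions = logger, timeout, {}

    def create(self, session_id, user, now):
        self.sessions[session_id] = (user, now)
        self.log.info("session_start session=%s user=%s", session_id, user)

    def touch(self, session_id, now):
        """Record activity; returns False (and logs the event) if the session has timed out."""
        user, last = self.sessions[session_id]  # KeyError if already expired
        if now - last > self.timeout:
            self._expire(session_id, user, now - last)
            return False
        self.sessions[session_id] = (user, now)
        return True

    def sweep(self, now):
        """Expire every idle session (background reaper); returns the ids terminated."""
        expired = [s for s, (_, last) in self.sessions.items() if now - last > self.timeout]
        for sid in expired:
            self._expire(sid, self.sessions[sid][0], now - self.sessions[sid][1])
        return expired

    def _expire(self, session_id, user, idle):
        del self.sessions[session_id]
        # The audit event the check looks for: which session, which user, why it ended.
        self.log.warning("session_timeout session=%s user=%s idle_seconds=%d threshold=%d",
                         session_id, user, idle, self.timeout)


def timeout_recorded(log_text, session_id):
    """The STIG check: is a timeout event for this session present in the log?"""
    return any("session_timeout" in line.split() and f"session={session_id}" in line.split()
               for line in log_text.splitlines())
```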