STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must terminate existing user sessions upon account deletion.

DISA Rule

SV-222549r508029_rule

Vulnerability Number

V-222549

Group Title

SRG-APP-000400

Rule Version

APSC-DV-001800

Severity

CAT II

CCI(s)

• CCI-002007 - The information system prohibits the use of cached authenticators after an organization-defined time period.

Weight

10

Fix Recommendation

Configure the application to terminate existing sessions of users whose accounts are deleted.

Check Contents

Review the application documentation and interview the application administrator.

Identify the user management functions of the application and create a test user account.

Access the application and perform application functions as the test user.

Access the user management functions and delete the test account while the test user sessions are still active.

Verify the test user application sessions are terminated by attempting to perform additional application functions.

If the test user retains access after the test account has been deleted, this is a finding.

Vulnerability Number

V-222549

Documentable

False

Rule Version

APSC-DV-001800

Severity Override Guidance

Review the application documentation and interview the application administrator.

Identify the user management functions of the application and create a test user account.

Access the application and perform application functions as the test user.

Access the user management functions and delete the test account while the test user sessions are still active.

Verify the test user application sessions are terminated by attempting to perform additional application functions.

If the test user retains access after the test account has been deleted, this is a finding.

Check Content Reference

M

Target Key

4093

Comments