STIGQter: STIG Summary: Web Server Security Requirements Guide Version: 2 Release: 3 Benchmark Date: 26 Apr 2019:

The web server must set an inactive timeout for sessions.

DISA Rule

SV-70203r2_rule

Vulnerability Number

V-55949

Group Title

SRG-APP-000295-WSR-000134

Rule Version

SRG-APP-000295-WSR-000134

Severity

CAT II

CCI(s)

• CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

10

Fix Recommendation

Configure the web server to close inactive sessions after 5 minutes for high-risk applications, 10 minutes for medium-risk applications, or 20 minutes for low-risk applications.

Check Contents

Review the hosted applications, web server documentation and deployed configuration to verify that the web server will close an open session after a configurable time of inactivity.

If the web server does not close sessions after a configurable time of inactivity or the amount of time is configured higher than 5 minutes for high-risk applications, 10 minutes for medium-risk applications, or 20 minutes for low-risk applications, this is a finding.

Vulnerability Number

V-55949

Documentable

False

Rule Version

SRG-APP-000295-WSR-000134

Severity Override Guidance

Review the hosted applications, web server documentation and deployed configuration to verify that the web server will close an open session after a configurable time of inactivity.

If the web server does not close sessions after a configurable time of inactivity or the amount of time is configured higher than 5 minutes for high-risk applications, 10 minutes for medium-risk applications, or 20 minutes for low-risk applications, this is a finding.

Check Content Reference

M

Target Key

2557

Comments