STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

The application must provide audit record generation capability for session timeouts.

DISA Rule

SV-222445r508029_rule

Vulnerability Number

V-222445

Group Title

SRG-APP-000089

Rule Version

APSC-DV-000660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to record session timeout events in the logs.

Check Contents

Review the application documentation and interview the application administrator to identify log locations for application session activity.

Open the log file that tracks user session activity.

Access the application as a regular user and identify the user session within the log files.

Identify the session timeout threshold defined by the application.

Perform no action within the application in order to allow the session to time out.

Once the session timeout threshold has been exceeded, verify the session has been terminated due to the timeout event and review the logs again to ensure the session timeout event was recorded in the logs.

If a web-based application delegates session timeout auditing to an application server, this is not a finding.

If the session timeout event is not recorded in the logs, this is a finding.

Vulnerability Number

V-222445

Documentable

False

Rule Version

APSC-DV-000660

Severity Override Guidance

Review the application documentation and interview the application administrator to identify log locations for application session activity.

Open the log file that tracks user session activity.

Access the application as a regular user and identify the user session within the log files.

Identify the session timeout threshold defined by the application.

Perform no action within the application in order to allow the session to time out.

Once the session timeout threshold has been exceeded, verify the session has been terminated due to the timeout event and review the logs again to ensure the session timeout event was recorded in the logs.

If a web-based application delegates session timeout auditing to an application server, this is not a finding.

If the session timeout event is not recorded in the logs, this is a finding.

Check Content Reference

M

Target Key

4093

Comments