STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5, Release 1, Benchmark Date: 23 Oct 2020

Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions.

DISA Rule

SV-222564r508029_rule

Vulnerability Number

V-222564

Group Title

SRG-APP-000413

Rule Version

APSC-DV-001960

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application to verify termination of remote maintenance sessions.

Check Contents

Review the application documentation and interview the application administrator to identify application maintenance functions.

If the application does not provide non-local maintenance and diagnostic capability, this requirement is not applicable.

Identify the maintenance functions and capabilities the application provides that are performed by an individual or administrator and that can be performed remotely.

Examples include but are not limited to:

The application may provide the ability to clean up a folder of temporary files, add users, remove users, restart processes, backup certain files, manage logs, or execute diagnostic sessions.

Identify the IP address of the source system used to originate the test traffic. This IP address will be used to identify the sessions on the application host, so verify that the traffic does not traverse a proxy on its way to the application host; otherwise the host would see the proxy's address rather than the source system's.

Access the operating system of the application host and execute the relevant OS commands to identify active TCP/IP sessions on the application host.

For example, the "netstat -a" command will provide a status of all TCP/IP connections on both Windows and UNIX systems.

Netstat output can be redirected to a file or the grep command can be used on UNIX systems to identify the specific application processes and network connections.

netstat -a | grep -i "<application process name>" > filename
or
netstat -a | grep -i "<source IP address>" > filename

Log in to the application using a role that is permitted to execute maintenance tasks.

Execute a maintenance task or tasks from within the application.

Re-execute the netstat commands and identify what network connections and process IDs were created to handle the new application session.

Terminate the application session via the application interface and then execute the netstat commands a third time. The network connections should terminate or change to a state that indicates they are closed or in the process of closing. Continue to execute the netstat command until it is verified that the application has terminated the session processes and closed the network connections.

Review the application logs to ensure the application has logged the disconnection event thereby verifying the disconnection.

If the application provides remote access to maintenance functions and capabilities and the remote access connections are not terminated and then verified, this is a finding.
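The during/after comparison the check describes can be scripted so that the result is not judged by eye. The helper below is an added example and not part of the STIG text; it assumes Linux-style `netstat -an` output (peer address in the fifth field, TCP state in the sixth) and uses constructed snapshot files, with 192.0.2.10 as a hypothetical test source IP and 10.0.0.5:8443 as a hypothetical application listener.

```shell
#!/bin/sh
# Added example for verifying remote maintenance session teardown.
# Assumes Linux "netstat -an" column layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State
# so the peer address is field 5 and the TCP state is field 6.

# Count TCP connections from the given source IP that the application still
# holds open. ESTABLISHED and SYN_RECV are clearly open; CLOSE_WAIT means the
# remote side already sent FIN but the application has not closed its socket,
# so it also counts as "not terminated". TIME_WAIT, FIN_WAIT1/2, LAST_ACK and
# CLOSING mean the local side has closed and the kernel is finishing teardown.
open_sessions() {
    awk -v ip="$2" '
        BEGIN { pfx = ip ":" }   # "ip:" prefix avoids matching 192.0.2.100 for 192.0.2.10
        $1 ~ /^tcp/ && index($5, pfx) == 1 {
            if ($6 == "ESTABLISHED" || $6 == "SYN_RECV" || $6 == "CLOSE_WAIT") n++
        }
        END { print n + 0 }
    ' "$1"
}

# Compare the snapshot taken during the maintenance session with the one taken
# after logging out. Succeeds (exit 0) only when no open session from the test
# source remains; a non-zero result is the "not terminated and verified" finding.
verify_disconnect() {
    before=$(open_sessions "$1" "$3")
    after=$(open_sessions "$2" "$3")
    echo "open sessions from $3: during=$before after=$after"
    [ "$after" -eq 0 ]
}

# Constructed snapshots standing in for the real netstat output files.
tmp=$(mktemp -d)
cat > "$tmp/during.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8443           192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:8443           192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40000      ESTABLISHED
EOF
cat > "$tmp/after_ok.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8443           192.0.2.10:51234        TIME_WAIT
tcp        0      0 10.0.0.5:8443           192.0.2.10:51235        FIN_WAIT2
tcp        0      0 10.0.0.5:22             198.51.100.7:40000      ESTABLISHED
EOF
cat > "$tmp/after_bad.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:8443           192.0.2.10:51234        CLOSE_WAIT
tcp        0      0 10.0.0.5:8443           192.0.2.10:51235        TIME_WAIT
EOF

# Run the comparison for a clean teardown and for a lingering session.
for snap in after_ok after_bad; do
    if verify_disconnect "$tmp/during.txt" "$tmp/$snap.txt" 192.0.2.10; then
        echo "$snap: disconnection verified"
    else
        echo "$snap: FINDING - application still holds a session from the test source"
    fi
done
```

In practice the snapshots come from `netstat -an > filename` taken at the three points the check names; re-run the comparison until the count reaches zero or it is clear the application never closes its end. Two caveats: Windows `netstat -an` has no Recv-Q/Send-Q columns, so the peer address and state are fields 3 and 4 there and the awk field numbers must be adjusted; and plain `netstat -a` does not print process names, so the "application process name" grep in the check needs `netstat -anp` on Linux (or `ss -tanp`) and an elevated `netstat -anb` on Windows.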

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

4093

Comments