STIGQter: STIG Summary: Database Security Requirements Guide, Version 2, Release 9, Benchmark Date 25 Oct 2019: The DBMS must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.

DISA Rule

SV-42474r3_rule

Vulnerability Number

V-32157

Group Title

SRG-APP-000001-DB-000031

Rule Version

SRG-APP-000001-DB-000031

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If the DBMS is capable of enforcing this restriction, but is not configured to do so, configure it to do so. (This may involve the development of one or more triggers.)

If it is not technically feasible for the DBMS to enforce this restriction, and the application(s) and supporting software are not configured to do so, configure them to do so.

If the value for any type of user account is not set, determine the correct value and set it.

If a value is set but is not equal to the value specified for the type of user, determine the correct value, set it, and update the documentation, as appropriate.

Check Contents

Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users.

Review the concurrent-sessions settings in the DBMS and/or the applications using it, and/or the system software supporting it.

If the DBMS is capable of enforcing this restriction but is not configured to do so, this is a finding. This holds even if the restriction is enforced by applications or supporting software.

If it is not technically feasible for the DBMS to enforce this restriction, but the application(s) or supporting software are configured to do so, this is not a finding.

If it is not technically feasible for the DBMS to enforce this restriction, and applications and supporting software are not so configured, this is a finding.

If the value for any type of user account is not set, this is a finding.

If a value is set but is not equal to the value specified in the documentation (or the default value defined in this check) for the type of user, this is a finding.
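The following is an added example, not part of the SRG text, showing how the fix and the check above could be carried out on one concrete DBMS. It assumes PostgreSQL, a constructed group role "dba_group" whose members count as database administrators, and the check's default limits (10 for DBAs, 2 for everyone else); the login roles alice_dba and app_user are constructed names.

```sql
-- Added example (PostgreSQL assumed); role names below are constructed.
-- Fix: set a per-role concurrent connection limit for each login role.
-- PostgreSQL skips the per-role limit for superuser logins, so DBAs are
-- classified here by membership in the assumed group role "dba_group".
ALTER ROLE alice_dba CONNECTION LIMIT 10;   -- database administrator
ALTER ROLE app_user  CONNECTION LIMIT 2;    -- all other users

-- Check: list every login role whose limit is unset (-1 means unlimited)
-- or differs from the expected value for its type. Each row is a finding.
WITH expected AS (
    SELECT r.rolname,
           r.rolconnlimit,
           CASE WHEN r.rolsuper
                  OR pg_has_role(r.oid, 'dba_group', 'MEMBER')
                THEN 10 ELSE 2 END AS expected_limit
    FROM pg_roles r
    WHERE r.rolcanlogin
)
SELECT rolname,
       rolconnlimit,
       expected_limit,
       CASE WHEN rolconnlimit = -1 THEN 'limit not set'
            ELSE 'limit does not match documented value' END AS finding
FROM expected
WHERE rolconnlimit <> expected_limit
ORDER BY rolname;
```

An empty result set means every login role is set and matches its expected value; if your documentation specifies different limits, change the two literals in the CASE expression.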

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2219

Comments