The DBMS must not interfere or be impacted by an OS level session lock.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32160	SRG-APP-000003-DB-000032	SV-42477r1_rule		Medium

Description
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock, but may be at the application-level where the application interface window is secured instead. The organization defines the period of inactivity that shall pass before a session lock is initiated, so this must be configurable. Session locks typically take place at the operating system level, however the DBMS must not interfere with the OS’s ability to implement and execute session locks. If the DBMS were to interfere with the ability of the OS to perform session locks, workstations could remain open and available to use when users believe they have locked their sessions.

Description

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock, but may be at the application-level where the application interface window is secured instead. The organization defines the period of inactivity that shall pass before a session lock is initiated, so this must be configurable. Session locks typically take place at the operating system level, however the DBMS must not interfere with the OS’s ability to implement and execute session locks. If the DBMS were to interfere with the ability of the OS to perform session locks, workstations could remain open and available to use when users believe they have locked their sessions.

STIG	Date
Database Security Requirements Guide	2012-07-02

Details

Check Text ( C-40673r2_chk )
Verify the OS is able to execute a session lock while the database software is running on the system. If it is not, this is a finding. Verify long running database transactions are not abandoned when the OS executes a session lock. If long running database transactions are abandoned, this is a finding.

Fix Text (F-36083r1_fix)
Utilize a DBMS that supports the ability of the OS to initiate session locks or configure the existing DBMS to allow operating system session locks.