The DBMS must provide a logout functionality to allow the user to manually terminate the session.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-32524 | SRG-APP-000221-DB-000150 | SV-42861r1_rule | Medium |
| Description |
|---|
| Manually terminating an application session allows users to immediately depart the physical vicinity of the system they are logged into without the risk of subsequent system users reactivating or continuing their application session. User's who log into applications must have the ability to manually terminate their application session. Without an observable manual logout capability provided by the application, the user will have no means of manually terminating their application session. Their session could remain active until which time the inactivity period expires and the application automatically logs the user out. This increases the likelihood that the next subsequent user of the system could pick up on the previous user's session and continue utilizing the application as the previous user. |
| STIG | Date |
|---|---|
| Database Security Requirements Guide | 2012-07-02 |
Details
| Check Text ( C-40962r2_chk ) |
|---|
| Review DBMS settings and vendor documentation to verify users have the capability to log out of the system manually. If the DBMS does not provide functionality for the user to manually log out of the system, this is a finding. If the DBMS does provide the functionality for the user to manually log out of the system but the functionality is not enabled, this is a finding. |
| Fix Text (F-36439r2_fix) |
|---|
| Utilize a DBMS product that allows users to manually log out of the system. Configure DBMS settings to allow users to manually log out of the system. |