Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-68119 | SRG-APP-000296-MFP-000007 | SV-82609r1_rule | Medium |
Description |
---|
If a user cannot explicitly end an application session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Information resources to which users gain access via authentication include, for example, local workstations, databases, and password-protected websites/web-based services. However, for some types of interactive sessions including, for example, file transfer protocol (FTP) sessions, information systems typically send logoff messages as final messages prior to terminating sessions. |
STIG | Date |
---|---|
Mainframe Product Security Requirements Guide | 2019-10-08 |
Check Text ( C-68677r1_chk ) |
---|
If the Mainframe Product has no logon capability, this requirement is not applicable. If the Mainframe Product does not provide a logout capability for user initiated communication sessions, this is a finding. Examine the Mainframe Product configuration settings to determine whether a user can logoff. If the configurations are not properly set, this is a finding. |
Fix Text (F-74235r1_fix) |
---|
Configure the Mainframe Product settings to provide capability of user-initiated logoff. |