6.11.5 Ensure Log-out-on-disconnect is Set for Console

Information

Console sessions should be logged out as soon as the console cable is unplugged from the router's console port.

Rationale:

Administrators often use a console port to configure JUNOS Devices when they have physical access to the device.

When the administrator unplugs the cable from the console port, their session may be left logged in, allowing the next person who connects to the console port to access the router with the privileges and audit trail of the original administrator.

To prevent this, JUNOS Devices should be configured to automatically log out console port sessions as soon as the cable is disconnected.

Solution

To log console sessions out when the console cable is unplugged, issue the following command from the [edit system ports console] hierarchy:

[edit system ports console]
user@host# set log-out-on-disconnect

Default Value:

By default, console sessions continue after the console cable is unplugged.
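The following is an added example, not part of the benchmark or of the Juniper plugin: an offline check that a saved configuration actually enforces this setting, covering both the "display set" and curly-brace forms and treating a deactivated statement (or a deactivated parent level) as a failure. The function names and sample configurations are constructed for illustration, and the check assumes the saved text does not rely on apply-groups inheritance, which it does not resolve.

```python
TARGET = ("system", "ports", "console", "log-out-on-disconnect")

def parse(text):
    """Return (configured, deactivated) statement paths from a Junos config.

    Accepts both "display set" output and the curly-brace form.
    """
    configured, deactivated, stack = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue
        words = line.split()
        if words[0] in ("set", "deactivate"):      # "display set" form
            bucket = configured if words[0] == "set" else deactivated
            bucket.add(tuple(words[1:]))
            continue
        if line == "}":                            # leave one hierarchy level
            if stack:
                stack.pop()
            continue
        off = line.startswith("inactive: ")        # brace-form deactivation marker
        if off:
            line = line[len("inactive: "):]
        here = tuple(w for level in stack for w in level) + tuple(line[:-1].split())
        if off:
            deactivated.add(here)
        if line.endswith("{"):
            stack.append(tuple(line[:-1].split()))
        elif line.endswith(";"):
            configured.add(here)
    return configured, deactivated

def console_logout_enforced(text):
    """True only if the statement is present and no level of its path is inactive."""
    configured, deactivated = parse(text)
    if TARGET not in configured:
        return False                               # default behaviour: session persists
    return not any(TARGET[:n] in deactivated for n in range(1, len(TARGET) + 1))

# Constructed sample configurations (not taken from a real device).
SET_OK = "set system host-name r1\nset system ports console log-out-on-disconnect\n"
SET_PARENT_OFF = SET_OK + "deactivate system ports console\n"
BRACE_OK = "system {\n    ports {\n        console {\n            log-out-on-disconnect;\n        }\n    }\n}\n"
BRACE_OFF = BRACE_OK.replace("log-out", "inactive: log-out")
BRACE_DEFAULT = BRACE_OK.replace("log-out-on-disconnect;", "type vt100;")

if __name__ == "__main__":
    for name in ("SET_OK", "SET_PARENT_OFF", "BRACE_OK", "BRACE_OFF", "BRACE_DEFAULT"):
        print(name, "PASS" if console_logout_enforced(globals()[name]) else "FAIL")
```

A plain string match for log-out-on-disconnect would pass the two deactivated samples, which is why the check tracks the hierarchy and the inactive markers.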

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2, CSCv7|4

Plugin: Juniper

Control ID: c7d1534ae3864c0185f485c322968165bb561f0d22813747d86dc16fa0207036