800-53|AC-11b.

Title

SESSION LOCK

Description

Retains the session lock until the user reestablishes access using established identification and authentication procedures.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.3.6.6 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.8.6 Ensure GDM session lock is enabled	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.36 UBTU-24-200040	Unix	CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II
1.69 UBTU-22-271020	Unix	CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II
1.155 OL08-00-020030	Unix	CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.159 OL08-00-020043	Unix	CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.160 OL08-00-020050	Unix	CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.176 WN10-CC-000365	Windows	CIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.203 WN10-SO-000095	Windows	CIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.220 WN16-SO-000180	Windows	CIS Microsoft Windows Server 2016 STIG v4.0.0 MS CAT II
1.220 WN16-SO-000180	Windows	CIS Microsoft Windows Server 2016 STIG v4.0.0 DC CAT II
1.222 WN19-SO-000150	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.222 WN19-SO-000150	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
1.222 WN22-SO-000150	Windows	CIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.222 WN22-SO-000150	Windows	CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.244 RHEL-09-271045	Unix	CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.245 RHEL-09-271050	Unix	CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.246 RHEL-09-271055	Unix	CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.247 RHEL-09-271060	Unix	CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
2.3.7.7 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
2.3.7.7 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
5.006 - The system configuration is not set with a password-protected screen saver. - ScreenSaveActive	Windows	DISA Windows Vista STIG v6r41
5.006 - The system configuration is not set with a password-protected screen saver. - ScreenSaverIsSecure	Windows	DISA Windows Vista STIG v6r41
5.006 - The system configuration is not set with a password-protected screen saver. - ScreenSaveTimeOut	Windows	DISA Windows Vista STIG v6r41
18.4.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'	Windows	CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.4.10 Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'	Windows	CIS Windows 7 Workstation Level 1 v3.2.0
AIX7-00-001028 - AIX must provide the lock command to let users retain their session lock until users are reauthenticated.	Unix	DISA STIG AIX 7.x v3r1
AIX7-00-001029 - AIX must provide xlock command in the CDE environment to let users retain their sessions lock until users are reauthenticated.	Unix	DISA STIG AIX 7.x v3r1
ALMA-09-002000 - AlmaLinux OS 9 must be able to directly initiate a session lock for all connection types using smart card when the smart card is removed.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r2
ALMA-09-002110 - AlmaLinux OS 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.	Unix	DISA CloudLinux AlmaLinux OS 9 STIG v1r2
AOSX-13-000007 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000020 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-000025 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.	Unix	DISA STIG Apple macOS 11 v1r5
APPL-11-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.	Unix	DISA STIG Apple macOS 11 v1r8
APPL-11-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.	Unix	DISA STIG Apple macOS 11 v1r5
APPL-11-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.	Unix	DISA STIG Apple macOS 11 v1r8
APPL-11-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.	Unix	DISA STIG Apple macOS 11 v1r5
APPL-11-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.	Unix	DISA STIG Apple macOS 11 v1r8
APPL-12-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.	Unix	DISA STIG Apple macOS 12 v1r9
APPL-12-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.	Unix	DISA STIG Apple macOS 12 v1r9
APPL-12-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.	Unix	DISA STIG Apple macOS 12 v1r9
APPL-13-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.	Unix	DISA STIG Apple macOS 13 v1r5
APPL-13-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.	Unix	DISA STIG Apple macOS 13 v1r5

Detections

Analytics

800-53|AC-11b.

Title

Description

Reference Item Details

Audit Items