800-53|AC-12

Title

SESSION TERMINATION

Description

The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

Supplemental

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.

Reference Item Details

Related: SC-10,SC-23

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P2

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1.3.11.17 Configure 'Network security: Force logoff when logon hours expire' | Windows | CIS Windows 8 L1 v1.0.0
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - console exec-timeout | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - console exec-timeout | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout | Cisco | CIS Cisco NX-OS L1 v1.0.0
1.2.1 Ensure Idle Timeout for Login Sessions is set to 5 minutes - ssh idle-timeout | Cisco | CIS Cisco NX-OS L2 v1.0.0
1.2.4 - /etc/security/login.cfg - 'logintimeout <= 30' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.9 Set 'transport input none' for 'line aux 0' | Cisco | CIS Cisco IOS 17 L1 v2.0.0
1.2.9 Set 'transport input none' for 'line aux 0' - line aux 0 | Cisco | CIS Cisco IOS 16 L1 v2.0.0
1.3.2 Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.0.0
1.3.10 Ensure 'Password Profiles' do not exist | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 10 v1.1.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 11 v1.0.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS CentOS Linux 7 v4.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Oracle Linux 7 v4.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server
1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS CentOS Linux 7 v4.0.0 L1 Workstation
1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server
1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Oracle Linux 7 v4.0.0 L1 Workstation
1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Red Hat EL8 Workstation L1 v3.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS AlmaLinux OS 9 Server L1 v1.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS AlmaLinux OS 8 Server L1 v3.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L1 v2.0.1
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS AlmaLinux OS 8 Workstation L1 v3.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Oracle Linux 9 Server L1 v1.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 20.04 LTS Server L1 v2.0.1
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Rocky Linux 9 Workstation L1 v1.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Oracle Linux 9 Workstation L1 v1.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Oracle Linux 8 Server L1 v3.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Rocky Linux 8 Server L1 v2.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS AlmaLinux OS 9 Workstation L1 v1.0.0
1.8.4 Ensure GDM screen locks when the user is idle | Unix | CIS Debian 10 Workstation L1 v2.0.0