800-53|AC-12

Title

SESSION TERMINATION

Description

The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

Supplemental

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.

Reference Item Details

Related: SC-10,SC-23

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P2

Baseline Impact: MODERATE,HIGH

Audit Items


Name | Plugin | Audit Name
1.1.1.2.1.21 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15' | Windows | CIS Windows 2003 DC v3.1.0
1.1.1.2.1.21 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.59 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled' | Windows | CIS Windows 2003 MS v3.1.0
1.1.1.2.1.59 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled' | Windows | CIS Windows 2003 DC v3.1.0
1.1.3.11.17 Configure 'Network security: Force logoff when logon hours expire' | Windows | CIS Windows 8 L1 v1.0.0
1.1.19 Ensure the option to remain signed in is hidden | microsoft_azure | CIS Microsoft 365 Foundations E3 L2 v2.0.0
1.2.4 - /etc/security/login.cfg - 'logintimeout <= 30' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 15 L1 v4.0.1
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 15 L1 v4.0.1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 15 L1 v4.0.1
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 12 L1 v4.0.0
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 15 L1 v4.0.1
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.2.9 Set 'transport input none' for 'line aux 0' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.9 Set 'transport input none' for 'line aux 0' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.12 Set 'exec-timeout' to less than or equal to 10 min on 'ip http' | Cisco | CIS Cisco IOS 16 L1 v1.1.0
1.3.2 Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L1
1.4.14.8 Secure Remote Login 'ClientAliveCountMax' | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.4.14.8 Secure Remote Login 'ClientAliveInterval' | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.4.14.8 Secure Remote Login 'LoginGraceTime' | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Debian Linux 11 v2.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS CentOS Linux 7 v4.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Debian Linux 12 v1.0.1 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 22.04 LTS v2.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server