From Video Services Policy STIG
Part of RTS-VTC 2325.00 [IP][ISDN]
An established and/or open configuration/administration (user or administrator) session that is inactive, idle, or unattended is an avenue for unauthorized access to the management port/interface of the VTU. This can lead to compromise of the system’s/device’s configuration and/or denial of service. Idle sessions can be caused simply by a user or administrator being distracted or diverted from a configuration/administration session/task or by forgetting to log out of the management session when finished with his/her tasks. To ensure that the capability for unauthorized access in the event of an idle/inactive session is mitigated; an idle/inactive session timeout/logout capability must exist and be used. The timeout duration must be configurable to adjust for changing policies and requirements. Typically this duration should be set for 15 minutes as a maximum; however it can be shortened for tighter security. This requirement applies to all types of local and remote management connections/sessions and all management session protocols.
[IP][ISDN]; Interview the IAO to validate compliance with the following requirement: Ensure a configurable “idle/inactive session timeout/logout feature” is available and used to disconnect idle/inactive management connections or sessions. The idle timer is set to a maximum of 15 minutes. Longer time periods are documented and approved by the responsible DAA. This requirement applies to all types of physical and logical management connections and all management session protocols. NOTE 1: This is not a finding in the event an approved management connection/session must be established for permanent full time monitoring of a system/device or the production traffic it processes. NOTE 2: This is not a finding during management operations where the disconnection of the connection/session due to idle session timeout would inhibit the successful completion of a management task. A SOP must be established and enforced, or an automated process used, to ensure the idle/inactive session timeout feature is re-enabled and reset following such activity NOTE 3: During APL testing, this is a finding in the event this requirement is not supported by the VTU. > Determine if a configurable “idle/inactive session timeout/logout feature” is available and used to disconnect idle/inactive management connections or sessions. > Determine if the timeout is set to a maximum of 15 minutes. > If the timeout is set to a longer period, determine if the extended time period is documented and approved by the responsible DAA and a SOP is in place and enforced that will insure that the idle/inactive session timeout feature is re-enabled and reset following monitoring/testing activity.
[IP][ISDN]; Perform the following tasks: > Implement a VTU with a configurable “idle/inactive session timeout/logout feature” for management sessions. > Configure/set the idle timer to a maximum of 15 minutes. > If longer periods are necessary, obtain approval from the responsible DAA. Document approval for inspection by auditors. Develop and enforce a SOP that will insure that the idle/inactive session timeout feature is re-enabled and reset following monitoring/testing activity. Include this SOP in administrator training, agreements and guides.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer