CA IDMS CV must supply logout functionality to allow the user to implicitly terminate a session by disconnecting or ending before an explicit logout.
An XCCDF Rule
Description
<VulnDiscussion>If a user cannot explicitly end a DBMS session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. Such logouts may be explicit or implicit. Examples of explicit logouts are: clicking on a "Log Out" link or button in the application window; clicking the Windows Start button and selecting "Log Out" or "Shut Down." Examples of implicit logouts are: closing the application's (main) window; powering off the workstation without invoking the OS shutdown. Both the explicit and implicit logouts must be detected by the DBMS. In all cases, the DBMS must ensure that the user's DBMS session and all processes owned by the session are terminated. This should not, however, interfere with batch processes/jobs initiated by the user during their online session: these should be permitted to run to completion. IDMS must provide a facility by which an inactive user session may be terminated after a predetermined period of time.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-251633r855271_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Use TASK SYSGEN if online, or program RHDCSGEN if batch.
Sign on to the dictionary where the system definition is maintained: "SIGNON DICTIONARY SYSTEM.", for example.
Enter: "MODIFY SYSTEM 123 INACTIVE INTERVAL is <the organization-defined timeout number of wall-clock seconds> ." where 123 is the number of the system being modified.