800-53|AC-12

Title

SESSION TERMINATION

Description

The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

Supplemental

This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: SC-10,SC-23

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P2

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.1.2.1.21 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'	Windows	CIS Windows 2003 DC v3.1.0
1.1.1.2.1.21 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'	Windows	CIS Windows 2003 MS v3.1.0
1.1.1.2.1.59 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled'	Windows	CIS Windows 2003 DC v3.1.0
1.1.1.2.1.59 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled'	Windows	CIS Windows 2003 MS v3.1.0
1.1.3.11.17 Configure 'Network security: Force logoff when logon hours expire'	Windows	CIS Windows 8 L1 v1.0.0
1.1.19 Ensure the option to remain signed in is hidden	microsoft_azure	CIS Microsoft 365 Foundations E3 L2 v2.0.0
1.2.4 - /etc/security/login.cfg - 'logintimeout <= 30'	Unix	CIS AIX 5.3/6.1 L1 v1.1.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'	Cisco	CIS Cisco IOS 16 L1 v1.1.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'	Cisco	CIS Cisco IOS 15 L1 v4.0.1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'	Cisco	CIS Cisco IOS 15 L1 v4.0.1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'	Cisco	CIS Cisco IOS 16 L1 v1.1.0
1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'	Cisco	CIS Cisco IOS 16 L1 v1.1.0
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'	Cisco	CIS Cisco IOS 15 L1 v4.0.1
1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS 12 L1 v4.0.0
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS 15 L1 v4.0.1
1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty'	Cisco	CIS Cisco IOS 16 L1 v1.1.0
1.2.9 Set 'transport input none' for 'line aux 0'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.9 Set 'transport input none' for 'line aux 0'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L1
1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L1
1.2.12 Set 'exec-timeout' to less than or equal to 10 min on 'ip http'	Cisco	CIS Cisco IOS 16 L1 v1.1.0
1.3.2 Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices	microsoft_azure	CIS Microsoft 365 Foundations E3 L1 v3.1.0
1.3.10 Ensure 'Password Profiles' do not exist	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management	Palo_Alto	CIS Palo Alto Firewall 11 v1.1.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured	Palo_Alto	CIS Palo Alto Firewall 11 v1.1.0 L1
1.4.14.8 Secure Remote Login 'ClientAliveCountMax'	Unix	CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.4.14.8 Secure Remote Login 'ClientAliveInterval'	Unix	CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.4.14.8 Secure Remote Login 'LoginGraceTime'	Unix	CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS Debian Linux 11 v2.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS CentOS Linux 7 v4.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS Debian Linux 12 v1.0.1 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS CentOS Linux 7 v4.0.0 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS Oracle Linux 7 v4.0.0 L1 Server
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS Oracle Linux 7 v4.0.0 L1 Workstation
1.7.4 Ensure GDM screen locks when the user is idle	Unix	CIS Ubuntu Linux 22.04 LTS v2.0.0 L1 Workstation

Detections

Analytics