



The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].


This control addresses the termination of user-initiated logical sessions, in contrast to SC-10, which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use.

Reference Item Details

Related: SC-10, SC-23



Priority: P2

Baseline Impact: MODERATE, HIGH

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| Configure 'Network security: Force logoff when logon hours expire' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4 - /etc/security/login.cfg - 'logintimeout <= 30' | Unix | CIS AIX 5.3/6.1 L1 v1.1.0 |
| 1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1 |
| 1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS XE 17.x v2.1.1 L1 |
| 1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | Cisco | CIS Cisco IOS 12 L1 v4.0.0 |
| 1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1 |
| 1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS XE 17.x v2.1.1 L1 |
| 1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | Cisco | CIS Cisco IOS 12 L1 v4.0.0 |
| 1.2.8 Set 'exec-timeout' less than or equal to 10 minutes 'line tty' | Cisco | CIS Cisco IOS 12 L1 v4.0.0 |
| 1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1 |
| 1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS XE 17.x v2.1.1 L1 |
| 1.2.9 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | Cisco | CIS Cisco IOS 12 L1 v4.0.0 |
| 1.2.9 Set 'transport input none' for 'line aux 0' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1 |
| 1.2.11 Set 'exec-timeout' to less than or equal to 10 min on 'ip http' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1 |
| 1.3.2 Ensure 'Idle session timeout' is set to '3 hours (or less)' for unmanaged devices | microsoft_azure | CIS Microsoft 365 Foundations E3 L1 v3.1.0 |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L1 |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0 |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L1 |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 |
| 1.4.1 Ensure 'Idle timeout' is less than or equal to 10 minutes for device management | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L1 |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L1 |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Workstation |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Debian Linux 12 v1.1.0 L1 Workstation |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS CentOS Linux 7 v4.0.0 L1 Workstation |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Debian Linux 12 v1.1.0 L1 Server |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 22.04 LTS v2.0.0 L1 Server |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Server |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Debian Linux 11 v2.0.0 L1 Server |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Oracle Linux 7 v4.0.0 L1 Workstation |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Debian Linux 11 v2.0.0 L1 Workstation |
| 1.7.4 Ensure GDM screen locks when the user is idle | Unix | CIS Ubuntu Linux 22.04 LTS v2.0.0 L1 Workstation |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Debian Linux 11 v2.0.0 L1 Server |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Ubuntu Linux 22.04 LTS v2.0.0 L1 Server |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Server |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Debian Linux 11 v2.0.0 L1 Workstation |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Ubuntu Linux 22.04 LTS v2.0.0 L1 Workstation |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Workstation |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Oracle Linux 7 v4.0.0 L1 Workstation |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS CentOS Linux 7 v4.0.0 L1 Workstation |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Debian Linux 12 v1.1.0 L1 Server |
| 1.7.5 Ensure GDM screen locks cannot be overridden | Unix | CIS Debian Linux 12 v1.1.0 L1 Workstation |