Check: APSC-DV-002000
Application Security and Development STIG:
APSC-DV-002000
(in versions v5 r3 through v4 r2)
Title
The application must terminate all network connections associated with a communications session at the end of the session. (Cat II impact)
Discussion
Networked applications routinely open connections to and from other systems as part of their design and function. When connections are opened by the application, system resources are consumed. Terminating the network connection at the end of the application session frees up these resources for later use and aids in maintaining system stability. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system level network connection. This does not mean that the application terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Many applications rely on the underlying OS to control the network connection aspect of the application which is perfectly acceptable. Additionally, application specific operational issues may occasionally be encountered which dictate exceptions be granted to this requirement in order to ensure continuity of operations and application availability. When the aforementioned type of situation occurs, the root cause of the issue as well as the mitigations implemented in order to prevent a loss of availability must be documented. Common mitigation procedures include but are not limited to stopping and restarting application or system services in order to manually release system resources.
Check Content
Review the application documentation and interview the system administrator to determine how the application is designed and configured to terminate network connections at the end of the application session. Identify any documented exceptions to the requirement and review associated mitigations. If the application provides a management interface for controlling or monitoring application network sessions, access that management interface. Monitor application network activity. If the application utilizes the underlying OS to control network connections, access the command prompt of the OS. Run the OS command for observing network connections at the OS. For Windows and Unix OS's, use the "netstat" command. Include command parameters that identify the application and/or process ID. netstat /? or -h provides the list of available parameters. Observe network activity and associate application processes with network connections. Repeat use of the command to identify changing network state. Determine if application session network connections are being terminated at the end of the session by observing the "state" column of the netstat command output with each iteration. If the application does not terminate network connections when application sessions end, this is a finding. If exceptions are documented with no mitigation this is a finding.
Fix Text
Configure or design the application to terminate application network sessions at the end of the session.
Additional Identifiers
Rule ID: SV-222568r879622_rule
Vulnerability ID: V-222568
Group Title: SRG-APP-000190
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001133 |
The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |
Controls
Number | Title |
---|---|
SC-10 |
Network Disconnect |