Title

The application must be able to define the maximum number of concurrent sessions for an application account globally, by account type, by account, or a combination thereof. (Cat II impact)

Discussion

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. This is typically at the operating system-level, but may be at the application-level. When the application design specifies the application rather than the operating system will determine when to lock the session, the application session lock event must include an obfuscation of the display screen so as to prevent other users from reading what was previously displayed. An example of obfuscation is a screensaver creating a viewable pattern that overwrites the entire screen rendering the screen contents unreadable. Rationale for non-applicability: This control is required in the MOS SRG. A user may lock a session by locking the device. Permitting a mobile application to obfuscate the screen independently from the operating system control would make the operating system and other applications vulnerable to a Denial of Service (DoS) attack.

Check Content

This requirement is NA for the MAPP SRG.

Fix Text

The requirement is NA. No fix is required.

Additional Identifiers

Rule ID: SV-46339r1_rule

Vulnerability ID: V-35072

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.