
V-202086

CAT II (Medium)

The network device must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.

Rule ID

SV-202086r961227_rule

STIG

Network Device Management Security Requirements Guide

Version

V5R4

CCIs

CCI-002364

Discussion

If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated. A prompt for new logon is an acceptable indication of previous session termination. If the device takes the user back to the logon page or prompt after selecting the logoff button, it is considered an explicit logout message. In the case of terminal sessions (such as SSH), an explicit logoff message is displayed by the client application. Usually this is a message such as "connect closed by remote host" displayed by the client. For a terminal connected to the console port of a network device, either a logoff message is displayed or the device takes the user back to the logon prompt.

Check Content

This requirement may be verified by demonstration. If the device neither displays an explicit logoff message nor provides clear evidence that the session has been terminated, this is a finding.

Fix Text

Configure the network device to display an explicit logoff message to administrators indicating the reliable termination of authenticated communications sessions. The device may provide this capability inherently.