Title: The DBMS must not interfere or be impacted by an OS level session lock.
Vulnerability ID: V-32160
IA Controls: None
Description: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user’s application session has idled and take action to initiate the session lock.
The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system-level and results in a system lock, but may be at the application-level where the application interface window is secured instead. The organization defines the period of inactivity that shall pass before a session lock is initiated, so this must be configurable.
Session locks typically take place at the operating system level, however the DBMS must not interfere with the OS’s ability to implement and execute session locks. If the DBMS were to interfere with the ability of the OS to perform session locks, workstations could remain open and available to use when users believe they have locked their sessions.
Check Text: Verify the OS is able to execute a session lock while the database software is running on the system. If it is not, this is a finding.
Verify long running database transactions are not abandoned when the OS executes a session lock. If long running database transactions are abandoned, this is a finding.
Fix Text: Utilize a DBMS that supports the ability of the OS to initiate session locks or configure the existing DBMS to allow operating system session locks.[divider]