SC-23: Session Authenticity

2019-05-20 15:48:11.984914

The information system protects the authenticity of communications sessions.


STIG #  | Description                                                                                                                                          | Result
V-73031 | PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | failed
V-73037 | PostgreSQL must invalidate session identifiers upon user logout or other session termination.                                                        | passed
V-73047 | PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.  | failed
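The two failed checks above (V-73031, V-73047) are remediated in PostgreSQL by the same mechanism: TLS for every session, the server trusting only the DoD CA bundle for client certificates, and clients verifying the server's chain and host name so no intermediary can impersonate either end. The fragments below are an added example, not configuration from the STIG report or from the PostgreSQL project; all file paths, the host name db.example.mil, the role name and the CA bundle file name are assumptions, and the weak settings are shown commented out beside the corrected ones.

```conf
# Added example, not part of the STIG report above. Hardened PostgreSQL TLS
# settings for V-73031 and V-73047. Paths, host names and bundle names are
# assumptions; substitute the values used in your environment.

# ---- postgresql.conf ----
# Weak (finding): TLS disabled, or enabled without a CA file, so client
# certificates are never checked against a DoD-approved issuer.
#ssl = off
#ssl_ca_file = ''

# Hardened: TLS on, server identity from a DoD-issued certificate, client
# certificates validated only against the DoD PKI root/intermediate bundle.
ssl = on
ssl_cert_file = '/etc/postgresql/ssl/server.crt'          # assumed path
ssl_key_file  = '/etc/postgresql/ssl/server.key'          # assumed path, mode 0600, owned by postgres
ssl_ca_file   = '/etc/postgresql/ssl/dod-ca-bundle.pem'   # assumed: contains DoD PKI CAs only
ssl_crl_file  = '/etc/postgresql/ssl/dod-crl.pem'         # assumed: current DoD CRL
ssl_min_protocol_version = 'TLSv1.2'                      # PostgreSQL 12 and later
ssl_prefer_server_ciphers = on

# ---- pg_hba.conf ----
# TYPE    DATABASE  USER  ADDRESS       METHOD          OPTIONS
# Weak (finding): plaintext connections accepted, password auth, no client cert.
#host     all       all   10.0.0.0/8    md5

# Hardened: TLS required ("hostssl"), client must present a certificate that
# chains to ssl_ca_file, and its CN must equal the database role ("cert" method).
hostssl   all       all   10.0.0.0/8    cert
# Alternative: keep password auth but still demand a DoD-issued client cert
# (PostgreSQL 12 and later; earlier releases use clientcert=1).
hostssl   all       all   10.0.0.0/8    scram-sha-256   clientcert=verify-full

# ---- client side (libpq connection string, e.g. for psql) ----
# Weak: sslmode=require encrypts the channel but never validates the server
# certificate, so a man-in-the-middle presenting any certificate succeeds.
#   psql "host=db.example.mil sslmode=require"
# Hardened: verify the server chain against the DoD bundle and check the host
# name, and present the user's DoD-issued client certificate.
#   psql "host=db.example.mil dbname=app user=alice sslmode=verify-full \
#         sslrootcert=/etc/postgresql/ssl/dod-ca-bundle.pem \
#         sslcert=/home/alice/.postgresql/alice.crt \
#         sslkey=/home/alice/.postgresql/alice.key"
```

After a reload, confirm the result from inside the database: `SHOW ssl;` should return `on`, and `SELECT pid, ssl, version, client_dn FROM pg_stat_ssl;` (the column is `clientdn` before PostgreSQL 12) should show `ssl = t` and a DoD-issued subject DN for every connected backend. Any row with `ssl = f` means a connection still arrived over a `host` rule and the finding remains open.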

Additional Guidance

This control addresses communications protection at the session level rather than at the packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence, at both ends of a communications session, in the ongoing identities of the other parties and in the validity of the information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.