David,

You know where to find the DISA STIGs, right? If not:
http://iase.disa.mil/stigs/stig/index.html

Curiously, the Network Infrastructure STIG says this:

"(NET1453: CAT III) The IAO/NSO will ensure that a session that exceeds 30 minutes of inactivity is disconnected."

While the MQ section of the OS/390 STIG (there is no z/OS STIG yet) says:

"4.3.1.7 Userid Timeouts

Userids signed on to a queue manager will be logged off after 15 minutes of inactivity. This timeout process will be implemented by including the ALTER SECURITY command in the CSQINP1 data set. The format of the command will be specified as follows:

ALTER SECURITY INTERVAL(5) TIMEOUT(15)

• (ZWMQ0020: CAT II) The systems programmer responsible for supporting MQSeries/WebSphere MQ will ensure that the timeout is set to 15 and the interval is set to 5."

Farther into that same STIG:

"The TELNETPARMS INACTIVE statement defines the terminal inactivity timeout value. When there has been no client-VTAM activity for the specified number of seconds, the session will be dropped. Note that the value of the INACTIVE parameter can impact the values of the PRTINACTIVE and KEEPINACTIVE (OS/390 Release 2.10) statements. The STIG requirement recommends that user sessions be terminated or locked out after 15 minutes of inactivity. Documentation must be maintained with the IAM when this guideline is not followed."

The OS/390 STIG vol. 2 also says this about CICS:

"(12) Enforce a CICS time-out time limit, which is implemented based on 15 minutes of user inactivity.

• (ZCIC0042: CAT II) The IAO will ensure that all CICS users have a 15 minute time-out limit specified."

So there is incomplete agreement among the various STIGs regarding the exact amount of time (15 vs. 30 in those four sections of 2.5 different STIGs). They generally say 15 but at least one says 30. (I didn't produce an exhaustive list.) Much of this will depend upon just how secure you are required to become (Secret, Top Secret, etc.).

-- Tom Schmidt
Madison, WI
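
Added example (not part of the original post and not DISA or IBM code): a small audit sketch that checks a CSQINP1 member and a TN3270 profile against the values quoted above, ZWMQ0020's INTERVAL(5)/TIMEOUT(15) and a 15-minute (900-second) TELNETPARMS INACTIVE limit. The function names and sample fragments are constructed, and treating INACTIVE 0 as non-compliant and the last ALTER SECURITY as the effective one are assumptions.

```python
import re

# Constructed sample inputs for illustration; not taken from any real system.
SAMPLE_CSQINP1 = """* constructed CSQINP1 fragment
ALTER SECURITY INTERVAL(5) +
      TIMEOUT(30)
"""
SAMPLE_TN3270 = """; constructed TN3270 profile fragment
TELNETPARMS
  PORT 23
  INACTIVE 1800
ENDTELNETPARMS
"""

def check_mq(text):
    """ZWMQ0020: ALTER SECURITY must set INTERVAL(5) and TIMEOUT(15)."""
    # Drop '*' comment lines, then join '+'/'-' continued lines.
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("*")]
    joined = re.sub(r"[+-][ \t]*\n", " ", "\n".join(lines)).upper()
    stmts = [s for s in joined.splitlines()
             if re.match(r"\s*ALTER\s+SECURITY\b", s)]
    if not stmts:
        return ["ZWMQ0020: no ALTER SECURITY command found"]
    findings = []
    # Assumption: the last ALTER SECURITY in the data set is the effective one.
    for kw, want in (("INTERVAL", 5), ("TIMEOUT", 15)):
        m = re.search(kw + r"\(\s*(\d+)\s*\)", stmts[-1])
        if m is None:
            findings.append(f"ZWMQ0020: {kw} not specified (want {want})")
        elif int(m.group(1)) != want:
            findings.append(f"ZWMQ0020: {kw}({m.group(1)}) should be {kw}({want})")
    return findings

def check_tn3270(text, limit=900):
    """Each TELNETPARMS block needs INACTIVE between 1 and `limit` seconds."""
    text = re.sub(r";.*", "", text).upper()          # strip ';' comments
    blocks = re.findall(r"\bTELNETPARMS\b(.*?)\bENDTELNETPARMS\b", text, re.S)
    if not blocks:
        return ["TN3270: no TELNETPARMS block found"]
    findings = []
    for n, body in enumerate(blocks, 1):
        # \b keeps PRTINACTIVE and KEEPINACTIVE from matching here.
        m = re.search(r"\bINACTIVE\s+(\d+)", body)
        if m is None:
            findings.append(f"TN3270 block {n}: INACTIVE not coded")
        elif not 1 <= int(m.group(1)) <= limit:
            findings.append(f"TN3270 block {n}: INACTIVE {m.group(1)} "
                            f"is outside 1..{limit} seconds")
    return findings
```

Running both checks on the constructed samples reports the TIMEOUT(30) and INACTIVE 1800 deviations; a site that follows the 30-minute Network Infrastructure figure instead can pass limit=1800 to check_tn3270.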