STIGQter STIGQter: STIG Summary: IBM DataPower Network Device Management Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Oct 2017:

The DataPower Gateway must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.

DISA Rule

SV-79561r1_rule

Vulnerability Number

V-65071

Group Title

SRG-APP-000090-NDM-000222

Rule Version

WSDP-NM-000023

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create an ISSM User Group: Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "Add" button >> Name: "groupISSM" >> Enter "*/*/*?Access=r" into the "Access Profile" field >> Click "Add" >> "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x" into the "Access Profile" field >> Click "Add" >> Click "Apply".

Add users’ accounts to the ISSM User Group "groupISSM" in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used.

Configure Role-Based Management to use LDAP Group information during logon to map users to local group definitions.

Administration >> Access >> RBM Settings >> When configuring the Authentication method, select "LDAP" as the authentication method

Configure LDAP Authentication

Define the connection to the LDAP server >> In the Server host field, enter the IP address or host name of the server >> In the Server port field, enter the port number of the server >> From the LDAP version list, select the version >> From the SSL proxy profile list, select a profile to establish a secured connection to the LDAP server >> From the Load balancer group list, select a load balancer group.

If selected, queries are balanced in accordance with the group settings. This setting overrides the settings for the server host and port.

Set the Search LDAP for DN property to use an LDAP search to retrieve the user group >> In the LDAP read timeout field, enter the time to wait for a response from the server before the appliance closes the connection >> From the Local accounts for fallback list, select whether to use local user accounts as fallback users.

With fallback users, local users can log on to the appliance if authentication fails or during a network outage that affects the primary authentication.

When specific users are fallback users, add the local users (from the Fallback user list, select a local user) >> Click Add >> Optional: Repeat this step to add another locally defined fallback user.

Define the credentials-mapping method.

Click Credentials-mapping >> From the Credentials-mapping method list, select the method to evaluate access profiles. Although available, a local user group is not a valid selection (If custom: In the Custom URL field, specify the URL of the custom style sheet; if with an XML file: In the XML file URL field, specify the URL of the RBM file) >> When the mapping method is a local user group or an XML file, set Search LDAP for group name to control whether to search LDAP to retrieve all user groups that match the query.

When LDAP search is enabled, define the LDAP connection >> In the Server host field, enter the IP address or host name of the server >> In the Server port field, enter the port number of the server >> From the SSL proxy profile list, select the profile to establish a secured connection to the server >> From the Load balancer group list, select a load balancer group. If selected, queries are balanced in accordance with the group settings. This setting overrides the settings for the server host and port

In the LDAP bind DN field, enter the distinguished name (DN) for the bind operation >> In the LDAP bind password fields, enter and confirm the password for the specified DN >> From the LDAP search parameters list, select an LDAP search parameter. The LDAP search operation uses these parameters to retrieve all group names (DN or attribute value) based on the DN of the authenticated user >> In the LDAP read timeout field, enter the time to wait for a response from the server before the appliance closes the connection >> Define the account policy >> If you defined fallback users, define the password policy.

Save the configuration: Click "Apply" to save the changes to the running configuration >> Click "Save Configuration" to save the changes to the persisted configuration.

Check Contents

Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "groupISSM" group >> Confirm that the following minimal access profiles are created: "*/*/*?Access=r" and "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x". If either profile is not present, this is a finding.

Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click "Credential Mapping" >> If Credential-mapping method is not "Local user group" or "Search LDAP for group name" is off, this is a finding.

Vulnerability Number

V-65071

Documentable

False

Rule Version

WSDP-NM-000023

Severity Override Guidance

Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the "groupISSM" group >> Confirm that the following minimal access profiles are created: "*/*/*?Access=r" and "*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x". If either profile is not present, this is a finding.

Privileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click "Credential Mapping" >> If Credential-mapping method is not "Local user group" or "Search LDAP for group name" is off, this is a finding.

Check Content Reference

M

Target Key

2861

Comments