STIGQter STIGQter: STIG Summary: IBM DataPower Network Device Management Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Oct 2017:

The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.

DISA Rule

SV-79603r1_rule

Vulnerability Number

V-65113

Group Title

SRG-APP-000291-NDM-000275

Rule Version

WSDP-NM-000077

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings.

On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account creation by adding a 0x8240001c Event Subscription.

Example log result: "[conf][success][0x8240001c] (SYSTEM:default:*:*): user 'admin' Configuration added"

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are created.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

Check Contents

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription code that indicates account creation: 0x8240001c.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account creation events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Confirm that when an account is created, an appropriate 0x8240001c "Configuration added" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings.

If this event message does not appear in the audit log, this is a finding.

Vulnerability Number

V-65113

Documentable

False

Rule Version

WSDP-NM-000077

Severity Override Guidance

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription code that indicates account creation: 0x8240001c.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account creation events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Confirm that when an account is created, an appropriate 0x8240001c "Configuration added" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings.

If this event message does not appear in the audit log, this is a finding.

Check Content Reference

M

Target Key

2861

Comments