STIGQter: STIG Summary: IBM DataPower Network Device Management Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Oct 2017:

The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.

DISA Rule

SV-79613r2_rule

Vulnerability Number

V-65123

Group Title

SRG-APP-000296-NDM-000280

Rule Version

WSDP-NM-000082

Severity

CAT II

CCI(s)

• CCI-002363 - The information system provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to organization-defined information resources.

Weight

10

Fix Recommendation

Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.

For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.

Check Contents

Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less.

Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

Vulnerability Number

V-65123

Documentable

False

Rule Version

WSDP-NM-000082

Severity Override Guidance

Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less.

Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.

Check Content Reference

M

Target Key

2861

Comments