STIGQter: STIG Summary: IBM DataPower Network Device Management Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Oct 2017:

The DataPower Gateway must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.

DISA Rule

SV-79635r1_rule

Vulnerability Number

V-65145

Group Title

SRG-APP-000359-NDM-000294

Rule Version

WSDP-NM-000096

Severity

CAT III

CCI(s)

• CCI-001855 - The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity.

Weight

10

Fix Recommendation

Production configuration (off-box logging):
Off-box logging provides optimal storage size flexibility and log size notification capability.
Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, choose a Target Type, e.g., syslog-tcp, and a Log Format. Specify the remote host and port of the logging server. Enter other parameters according to your requirements, e.g., SSL security.

On the Event Subscriptions tab, add an Event Subscription. Select "audit" as the Event Category. Select a minimum Event Priority, e.g., "error”. Click "Apply" >>Click "Apply” >> Click "Save Configuration." Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.

It is the responsibility of the target log server to provide an alert when the audit log has reached 75 percent of capacity.

Check Contents

Production configuration (off-box logging):
Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, verify that the correct Target Type and Log Format are selected. Confirm that the remote host and port of an organizationally approved logging server are designated. Confirm that all additional parameters are chosen according to your requirements. Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.

To test 75 percent notification: Set the allowed maximum file size to a minimum value, e.g., 250k. Restart the DataPower Gateway several times to generate sufficient audit log messages to fill up the off-box audit log file. Confirm that notification is received at 75 percent of capacity. If it is not, this is a finding.

Vulnerability Number

V-65145

Documentable

False

Rule Version

WSDP-NM-000096

Severity Override Guidance

Production configuration (off-box logging):
Using the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, verify that the correct Target Type and Log Format are selected. Confirm that the remote host and port of an organizationally approved logging server are designated. Confirm that all additional parameters are chosen according to your requirements. Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.

To test 75 percent notification: Set the allowed maximum file size to a minimum value, e.g., 250k. Restart the DataPower Gateway several times to generate sufficient audit log messages to fill up the off-box audit log file. Confirm that notification is received at 75 percent of capacity. If it is not, this is a finding.

Check Content Reference

M

Target Key

2861

Comments