STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 25 Jan 2016:

The DataPower Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.

DISA Rule

SV-79689r1_rule

Vulnerability Number

V-65199

Group Title

SRG-NET-000043-ALG-000024

Rule Version

WSDP-AG-000013

Severity

CAT II

CCI(s)

• CCI-001384 - The information system, for publicly accessible systems, displays system use information organization-defined conditions before granting further access.
• CCI-001385 - The information system, for publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.
• CCI-001386 - The information system, for publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.
• CCI-001387 - The information system, for publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.
• CCI-001388 - The information system, for publicly accessible systems, includes a description of the authorized uses of the system.

Weight

10

Fix Recommendation

The application designer will create a service object in DataPower (e.g., Multi Protocol Gateway). As part of the object configuration, the application designer will create a Processing Policy object. The processing policy controls access to the Processing Rules of the application.

The application designer will create a Processing Rule that allows the banner page to be displayed when a user accesses the application. The application designer will ensure that the banner page redirects the application user to the appropriate next step (e.g., logon page, application page, etc.) after the end user has accepted the terms of the agreement.

Check Contents

For an HTTP application hosted on DataPower to display a landing page, the application designer will need to make that landing page available on the DataPower appliance or remotely accessible on a server. This landing page will be the page that the user sees, and the user will have to acknowledge this page before being redirected to the application/logon.

If the banner page does not load when first accessing an application, this is a finding.

Vulnerability Number

V-65199

Documentable

False

Rule Version

WSDP-AG-000013

Severity Override Guidance

For an HTTP application hosted on DataPower to display a landing page, the application designer will need to make that landing page available on the DataPower appliance or remotely accessible on a server. This landing page will be the page that the user sees, and the user will have to acknowledge this page before being redirected to the application/logon.

If the banner page does not load when first accessing an application, this is a finding.

Check Content Reference

M

Target Key

2859

Comments