UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-65125 WSDP-NM-000083 SV-79615r1_rule Medium
Description
If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated.
STIG Date
IBM DataPower Network Device Management Security Technical Implementation Guide 2016-01-21

Details

Check Text ( C-65753r1_chk )
To verify, log out of a web session and an SSH command line session.

Upon logout from the web interface, the DataPower Gateway displays the IBM DataPower Login panel. This is a clear indication that the administrator has logged out.

Upon logout from an administrative SSH command line session, the following message is displayed: "Unauthorized access prohibited. logon:" A clear indication that logout has occurred.

If this message is not present, this is a finding.
Fix Text (F-71065r1_fix)
Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators.

From the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the "Customer User Interface" field.

A template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd.