{
"stig": {
"date": "2017-10-05",
"description": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-64981": {
"checkid": "C-65639r1_chk",
"checktext": "Administration >> Access >> User Group >> Click the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy. If the group profile(s) is/are not present, this is a finding\n\nPrivileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click \"Credential Mapping\" >> If Credential-mapping method is not \"Local user group\" or \"Search LDAP for group name\" is off, this is a finding.",
"description": "To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Network devices use access control policies and enforcement mechanisms to implement this requirement. \n\nAccess control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the network device to control access between administrators (or processes acting on behalf of administrators) and objects (e.g., device commands, files, records, processes) in the network device.",
"fixid": "F-70921r1_fix",
"fixtext": "Create the appropriate User Group(s) using the \"RBM Builder\": Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the \"Add\" button >> Define the policy >> Click \"Add\" >> Click \u201cApply\u201d.\n\nAdd users' accounts to LDAP groups with the same names as those defined with the RBM Builder, in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used.\n\nConfigure Role-Based Management to make use of LDAP Group information during logon to map users to local group definitions.",
"iacontrols": null,
"id": "V-64981",
"ruleID": "SV-79471r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.",
"version": "WSDP-NM-000013"
},
"V-65063": {
"checkid": "C-65689r1_chk",
"checktext": "Administration >> Access >> User Group >> Click the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy. If the group profile(s) is/are not present, this is a finding\n\nPrivileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click \"Credential Mapping\" >> If Credential-mapping method is not \"Local user group\" or \"Search LDAP for group name\" is off, this is a finding.",
"description": "A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management information flow is not enforced based on approved authorizations, the network device may become compromised. Information flow control regulates where management information is allowed to travel within a network device. The flow of all management information must be monitored and controlled so it does not introduce any unacceptable risk to the network device or data. \n\nApplication-specific examples of enforcement occur in systems that employ rule sets or establish configuration settings that restrict information system services or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics).\n\nApplications providing information flow control must be able to enforce approved authorizations for controlling the flow of management information within the system in accordance with applicable policy.",
"fixid": "F-71003r1_fix",
"fixtext": "Create the appropriate User Group(s) using the \"RBM Builder\": Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the \"Add\" button >> Define the policy >> Click \"Add\" >> Click \u201cApply\u201d.\n\nAdd users\u2019 accounts to LDAP groups with the same names as those defined with the RBM Builder, in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used.\n\nConfigure Role-Based Management to use LDAP Group information during logon to map users to local group definitions.",
"iacontrols": null,
"id": "V-65063",
"ruleID": "SV-79553r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.",
"version": "WSDP-NM-000014"
},
"V-65065": {
"checkid": "C-65691r1_chk",
"checktext": "Privileged user opens browser and navigates to the DataPower logon page.\n\nConfirm that the logon page displays the Standard Mandatory DoD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nIf the standard banner is not displayed, this is a finding.",
"description": "Display of the DoD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users.",
"fixid": "F-71005r1_fix",
"fixtext": "Get the User Interface (UI) Configuration Template File from the IBM DataPower Gateway website >> Copy the template to a new text file on the local operating system named \"ui-customization.xml\".\n\nUpload the User Interface Customization Template: Privileged account user log on to default domain >> Control Panel >> File Management >> Click \"local:\" >> Click \"Actions...\" Link corresponding to \"local:\" >> Click \"Upload Files\" >> Click \"Browse\" button >> Select the previously saved \"ui-customization.xml\" file from the local operating system >> Click \"Open\" >> Click the \"Upload\" button\" >> Click the \"Continue\" button.\n\nEdit the \"ui-customization.xml\" file: Click \"refresh page\" >> Click \"local:\" >> Click the \"Edit\" link corresponding to \"ui-customization.xml\" >> Click the \"Edit\" button >> Locate the XML Stanza named \"MarkupBanner\" and 'type=\"pre-logon\"' >> Replace the text \"WebGUI pre-logon message\" with the text of the Standard Mandatory DoD Notice and Consent Banner:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\n>> Locate the XML Stanza named \"TextBanner\" and 'type=\"pre-logon\"' >> replace the text \"Command line pre-logon message\" with the text of the Standard Mandatory DoD Notice and Consent Banner: \"I've read & consent to terms in IS user agreem't.\" >> Click the \"Submit\" button.\n\nConfigure the IBM DataPower Gateway to use the customized User Interface Customization file: Administration >> Device >> System Settings >> Scroll to \"Custom user interface file\" section at the bottom of the page and select \"ui-customization.xml\" from the drop-down list >> Scroll to top of the page >> Click \"Apply\" >> Click \"Save Configuration\".\n\nLog out of the appliance.",
"iacontrols": null,
"id": "V-65065",
"ruleID": "SV-79555r1_rule",
"severity": "low",
"title": "The DataPower Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.",
"version": "WSDP-NM-000016"
},
"V-65067": {
"checkid": "C-65693r1_chk",
"checktext": "WebGUI logon page: If DataPower does not retain the banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding.\n\nCLI logon: If DataPower does not display the banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access, this is a finding.",
"description": "The banner must be acknowledged by the administrator prior to allowing the administrator access to the network device. This provides assurance that the administrator has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the administrator, DoD will not be in compliance with system use notifications required by law. \n\nTo establish acceptance of the network administration policy, a click-through banner at management session logon is required. The device must prevent further activity until the administrator executes a positive action to manifest agreement by clicking on a box indicating \"OK\".",
"fixid": "F-71007r1_fix",
"fixtext": "Get the User Interface (UI) Configuration Template File from the IBM DataPower Gateway online website >> Copy the template to a new text file on the local operating system named \"ui-customization.xml\"\n\nUpload the User Interface Customization Template: Privileged account user log on to default domain >> Control Panel >> File Management >> Click \"local:\" >> Click \"Actions...\" link corresponding to \"local:\" >> Click \"Upload Files\" >> Click \"Browse\" button >> Select the previously saved \"ui-customization.xml\" file from the local operating system >> Click \"Open\" >> Click the \"Upload\" button\" >> Click the \"Continue\" button.\n\nEdit the \"ui-customization.xml\" file: Click \"refresh page\" >> Click \"local:\" >> Click the \"Edit\" link corresponding to \"ui-customization.xml\" >> Click the \"Edit\" button >> Locate the XML Stanza named \"MarkupBanner\" and 'type=\"pre-logon\"' >> Replace the text \"WebGUI pre-logon message\" with the text of the Standard Mandatory DoD Notice and Consent Banner:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\n>> Locate the XML Stanza named \"TextBanner\" and 'type=\"pre-logon\"' >> replace the text \"Command line pre-logon message\" with the text of the Standard Mandatory DoD Notice and Consent Banner: \"I've read & consent to terms in IS user agreem't.\" >> Click the \"Submit\" button.\n\nConfigure the IBM DataPower Gateway to use the customized User Interface Customization file: Administration >> Device >> System Settings >> Scroll to \"Custom user interface file\" section at the bottom of the page and select \"ui-customization.xml\" from the drop-down list >> Scroll to top of the page >> Click \"Apply\" >> Click \"Save Configuration\".\n\nLog out of the appliance.",
"iacontrols": null,
"id": "V-65067",
"ruleID": "SV-79557r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.",
"version": "WSDP-NM-000017"
},
"V-65069": {
"checkid": "C-65695r1_chk",
"checktext": "Control Panel >> View Logs\n\nSelect \u201cDOD-EventsLog\u201d from the drop-down list at the top of the page. If the log is empty, this is a finding.",
"description": "Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. \n\nAudit records can be generated from various components within the network device (e.g., process, module). Certain specific device functionalities may be audited as well. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records.\n\nDoD has defined the list of events for which the device will provide an audit record generation capability as the following: \n\n(i) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels);\n(ii) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; and\n(iii) All account creation, modification, disabling, and termination actions.",
"fixid": "F-71009r1_fix",
"fixtext": "Privileged account user logon to default domain\n\nIn the search field, enter \u201cLog Target\u201d.\n\nFrom the search results, click \u201cLog Target\u201d.\n\nClick \u201cAdd\u201d.\n\nName: enter the name of the log target (e.g., targetDodEvents)\nTarget Type: File\nLog Format: XML\nTimestamp format: Syslog\nDestination Configuration: File Name: logstore:///dodEvents.log\nLog Size: 1024\nArchive Mode: Rotate\nNumber of Rotations: 6\n\nClick on the \u201cEvent Filters\u201d Tab.\n\nEvent Subscription Filter, click \u201cSelect Code\u201d; select an Event Code from the list in the popup window.\n\nClick the \u201cAdd\u201d button. Repeat the process until all desired event codes have been added.\n\nClick \u201cApply\u201d to save the changes to the running configuration.\n\nClick \u201cSave Configuration\u201d to save the changes to the persisted configuration.",
"iacontrols": null,
"id": "V-65069",
"ruleID": "SV-79559r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must provide audit record generation capability for DoD-defined auditable events within DataPower.",
"version": "WSDP-NM-000022"
},
"V-65071": {
"checkid": "C-65697r1_chk",
"checktext": "Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the \"groupISSM\" group >> Confirm that the following minimal access profiles are created: \"*/*/*?Access=r\" and \"*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x\". If either profile is not present, this is a finding.\n\nPrivileged account user log on to default domain >> Administration >> Access >> RBM Settings >> Click \"Credential Mapping\" >> If Credential-mapping method is not \"Local user group\" or \"Search LDAP for group name\" is off, this is a finding.",
"description": "Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.",
"fixid": "F-71011r1_fix",
"fixtext": "Create an ISSM User Group: Privileged account user log on to default domain >> Administration >> Access >> User Group >> Click the \"Add\" button >> Name: \"groupISSM\" >> Enter \"*/*/*?Access=r\" into the \"Access Profile\" field >> Click \"Add\" >> \"*/default/logging/target?Name=logTargetISSM&Access=r+w+a+d+x\" into the \"Access Profile\" field >> Click \"Add\" >> Click \"Apply\".\n\nAdd users\u2019 accounts to the ISSM User Group \"groupISSM\" in the remote Authentication/Authorization server (LDAP). Note: This takes place outside the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used.\n\nConfigure Role-Based Management to use LDAP Group information during logon to map users to local group definitions.\n\nAdministration >> Access >> RBM Settings >> When configuring the Authentication method, select \"LDAP\" as the authentication method \n\nConfigure LDAP Authentication\n\nDefine the connection to the LDAP server >> In the Server host field, enter the IP address or host name of the server >> In the Server port field, enter the port number of the server >> From the LDAP version list, select the version >> From the SSL proxy profile list, select a profile to establish a secured connection to the LDAP server >> From the Load balancer group list, select a load balancer group.\n\nIf selected, queries are balanced in accordance with the group settings. This setting overrides the settings for the server host and port.\n\nSet the Search LDAP for DN property to use an LDAP search to retrieve the user group >> In the LDAP read timeout field, enter the time to wait for a response from the server before the appliance closes the connection >> From the Local accounts for fallback list, select whether to use local user accounts as fallback users. 
\n\nWith fallback users, local users can log on to the appliance if authentication fails or during a network outage that affects the primary authentication.\n\nWhen specific users are fallback users, add the local users (from the Fallback user list, select a local user) >> Click Add >> Optional: Repeat this step to add another locally defined fallback user.\n\nDefine the credentials-mapping method.\n\nClick Credentials-mapping >> From the Credentials-mapping method list, select the method to evaluate access profiles. Although available, a local user group is not a valid selection (If custom: In the Custom URL field, specify the URL of the custom style sheet; if with an XML file: In the XML file URL field, specify the URL of the RBM file) >> When the mapping method is a local user group or an XML file, set Search LDAP for group name to control whether to search LDAP to retrieve all user groups that match the query.\n\nWhen LDAP search is enabled, define the LDAP connection >> In the Server host field, enter the IP address or host name of the server >> In the Server port field, enter the port number of the server >> From the SSL proxy profile list, select the profile to establish a secured connection to the server >> From the Load balancer group list, select a load balancer group. If selected, queries are balanced in accordance with the group settings. This setting overrides the settings for the server host and port\n\nIn the LDAP bind DN field, enter the distinguished name (DN) for the bind operation >> In the LDAP bind password fields, enter and confirm the password for the specified DN >> From the LDAP search parameters list, select an LDAP search parameter. 
The LDAP search operation uses these parameters to retrieve all group names (DN or attribute value) based on the DN of the authenticated user >> In the LDAP read timeout field, enter the time to wait for a response from the server before the appliance closes the connection >> Define the account policy >> If you defined fallback users, define the password policy. \n\nSave the configuration: Click \"Apply\" to save the changes to the running configuration >> Click \"Save Configuration\" to save the changes to the persisted configuration.",
"iacontrols": null,
"id": "V-65071",
"ruleID": "SV-79561r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.",
"version": "WSDP-NM-000023"
},
"V-65073": {
"checkid": "C-65699r1_chk",
"checktext": "Administration >> Miscellaneous >> \"Manage Log Targets\" >> Click the appropriate log target (e.g., \"SystemResourcesLog\") >> Click the \"Event Filters\" tab >> Confirm subscriptions to the following event codes: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017. If any of these codes are not subscribed to, this is a finding.",
"description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAudit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.",
"fixid": "F-71013r1_fix",
"fixtext": "A Log Target can be configured to generate notifications (e.g., SNMP, SMTP) in the event that any of these event codes are detected.\n\nPrivileged account user log on to default domain >> Administration >> Miscellaneous >> \"Manage Log Targets\" >> Click the \"Add\" button >> Name: \"SystemResourcesLog\u201d >> Target Type: Select the desired notification mechanism (e.g., SMTP) >> Configure the SMTP server, providing the requested information; Log Format: \u201ctext\u201d >> Fixed Format: off >> Rate Limit: \u201c100\u201d >> Feedback Detection: on >> Identical Event Detection: off >> Click the \"Event Filters\" tab >> Under \"Event Subscriptions\", add the following event codes: 0x00330034, 0x01a40001, 0x01a30002, 0x01a30003, 0x01a40005, 0x01a30006, 0x01a30014, 0x01a30015, 0x01a30017 >> Click the \"Apply\" button >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65073",
"ruleID": "SV-79563r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.",
"version": "WSDP-NM-000033"
},
"V-65075": {
"checkid": "C-65701r1_chk",
"checktext": "Login page >> Enter non admin user id and password, select Default for domain >> Click Login. If non admin user can log on, this is a finding.",
"description": "Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nIf audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. In addition, access to audit records provides information an attacker could use to his or her advantage.\n\nTo ensure the veracity of audit data, the information system and/or the network device must protect audit information from any and all unauthorized read access.\n\nThis requirement can be achieved through multiple methods which will depend upon system architecture and design. Commonly employed methods for protecting audit information include least privilege permissions as well as restricting the location and number of log file repositories.\n\nAdditionally, network devices with user interfaces to audit records should not allow for the unfettered manipulation of or access to those records via the device interface. If the device provides access to the audit data, the device becomes accountable for ensuring audit information is protected from unauthorized access.",
"fixid": "F-71015r1_fix",
"fixtext": "Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non privileged user account >> Click \u201c\u2026\u201d button next to User Group field >> Enter */default/*?Access=NONE into field >> click add >> click Apply >> click Apply >> click Save Configuration",
"iacontrols": null,
"id": "V-65075",
"ruleID": "SV-79565r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must protect audit information from any type of unauthorized read access.",
"version": "WSDP-NM-000036"
},
"V-65077": {
"checkid": "C-65703r1_chk",
"checktext": "Logon page >> Enter non-admin user ID and password, select Default for domain >> Click \"Login\". If non-admin user can log on, this is a finding.",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nNetwork devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.",
"fixid": "F-71017r1_fix",
"fixtext": "Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click \u201c\u2026\u201d button next to User Group field >> Enter */default/*?Access=NONE into field >> Click \"Add\" >> Click \"Apply\" >> Click \"Apply\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65077",
"ruleID": "SV-79567r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must protect audit tools from unauthorized access.",
"version": "WSDP-NM-000039"
},
"V-65079": {
"checkid": "C-65705r1_chk",
"checktext": "Logon page >> Enter non-admin user ID and password, select Default for domain >> Click \"Login\". If non-admin user can log on, this is a finding.",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nNetwork devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.",
"fixid": "F-71019r1_fix",
"fixtext": "Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click \u201c\u2026\u201d button next to User Group field >> Enter */default/*?Access=NONE into field >> Click \"Add\" >> Click \"Apply\" >> Click \"Apply\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65079",
"ruleID": "SV-79569r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must protect audit tools from unauthorized modification.",
"version": "WSDP-NM-000040"
},
"V-65081": {
"checkid": "C-65707r1_chk",
"checktext": "Logon page >> Enter non-admin user ID and password, select Default for domain >> Click \"Login\". If non-admin user can log on, this is a finding.",
"description": "Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit data.\n\nNetwork devices providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.",
"fixid": "F-71021r1_fix",
"fixtext": "Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non privileged user account >> Click \u201c\u2026\u201d button next to User Group field >> Enter */default/*?Access=NONE into field >> Click \"Add >> Click \"Apply\" >> Click \"Apply\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65081",
"ruleID": "SV-79571r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must protect audit tools from unauthorized deletion.",
"version": "WSDP-NM-000041"
},
"V-65083": {
"checkid": "C-65709r1_chk",
"checktext": "Type \u201cLog Target\u201d in the Search field >> Log target >> Event Subscription tab. \n\nIf \u201caudit\u201d is not listed under Event Category, this is a finding. \n\nIf \u201cRule Action\u201d does not contain a \u201cFilter\u201d action, this is a finding.",
"description": "Protection of log data includes assuring log data is not accidentally lost or deleted. Regularly backing up audit records to a different system or onto separate media than the system being audited helps to assure, in the event of a catastrophic system failure, the audit records will be retained. \n\nThis helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records.",
"fixid": "F-71023r1_fix",
"fixtext": "Type \u201cLog Target\u201d in the Search field >> Log target >> Event Subscription tab >> Add >> Event Category \u201caudit\u201d >> Minimum Event Priority event priority level >> Apply >> Apply >> Save Configuration.\n\nIf the only log target is \u201cdefault-log\u201d: Type \u201cLog Target\u201d in the Search field >> Log target >> Main tab >> Target Type \u201csyslog\u201d >> syslog Facility facility >> Local Identifier identifier >> Remote Host hostname.",
"iacontrols": null,
"id": "V-65083",
"ruleID": "SV-79573r1_rule",
"severity": "low",
"title": "The DataPower Gateway must back up audit records at least every seven days onto a different system or system component than the system or component being audited.",
"version": "WSDP-NM-000042"
},
"V-65085": {
"checkid": "C-65711r1_chk",
"checktext": "Login page >> Enter non-admin user ID and password, select Default for domain >> Click \"Login\". If non-admin user can log on, this is a finding.",
"description": "Changes to any software components can have significant effects on the overall security of the network device. Verifying software components have been digitally signed using a certificate that is recognized and approved by the organization ensures the software has not been tampered with and has been provided by a trusted vendor. \n\nAccordingly, patches, service packs, or application components must be signed with a certificate recognized and approved by the organization. \n\nVerifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The device should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.",
"fixid": "F-71025r1_fix",
"fixtext": "Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click \u201c\u2026\u201d button next to User Group field >> Enter */default/*?Access=NONE into field >> Click \"Add\" >> Click \"Apply\" >> Click \"Apply\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65085",
"ruleID": "SV-79575r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.",
"version": "WSDP-NM-000044"
},
"V-65087": {
"checkid": "C-65713r1_chk",
"checktext": "Logon page >> Enter non-admin user ID and password, select Default for domain >> Click \"Login\". If non-admin user can log on, this is a finding.",
"description": "Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.",
"fixid": "F-71027r1_fix",
"fixtext": "Privileged account user log on to default domain >> Administration >> Access >> User Account >> Select non-privileged user account >> Click \u201c\u2026\u201d button next to User Group field >> Enter */default/*?Access=NONE into field >> Click \"Add\" >> Click \"Apply\" >> Click \"Apply\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65087",
"ruleID": "SV-79577r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must limit privileges to change the software resident within software libraries.",
"version": "WSDP-NM-000045"
},
"V-65089": {
"checkid": "C-65715r1_chk",
"checktext": "Log on to the Default Domain.\n\nNavigate to Network >> Management >> Web Management Service. If the Administrative State is not enabled, this is a finding.\n\nNavigate to Network >> Management >> SSH Service. If the Administrative State is not enabled, this is a finding.\n\nNavigate to Network >> Management >> Telnet Service. If the Administrative State is enabled, this is a finding.",
"description": "In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable unused or unnecessary physical and logical ports/protocols on information systems. Network devices are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., email and web services); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the network device must support the organizational requirements providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.\n\nThis requirement applies to applications, services, protocols, and ports used for network device management. NTP, SSH, HTTPS and SNMP are associated with device management, but, when used to manage the device, must be restricted to the management network.",
"fixid": "F-71029r1_fix",
"fixtext": "Log on to the Default Domain.\n\nNavigate to Network >> Management >> Web Management Service. Set the Administrative State to enabled.\n\nNavigate to Network >> Management >> SSH Service. Set the Administrative State to enabled.\n\nIn the Local IP Address field, enter the local IP address on which the device monitors for incoming SSH requests.\n\nClick \"Apply\" to save the changes to the running configuration.\n\nClick \"Save Config\" to save the changes to the startup configuration.",
"iacontrols": null,
"id": "V-65089",
"ruleID": "SV-79579r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled.",
"version": "WSDP-NM-000046"
},
"V-65091": {
"checkid": "C-65717r1_chk",
"checktext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. If Minimum length is Off, this is a finding.",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password.\n\nThe shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.",
"fixid": "F-71031r1_fix",
"fixtext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. Set Minimum length to at least 15.",
"iacontrols": null,
"id": "V-65091",
"ruleID": "SV-79581r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must enforce a minimum 15-character password length.",
"version": "WSDP-NM-000053"
},
"V-65093": {
"checkid": "C-65719r1_chk",
"checktext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. If Control reuse is Off, this is a finding.",
"description": "Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nTo meet password policy requirements, passwords need to be changed at specific policy-based intervals. \n\nIf the network device allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.",
"fixid": "F-71033r1_fix",
"fixtext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. Set Control reuse to On, set Reuse history to at least 5.",
"iacontrols": null,
"id": "V-65093",
"ruleID": "SV-79583r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must prohibit password reuse for a minimum of five generations.",
"version": "WSDP-NM-000054"
},
"V-65095": {
"checkid": "C-65721r1_chk",
"checktext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. If Require mixed case is Off, this is a finding.",
"description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.",
"fixid": "F-71035r1_fix",
"fixtext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. Set Require mixed case to On.",
"iacontrols": null,
"id": "V-65095",
"ruleID": "SV-79585r1_rule",
"severity": "medium",
"title": "If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one upper-case character be used.",
"version": "WSDP-NM-000055"
},
"V-65097": {
"checkid": "C-65723r1_chk",
"checktext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. If Require mixed case is Off, this is a finding.",
"description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.",
"fixid": "F-71037r1_fix",
"fixtext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. Set Require mixed case to On.",
"iacontrols": null,
"id": "V-65097",
"ruleID": "SV-79587r1_rule",
"severity": "medium",
"title": "If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one lower-case character be used.",
"version": "WSDP-NM-000056"
},
"V-65099": {
"checkid": "C-65725r1_chk",
"checktext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. If Require number is Off, this is a finding.",
"description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.",
"fixid": "F-71039r1_fix",
"fixtext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. Set Require number to On.",
"iacontrols": null,
"id": "V-65099",
"ruleID": "SV-79589r1_rule",
"severity": "medium",
"title": "If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one numeric character be used.",
"version": "WSDP-NM-000057"
},
"V-65101": {
"checkid": "C-65729r1_chk",
"checktext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. If Require non-alphanumeric is Off, this is a finding.",
"description": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.",
"fixid": "F-71041r1_fix",
"fixtext": "Search Bar \u201cAdministration\u201d >> Access >> RBM Settings >> Password Policy. Set Require non-alphanumeric to On.",
"iacontrols": null,
"id": "V-65101",
"ruleID": "SV-79591r1_rule",
"severity": "medium",
"title": "If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one special character be used.",
"version": "WSDP-NM-000058"
},
"V-65103": {
"checkid": "C-65731r1_chk",
"checktext": "Search Bar \u201cRBM\u201d >> RBM Settings. Check that the Authentication method list has the User certificate selected. If not, this is a finding.",
"description": "Authorization for access to any network device requires an approved and assigned individual account identifier. To ensure only the assigned individual is using the account, the account must be bound to a user certificate when PKI-based authentication is implemented.",
"fixid": "F-71043r1_fix",
"fixtext": "Search Bar \u201cRBM\u201d >> RBM Settings. Click User certificate in the Authentication method list.",
"iacontrols": null,
"id": "V-65103",
"ruleID": "SV-79593r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication.",
"version": "WSDP-NM-000065"
},
"V-65105": {
"checkid": "C-65733r1_chk",
"checktext": "Default domain >> Status >> Cryptographic Mode Status: If Target=Permissive AND Current=Permissive AND Pending Target=Permissive, this is a finding.",
"description": "Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.\n\nNetwork devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.\n\nFIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements.",
"fixid": "F-71045r1_fix",
"fixtext": "Administration >> Access >> RBM Settings >> Password Policy. Change Password hash algorithm to sha256crypt. \n\nAdministration >> Miscellaneous >> Crypto Tools. Set Cryptographic Mode to FIPS 140-2 Level 1 and click Set Cryptographic Mode button. \n\nControl Panel >> System Control >> Shutdown. Set Mode to Reload Firmware >> Click \"Shutdown\" button.",
"iacontrols": null,
"id": "V-65105",
"ruleID": "SV-79595r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.",
"version": "WSDP-NM-000067"
},
"V-65107": {
"checkid": "C-65735r1_chk",
"checktext": "Using the DataPower WebGUI: \nIn the search field, enter Web Management, \nFrom the search results, click Web Management Service, \nIn the Idle timeout field, check to ensure that the value entered is no greater than 600 (the number of seconds after which the appliance closes the connection).\nIf the number is greater than 600, this is a finding.",
"description": "Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. \n\nTerminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. This does not mean that the device terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.",
"fixid": "F-71047r1_fix",
"fixtext": "Using the DataPower WebGUI: \nIn the search field, enter Web Management, \nFrom the search results, click Web Management Service, \nIn the Idle timeout field, enter 600 (the number of seconds after which the appliance closes the connection).",
"iacontrols": null,
"id": "V-65107",
"ruleID": "SV-79597r1_rule",
"severity": "high",
"title": "The DataPower Gateway must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.",
"version": "WSDP-NM-000069"
},
"V-65109": {
"checkid": "C-65737r1_chk",
"checktext": "From the web interface for DataPower device management, verify that the DataPower Gateway Cryptographic Mode is Set to FIPS 140-2 Level 1; Status >> Crypto >> Cryptographic Mode Status.\n\nIf it is not set to FIPS 140-2, this is a finding.\n\nThen, verify that the session identifiers (TIDs) in the System Log are random: Status >> View Logs >> Systems Logs.\n\nIf they are not random, this is a finding.",
"description": "Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.\n\nUnique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.\n\nThis requirement is applicable to devices that use a web interface for device management.",
"fixid": "F-71049r1_fix",
"fixtext": "From the DataPower command line, enter \"use-fips on\" to configure DataPower to generate unique session identifiers using a FIPS 140-2 approved random number generator. From the web interface, use \"Set Cryptographic Mode\" (Administration >> Miscellaneous >> Crypto Tools, Set Cryptographic Mode tab) to set the appliance to \"FIPS 140-2 Level 1\" mode.\n\nThis will achieve NIST SP800-131a compliance.",
"iacontrols": null,
"id": "V-65109",
"ruleID": "SV-79599r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.",
"version": "WSDP-NM-000072"
},
"V-65111": {
"checkid": "C-65739r1_chk",
"checktext": "From the DataPower command line, enter \"failure-notification\", then enter \"show failure-notification\". If it is \"disabled\", this is a finding. This capability is enabled by default.",
"description": "Predictable failure prevention requires organizational planning to address device failure issues. If components key to maintaining the device's security fail to function, the device could continue operating in an insecure state. If appropriate actions are not taken when a network device failure occurs, a denial of service condition may occur which could result in mission failure since the network would be operating without a critical security monitoring and prevention function. Upon detecting a failure of network device security components, the network device must activate a system alert message, send an alarm, or shut down.",
"fixid": "F-71051r1_fix",
"fixtext": "From the DataPower command line, enter \"failure-notification\" to configure DataPower to generate failure notifications. \n\nWith failure notification enabled, you can send an error report to a designated recipient or upload to a specific location after the appliance returns to service from an unscheduled outage. \n\nThis error report can contain diagnostic details. Intrusion detection will provide a warning and restart in Fail-Safe mode.",
"iacontrols": null,
"id": "V-65111",
"ruleID": "SV-79601r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.",
"version": "WSDP-NM-000076"
},
"V-65113": {
"checkid": "C-65741r1_chk",
"checktext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that \"Trap Event Subscriptions\" include the Event Subscription code that indicates account creation: 0x8240001c.\n\nOn the \"Trap and Notification Targets\" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account creation events occur.\n\nOn the Main tab, confirm that the \"Administrative state\" is set to \"enabled\". Additionally, confirm that the run time state (shown at the top of the page after the text \"SNMP Settings\") indicates in brackets that the SNMP object is in an \"up\" state.\n\nConfirm that when an account is created, an appropriate 0x8240001c \"Configuration added\" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the \"Trap and Notification Targets\" tab of the DataPower SNMP Settings.\n\nIf this event message does not appear in the audit log, this is a finding.",
"description": "Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.",
"fixid": "F-71053r1_fix",
"fixtext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. \n\nOn the Trap Event Subscriptions tab, set to \"on\" the \"Enable Default Event Subscriptions\" option >> set to \"warning\" the \"Minimum Priority\" option >> configure \"Trap Event Subscriptions\" to include an Event Subscription that indicates account creation by adding a 0x8240001c Event Subscription.\n\nExample log result: \"[conf][success][0x8240001c] (SYSTEM:default:*:*): user 'admin' Configuration added\"\n\nOn the \"Trap and Notification Targets\" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are created.\n\nOn the Main tab, set the \"Administrative state\" to \"enabled\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65113",
"ruleID": "SV-79603r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.",
"version": "WSDP-NM-000077"
},
"V-65115": {
"checkid": "C-65743r1_chk",
"checktext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that \"Trap Event Subscriptions\" include the Event Subscription codes that indicate account modification: 0x8240001c and 0x8240001f.\n\nOn the \"Trap and Notification Targets\" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account modification events occur.\n\nOn the Main tab, confirm that the \"Administrative state\" is set to \"enabled\". Additionally, confirm that the run time state (shown at the top of the page after the text \"SNMP Settings\") indicates in brackets that the SNMP object is in an \"up\" state.\n\nConfirm that when an account is modified, an appropriate 0x8240001c or 0x8240001f \"Configuration settings applied\" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the \"Trap and Notification Targets\" tab of the DataPower SNMP Settings. \n\nIf this event message does not appear in the audit log, this is a finding.",
"description": "Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the modification of device administrator accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously modified and provides logging that can be used for forensic purposes.\n\nThe network device must generate the alert. Notification may be done by a management server.",
"fixid": "F-71055r1_fix",
"fixtext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. \n\nOn the Trap Event Subscriptions tab, set to \"on\" the \"Enable Default Event Subscriptions\" option >> set to \"warning\" the \"Minimum Priority\" option >> configure \"Trap Event Subscriptions\" to include an Event Subscription that indicates account modification by adding 0x8240001c and 0x8240001f Event Subscriptions.\n\nExample log result: \"[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied\"\n\nOn the \"Trap and Notification Targets\" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are modified.\n\nOn the Main tab, set the \"Administrative state\" to \"enabled\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65115",
"ruleID": "SV-79605r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.",
"version": "WSDP-NM-000078"
},
"V-65117": {
"checkid": "C-65745r1_chk",
"checktext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that \"Trap Event Subscriptions\" include the Event Subscription codes that indicate an account is disabled: 0x8240001c and 0x8240001f.\n\nOn the \"Trap and Notification Targets\" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account disabled events occur.\n\nOn the Main tab, confirm that the \"Administrative state\" is set to \"enabled\". Additionally, confirm that the run time state (shown at the top of the page after the text \"SNMP Settings\") indicates in brackets that the SNMP object is in an \"up\" state.\n\nConfirm that when an account is disabled, an appropriate 0x8240001c or 0x8240001f \"disabled\" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the \"Trap and Notification Targets\" tab of the DataPower SNMP Settings.\n\nIf this event message does not appear in the audit log, this is a finding.",
"description": "When application accounts are disabled, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves. \n\nIn order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.",
"fixid": "F-71057r1_fix",
"fixtext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. \n\nOn the Trap Event Subscriptions tab, set to \"on\" the \"Enable Default Event Subscriptions\" option >> set to \"warning\" the \"Minimum Priority\" option >> configure \"Trap Event Subscriptions\" to include an Event Subscription that indicates an account is disabled by adding 0x8240001c and 0x8240001f Event Subscriptions.\n\nExample log result: \"[conf][success][0x8240001c] (dp-technician:default:system:*): web-mgmt 'WebGUI-Settings' - admin-state disabled.\"\n\nOn the \"Trap and Notification Targets\" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are disabled.\n\nOn the Main tab, set the \"Administrative state\" to \"enabled\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65117",
"ruleID": "SV-79607r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are disabled.",
"version": "WSDP-NM-000079"
},
"V-65119": {
"checkid": "C-65747r1_chk",
"checktext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that \"Trap Event Subscriptions\" include the Event Subscription code that indicates account removal: 0x8240001c.\n\nOn the \"Trap and Notification Targets\" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account removal events occur.\n\nOn the Main tab, confirm that the \"Administrative state\" is set to \"enabled\". Additionally, confirm that the run time state (shown at the top of the page after the text \"SNMP Settings\") indicates in brackets that the SNMP object is in an \"up\" state.\n\nConfirm that when an account is removed, an appropriate 0x8240001c \"Configuration deleted\" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the \"Trap and Notification Targets\" tab of the DataPower SNMP Settings. \n\nIf this event message does not appear in the audit log, this is a finding.",
"description": "When application accounts are removed, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves. \n\nIn order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.",
"fixid": "F-71059r1_fix",
"fixtext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. \n\nOn the Trap Event Subscriptions tab, set to \"on\" the \"Enable Default Event Subscriptions\" option >> set to \"warning\" the \"Minimum Priority\" option >> configure \"Trap Event Subscriptions\" to include an Event Subscription that indicates account removal by adding a 0x8240001c Event Subscription.\n\nExample log result: \"[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration deleted\"\n\nOn the \"Trap and Notification Targets\" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are removed.\n\nOn the Main tab, set the \"Administrative state\" to \"enabled\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65119",
"ruleID": "SV-79609r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed.",
"version": "WSDP-NM-000080"
},
"V-65121": {
"checkid": "C-65749r3_chk",
"checktext": "Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less. \n\nReview the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> \"Persistent Idle Timeout\" is set to 900 or less. If it is not, this is a finding.",
"description": "Automatic session termination addresses the termination of administrator-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever an administrator (or process acting on behalf of a user) accesses a network device. Such administrator sessions can be terminated (and thus terminate network administrator access) without terminating network sessions. \n\nSession termination terminates all processes associated with an administrator's logical session except those processes that are specifically created by the administrator (i.e., session owner) to continue after the session is terminated. \n\nConditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. These conditions will vary across environments and network device types.",
"fixid": "F-71061r3_fix",
"fixtext": "For the Web Management service used by an administrator, configure an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.\n\nFor the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the \"Persistent Idle Timeout\" to 900 or less.",
"iacontrols": null,
"id": "V-65121",
"ruleID": "SV-79611r2_rule",
"severity": "medium",
"title": "The DataPower Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.",
"version": "WSDP-NM-000081"
},
"V-65123": {
"checkid": "C-65751r2_chk",
"checktext": "Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less. \n\nReview the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> \"Persistent Idle Timeout\" is set to 900 or less. If it is not, this is a finding.",
"description": "If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.",
"fixid": "F-71063r2_fix",
"fixtext": "Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.\n\nFor the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the \"Persistent Idle Timeout\" to 900 or less.",
"iacontrols": null,
"id": "V-65123",
"ruleID": "SV-79613r2_rule",
"severity": "medium",
"title": "The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.",
"version": "WSDP-NM-000082"
},
"V-65125": {
"checkid": "C-65753r1_chk",
"checktext": "To verify, log out of a web session and an SSH command line session.\n\nUpon logout from the web interface, the DataPower Gateway displays the IBM DataPower Login panel. This is a clear indication that the administrator has logged out. \n\nUpon logout from an administrative SSH command line session, the following message is displayed: \"Unauthorized access prohibited. logon:\" A clear indication that logout has occurred.\n\nIf this message is not present, this is a finding.",
"description": "If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session unterminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated.",
"fixid": "F-71065r1_fix",
"fixtext": "Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators. \n\nFrom the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the \"Customer User Interface\" field. \n\nA template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd.",
"iacontrols": null,
"id": "V-65125",
"ruleID": "SV-79615r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.",
"version": "WSDP-NM-000083"
},
"V-65127": {
"checkid": "C-65755r1_chk",
"checktext": "View the logging settings: Objects >> Logging Configuration >> Audit Log Settings. Then examine the audit log after enabling or disabling an account (the most recent entry will be at the bottom of the log).\n\nIf this message is not present, this is a finding.",
"description": "Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.",
"fixid": "F-71067r1_fix",
"fixtext": "Configure a comprehensive audit trail by turning on the audit log using the web interface (Objects >> Logging Configuration >> Audit Log Settings) then setting the desired level of logging detail for audit-events.",
"iacontrols": null,
"id": "V-65127",
"ruleID": "SV-79617r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must automatically audit account enabling actions.",
"version": "WSDP-NM-000085"
},
"V-65129": {
"checkid": "C-65757r1_chk",
"checktext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that \"Trap Event Subscriptions\" include the Event Subscription codes that indicate account modification: 0x8240001c and 0x8240001f.\n\nOn the \"Trap and Notification Targets\" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account modification events occur.\n\nOn the Main tab, confirm that the \"Administrative state\" is set to \"enabled\". Additionally, confirm that the run time state (shown at the top of the page after the text \"SNMP Settings\") indicates in brackets that the SNMP object is in an \"up\" state.\n\nConfirm that when an account is modified, an appropriate 0x8240001c or 0x8240001f \"Configuration settings applied\" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the \"Trap and Notification Targets\" tab of the DataPower SNMP Settings.\n\nIf this event message does not appear in the audit log, this is a finding.",
"description": "Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies administrators and ISSOs. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. \n\nIn order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.",
"fixid": "F-71069r1_fix",
"fixtext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. \n\nOn the Trap Event Subscriptions tab, set to \"on\" the \"Enable Default Event Subscriptions\" option >> set to \"warning\" the \"Minimum Priority\" option >> configure \"Trap Event Subscriptions\" to include an Event Subscription that indicates account creation by adding 0x8240001c and 0x8240001f Event Subscriptions.\n\nExample log result: \"[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration settings applied\"\n\nOn the \"Trap and Notification Targets\" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are modified.\n\nOn the Main tab, set the \"Administrative state\" to \"enabled\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65129",
"ruleID": "SV-79619r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must generate an immediate alert for account enabling actions.",
"version": "WSDP-NM-000086"
},
"V-65131": {
"checkid": "C-65759r1_chk",
"checktext": "To verify that the secure transmission of authentication information has been configured, use the WebGUI to go to Objects >> XML Processing >> AAA Policy, and select an existing AAA Policy.\n\nValidate the authorization parameters on the Resource extraction, Resource mapping, and Authorization tabs. \n\nOn the Authorization tab, confirm that all necessary parameters are properly configured for secure access to the authorization server. If they are not, this is a finding.",
"description": "Protecting access authorization information (i.e., access control decisions) ensures that authorization information cannot be altered, spoofed, or otherwise compromised during transmission.\n\nIn distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit, as part of the access authorization information, supporting security attributes. This is because, in distributed information systems, there are various access control decisions that need to be made, and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions.",
"fixid": "F-71071r1_fix",
"fixtext": "The DataPower Gateway provides support for the secure transmission of authorization information to any supported authorization server. The following methods are supported: binarytokenx509, cleartrust, client-ssl, custom, kerberos, ldap, ltpa, netegrity, radius, saml-artifact, saml-authen-query, saml-signature, tivoli, token, validate-signer, ws-secureconversation, ws-trust, xmlfile, zosnss. \n\nTo configure secure authorization, use the WebGUI to go to Objects >> XML Processing >> AAA Policy >> Press the \"Add\" button.\n\nAfter completing the parameters for authentication (Main, Identity extraction, Authentication, and Credential Mapping tabs), complete the parameters for authorization (Resource extraction, Resource mapping, and Authorization tabs). \n\nDataPower provides secure access to all of the above-listed supported authorization methods. For example, on the AAA Policy Authorization tab described above, select \"Check membership in LDAP group\" as the authentication method. Parameters will then appear that allow the configuration of a secure SSL/TLS connection to that authorization server.",
"iacontrols": null,
"id": "V-65131",
"ruleID": "SV-79621r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must be compliant with at least one IETF standard authentication protocol.",
"version": "WSDP-NM-000087"
},
"V-65135": {
"checkid": "C-65763r1_chk",
"checktext": "Navigate to the DataPower Gateway RBM settings at Administration >> Access >> RBM, Authentication tab using the web interface. Verify that each role is authenticated according to appropriate control policy. If they are not, this is a finding.",
"description": "Discretionary Access Control (DAC) is based on the notion that individual network administrators are \"owners\" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.\n\nWhen discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside of the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.\n\nThe discretionary access control policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.",
"fixid": "F-71075r1_fix",
"fixtext": "As the DataPower administrator, configure the DataPower Gateway to enforce role-based access control policy over defined subjects and objects. In the WebGUI, go to Administration >> Access >> RBM Settings. On the Authentication tab, select the approved authentication server. Enter the information required for an authenticated user to access defined subjects and objects.",
"iacontrols": null,
"id": "V-65135",
"ruleID": "SV-79625r1_rule",
"severity": "medium",
"title": "If the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects.",
"version": "WSDP-NM-000088"
},
"V-65137": {
"checkid": "C-65765r1_chk",
"checktext": "Navigate to the DataPower Gateway RBM settings at Administration >> Access >> RBM, Authentication tab using the web interface. Verify that each role is authenticated according to appropriate control policy. If they are not, this is a finding.",
"description": "Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When administrators are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every administrator (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control.\n\nThe RBAC policies and the subjects and objects are defined uniquely for each network device, so they cannot be specified in the requirement.",
"fixid": "F-71077r1_fix",
"fixtext": "As the DataPower administrator, configure the DataPower Gateway to enforce role-based access control policy over defined subjects and objects. In the WebGUI, go to Administration >> Access >> RBM Settings. On the Authentication tab, select the approved authentication server. Enter the information required for an authenticated user to access defined subjects and objects.",
"iacontrols": null,
"id": "V-65137",
"ruleID": "SV-79627r1_rule",
"severity": "medium",
"title": "If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects.",
"version": "WSDP-NM-000089"
},
"V-65139": {
"checkid": "C-65767r1_chk",
"checktext": "Using the WebGUI, go to Objects >> Logging Configuration >> Audit Log Settings. Confirm that the Administrative state is \"enabled\" and that the status displayed alongside the \"Audit Log Settings\" heading is \"[up]\".\n\nAs a final test, execute a privileged function and confirm that an entry appears in the audit log. Using the WebGUI, go to Administration >> Access >> New User Account. Click \"No\". Select \"Developer\". Click Next. Enter \"TestDeveloper\" as the name and enter a password. Click Next. Click Commit. Click Done.\n\nNow view the Audit log by using the WebGUI to go to Status >> View Logs >> Audit Log. Scroll to the bottom of the log and confirm that you see the following entry: \"user 'TestDeveloper' - Configuration added\". \n\nIf this event message does not appear in the audit log, this is a finding.",
"description": "Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.",
"fixid": "F-71079r1_fix",
"fixtext": "The DataPower device logs the execution of all privileged functions.\n\nThe DataPower Audit log is enabled by default. To configure this log, go to the WebGUI at Objects >> Logging Configuration >> Audit Log Settings. Set the Administrative state to \"enable\". Specify the desired Log Size, Number of Rotations. Set the Audit Level to \"full\" (the default setting). The result of this configuration must be that the status displayed alongside the \"Audit Log Settings\" heading is \"[up]\".",
"iacontrols": null,
"id": "V-65139",
"ruleID": "SV-79629r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must audit the execution of privileged functions.",
"version": "WSDP-NM-000091"
},
"V-65141": {
"checkid": "C-65769r1_chk",
"checktext": "View the following three auditing configuration capabilities:\n\nVerify existing log targets and Event Subscriptions. Using the web interface, go to Objects >> Logging Configuration >> Log Target. View the Event Subscriptions tab to audit log subscription Event Priority levels.\n\nSNMP Settings. Using the web interface, go to Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab. View the Event Subscriptions tab to verify audit log subscription Event Priority levels.\n\nAudit log settings. Using the web interface, go to Objects >> Logging Configuration >> Audit Log Settings. Verify that the Audit Level is set to \"full\". If it is not, this is a finding.",
"description": "If authorized individuals do not have the ability to modify auditing parameters in response to a changing threat environment, the organization may not be able to effectively respond, and important forensic information may be lost.\n\nThis requirement enables organizations to extend or limit auditing as necessary to meet organizational requirements. Auditing that is limited to conserve information system resources may be extended to address certain threat situations. In addition, auditing may be limited to a specific set of events to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which audit actions are changed, for example, near-real-time, within minutes, or within hours.\n\nThe individuals or roles permitted to change the auditing depend on the security configuration of the network device; for example, it may be configured to allow only some administrators to change the auditing, while other administrators can review audit logs but not reconfigure auditing. Because this capability is so powerful, organizations should be extremely cautious about only granting this capability to fully authorized security personnel.",
"fixid": "F-71081r1_fix",
"fixtext": "Configure the following near real-time auditing capabilities: \n\n1. Subscriptions to the DataPower audit logs and associated event categories and Minimum Event Priority.\n\nSet log targets and Event Subscriptions. Using the web interface, go to Objects >> Logging Configuration >> Log Target. Add an audit log target. View the Event Subscriptions tab to set the audit log subscription Event Priority level.\n\n2. SNMP trap event subscriptions to audit log events.\n\nSNMP Settings. Using the web interface, go to Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab. Add audit log event codes to the SNMP notification configuration. \n\n3. Audit levels.\n\nUsing the web interface, go to Objects >> Logging Configuration >> Audit Log Settings. Set the Audit Level to the desired level (standard or full).",
"iacontrols": null,
"id": "V-65141",
"ruleID": "SV-79631r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.",
"version": "WSDP-NM-000094"
},
"V-65143": {
"checkid": "C-65771r2_chk",
"checktext": "Development configuration (on-box logging): Using the DataPower web interface, navigate to Objects >> Logging Configuration >> Audit Log Settings. Verify that the desired Log Size, Number of Rotations has resulted in \"[up]\" status displayed after the \"Audit Log Settings\" heading at the top of page. In the WebGUI, navigate to Status >> View Logs >> System Logs. Ensure the following event message is not displayed: 0x82400067 Audit log space low - using audit reserve space.\n\nIf this message appears, it is a finding.\n\nProduction configuration (off-box logging)\nUsing the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, verify that the correct Target Type and Log Format are selected. Confirm that the remote host and port of an organizationally approved logging server are designated. Confirm that all additional parameters are chosen according to your requirements. Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.\n\nIf the status is not up, this is a finding.",
"description": "In order to ensure network devices have a sufficient storage capacity in which to write the audit logs, they need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial device setup if it is modifiable. \n\nThe value for the organization-defined audit record storage requirement will depend on the amount of storage available on the network device, the anticipated volume of logs, the frequency of transfer from the network device to centralized log servers, and other factors.",
"fixid": "F-71083r1_fix",
"fixtext": "Development configuration (on-box logging):\nUsing the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Audit Log Settings. Specify the desired Log Size, Number of Rotations, and audit level. Press Apply then Save Configuration. (Maximum available log space is approximately 50GB, less space consumed by other data on the device.) \n\nProduction configuration (off-box logging):\nUsing the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, choose a Target Type, e.g., syslog-tcp, and a Log Format. Specify the remote host and port of the logging server. Enter other parameters according to your requirements, e.g., SSL security.\n\nOn the Event Subscriptions tab, add an Event Subscription. Select \"audit\" as the Event Category. Select a minimum Event Priority, e.g., \"error\". Click \"Apply\" >> Click \"Apply\" >> Click \"Save Configuration\". Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.",
"iacontrols": null,
"id": "V-65143",
"ruleID": "SV-79633r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.",
"version": "WSDP-NM-000095"
},
"V-65145": {
"checkid": "C-65773r1_chk",
"checktext": "Production configuration (off-box logging):\nUsing the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, verify that the correct Target Type and Log Format are selected. Confirm that the remote host and port of an organizationally approved logging server are designated. Confirm that all additional parameters are chosen according to your requirements. Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.\n\nTo test 75 percent notification: Set the allowed maximum file size to a minimum value, e.g., 250k. Restart the DataPower Gateway several times to generate sufficient audit log messages to fill up the off-box audit log file. Confirm that notification is received at 75 percent of capacity. If it is not, this is a finding.",
"description": "If security personnel are not notified immediately upon storage volume utilization reaching 75%, they are unable to plan for storage capacity expansion. This could lead to the loss of audit information. Note that while the network device must generate the alert, notification may be done by a management server.",
"fixid": "F-71085r1_fix",
"fixtext": "Production configuration (off-box logging):\nOff-box logging provides optimal storage size flexibility and log size notification capability.\nUsing the DataPower WebGUI, navigate to Objects >> Logging Configuration >> Log Target. On the main tab, choose a Target Type, e.g., syslog-tcp, and a Log Format. Specify the remote host and port of the logging server. Enter other parameters according to your requirements, e.g., SSL security.\n\nOn the Event Subscriptions tab, add an Event Subscription. Select \"audit\" as the Event Category. Select a minimum Event Priority, e.g., \"error\". Click \"Apply\" >> Click \"Apply\" >> Click \"Save Configuration\". Confirm that the status of the log target is displayed as [up] alongside the Log Target heading at the top of the page.\n\nIt is the responsibility of the target log server to provide an alert when the audit log has reached 75 percent of capacity.",
"iacontrols": null,
"id": "V-65145",
"ruleID": "SV-79635r1_rule",
"severity": "low",
"title": "The DataPower Gateway must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.",
"version": "WSDP-NM-000096"
},
"V-65147": {
"checkid": "C-65775r1_chk",
"checktext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that \"Trap Event Subscriptions\" include Event Subscription codes that indicate audit failure: 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.\n\nOn the \"Trap and Notification Targets\" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur.\n\nOn the Main tab, confirm that the \"Administrative state\" is set to \"enabled\". Additionally, confirm that the run time state (shown at the top of the page after the text \"SNMP Settings\") indicates in brackets that the SNMP object is in an \"up\" state.\n\nIf the SNMP object state is down, this is a finding.",
"description": "It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. \n\nAlerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).",
"fixid": "F-71087r1_fix",
"fixtext": "In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to \"on\" the \"Enable Default Event Subscriptions\" option >> Set to \"warning\" the \"Minimum Priority\" option >> Configure \"Trap Event Subscriptions\" to include Event Subscriptions that indicate audit log failure: add 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.\n\nOn the \"Trap and Notification Targets\" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur.\n\nOn the Main tab, set the \"Administrative state\" to \"enabled\" >> Click \"Save Configuration\".",
"iacontrols": null,
"id": "V-65147",
"ruleID": "SV-79637r1_rule",
"severity": "low",
"title": "The DataPower Gateway must generate an immediate real-time alert of all audit failure events.",
"version": "WSDP-NM-000097"
},
"V-65149": {
"checkid": "C-65777r1_chk",
"checktext": "Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.",
"description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside of the configured acceptable allowance (drift) may be inaccurate. Additionally, unnecessary synchronization may have an adverse impact on system performance and may indicate malicious activity. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.",
"fixid": "F-71089r1_fix",
"fixtext": "Configure the DataPower Gateway to synchronize internal information system clocks to the authoritative time source (NTP servers).\n\nIn the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.",
"iacontrols": null,
"id": "V-65149",
"ruleID": "SV-79639r1_rule",
"severity": "low",
"title": "The DataPower Gateway must compare internal information system clocks at least every 24 hours with an authoritative time server.",
"version": "WSDP-NM-000098"
},
"V-65151": {
"checkid": "C-65779r1_chk",
"checktext": "Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.",
"description": "Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. \n\nSynchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in CCI-001891 because a comparison must be done in order to determine the time difference.\n\nThe organization-defined time period will depend on multiple factors, most notably the granularity of time stamps in audit logs. For example, if time stamps only show to the nearest second, there is no need to have accuracy of a tenth of a second in clocks.",
"fixid": "F-71091r1_fix",
"fixtext": "Configure the DataPower Gateway to synchronize internal information system clocks to the authoritative time source (NTP servers).\n\nIn the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.",
"iacontrols": null,
"id": "V-65151",
"ruleID": "SV-79641r1_rule",
"severity": "low",
"title": "The DataPower Gateway must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.",
"version": "WSDP-NM-000099"
},
"V-65153": {
"checkid": "C-65781r1_chk",
"checktext": "Using the DataPower web interface, go to Network >> Interface >> NTP Service. Confirm that the Administrative state is enabled, NTP Servers are configured, and that the Refresh Interval is set to 2040 seconds or less. If it is not, this is a finding.",
"description": "The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly inaccurate time stamps on audit events and other functions. \n\nMultiple time sources provide redundancy by including a secondary source. Time synchronization is usually a hierarchy; clients synchronize time to a local source while that source synchronizes its time to a more accurate source. The network device must utilize an authoritative time server and/or be configured to use redundant authoritative time sources. This requirement is related to the comparison done in CCI-001891.\n\nDoD-approved solutions consist of a combination of a primary and secondary time source using a combination or multiple instances of the following: a time server designated for the appropriate DoD network (NIPRNet/SIPRNet); United States Naval Observatory (USNO) time servers; and/or the Global Positioning System (GPS). The secondary time source must be located in a different geographic region than the primary time source.",
"fixid": "F-71093r1_fix",
"fixtext": "In the DataPower WebGUI, go to Network >> Interface >> NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.",
"iacontrols": null,
"id": "V-65153",
"ruleID": "SV-79643r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.",
"version": "WSDP-NM-000100"
},
"V-65155": {
"checkid": "C-65783r1_chk",
"checktext": "In the web interface, go to Status >> View Logs >> Audit Log to display current time stamped log entries. \n\nIf the UTC format is not used, this is a finding.",
"description": "If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis.\n\nTime stamps generated by the application include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.",
"fixid": "F-71095r1_fix",
"fixtext": "By default, the DataPower Gateway records time stamps for audit records in Coordinated Universal Time (UTC). The following is an example: March 30, 2015 followed by the number of milliseconds since January 1, 1970.\n\n20150330T072434.296Z",
"iacontrols": null,
"id": "V-65155",
"ruleID": "SV-79645r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).",
"version": "WSDP-NM-000101"
},
"V-65157": {
"checkid": "C-65785r1_chk",
"checktext": "This requirement may be verified by executing each configuration item modification event that requires tracking and then examining the audit log (the most recent entry will be at the bottom of the log).\n\nUsing the DataPower Gateway web interface, the audit log event code for each configuration item modification event shown in the audit log must be confirmed to exist in the list of Trap Event Subscriptions in the SNMP notification settings: Administration >> Access >> SNMP Settings, Trap Event Subscriptions tab.\n\nIf the code is not present, this is a finding.",
"description": "Unauthorized changes to the baseline configuration could make the device vulnerable to various attacks or allow unauthorized access to the device. Changes to device configurations can have unintended side effects, some of which may be relevant to security. \n\nDetecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the device. Examples of security responses include, but are not limited to the following: halting application processing; halting selected functions; or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item. The appropriate automated security response may vary depending on the nature of the baseline configuration change, the role of the network device, the availability of organizational personnel to respond to alerts, etc.",
"fixid": "F-71097r1_fix",
"fixtext": "Configure the DataPower Gateway to use an SNMP trap to send the log failure event to a properly configured SNMP server.\n\nIn the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Configure \"Trap Event Subscriptions\" to include Event Subscriptions that indicate unauthorized configuration changes. Configure \"Trap and Notification Targets\" to include an approved SNMP server that generates alerts that will be forwarded to organizational personnel when a modification to a configuration item has occurred.",
"iacontrols": null,
"id": "V-65157",
"ruleID": "SV-79647r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.",
"version": "WSDP-NM-000105"
},
"V-65159": {
"checkid": "C-65787r1_chk",
"checktext": "In the DataPower web interface, navigate to Administration >> Access. Check User Account, User Group, and RBM settings to ensure that appropriate access restrictions are in place.\n\nIf the User Account, User Group, and RBM settings have not been configured, this is a finding.",
"description": "Failure to provide logical access restrictions associated with changes to device configuration may have significant effects on the overall security of the system. \n\nWhen dealing with access restrictions pertaining to change control, it should be noted that any changes to the hardware, software, and/or firmware components of the device can potentially have significant effects on the overall security of the device. \n\nAccordingly, only qualified and authorized individuals should be allowed to obtain access to device components for the purposes of initiating changes, including upgrades and modifications. \n\nLogical access restrictions include, for example, controls that restrict access to workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).",
"fixid": "F-71099r1_fix",
"fixtext": "Configure DataPower Gateway to restrict actions associated with device configuration. This is defined and enforced through group and user access privileges as well as DataPower's Role-based management settings.\n\nConfigure these settings using the DataPower WebGUI at Administration >> Access.",
"iacontrols": null,
"id": "V-65159",
"ruleID": "SV-79649r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must enforce access restrictions associated with changes to device configuration.",
"version": "WSDP-NM-000106"
},
"V-65161": {
"checkid": "C-65789r1_chk",
"checktext": "Confirm that the Audit log administrative state is \"up\". Using the web interface, go to Object >> Logging Configuration >> Audit Log Settings. Confirm that the Audit Level is set to Full. If it is not, this is a finding.",
"description": "Without auditing the enforcement of access restrictions against changes to the device configuration, it will be difficult to identify attempted attacks, and an audit trail will not be available for forensic investigation for after-the-fact actions. \n\nEnforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.",
"fixid": "F-71101r1_fix",
"fixtext": "Configure the DataPower Gateway to log all enforcement action audit events to an external log target. \n\nUsing the web interface, go to Objects >> Logging Configuration >> Log Target. Add an audit log target. View the Event Subscriptions tab to set audit log subscription Event Priority level.",
"iacontrols": null,
"id": "V-65161",
"ruleID": "SV-79651r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must audit the enforcement actions used to restrict access associated with changes to the device.",
"version": "WSDP-NM-000107"
},
"V-65163": {
"checkid": "C-65791r1_chk",
"checktext": "Go to Status >> Main >> Active Users and ensure that the user is not currently logged on. If the user is logged in, it is a finding.",
"description": "Without re-authentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen devices provide the capability to change security roles, it is critical the user re-authenticate.\n\nIn addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances.\n\n(i) When authenticators change;\n(ii) When roles change;\n(iii) When security categories of information systems change;\n(iv) When the execution of privileged functions occurs;\n(v) After a fixed period of time; or\n(vi) Periodically.\n\nWithin the DoD, the minimum circumstances requiring re-authentication are privilege escalation and role changes.",
"fixid": "F-71103r1_fix",
"fixtext": "After making any account privilege changes, the administrator must go to Status >> Main >> Active Users and disconnect the user's current session if they are currently logged on.",
"iacontrols": null,
"id": "V-65163",
"ruleID": "SV-79653r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must require users to re-authenticate when privilege escalation or role changes occur.",
"version": "WSDP-NM-000108"
},
"V-65165": {
"checkid": "C-65793r1_chk",
"checktext": "For SNMP, go to Administration >> Access >> SNMP Settings. Ensure the SNMP v3 Security Level is set to Authenticate. If it is not, this is a finding.",
"description": "Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk.\n\nA local connection is any connection with a device communicating without the use of a network. A network connection is any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet).\n\nBecause of the challenges of applying this requirement on a large scale, organizations are encouraged to only apply the requirement to those limited number (and type) of devices that truly need to support this capability. For network device management, this has been determined to be network management device addresses, SNMP authentication, and NTP authentication.",
"fixid": "F-71105r1_fix",
"fixtext": "The browser, SSH, and XML Management network interfaces are set to SSL/TLS and require authentication by default. For SNMP, go to Administration >> Access >> SNMP Settings. Set SNMP v3 Security Level to Authenticate. Create one or more new SNMPv3 users that employ Authentication (may be password or key). Network transport for SNMP uses TLS by default.",
"iacontrols": null,
"id": "V-65165",
"ruleID": "SV-79655r1_rule",
"severity": "high",
"title": "The DataPower Gateway must use SNMPv3.",
"version": "WSDP-NM-000112"
},
"V-65167": {
"checkid": "C-65795r1_chk",
"checktext": "Go to Administration >> Access >> RBM Settings. Click on the Authentication tab. Verify cache mode is set to absolute and set timeout value is set. If it is not, this is a finding.",
"description": "Some authentication implementations can be configured to use cached authenticators.\n\nIf cached authentication information is out-of-date, the validity of the authentication information may be questionable.\n\nThe organization-defined time period should be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.",
"fixid": "F-71107r1_fix",
"fixtext": "Go to Administration >> Access >> RBM Settings. Click on the Authentication tab. Set cache mode to absolute and set timeout value as needed.",
"iacontrols": null,
"id": "V-65167",
"ruleID": "SV-79657r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period.",
"version": "WSDP-NM-000115"
},
"V-65169": {
"checkid": "C-65797r1_chk",
"checktext": "Go to Network >> Management >> Telnet Service and ensure that no active Telnet configurations exist for device management. Other administrative interfaces (SSH, browser, XML Management) are run over secure protocols by default and cannot be changed. If Telnet configurations exist, this is a finding.",
"description": "This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instead of HTTP. If unsecured protocols (lacking cryptographic mechanisms) are used for sessions, the contents of those sessions will be susceptible to manipulation, potentially allowing alteration and hijacking of maintenance sessions.",
"fixid": "F-71109r1_fix",
"fixtext": "Go to Network >> Management >> Telnet Service and ensure that no active Telnet configurations exist for device management. Other administrative interfaces (SSH, browser, XML Management) are run over secure protocols by default and cannot be changed.",
"iacontrols": null,
"id": "V-65169",
"ruleID": "SV-79659r1_rule",
"severity": "medium",
"title": "The IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications.",
"version": "WSDP-NM-000117"
},
"V-65171": {
"checkid": "C-65799r1_chk",
"checktext": "Go to Administration-Miscellaneous >> Manage Log Targets, Event Subscription Tab and check for acceptable configuration in the name and category fields. Go to the Main tab and check for the desired values in the protocol field.\n\nIf no Log Targets are configured, this is a finding.",
"description": "Information stored in one location is vulnerable to accidental or incidental deletion or alteration.\n\nOff-loading is a common process in information systems with limited audit storage capacity.",
"fixid": "F-71111r1_fix",
"fixtext": "Use the CLI copy command. Syntax: copy -f sourceURL destinationURL\n-f is an optional switch that forces an unconditional copy. Example: xi52(config)# copy audit:audit-log sftp://test@xx.xx.x.xxx/LOGS/x/Week1.log. \n\nOr, go to Administration-Miscellaneous >> Manage Log Targets, Event Subscription Tab, provide a name, press Add, choose Category \u201caudit\u201d. \n\nGo to Main tab, choose protocol (NFS, SMTP, SNMP, File, etc.) and configure.",
"iacontrols": null,
"id": "V-65171",
"ruleID": "SV-79661r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must off-load audit records onto a different system or media than the system being audited.",
"version": "WSDP-NM-000128"
},
"V-65173": {
"checkid": "C-65801r1_chk",
"checktext": "Go to Administration >> Access >> SNMP Settings. Verify the IP address, port, and security settings. Go to the Trap and Notification Targets tab. Verify the remote server/receiver information. If these values have not been set, this is a finding.",
"description": "By immediately displaying an alarm message, potential security violations can be identified more quickly even when administrators are not logged into the network device. An example of a mechanism to facilitate this would be through the utilization of SNMP traps.",
"fixid": "F-71113r1_fix",
"fixtext": "Go to Administration >> Access >> SNMP Settings. Configure the IP address, port, and security settings. \n\nGo to the Trap and Notification Targets tab. Enter the remote server/receiver information.",
"iacontrols": null,
"id": "V-65173",
"ruleID": "SV-79663r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B.",
"version": "WSDP-NM-000131"
},
"V-65175": {
"checkid": "C-65803r1_chk",
"checktext": "Go to Administration >> Miscellaneous >> Manage Log Targets. Verify the settings. If they are blank, this is a finding.",
"description": "Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack; to recognize resource utilization or capacity thresholds; or to identify an improperly configured network device. If auditing is not comprehensive, it will not be useful for intrusion monitoring, security investigations, and forensic analysis.",
"fixid": "F-71115r1_fix",
"fixtext": "Go to Administration >> Miscellaneous >> Manage Log Targets. Click the log target or add one. \n\nGo to the Event Subscriptions tab and click on the event categories that are required to be audited.",
"iacontrols": null,
"id": "V-65175",
"ruleID": "SV-79665r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must generate audit log events for a locally developed list of auditable events.",
"version": "WSDP-NM-000132"
},
"V-65177": {
"checkid": "C-65805r1_chk",
"checktext": "Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.",
"description": "The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.",
"fixid": "F-71117r1_fix",
"fixtext": "Go to Administration >> Access >> RBM Settings.\nSet Authentication Method to LDAP.\n\nConfigure LDAP connection as needed.",
"iacontrols": null,
"id": "V-65177",
"ruleID": "SV-79667r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings.",
"version": "WSDP-NM-000134"
},
"V-65179": {
"checkid": "C-65807r1_chk",
"checktext": "Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.",
"description": "The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.",
"fixid": "F-71119r1_fix",
"fixtext": "Go to Administration >> Access >> RBM Settings. Set Authentication Method to LDAP.\n\nConfigure LDAP connection as needed.",
"iacontrols": null,
"id": "V-65179",
"ruleID": "SV-79669r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must employ automated mechanisms to centrally apply authentication settings.",
"version": "WSDP-NM-000135"
},
"V-65181": {
"checkid": "C-65809r1_chk",
"checktext": "Go to Administration >> Access >> RBM Settings. Verify Authentication Method is LDAP. If it is not, this is a finding.",
"description": "The use of authentication servers or other centralized management servers for providing centralized authentication services is required for network device management. Maintaining local administrator accounts for daily usage on each network device without centralized management is not scalable or feasible. Without centralized management, it is likely that credentials for some network devices will be forgotten, leading to delays in administration, which itself leads to delays in remediating production problems and in addressing compromises in a timely fashion.",
"fixid": "F-71121r1_fix",
"fixtext": "Go to Administration >> Access >> RBM Settings. Set Authentication Method to LDAP.\n\nConfigure LDAP connection as needed. The connection will be verified.",
"iacontrols": null,
"id": "V-65181",
"ruleID": "SV-79671r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must employ automated mechanisms to centrally verify authentication settings.",
"version": "WSDP-NM-000136"
},
"V-65183": {
"checkid": "C-65811r1_chk",
"checktext": "Go to Administration >> Main >> System Control. Verify Secure Backup. If it is not configured, this is a finding.",
"description": "System-level information includes default and customized settings and security attributes, including ACLs that relate to the network device configuration, as well as software required for the execution and operation of the device. Information system backup is a critical step in ensuring system integrity and availability. If the system fails and there is no backup of the system-level information, a denial of service condition is possible for all who utilize this critical network component.\n\nThis control requires the network device to support the organizational central backup process for system-level information associated with the network device. This function may be provided by the network device itself; however, the preferred best practice is a centralized backup rather than each network device performing discrete backups.",
"fixid": "F-71123r1_fix",
"fixtext": "Go to Administration >> Main >> System Control and configure Secure Backup. Go to Administration >> Configuration >> Export Configuration to do the backup. This can be automated via external scripting or Scheduled Rule - XML Manager in default domain.",
"iacontrols": null,
"id": "V-65183",
"ruleID": "SV-79673r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must support organizational requirements to conduct backups of system level information contained in the information system when changes occur or weekly, whichever is sooner.",
"version": "WSDP-NM-000138"
},
"V-65185": {
"checkid": "C-65813r1_chk",
"checktext": "Go to Administration >> Miscellaneous >> Manage Log Targets. Verify the log target. If no log target exists, this is a finding.",
"description": "Despite the investment in perimeter defense technologies, enclaves are still faced with detecting, analyzing, and remediating network breaches and exploits that have made it past the network device. An automated incident response infrastructure allows network operations to immediately react to incidents by identifying, analyzing, and mitigating any network device compromise. Incident response teams can perform root cause analysis, determine how the exploit proliferated, and identify all affected nodes, as well as contain and eliminate the threat.\n\nThe network device assists in the tracking of security incidents by logging detected security events. The audit log and network device application logs capture different types of events. The audit log tracks audit events occurring on the components of the network device. The application log tracks the results of the network device content filtering function. These logs must be aggregated into a centralized server and can be used as part of the organization's security incident tracking and analysis.",
"fixid": "F-71125r1_fix",
"fixtext": "Go to Administration >> Miscellaneous >> Manage Log Targets. Click the log target or add one. Go to the Event Subscriptions tab and click on the event categories that are required to be audited.",
"iacontrols": null,
"id": "V-65185",
"ruleID": "SV-79675r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents.",
"version": "WSDP-NM-000140"
},
"V-65187": {
"checkid": "C-65815r1_chk",
"checktext": "Go to Objects >> Crypto Configuration >> Crypto Certificate (for certs) or Crypto Key (for keys) to verify external keys/certs on the encrypted flash or FIPS 140-2 Level 3 HSM. If none exist, this is a finding.",
"description": "For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice.",
"fixid": "F-71127r1_fix",
"fixtext": "Go to Objects >> Crypto Configuration >> Crypto Certificate (for certs) or Crypto Key (for keys) to upload external keys/certs to the encrypted flash or FIPS 140-2 Level 3 HSM.",
"iacontrols": null,
"id": "V-65187",
"ruleID": "SV-79677r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider.",
"version": "WSDP-NM-000141"
},
"V-65189": {
"checkid": "C-65817r1_chk",
"checktext": "Using an administrator account, log on to the default domain of the appliance.\n\nNavigate to Network >> Management >> Web Management Service.\n\nView the Local Address field; if the value is \u201c0.0.0.0\u201d, this is a finding.",
"description": "If 0.0.0.0 is used as the management IP address, the DataPower appliance will listen on all configured interfaces for management traffic. This can allow an attacker to gain privileged-level access from an untrusted network.",
"fixid": "F-71129r1_fix",
"fixtext": "To configure the DataPower appliance for web management:\n\nUsing an administrator account, log on to the default domain of the appliance.\n\nOn the Configure Web Management Service screen, complete the required information.\n\nSet the Administrative state to \u201cenabled\u201d.\n\nFor the Local Address, use the IP address from the management subnet assigned to the unit.",
"iacontrols": null,
"id": "V-65189",
"ruleID": "SV-79679r1_rule",
"severity": "medium",
"title": "The DataPower Gateway must not use 0.0.0.0 as the management IP address.",
"version": "WSDP-NM-000143"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-64981": "true",
"V-65063": "true",
"V-65065": "true",
"V-65067": "true",
"V-65069": "true",
"V-65071": "true",
"V-65073": "true",
"V-65075": "true",
"V-65077": "true",
"V-65079": "true",
"V-65081": "true",
"V-65083": "true",
"V-65085": "true",
"V-65087": "true",
"V-65089": "true",
"V-65091": "true",
"V-65093": "true",
"V-65095": "true",
"V-65097": "true",
"V-65099": "true",
"V-65101": "true",
"V-65103": "true",
"V-65105": "true",
"V-65107": "true",
"V-65109": "true",
"V-65111": "true",
"V-65113": "true",
"V-65115": "true",
"V-65117": "true",
"V-65119": "true",
"V-65121": "true",
"V-65123": "true",
"V-65125": "true",
"V-65127": "true",
"V-65129": "true",
"V-65131": "true",
"V-65135": "true",
"V-65137": "true",
"V-65139": "true",
"V-65141": "true",
"V-65143": "true",
"V-65145": "true",
"V-65147": "true",
"V-65149": "true",
"V-65151": "true",
"V-65153": "true",
"V-65155": "true",
"V-65157": "true",
"V-65159": "true",
"V-65161": "true",
"V-65163": "true",
"V-65165": "true",
"V-65167": "true",
"V-65169": "true",
"V-65171": "true",
"V-65173": "true",
"V-65175": "true",
"V-65177": "true",
"V-65179": "true",
"V-65181": "true",
"V-65183": "true",
"V-65185": "true",
"V-65187": "true",
"V-65189": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "ibm_datapower_network_device_management",
"title": "IBM DataPower Network Device Management Security Technical Implementation Guide",
"version": "1"
}
}
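The check for V-65189 (WSDP-NM-000143) above is written as a manual WebGUI walk-through. The script below is an added example, not part of the STIG and not IBM tooling, that performs the same check offline against a configuration export so it can run in a pipeline across many units. It assumes the export contains a `WebGUI` object with `mAdminState`, `LocalAddress` and `LocalPort` child elements (modelled on the appliance's XML management interface; treat those element names as assumptions and adjust them to your firmware's export). It goes one step beyond the STIG text: it also treats the IPv6 unspecified address `::` as "all interfaces", and it checks the fix text's requirement that the address lie in the management subnet. The sample exports are constructed, not captured from a real appliance.

```python
"""Offline check for V-65189: the Web Management Service must not bind
to the unspecified address, and should sit on the management subnet.

Added example; element names and the export layout are assumptions.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Addresses that make the service listen on every interface. The STIG
# names only 0.0.0.0; "::" is the IPv6 equivalent and is treated the same
# way here (a generalization of the STIG text, not taken from it).
UNSPECIFIED = {"0.0.0.0", "::"}

# Constructed excerpt of a config export with the weak setting.
WEAK_EXPORT = """<datapower-configuration>
  <configuration domain="default">
    <WebGUI name="WebGUI-Settings">
      <mAdminState>enabled</mAdminState>
      <LocalAddress>0.0.0.0</LocalAddress>
      <LocalPort>9090</LocalPort>
    </WebGUI>
  </configuration>
</datapower-configuration>"""

# Same export with the service bound to an address on the management subnet.
HARDENED_EXPORT = WEAK_EXPORT.replace("0.0.0.0", "10.10.5.20")


def web_mgmt_findings(config_xml: str, mgmt_subnet: str) -> list[str]:
    """Return one string per finding for every WebGUI object in the export.

    An empty list means the check passes. A disabled service is skipped,
    since nothing is listening on it.
    """
    net = ipaddress.ip_network(mgmt_subnet, strict=False)
    findings: list[str] = []
    root = ET.fromstring(config_xml)
    seen = False
    for obj in root.iter("WebGUI"):
        seen = True
        name = obj.get("name", "WebGUI")
        state = (obj.findtext("mAdminState") or "").strip()
        addr = (obj.findtext("LocalAddress") or "").strip()
        if state != "enabled":
            continue
        if addr in UNSPECIFIED:
            findings.append(
                f"{name}: Local Address '{addr}' binds to all interfaces (finding)"
            )
            continue
        if addr == "":
            findings.append(f"{name}: Local Address is unset; verify manually")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # DataPower also accepts a host alias here; the subnet cannot be
            # verified offline without resolving the alias.
            findings.append(f"{name}: Local Address '{addr}' is not a literal IP; verify manually")
            continue
        if ip not in net:
            findings.append(
                f"{name}: Local Address {addr} is outside management subnet {net} (finding)"
            )
    if not seen:
        findings.append("no WebGUI object found in export; check the default domain")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, web_mgmt_findings(export, "10.10.5.0/24") or ["pass"])
```

Run it against the `default` domain's export; a non-empty list for an enabled `WebGUI` object is the finding the STIG describes. The "verify manually" results are deliberately not silent passes, because a host alias or an unset value cannot be judged from the export alone.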