The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-65119	WSDP-NM-000080	SV-79609r1_rule		Medium

Description
When application accounts are removed, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves. In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.

Description

When application accounts are removed, administrator accessibility is affected. Accounts are utilized for identifying individual device administrators or for identifying the device processes themselves. In order to detect and respond to events that affect administrator accessibility and device processing, devices must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that device accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes.

STIG	Date
IBM DataPower Network Device Management Security Technical Implementation Guide	2017-10-05

Details

Check Text ( C-65747r1_chk )
In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription code that indicates account removal: 0x8240001c. On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account disabled events occur. On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state. Confirm that when an account is removed, an appropriate 0x8240001c "Configuration deleted" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings. If this event message does not appear in the audit log, this is a finding.

Check Text ( C-65747r1_chk )

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include the Event Subscription code that indicates account removal: 0x8240001c.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when account disabled events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Confirm that when an account is removed, an appropriate 0x8240001c "Configuration deleted" event appears in the DataPower audit log (In the WebGUI go to Status >> View Logs >> Audit Log), and that an appropriate notification is sent by the SNMP server specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings.

If this event message does not appear in the audit log, this is a finding.

Fix Text (F-71059r1_fix)
In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account removal by adding a 0x8240001c Event Subscription. Example log result: "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration deleted" On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are removed. On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

Fix Text (F-71059r1_fix)

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings.

On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account removal by adding a 0x8240001c Event Subscription.

Example log result: "[conf][success][0x8240001c] (admin:default:web-gui:192.168.65.1): user 'TestUser' Configuration deleted"

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are removed.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".