Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-65125 | WSDP-NM-000083 | SV-79615r1_rule | Medium |
| Description |
|---|
| If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated. |
| STIG | Date |
|---|---|
| IBM DataPower Network Device Management Security Technical Implementation Guide | 2017-10-05 |
Details
| Check Text ( C-65753r1_chk ) |
|---|
| To verify, log out of a web session and an SSH command line session. Upon logout from the web interface, the DataPower Gateway displays the IBM DataPower Login panel. This is a clear indication that the administrator has logged out. Upon logout from an administrative SSH command line session, the following message is displayed: "Unauthorized access prohibited. logon:" A clear indication that logout has occurred. If this message is not present, this is a finding. |
| Fix Text (F-71065r1_fix) |
|---|
| Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators. From the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the "Customer User Interface" field. A template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd. |