The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-65125 | WSDP-NM-000083 | SV-79615r1_rule | Medium |
| Description |
|---|
| If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated. |
| STIG | Date |
|---|---|
| IBM DataPower Network Device Management Security Technical Implementation Guide | 2017-10-05 |
Details
| Check Text ( C-65753r1_chk ) |
|---|
| To verify, log out of a web session and an SSH command line session. Upon logout from the web interface, the DataPower Gateway displays the IBM DataPower Login panel. This is a clear indication that the administrator has logged out. Upon logout from an administrative SSH command line session, the following message is displayed: "Unauthorized access prohibited. logon:" A clear indication that logout has occurred. If this message is not present, this is a finding. |
| Fix Text (F-71065r1_fix) |
|---|
| Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators. From the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the "Customer User Interface" field. A template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd. |