The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-65123 | WSDP-NM-000082 | SV-79613r2_rule | CCI-002363 | medium |
| Description | ||||
| If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. | ||||
| STIG | Date | |||
| IBM DataPower Network Device Management Security Technical Implementation Guide | 2017-10-05 | |||
Details
Check Text (C-79613r2_chk)
Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less.
Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.
Fix Text (F-71063r2_fix)
Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.
For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.