The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-65123 | WSDP-NM-000082 | SV-79613r2_rule | CCI-002363 | medium |
| Description | ||||
| If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. | ||||
| STIG | Date | |||
| IBM DataPower Network Device Management Security Technical Implementation Guide | 2017-10-05 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
AC-12(1)
1.00
- DISA · V1R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-002363
1.00
- DISA · V1R2 · disa_xccdf · related
Details
Check Text (C-79613r2_chk)
Objects >> Device Management >> Web Management Service >> Idle timeout is set to 900 or less.
Review the administrator's SSH Client Profile: Objects >> Crypto Configuration >> SSH Client Profile >> "Persistent Idle Timeout" is set to 900 or less. If it is not, this is a finding.
Fix Text (F-71063r2_fix)
Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.
For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.