The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.

An XCCDF Rule

Description

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of accounts and notifies administrators and Information System Security Officers (ISSOs). Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes.

ID: SV-79603r1_rule
Version: WSDP-NM-000077
Severity: Medium
References: CCI-001683
Updated: 5 days ago

Remediation Templates

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. 

On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> set to "warning" the "Minimum Priority" option >> configure "Trap Event Subscriptions" to include an Event Subscription that indicates account creation by adding a 0x8240001c Event Subscription.

Example log result: "[conf][success][0x8240001c] (SYSTEM:default:*:*): user 'admin' Configuration added"
On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when accounts are created.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.

Description

Remediation Templates

A Manual Procedure