The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.

An XCCDF Rule

Details
Profiles

Description

If an administrator cannot explicitly end a device management session, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.

ID: SV-79613r2_rule
Version: WSDP-NM-000082
Severity: Medium
References: CCI-002363
Updated: 5 days ago

Remediation Templates

Configure the DataPower Gateway Web Management service used by an administrator, to include an idle timeout (Objects >> Device Management >> Web Management Service): The time after which to invalidate idle administrator sessions. When invalidated, the web interface requires reauthentication.

For the SSH command-line interface used by an administrator, use the web interface (Objects >> Crypto Configuration >> SSH Client Profile) to configure an SSH Client Profile for the administrator user ID. Configure the "Persistent Idle Timeout" to 900 or less.

The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.

Description

Remediation Templates

A Manual Procedure