The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.

An XCCDF Rule

Description

If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated.

ID: SV-79615r1_rule
Version: WSDP-NM-000083
Severity: Medium
References: CCI-002364
Updated: 5 days ago

Remediation Templates

Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators. 

From the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the "Customer User Interface" field. 

A template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd.

The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.

Description

Remediation Templates

A Manual Procedure