The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
An XCCDF Rule
Description
<VulnDiscussion>If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-79615r1_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators.
From the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the "Customer User Interface" field.
A template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd.