STIGQter: STIG Summary: IBM DataPower ALG Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 25 Jan 2016

The DataPower Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.

DISA Rule

SV-79469r1_rule

Vulnerability Number

V-64979

Group Title

SRG-NET-000015-ALG-000016

Rule Version

WSDP-AG-000001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Create the appropriate User Group(s) using the "RBM Builder". As a privileged account user, log on to the default domain >> Administration >> Access >> User Group >> Select the "Add" button >> Define the policy, per the RBM Builder documentation >> Click "Add" >> Click "Apply".

Add users’ accounts to LDAP groups with the same names as those defined with the RBM Builder, in the remote Authentication/Authorization server (LDAP).

Note: This takes place outside of the context of the IBM DataPower Gateway. Specific instructions will depend on the LDAP server being used.

Configure Role-Based Management to use LDAP Group information during logon to map users to local group definitions.

Check Contents

As a privileged account user, log on to the default domain >> Administration >> Access >> User Group >> Select the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy.

If the group profile(s) is/are not present, this is a finding.

As a privileged account user, log on to the default domain >> Administration >> Access >> RBM Settings >> Select "Credential Mapping".

If the Credential-mapping method is not "Local user group", or "Search LDAP for group name" is off, this is a finding.

Documentable

False

Severity Override Guidance

As a privileged account user, log on to the default domain >> Administration >> Access >> User Group >> Select the group to be confirmed >> Confirm that the access profiles are configured appropriately for the desired security policy.

If the group profile(s) is/are not present, this is a finding.

As a privileged account user, log on to the default domain >> Administration >> Access >> RBM Settings >> Select "Credential Mapping".

If the Credential-mapping method is not "Local user group", or "Search LDAP for group name" is off, this is a finding.

Check Content Reference

M

Target Key

2859

Comments