STIGQter: STIG Summary: IBM DataPower Network Device Management Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 24 Oct 2017:

The DataPower Gateway must generate an immediate real-time alert of all audit failure events.

DISA Rule

SV-79637r1_rule

Vulnerability Number

V-65147

Group Title

SRG-APP-000360-NDM-000295

Rule Version

WSDP-NM-000097

Severity

CAT III

CCI(s)

• CCI-001858 - The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

Weight

10

Fix Recommendation

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. On the Trap Event Subscriptions tab, set to "on" the "Enable Default Event Subscriptions" option >> Set to "warning" the "Minimum Priority" option >> Configure "Trap Event Subscriptions" to include Event Subscriptions that indicate audit log failure: add 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.

On the "Trap and Notification Targets" tab, add the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur.

On the Main tab, set the "Administrative state" to "enabled" >> Click "Save Configuration".

Check Contents

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include Event Subscription codes that indicate audit failure: 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

If the SNMP object state is down, this is a finding.

Vulnerability Number

V-65147

Documentable

False

Rule Version

WSDP-NM-000097

Severity Override Guidance

In the DataPower web interface, navigate to Administration >> Access >> SNMP Settings. Verify that "Trap Event Subscriptions" include Event Subscription codes that indicate audit failure: 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the administrators and ISSO when audit failure events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled". Additionally, confirm that that the run time state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

If the SNMP object state is down, this is a finding.

Check Content Reference

M

Target Key

2861

Comments