STIGQter: STIG Summary: CA API Gateway ALG Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 28 Apr 2017

The CA API Gateway providing user access control intermediary services must generate audit records showing starting and ending time for user access to the system.

DISA Rule

SV-86095r1_rule

Vulnerability Number

V-71471

Group Title

SRG-NET-000505-ALG-000039

Rule Version

CAGW-GW-000870

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If any of the Registered Services/APIs do not provide a logout/terminate session capability as part of the API, create and register a "Logoff" Registered Service and call this service from the user's application upon ending a session. This will automatically generate the ending event as required, and the event will be audited on the Gateway.

For more details on registering and authoring services, refer to the "CA API Management Documentation Wiki" at https://wiki.ca.com/display/GATEWAY90/CA+API+Gateway+Home.

Check Contents

Open the CA API Gateway - Policy Manager.

Verify that each Registered Service requiring starting and ending event auditing includes the logout/terminate session capability as part of the Registered Service/API.

If it does not, this is a finding.

Documentable

False

Severity Override Guidance

Open the CA API Gateway - Policy Manager.

Verify that each Registered Service requiring starting and ending event auditing includes the logout/terminate session capability as part of the Registered Service/API.

If it does not, this is a finding.

Check Content Reference

M

Target Key

3049
