STIGQter: STIG Summary: IBM DataPower Network Device Management Security Technical Implementation Guide

Version: 1, Release: 2

Benchmark Date: 24 Oct 2017

Name | Title
SV-79471r1_rule | The DataPower Gateway must enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
SV-79553r1_rule | The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.
SV-79555r1_rule | The DataPower Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
SV-79557r1_rule | The DataPower Gateway must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until the administrator acknowledges the usage conditions and takes explicit actions to log on for further access.
SV-79559r1_rule | The DataPower Gateway must provide audit record generation capability for DoD-defined auditable events within DataPower.
SV-79561r1_rule | The DataPower Gateway must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
SV-79563r1_rule | The DataPower Gateway must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-79565r1_rule | The DataPower Gateway must protect audit information from any type of unauthorized read access.
SV-79567r1_rule | The DataPower Gateway must protect audit tools from unauthorized access.
SV-79569r1_rule | The DataPower Gateway must protect audit tools from unauthorized modification.
SV-79571r1_rule | The DataPower Gateway must protect audit tools from unauthorized deletion.
SV-79573r1_rule | The DataPower Gateway must back up audit records at least every seven days onto a different system or system component than the system or component being audited.
SV-79575r1_rule | The DataPower Gateway must prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.
SV-79577r1_rule | The DataPower Gateway must limit privileges to change the software resident within software libraries.
SV-79579r1_rule | The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled.
SV-79581r1_rule | The DataPower Gateway must enforce a minimum 15-character password length.
SV-79583r1_rule | The DataPower Gateway must prohibit password reuse for a minimum of five generations.
SV-79585r1_rule | If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one upper-case character be used.
SV-79587r1_rule | If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one lower-case character be used.
SV-79589r1_rule | If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one numeric character be used.
SV-79591r1_rule | If multifactor authentication is not supported and passwords must be used, the DataPower Gateway must enforce password complexity by requiring that at least one special character be used.
SV-79593r1_rule | The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication.
SV-79595r1_rule | The DataPower Gateway must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
SV-79597r1_rule | The DataPower Gateway must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SV-79599r1_rule | The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
SV-79601r1_rule | The DataPower Gateway must activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
SV-79603r1_rule | The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are created.
SV-79605r1_rule | The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are modified.
SV-79607r1_rule | The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are disabled.
SV-79609r1_rule | The DataPower Gateway must generate alerts that can be forwarded to the administrators and ISSO when accounts are removed.
SV-79611r2_rule | The DataPower Gateway must automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
SV-79613r2_rule | The DataPower Gateway must provide a logout capability for administrator-initiated communication sessions.
SV-79615r1_rule | The DataPower Gateway must display an explicit logout message to administrators indicating the reliable termination of authenticated communications sessions.
SV-79617r1_rule | The DataPower Gateway must automatically audit account enabling actions.
SV-79619r1_rule | The DataPower Gateway must generate an immediate alert for account enabling actions.
SV-79621r1_rule | The DataPower Gateway must be compliant with at least one IETF standard authentication protocol.
SV-79625r1_rule | If the DataPower Gateway uses discretionary access control, the DataPower Gateway must enforce organization-defined discretionary access control policies over defined subjects and objects.
SV-79627r1_rule | If the DataPower Gateway uses role-based access control, the DataPower Gateway must enforce role-based access control policies over defined subjects and objects.
SV-79629r1_rule | The DataPower Gateway must audit the execution of privileged functions.
SV-79631r1_rule | The DataPower Gateway must provide the capability for organization-identified individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
SV-79633r1_rule | The DataPower Gateway must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SV-79635r1_rule | The DataPower Gateway must generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
SV-79637r1_rule | The DataPower Gateway must generate an immediate real-time alert of all audit failure events.
SV-79639r1_rule | The DataPower Gateway must compare internal information system clocks at least every 24 hours with an authoritative time server.
SV-79641r1_rule | The DataPower Gateway must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
SV-79643r1_rule | The DataPower Gateway must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
SV-79645r1_rule | The DataPower Gateway must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
SV-79647r1_rule | The DataPower Gateway must implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
SV-79649r1_rule | The DataPower Gateway must enforce access restrictions associated with changes to device configuration.
SV-79651r1_rule | The DataPower Gateway must audit the enforcement actions used to restrict access associated with changes to the device.
SV-79653r1_rule | The DataPower Gateway must require users to re-authenticate when privilege escalation or role changes occur.
SV-79655r1_rule | The DataPower Gateway must use SNMPv3.
SV-79657r1_rule | The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period.
SV-79659r1_rule | The IBM DataPower Gateway must only allow the use of protocols that implement cryptographic mechanisms to protect the integrity and confidentiality of management communications.
SV-79661r1_rule | The DataPower Gateway must off-load audit records onto a different system or media than the system being audited.
SV-79663r1_rule | The DataPower Gateway must use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and in accordance with CJCSM 6510.01B.
SV-79665r1_rule | The DataPower Gateway must generate audit log events for a locally developed list of auditable events.
SV-79667r1_rule | The DataPower Gateway must employ automated mechanisms to centrally manage authentication settings.
SV-79669r1_rule | The DataPower Gateway must employ automated mechanisms to centrally apply authentication settings.
SV-79671r1_rule | The DataPower Gateway must employ automated mechanisms to centrally verify authentication settings.
SV-79673r1_rule | The DataPower Gateway must support organizational requirements to conduct backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
SV-79675r1_rule | The DataPower Gateway must employ automated mechanisms to assist in the tracking of security incidents.
SV-79677r1_rule | The DataPower Gateway must obtain its public key certificates from an appropriate certificate policy through an approved service provider.
SV-79679r1_rule | The DataPower Gateway must not use 0.0.0.0 as the management IP address.