From IBM DataPower Network Device Management Security Technical Implementation Guide
Part of SRG-APP-000297-NDM-000281
Associated with: CCI-002364
If an explicit logout message is not displayed and the administrator does not expect to see one, the administrator may inadvertently leave a management session un-terminated. The session may remain open and be exploited by an attacker; this is referred to as a zombie session. Administrators need to be aware of whether or not the session has been terminated.
To verify, log out of a web session and an SSH command line session. Upon logout from the web interface, the DataPower Gateway displays the IBM DataPower Login panel. This is a clear indication that the administrator has logged out. Upon logout from an administrative SSH command line session, the following message is displayed: "Unauthorized access prohibited. logon:" A clear indication that logout has occurred. If this message is not present, this is a finding.
Configure the DataPower Gateway to use a custom user interface XML file that can be configured to provide the desired logout message to administrators. From the WebGUI, go to Administration >> Device >> System Settings and associate the custom interface file with the "Customer User Interface" field. A template of the custom user interface file may be found on the DataPower file system at store:///schemas/dp-user-interface.xsd.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer