Rule ID
SV-237061r639630_rule
Version
V2R2
CCIs
CCI-000366
If outbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs. The A10 Networks ADC can be configured to mask data traversing outbound through the device. This is useful in preventing data exfiltration. If any data must be masked before it leaves the enclave (such as Credit Card Numbers, Social Security Numbers, or other sensitive information), a WAF template can be configured with CCN Mask, SSN Mask, and PCRE Mask Request checks. The Mask Request check depends on what information must be masked. This includes using Perl Compatible Regular Expressions (PCRE) for custom masks.
Review the device configuration and ask the device Administrator which templates are used for masking sensitive data. The following command displays the configuration and filters the output on the WAF template section: show run | sec slb template waf If there is no WAF template with the required Mask Request checks, this is a finding.
Review the system or enclave documentation and confer with the data owner(s) if necessary. If any data must be masked before it leaves the enclave (such as credit card numbers, Social Security numbers, or other sensitive information), configure the CCN Mask, SSN Mask, and PCRE Mask Request checks. These checks are applied to a WAF template. The following command replaces all but the last four digits of credit card numbers with an “x” character: ccn-mask The following command replaces all but the last four digits of US Social Security numbers with an “x” character: ssn-mask The following command cloaks patterns in a response that match the specified PCRE pattern: pcre-scrub [pcre-pattern] [keep-end [num-length] |keep-start [num-length] |mask [character]]