STIGQter: STIG Summary: F5 BIG-IP Local Traffic Manager 11.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The BIG-IP Core implementation must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.

DISA Rule

SV-215743r557356_rule

Vulnerability Number

V-215743

Group Title

SRG-NET-000043-ALG-000024

Rule Version

F5BI-LT-000027

Severity

CAT III

CCI(s)

CCI-001384 - The information system, for publicly accessible systems, displays system use information organization-defined conditions before granting further access.
CCI-001385 - The information system, for publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.
CCI-001386 - The information system, for publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.
CCI-001387 - The information system, for publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.
CCI-001388 - The information system, for publicly accessible systems, includes a description of the authorized uses of the system.

Weight

Fix Recommendation

If user access control intermediary services are provided, configure the BIG-IP Core as follows:

Configure a policy in the APM module to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.

Apply the APM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.

Check Contents

If the BIG-IP Core does not provide user access control intermediary services for virtual servers, this is not applicable.

When user access control intermediary services are provided, verify the BIG-IP Core is configured as follows:

Verify Virtual Server(s) in the BIG-IP LTM module are configured with an APM policy to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.

Navigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.

Select Virtual Servers(s) from the list to verify.

Verify under "Access Policy" section, that "Access Policy" has been set to use an access policy to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.

If the BIG-IP Core is not configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the publicly accessible systems, this is a finding.

The BIG-IP Core implementation must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments