STIGQter: STIG Summary: F5 BIG-IP Device Management 11.x Security Technical Implementation Guide

Version: 1

Release: 7

Benchmark Date: 24 Jan 2020

Name | Title
SV-74521r2_rule | The BIG-IP appliance must limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number.
SV-74523r2_rule | The BIG-IP appliance must be configured to initiate a session lock after a 10-minute period of inactivity.
SV-74525r1_rule | The BIG-IP appliance must provide automated support for account management functions.
SV-74527r1_rule | The BIG-IP appliance must automatically remove or disable temporary user accounts after 72 hours.
SV-74529r1_rule | The BIG-IP appliance must automatically disable accounts after a 35-day period of account inactivity.
SV-74533r1_rule | The BIG-IP appliance must automatically audit account creation.
SV-74535r1_rule | The BIG-IP appliance must automatically audit account modification.
SV-74537r1_rule | The BIG-IP appliance must automatically audit account-disabling actions.
SV-74539r1_rule | The BIG-IP appliance must automatically audit account removal actions.
SV-74541r1_rule | The BIG-IP appliance must be configured to enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.
SV-74543r1_rule | The BIG-IP appliance must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
SV-74545r1_rule | Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the date and time of the last logon.
SV-74547r1_rule | Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the number of unsuccessful logon attempts since the last successful logon.
SV-74551r1_rule | The BIG-IP appliance must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed system configuration changes.
SV-74553r1_rule | The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-74555r1_rule | The BIG-IP appliance must be configured to shut down by default upon audit failure (or restart when availability is an overriding concern).
SV-74557r1_rule | The BIG-IP appliance must be configured to protect audit information from any type of unauthorized read access.
SV-74559r1_rule | The BIG-IP appliance must be configured to protect audit information from unauthorized modification.
SV-74561r1_rule | The BIG-IP appliance must be configured to protect audit information from unauthorized deletion.
SV-74563r1_rule | The BIG-IP appliance must be configured to protect audit tools from unauthorized access.
SV-74565r1_rule | The BIG-IP appliance must be configured to back up audit records at least every seven (7) days onto a different system or system component than the system or component being audited.
SV-74567r2_rule | The BIG-IP appliance must be configured to use NIAP evaluated cryptographic mechanisms to protect the integrity of audit information at rest.
SV-74569r1_rule | The BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.
SV-74573r1_rule | The BIG-IP appliance must be configured to uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
SV-74575r1_rule | The BIG-IP appliance must be configured to ensure administrators are authenticated with an individual authenticator prior to using a group authenticator.
SV-74577r1_rule | The BIG-IP appliance must be configured to enforce a minimum 15-character password length.
SV-74579r1_rule | The BIG-IP appliance must be configured to prohibit password reuse for a minimum of five generations.
SV-74581r1_rule | If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one lower-case character be used.
SV-74583r1_rule | If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one special character be used.
SV-74585r2_rule | If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must require that when a password is changed, the characters are changed in at least eight (8) of the positions within the password.
SV-74587r1_rule | The BIG-IP appliance must only store encrypted representations of passwords.
SV-74589r1_rule | The BIG-IP appliance must only transmit encrypted representations of passwords.
SV-74591r1_rule | The BIG-IP appliance must be configured to enforce a 60-day maximum password lifetime restriction.
SV-74593r2_rule | The BIG-IP appliance must be configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
SV-74595r1_rule | The BIG-IP appliance must be configured to terminate all sessions and network connections when nonlocal device maintenance is completed.
SV-74597r1_rule | The BIG-IP appliance must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be configured to be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
SV-74601r1_rule | The BIG-IP appliance must be configured to automatically remove or disable emergency accounts after 72 hours.
SV-74603r1_rule | The application must be configured to reveal error messages only to authorized individuals (ISSO, ISSM, and SA).
SV-74605r1_rule | The BIG-IP appliance must be configured to activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected.
SV-74607r1_rule | The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are created.
SV-74609r1_rule | The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are modified.
SV-74611r1_rule | The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are disabled.
SV-74613r1_rule | The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are removed.
SV-74615r1_rule | The BIG-IP appliance must be configured to automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect.
SV-74617r1_rule | The BIG-IP appliance must be configured to automatically audit account-enabling actions.
SV-74619r1_rule | The BIG-IP appliance must be configured to generate an immediate alert for account-enabling actions.
SV-74621r1_rule | The BIG-IP appliance must be configured to transmit access authorization information using approved security safeguards to authorized information systems that enforce access control decisions.
SV-74623r1_rule | The BIG-IP appliance must be configured to enforce organization-defined role-based access control policies over defined subjects and objects.
SV-74625r1_rule | The BIG-IP appliance must be configured to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
SV-74627r1_rule | The BIG-IP appliance must be configured to notify the administrator, upon successful logon (access), of the location of last logon (terminal or IP address) in addition to the date and time of the last logon (access).
SV-74629r1_rule | The BIG-IP appliance must be configured to allow designated individuals or roles to change the auditing to be performed based on all selectable event criteria within near-real-time.
SV-74631r1_rule | The BIG-IP appliance must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
SV-74633r1_rule | The BIG-IP appliance must be configured to generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.
SV-74635r1_rule | The BIG-IP appliance must be configured to synchronize internal information system clocks with the primary and secondary time sources located in different geographic regions using redundant authoritative time sources.
SV-74637r1_rule | The BIG-IP appliance must be configured to implement automated security responses if baseline configurations are changed in an unauthorized manner.
SV-74639r1_rule | The BIG-IP appliance must be configured to enforce access restrictions associated with changes to device configuration.
SV-74641r1_rule | The BIG-IP appliance must be configured to audit the enforcement actions used to restrict access associated with changes to the device.
SV-74643r1_rule | The BIG-IP appliance must be configured to dynamically manage user accounts.
SV-74645r1_rule | The BIG-IP appliance must be configured to allow the use of a temporary password for system logons with an immediate change to a permanent password.
SV-74647r1_rule | The BIG-IP appliance must be configured to protect against or limit the effects of all known types of Denial of Service (DoS) attacks on the BIG-IP appliance management network by limiting the number of concurrent sessions.
SV-74649r1_rule | The BIG-IP appliance must be configured to off-load audit records onto a different system or media than the system being audited.
SV-74651r1_rule | The BIG-IP appliance must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-74653r1_rule | The BIG-IP appliance must be configured to notify the administrator of the number of successful logon attempts occurring during an organization-defined time period.
SV-74655r1_rule | The BIG-IP appliance must be configured to use automated mechanisms to alert security personnel to threats identified by authoritative sources (e.g., CTOs) and IAW with CJCSM 6510.01B.
SV-74657r1_rule | The BIG-IP appliance must be configured to employ automated mechanisms to centrally manage authentication settings.
SV-74659r1_rule | The BIG-IP appliance must be configured to employ automated mechanisms to centrally apply authentication settings.
SV-74661r1_rule | The BIG-IP appliance must be configured to employ automated mechanisms to centrally verify authentication settings.
SV-74663r1_rule | The BIG-IP appliance must create backups of system-level information contained in the information system when changes occur or weekly, whichever is sooner.
SV-74665r1_rule | The BIG-IP appliance must be configured to create backups of information system documentation, including security-related documentation, when changes occur or weekly, whichever is sooner.
SV-74667r1_rule | The BIG-IP appliance must be configured to employ automated mechanisms to assist in the tracking of security incidents.
SV-74669r1_rule | The BIG-IP appliance must be configured to obtain its public key certificates from an appropriate certificate policy through a DoD-approved service provider.
SV-74671r1_rule | The BIG-IP appliance must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
SV-74679r1_rule | If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one upper-case character be used.
SV-74681r1_rule | If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one numeric character be used.
SV-74683r1_rule | The BIG-IP appliance must be configured to enforce 24 hours/1 day as the minimum password lifetime.
SV-74685r1_rule | The BIG-IP appliance must be configured to use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
SV-106833r1_rule | The F5 BIG-IP must ensure SSH is disabled for root user logon to prevent remote access using the root account.