DISA F5 BIG-IP Device Management 11.x STIG v2r1

Audit Details

Name: DISA F5 BIG-IP Device Management 11.x STIG v2r1

Updated: 4/25/2022

Authority: DISA STIG

Plugin: F5

Revision: 1.3

Estimated Item Count: 90

File Details

Filename: DISA_F5_BIG-IP_Device_Management_11_v2r1.audit

Size: 167 kB

MD5: b44531e791e58400a2bd09b1ea021f85
SHA256: 1db84c3290d75f03bc01e931f90dde45811770fd832e6356264888cff48da6ce

Audit Items

Description / Categories
DISA_F5_BIG-IP_Device_Management_11_v2r1.audit from DISA F5 BIG-IP Device Management 11.x v2r1 STIG
F5BI-DM-000003 - The BIG-IP appliance must limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number - 1 for each administrator account and/or administrator account type.

ACCESS CONTROL

F5BI-DM-000007 - The BIG-IP appliance must be configured to initiate a session lock after a 10-minute period of inactivity.

ACCESS CONTROL

F5BI-DM-000013 - The BIG-IP appliance must provide automated support for account management functions.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000015 - The BIG-IP appliance must automatically remove or disable temporary user accounts after 72 hours.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000017 - The BIG-IP appliance must automatically disable accounts after a 35-day period of account inactivity.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000019 - The BIG-IP appliance must automatically audit account creation.

ACCESS CONTROL

F5BI-DM-000021 - The BIG-IP appliance must automatically audit account modification.

ACCESS CONTROL

F5BI-DM-000023 - The BIG-IP appliance must automatically audit account-disabling actions.

ACCESS CONTROL

F5BI-DM-000025 - The BIG-IP appliance must automatically audit account removal actions.

ACCESS CONTROL

F5BI-DM-000027 - The BIG-IP appliance must be configured to enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level in accordance with applicable policy for the device.

ACCESS CONTROL

F5BI-DM-000031 - The BIG-IP appliance must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.

ACCESS CONTROL

F5BI-DM-000033 - The BIG-IP appliance must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device - Banner Enabled

ACCESS CONTROL

F5BI-DM-000033 - The BIG-IP appliance must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device - Banner Text

ACCESS CONTROL

F5BI-DM-000037 - Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the date and time of the last logon.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000039 - Upon successful logon, the BIG-IP appliance must be configured to notify the administrator of the number of unsuccessful logon attempts since the last successful logon.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000043 - The BIG-IP appliance must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed system configuration changes.

AUDIT AND ACCOUNTABILITY

F5BI-DM-000067 - The BIG-IP appliance must be configured to alert the ISSO and SA (at a minimum) in the event of an audit processing failure - at a minimum in the event of an audit processing failure.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

F5BI-DM-000073 - The BIG-IP appliance must be configured to protect audit information from any type of unauthorized read access.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

F5BI-DM-000075 - The BIG-IP appliance must be configured to protect audit information from unauthorized modification.

AUDIT AND ACCOUNTABILITY

F5BI-DM-000077 - The BIG-IP appliance must be configured to protect audit information from unauthorized deletion.

AUDIT AND ACCOUNTABILITY

F5BI-DM-000079 - The BIG-IP appliance must be configured to protect audit tools from unauthorized access.

AUDIT AND ACCOUNTABILITY

F5BI-DM-000087 - The BIG-IP appliance must be configured to use NIAP evaluated cryptographic mechanisms to protect the integrity of audit information at rest.

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

F5BI-DM-000093 - The BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.

CONFIGURATION MANAGEMENT

F5BI-DM-000095 - The BIG-IP appliance must be configured to uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000101 - The BIG-IP appliance must be configured to ensure administrators are authenticated with an individual authenticator prior to using a group authenticator.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000107 - The BIG-IP appliance must be configured to enforce a minimum 15-character password length.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000109 - The BIG-IP appliance must be configured to prohibit password reuse for a minimum of five generations.

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000111 - If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one upper-case character be used.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000113 - If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one lower-case character be used.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000115 - If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one numeric character be used.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000117 - If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must enforce password complexity by requiring that at least one special character be used.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000119 - If multifactor authentication is not supported and passwords must be used, the BIG-IP appliance must require that when a password is changed, the characters are changed in at least eight (8) of the positions within the password.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000121 - The BIG-IP appliance must only store encrypted representations of passwords.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000123 - The BIG-IP appliance must only transmit encrypted representations of passwords.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000125 - The BIG-IP appliance must be configured to enforce 24 hours/1 day as the minimum password lifetime.

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000127 - The BIG-IP appliance must be configured to enforce a 60-day maximum password lifetime restriction.

CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000133 - The BIG-IP appliance must be configured to obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000135 - The BIG-IP appliance must be configured to use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

IDENTIFICATION AND AUTHENTICATION

F5BI-DM-000137 - The BIG-IP appliance must be configured to terminate all sessions and network connections when nonlocal device maintenance is completed.

MAINTENANCE

F5BI-DM-000139 - The BIG-IP appliance must be configured to terminate all network connections associated with a device management session at the end of the session, or the session must be configured to be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.

SYSTEM AND COMMUNICATIONS PROTECTION

F5BI-DM-000149 - The BIG-IP appliance must be configured to automatically remove or disable emergency accounts after 72 hours.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000151 - The application must be configured to reveal error messages only to authorized individuals (ISSO, ISSM, and SA).

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

F5BI-DM-000153 - The BIG-IP appliance must be configured to activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected - Fail-Safe Action

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

F5BI-DM-000153 - The BIG-IP appliance must be configured to activate a system alert message, send an alarm, and/or automatically shut down when a component failure is detected - MCP Audit Logging

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

F5BI-DM-000155 - The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are created.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000157 - The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are modified.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000159 - The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are disabled.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000161 - The BIG-IP appliance must be configured to generate alerts that can be forwarded to the administrators and Information System Security Officer (ISSO) when accounts are removed.

ACCESS CONTROL, CONFIGURATION MANAGEMENT

F5BI-DM-000163 - The BIG-IP appliance must be configured to automatically terminate a network administrator session after organization-defined conditions or trigger events requiring session disconnect - Enforce Idle Timeout

ACCESS CONTROL, CONFIGURATION MANAGEMENT