Tenable F5 BIG-IP Best Practice Audit

Audit Details

Name: Tenable F5 BIG-IP Best Practice Audit

Updated: 12/22/2023

Authority: TNS

Plugin: F5

Revision: 1.7

Estimated Item Count: 53

File Details

Filename: Tenable_Best_Practices_F5_BIG-IP_v1.0.0.audit

Size: 125 kB

MD5: 40ff4dd2c7c7dac21f071df1df24a0f8
SHA256: a2312e196a394dec704fd8959c80a948064e3df3a6d8c1f258ea529d7eb45fca

Audit Items

| Description | Categories |
| --- | --- |
| Configuring a pre-login or post-login message banner for the BIG-IP or Enterprise Manager system - Banner Enabled | ACCESS CONTROL |
| Configuring a pre-login or post-login message banner for the BIG-IP or Enterprise Manager system - Banner Text | ACCESS CONTROL |
| Configuring a secure password policy for the BIG-IP system - Expiration Warning | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Maximum Duration | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Maximum Login Failures | ACCESS CONTROL |
| Configuring a secure password policy for the BIG-IP system - Minimum Duration | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Minimum Length | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Password Memory | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Required Lowercase Characters | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Required Numeric Characters | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Required Special Characters | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Required Uppercase Characters | IDENTIFICATION AND AUTHENTICATION |
| Configuring a secure password policy for the BIG-IP system - Secure Password Enforcement | IDENTIFICATION AND AUTHENTICATION |
| Configuring an automatic logout for idle sessions - Configuration utility | ACCESS CONTROL |
| Configuring an automatic logout for idle sessions - Console Sessions | ACCESS CONTROL |
| Configuring an automatic logout for idle sessions - SSH | ACCESS CONTROL |
| Configuring an automatic logout for idle sessions - TMSH | ACCESS CONTROL |
| Configuring CIDR Network Addresses for the BIG-IP packet filter - Always accept ARP | ACCESS CONTROL |
| Configuring CIDR Network Addresses for the BIG-IP packet filter - Always accept important ICMP | ACCESS CONTROL |
| Configuring CIDR Network Addresses for the BIG-IP packet filter - enabled | ACCESS CONTROL |
| Configuring CIDR Network Addresses for the BIG-IP packet filter - Filter established connections | ACCESS CONTROL |
| Configuring CIDR Network Addresses for the BIG-IP packet filter - Packet filter logging | ACCESS CONTROL |
| Configuring CIDR Network Addresses for the BIG-IP packet filter - Review Packet-Filter Rules | ACCESS CONTROL |
| Configuring CIDR Network Addresses for the BIG-IP packet filter - Send ICMP error on packet reject | ACCESS CONTROL |
| Configuring CIDR Network Addresses for the BIG-IP packet filter - Unhandled Packet Action | ACCESS CONTROL |
| Configuring cookie encryption within the HTTP profile | SYSTEM AND COMMUNICATIONS PROTECTION |
| Configuring LDAP remote authentication for Active Directory - Scope | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Configuring LDAP remote authentication for Active Directory - Servers | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Configuring LDAP remote authentication for Active Directory - SSL | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Configuring LDAP remote authentication for Active Directory - SSL CA Cert | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Configuring LDAP remote authentication for Active Directory - SSL Check Peer | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Configuring LDAP remote authentication for Active Directory - SSL Client Cert | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Configuring LDAP remote authentication for Active Directory - SSL Client Key | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Configuring the BIG-IP system to enforce the use of strict passwords | ACCESS CONTROL |
| Configuring the BIG-IP system to exclude inode information from Etags | ACCESS CONTROL |
| Defining advanced NTP configurations on the BIG-IP system | AUDIT AND ACCOUNTABILITY |
| Disabling the admin account | ACCESS CONTROL |
| Disabling the root shell login account | ACCESS CONTROL |
| Mitigating an attack using TCP profiles | SYSTEM AND COMMUNICATIONS PROTECTION |
| Mitigating risk from SSH brute force login attacks - Monitor login attempts | ACCESS CONTROL |
| Modifying the list of ciphers and MAC and key exchange algorithms used by the SSH service on the BIG-IP system or BIG-IQ system | ACCESS CONTROL |
| Overview of Appliance mode | ACCESS CONTROL |
| Overview of BIG-IP administrative access controls | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Overview of port lockdown behavior | CONFIGURATION MANAGEMENT |
| Overview of the HTTP profile | SYSTEM AND COMMUNICATIONS PROTECTION |
| Preserving or modifying HTTP response headers removed by the BIG-IP ASM system | SYSTEM AND COMMUNICATIONS PROTECTION |
| Restricting access to the Configuration utility by source IP address | SYSTEM AND COMMUNICATIONS PROTECTION |
| Settings to Lock Down your BIG-IP - Admin Terminal Access | CONFIGURATION MANAGEMENT |
| Settings to Lock Down your BIG-IP - Remote Role | CONFIGURATION MANAGEMENT |
| Specifying allowable IP ranges for SSH access | SYSTEM AND COMMUNICATIONS PROTECTION |