Detections
Analytics

F5BI-AP-300018 - The F5 BIG-IP appliance must generate event log records that can be forwarded to the centralized events log.

Information

Without generating audit records that log usage of objects by subjects and other objects, it would be difficult to establish, correlate, and investigate the events relating to an incident, or identify those responsible for one. The device logs internal users associated with denied outgoing communications traffic posing a threat to external information systems.

Audit records can be generated from various components within the information system (e.g., module or policy filter). Security objects are data objects which are controlled by security policy and bound to security attributes.

Satisfies: SRG-NET-000492-ALG-000027, SRG-NET-000494-ALG-000029, SRG-NET-000495-ALG-000030, SRG-NET-000496-ALG-000031, SRG-NET-000497-ALG-000032, SRG-NET-000498-ALG-000033, SRG-NET-000499-ALG-000034, SRG-NET-000500-ALG-000035, SRG-NET-000501-ALG-000036, SRG-NET-000502-ALG-000037, SRG-NET-000503-ALG-000038, SRG-NET-000505-ALG-000039, SRG-NET-000513-ALG-000026, SRG-NET-000074-ALG-000043, SRG-NET-000075-ALG-000044, SRG-NET-000076-ALG-000045, SRG-NET-000077-ALG-000046, SRG-NET-000078-ALG-000047, SRG-NET-000079-ALG-000048, SRG-NET-000249-ALG-000146, SRG-NET-000383-ALG-000135, SRG-NET-000385-ALG-000138, SRG-NET-000392-ALG-000141, SRG-NET-000392-ALG-000142, SRG-NET-000392-ALG-000143, SRG-NET-000392-ALG-000147, SRG-NET-000392-ALG-000148, SRG-NET-000392-ALG-000149, SRG-NET-000370-ALG-000125

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Note: Performing this Fix modifies the "default-log-setting" log profile, but users can use a different log profile for the Access Profile. However, this requires using the APM Module.

APM Default Log Profile:
From the BIG-IP GUI:
1. Access.
2. Overview.
3. Event Logs.
4. Settings.
5. Check the box for the "default-log-setting" and click "Edit".
6. Check "Enable Access System Logs".
7. On the "Access System Logs" tab, set all items are to "Notice".
8. Click "OK".

Access Profile Log Setting:
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles (Per-Session Policies).
4. Click the Name of the Access Profile.
5. Logs tab.
6. Move "default-log-setting" to the "Selected" column.
7. Click "Update".

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_TMOS_Y25M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AU-3, 800-53|AU-12c., 800-53|SC-7(9)(b), 800-53|SI-3c.2., 800-53|SI-4(1), 800-53|SI-4(5), 800-53|SI-4(22), CAT|II, CCI|CCI-000130, CCI|CCI-000131, CCI|CCI-000132, CCI|CCI-000133, CCI|CCI-000134, CCI|CCI-000172, CCI|CCI-001243, CCI|CCI-001487, CCI|CCI-002400, CCI|CCI-002656, CCI|CCI-002664, CCI|CCI-002684, Rule-ID|SV-266146r1024841_rule, STIG-ID|F5BI-AP-300018, Vuln-ID|V-266146

Plugin: F5

Control ID: 7f1f931ef29e65ae349b32e7f4fd6a57f406a9e9427f1d257b207414104d1755