Detections
Analytics
F5BI-DM-300034 - The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance.
Information
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
MCP audit records are generated from various components within the network device. For example, it logs the creation of DNS objects and DNSSEC configuration, including key creations.
Satisfies: SRG-APP-000515-NDM-000325, SRG-APP-000360-NDM-000295, SRG-APP-000516-NDM-000350
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure two or more central syslog servers.From the BIG-IP GUI:
1. System.
2. Logs.
3. Configuration.
4. Remote Logging.
5. Add the IP address of a syslog server in the "Remote IP" field, modify the port if necessary, and click "Add".
6. Click "Update".
From the BIG-IP Console, issue the following commands:
tmsh modify sys syslog remote-servers add { <name> { host <ip address> remote-port <port> } }
tmsh save sys config
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_F5_BIG-IP_TMOS_Y25M07_STIG.zip
Item Details
Audit Name: DISA F5 BIG-IP TMOS NDM STIG v1r2
Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY
References: 800-53|AU-4(1), 800-53|AU-5(2), 800-53|SI-2c., CAT|I, CCI|CCI-001851, CCI|CCI-001858, CCI|CCI-002605, Rule-ID|SV-266075r1024607_rule, STIG-ID|F5BI-DM-300034, Vuln-ID|V-266075
Plugin: F5
Control ID: 243cfd41c3277983e18f6fdd984bda38ebe7aa5fb429a4eb090777130e110627