Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
From the BIG-IP GUI: 1. System. 2. Preferences. 3. Verify that System Settings view is set to Advanced. 4. Verify Maximum HTTP connections to Configuration Utility is set to 10 or an organization-defined number. From the BIG-IP console, type the following command: tmsh list sys httpd max-clients If the device is not configured to limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number, this is a finding.
From the BIG-IP GUI: 1. System. 2. Preferences. 3. Set System Settings view to Advanced. 4. Maximum HTTP connections to Configuration Utility: enter 10 or an organization-defined number. 5. Update. From the BIG-IP console, type the following commands: tmsh modify sys httpd max-clients <10 or an organization-defined number> tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. User List. From the BIG-IP console, type the following command: tmsh list auth user If there are any shared accounts that must not be active, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. User List. 4. Check the box next to any shared/group accounts that must not be active. 5. Click "Delete". 6. Click "Delete" again on the next page. From the BIG-IP console, type the following command: tmsh delete auth user <username> tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. User List. 4. Verify there is only one account of last resort listed. From the BIG-IP console, type the following command: tmsh list auth user If there is more than one account of last resort listed, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. User List. 4. Delete any local users that are not the account of last resort. From the BIG-IP console, type the following commands: tmsh delete auth user <username> tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. Remote Role Groups. 4. Verify configured groups are assigned the appropriate role. From the BIG-IP console, type the following command: tmsh list auth remote-role Note: Verify configured groups are assigned the appropriate role. If the BIG-IP appliance is not configured to assign appropriate user roles or access levels to authenticated users, this is a finding.
Remote Roles (e.g., RADIUS, LDAP groups) From the BIG-IP GUI: 1. System. 2. Users. 3. Remote Role Groups. 4. Select the Group Name. 5. Modify the Properties of the group to the appropriate access level. 6. Update. Local Users 1. System. 2. Users. 3. User List. 4. Select the user. 5. Modify "Partition Access" to the appropriate access level. 6. Update.
From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Options. 5. Under Local Traffic Logging: a. MCP: Notice. b. SSL: Informational. c. Traffic Management OS: Informational. 6. Under Audit Logging: a. MCP: Enable. From the BIG-IP console, type the following commands: tmsh list sys daemon-log-settings tmm os-log-level Note: This command must return a value of "informational". tmsh list sys daemon-log-settings tmm ssl-log-level Note: This must return a value of "informational": tmsh list sys daemon-log-settings mcpd audit Note: This must return a value of "enabled". tmsh list sys daemon-log-settings mcpd log-level Note: This must return a value of "notice". tmsh list sys db log.ssl.level value Note: This must return a value of "informational". If the BIG-IP appliance is not configured to audit the execution of privileged functions, this is a finding.
From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Options. 5. Under “Local Traffic Logging”: a. MCP: Notice. b. SSL: Informational. c. Traffic Management OS: Informational. 6. Under “Audit Logging”: a. MCP: Enable. 7. Update. From the BIG-IP console, type the following commands: tmsh modify sys daemon-log-settings tmm os-log-level informational tmsh modify sys daemon-log-settings tmm ssl-log-level informational tmsh modify sys daemon-log-settings mcpd audit enabled tmsh modify sys daemon-log-settings mcpd log-level notice tmsh modify sys db log.ssl.level value informational tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Verify Maximum Login Failures set to "3". 5. Verify User Lockout set to "Automatically enable locked-out user after 900 seconds". From the BIG-IP console, type the following command: tmsh list auth password-policy max-login-failures Note: Check for a value of "3". tmsh list auth password-policy lockout-duration Note: Check for a value of "900". If the BIG-IP appliance is not configured to enforce the limit of three consecutive invalid logon attempts and lock out users for 900 seconds, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Set Maximum Login Failures to "3". 5. Set User Lockout to "Automatically enable locked-out user after 900 seconds". 6. Update. From the BIG-IP console, type the following commands: tmsh modify auth password-policy max-login-failures 3 tmsh modify auth password-policy lockout-duration 900 tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Preferences. 3. Security Banner Text To Show On The Login Screen. 4. Review the "Security Banner Text To Show On The Login Screen" under the "Security Settings" section for the following verbiage: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the banner is not presented, this is a finding.
From the BIG-IP GUI: 1. System. 2. Preferences. 3. Security Banner Text To Show On The Login Screen. 4. Enter the text below in the "Security Banner Text To Show On The Login Screen" under the "Security Settings" section and then click "Update" to save. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." SSH Banner: From the BIG-IP GUI: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Check the box for "Show The Security Banner On The Login Screen". 6. Enter the following in the "Security Banner Text To Show On The Login Screen" under the "Security Settings" section: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." 7. Update. 8. From the BIG-IP console, type the following commands: tmsh modify sys sshd banner enabled tmsh modify sys sshd banner-text "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. At any time, the USG may inspect and seize data stored on this IS. Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." tmsh save sys config
Verify the site configures the local audit record storage capacity using any of the following log-related elements in accordance with the site's System Security Plan: - Log rotation frequency. - Age at which log files become eligible for removal. - The number of archive copies that the system retains. - The message count for alertd log check. If the site does not manage log storage capacity in compliance with the SSP or if the process is not documented, this is a finding.
To manage audit record storage capacity, configure the following log-related elements on the BIG-IP system in accordance with the site's System Security Plan: - Change the log rotation frequency. - Change the age at which log files become eligible for removal. - Change the number of archive copies that the system retains. - Change the message count for alertd log check.
From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Remote Logging. From the BIG-IP Console, issue the following command: tmsh list sys syslog remote-servers Note: This must return at least two remote IP addresses of syslog server. If the BIG-IP appliance does not send audit records to one or more central syslog servers that are separate from the appliance, this is a finding.
Configure two or more central syslog servers. From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Remote Logging. 5. Add the IP address of a syslog server in the "Remote IP" field, modify the port if necessary, and click "Add". 6. Click "Update". From the BIG-IP Console, issue the following commands: tmsh modify sys syslog remote-servers add { <name> { host <ip address> remote-port <port> } } tmsh save sys config
From the BIG-IP Console, issue the following commands: tmsh list sys ntp include #Verify there is a line similar to the following with more than one "server" listed #server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> If the BIG-IP appliance is not configured to synchronize internal information system clocks using redundant authoritative time sources, this is a finding.
From the BIG-IP Console, issue the following commands: tmsh edit sys ntp all-properties #Replace the "include" section with the following (add as many ntp server lines as necessary for the environment): include "server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys>" tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Platform. 3. Verify that "UTC" is configured for "Time Zone". From the BIG-IP Console, issue the following commands: tmsh list sys ntp timezone Note: This must return a value of "UTC". If the BIG-IP appliance is not configured for the UTC time zone, this is a finding.
From the BIG-IP GUI: 1. System. 2. Platform. 3. Set "UTC" for "Time Zone". 4. Click "Update". From the BIG-IP Console, issue the following commands: tmsh modify sys ntp timezone UTC tmsh save sys config
From the BIG-IP console, type the following command: tmsh list /sys db liveinstall.checksig value Note: This must return a value of "enable". If the db variable is not set to "enable", this is a finding.
From the BIG-IP console, type the following commands: tmsh modify /sys db liveinstall.checksig value "enable" tmsh save sys config
From the BIG-IP GUI: RADIUS: 1. System. 2. Users. 3. Authentication. 4. If "User Directory" is configured for "Remote - RADIUS", verify different Primary and Secondary Hosts exist in the configuration. Note: To view Primary and Secondary Hosts, the "Server Configuration" must be set to "Primary & Secondary". TACACS+ 1. System. 2. Users. 3. Authentication. 4. If "User Directory" is configured for "Remote - TACACS+", verify multiple servers exist in the configuration. 5. Verify "Authentication" is set to "Authenticate to each server until success". If the BIG-IP appliance is not configured to use at least two authentication servers to authenticate administrative users, this is a finding.
From the BIG-IP GUI: RADIUS: 1. System. 2. Users. 3. Authentication. 4. If "User Directory" is configured for "Remote - RADIUS", click "Change" at the bottom. 5. Configure values for Primary and Secondary servers. Note: To view Primary and Secondary Hosts, the "Server Configuration" must be set to "Primary & Secondary". 6. Click "Finished". TACACS+ 1. System. 2. Users. 3. Authentication. 4. If "User Directory" is configured for "Remote - TACACS+", click "Change" at the bottom 5. Add multiple IP Addresses to the "Servers" field. 6. Set "Authentication" to "Authenticate to each server until success". 7. Click "Finished".
From the BIG-IP GUI: 1. System. 2. Configuration. 3. Device. 4. General. 5. Verify "Version" is currently supported according to the vendor support site. From the BIG-IP console, type the following command(s): tmsh list cm device version Note: Verify the version is currently supported on the vendor's website. If the BIG-IP appliance is not running an operating system release that is currently supported by the vendor, this is a finding.
If the release is not a supported version, then update the version. From the BIG-IP GUI: 1. Import .iso. a. System. b. Software Management. c. Image List. d. Import .iso of supported BIG-IP operating system. e. Import the corresponding .iso.sig file. f. Install. 2. Switch boot location to new install. a. System. b. Software Management. c. Boot Locations. d. Select new install location. e. Optionally change "Install Configuration" to "Yes". f. Activate.
From the BIG-IP GUI: 1. System. 2. Certificate Management. 3. Device Certificate Management. 4. Device Certificate. 5. Verify the Issuer is an approved CA. From the BIG-IP console, type the following command: openssl x509 -in /config/httpd/conf/ssl.crt/server.crt -text Note: Verify the issuer is an approved CA. If the BIG-IP appliance does not obtain its public key certificates from an appropriate certificate policy through an approved service provider, this is a finding.
From the BIG-IP GUI: 1. System. 2. Certificate Management. 3. Device Certificate Management. 4. Device Certificate Signing Request. 5. Click "Renew". 6. Select "Certificate Authority" in "Issuer" and complete the form. 7. Copy or download and submit CSR to an approved CA. 8. Import the certificate via Device Certificate Management >> Device Certificate >> Import.
From the BIG-IP GUI: 1. Local Traffic. 2. Virtual Servers. 3. Verify the list of virtual servers are not configured to listen on unnecessary and/or nonsecure functions, ports, protocols, and/or services. If the BIG-IP appliance is configured to listen or run unnecessary and/or nonsecure functions, ports, protocols, and/or services, this is a finding.
Check the PPSM CAL and the site's System Security Plan/documentation for a list of prohibited ports, protocols, and services. From the BIG-IP GUI: 1. Local Traffic. 2. Virtual Servers. 3. For any virtual server(s) listening on all unnecessary and/or nonsecure functions, ports, protocols, and/or services, check the box next to the virtual server and click "Delete". 4. Click "Delete" again.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Verify "User Directory" is configured to use one of the following options: ClientCert LDAP, RADIUS, or TACACS+. From the BIG-IP console, type the following command(s): tmsh list auth source Note: Verify "type" is set to one of the following options: ClientCert LDAP, RADIUS, or TACACS+. If the BIG-IP appliance is not configured to use DOD PKI for interactive logins, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Click "Change". 5. Select one of the "Remote" options and fill out the configuration depending on the chosen option. Note: DOD sites must configure only the options for ClientCert LDAP, RADIUS, or TACACS+. 6. Fill out all other fields as appropriate for the environment. 7. Click "Finished".
From the BIG-IP Console: cat /etc/ntp/keys #Verify this key is installed on all the NTP servers and clients participating in the NTP time synchronization. tmsh list sys ntp include #Verify there is a line similar to the following: #server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> If the BIG-IP appliance is not configured to authenticate Network Time Protocol sources using authentication that is cryptographically based, this is a finding.
From the BIG-IP console, type the following commands: echo "1 M <passphrase> #MD5 Key" > /etc/ntp/keys Note: This command assumes that no other keys have been previously configured in the /etc/ntp/keys file. Running this command will overwrite the file. #Make sure this key is installed on all the NTP servers and clients participating in the NTP time synchronization. tmsh edit sys ntp all-properties #Replace the "include" section with the following (add as many ntp server lines as necessary for the environment, but configure at least 2): include "server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys> server <ntp server> key <trusted key number matched to /etc/ntp/keys> iburst trustedkey <trusted key number matched to /etc/ntp/keys>" tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Verify that "Secure Password Enforcement" is set to "Enabled". 5. Verify that "Minimum Length" is set to at least 15. From the BIG-IP console, type the following command(s): tmsh list auth password-policy minimum-length Note: Verify the value is set to at least 15. If the BIG-IP appliance is not configured to enforce a minimum 15-character password length, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Under "Password Policy" set "Secure Password Enforcement" to "Enabled". 5. Configure "Minimum Length" to 15. 6. Click "Update". From the BIG-IP console, type the following command(s): tmsh modify auth password-policy minimum-length 15 tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Verify that "Secure Password Enforcement" is set to "Enabled". 5. Verify under "Required Characters" that "Uppercase" is set to at least 1. From the BIG-IP console, type the following command(s): tmsh list auth password-policy required-uppercase Note: Verify the value is set to at least 1. If the BIG-IP appliance is not configured to enforce password complexity by requiring that at least one uppercase character be used, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Under "Password Policy" set "Secure Password Enforcement" to "Enabled". 5. Under "Required Characters" set "Uppercase" to at least 1. 6. Click "Update". From the BIG-IP console, type the following command(s): tmsh modify auth password-policy required-uppercase 1 tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Verify that "Secure Password Enforcement" is set to "Enabled". 5. Verify under "Required Characters" that "Lowercase" is set to at least 1. From the BIG-IP console, type the following command: tmsh list auth password-policy required-lowercase Note: Verify the value is set to at least 1. If the BIG-IP appliance is not configured to enforce password complexity by requiring that at least one lowercase character be used, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Under "Password Policy" set "Secure Password Enforcement" to "Enabled". 5. Under "Required Characters" set "Lowercase" to at least 1. 6. Click "Update". From the BIG-IP console, type the following commands: tmsh modify auth password-policy required-lowercase 1 tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Verify that "Secure Password Enforcement" is set to "Enabled". 5. Verify under "Required Characters" that "Numeric" is set to at least 1. From the BIG-IP console, type the following command: tmsh list auth password-policy required-numeric Note: Verify the value is set to at least 1. If the BIG-IP appliance is not configured to enforce password complexity by requiring that at least one numeric character be used, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Under "Password Policy" set "Secure Password Enforcement" to "Enabled". 5. Under "Required Characters" set "Numeric" to at least 1. 6. Click "Update". From the BIG-IP console, type the following command: tmsh modify auth password-policy required-numeric 1 tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Verify that "Secure Password Enforcement" is set to "Enabled". 5. Verify under "Required Characters" that "Other" is set to at least 1. From the BIG-IP console, type the following command: tmsh list auth password-policy required-special Note: Verify the value is set to at least 1. If the BIG-IP appliance is not configured to enforce password complexity by requiring that at least one special character be used, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. Under "Password Policy" set "Secure Password Enforcement" to "Enabled". 5. Under "Required Characters" set "Other" to at least 1. 6. Click "Update". From the BIG-IP console, type the following command: tmsh modify auth password-policy required-special 1 tmsh save sys config
From the BIG-IP console, type the following command: tmsh list sys db password.difok Note: Verify the value is set to at least 8. If the BIG-IP appliance is not configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password, this is a finding.
If this setting has been changed from the default value of 8, reset the value. From the BIG-IP console, type the following command: tmsh modify sys db password.difok value 8 tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. If "User Directory" is configured for "Remote - ClientCert LDAP", verify "OCSP Response Max Age" is configured for an organization-defined time period. Note: The OCSP Override option must be set to "on" to view the OCSP Response Max Age value. If the BIG-IP appliance is not configured to prohibit the use of cached authenticators after an organization-defined time period, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. If ClientCert LDAP is used as the remote authentication type, configure "OCSP Response Max Age" for an organization-defined time period. Note: The OCSP Override option must be set to "on" to view the OCSP Response Max Age value.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. If "User Directory" is configured for "Remote - ClientCert LDAP", verify the "OCSP Responder" configured is DOD approved Note: The OCSP Override option must be set to "on" to view the OCSP Responder value. If the BIG-IP appliance is not configured to use DOD-approved OCSP responders or CRLs to validate certificates used for PKI-based authentication, this is a finding.
From the BIG-IP GUI: 1. System. 2. Users. 3. Authentication. 4. If ClientCert LDAP is used as the remote authentication type, click "Change". 6. Set "OCSP Responder" IP address to one that is DOD approved. Note: The OCSP Override option must be set to "on" to view the OCSP Responder value. 7. Click "Finish".
If a documented and validated reason for not implementing the five-minute idle timeout exists, this is not a finding. From the BIG-IP GUI: HTTPD/TMSH: 1. System. 2. Preferences. 3. Under Security Settings, verify "Idle Time Before Automatic Logout" is configured for 300 seconds or less. SSHD: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Verify "Idle Time Before Automatic Logout" is configured for 300 seconds or less. From the BIG-IP Console, issue the following commands: HTTPD/TMSH: tmsh list sys httpd auth-pam-idle-timeout Note: This must return a value of 300 or less. tmsh list sys httpd auth-pam-dashboard-timeout Note: This must return a value of "on". tmsh list sys global-settings console-inactivity-timeout Note: This must return a value of 300 or less. tmsh list cli global-settings idle-timeout Note: This must return a value of 5. SSHD: tmsh list sys sshd inactivity-timeout Note: This must return a value of 300 or less. If the BIG-IP appliance is not configured to terminate inactive sessions after five minutes of inactivity, this is a finding.
From the BIG-IP GUI: HTTPD/TMSH: 1. System. 2. Preferences. 3. Under Security Settings configure "Idle Time Before Automatic Logout" to 300 seconds. 4. Click "Update". SSHD: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Configure "Idle Time Before Automatic Logout" to 300 seconds. 6. Click "Update". From the BIG-IP Console, issue the following commands: HTTPD/TMSH: tmsh modify sys httpd auth-pam-idle-timeout 300 tmsh modify sys httpd auth-pam-dashboard-timeout on tmsh modify sys global-settings console-inactivity-timeout 300 tmsh modify cli global-settings idle-timeout 5 SSHD: tmsh modify sys sshd inactivity-timeout 300 tmsh save sys config
From the BIG-IP GUI: 1. System. 2. Archives. 3. Review the list of archives to verify backups are conducted in accordance with the local backup policy. From the BIG-IP console, type the following command: tmsh list sys ucs If the BIG-IP appliance is not configured to back up at system-level information weekly or at an organization-defined frequency this is a finding.
Document this process in the system security plan (SSP) and perform periodic manual backups. This process backs up the current configuration. Backups must be weekly or a documented organization-defined frequency. From the BIG-IP GUI: 1. System. 2. Archives. 3. Create. From the BIG-IP console, type the following command: tmsh save sys ucs <name>
From the BIG-IP GUI: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Verify the box for “Show The Security Banner On The Login Screen” is checked. 6. Review the "Security Banner Text To Show On The Login Screen" under the "Security Settings" section for the following verbiage: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If such a banner is not presented, this is a finding.
From the BIG-IP GUI: 1. System. 2. Configuration. 3. Device. 4. SSHD. 5. Check the box for "Show The Security Banner On The Login Screen". 6. Enter the following in the "Security Banner Text To Show On The Login Screen" under the "Security Settings" section and then select "Update" to save. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
From the BIG-IP GUI: 1. System. 2. Preferences. 3. Under "Security Settings", verify "Require A Consistent Inbound IP For The Entire Web Session" box is checked. If the BIG-IP appliance is not configured to require a consistent inbound IP for the entire session for management sessions, this is a finding.
From the BIG-IP GUI: 1. System. 2. Preferences. 3. Under "Security Settings", check "Require A Consistent Inbound IP For The Entire Web Session". 4. Update.