STIGQter: STIG Summary: F5 BIG-IP Access Policy Manager 11.x Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020:

The BIG-IP APM module access policy profile must be configured to automatically terminate user sessions for users connected to virtual servers when organization-defined conditions or trigger events occur that require a session disconnect.

DISA Rule

SV-230211r561151_rule

Vulnerability Number

V-230211

Group Title

SRG-NET-000517-ALG-000006

Rule Version

F5BI-AP-000147

Severity

CAT II

CCI(s)

• CCI-002361 - The information system automatically terminates a user session after organization-defined conditions or trigger events requiring session disconnect.

Weight

10

Fix Recommendation

If user access control intermediary services are provided, configure an access policy in the BIG-IP APM module to automatically terminate a user session when organization-defined conditions or trigger events occur that require a session disconnect.

Check Contents

If the BIG-IP Am module does not provide user access control intermediary services, this is not applicable.

Verify the BIG-IP APM module is configured as follows:

Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles.

Click "Edit..." in the "Access Policy" column for an Access Profile used for organizational access.

Verify the Access Profile is configured to automatically terminate user sessions when organization-defined conditions or trigger events occur that require a session disconnect.

If the BIG-IP APM module is not configured to automatically terminate a user session when organization-defined conditions or trigger events occur that require a session disconnect, this is a finding.

Vulnerability Number

V-230211

Documentable

False

Rule Version

F5BI-AP-000147

Severity Override Guidance

If the BIG-IP Am module does not provide user access control intermediary services, this is not applicable.

Verify the BIG-IP APM module is configured as follows:

Navigate to the BIG-IP System manager >> Access Policy >> Access Profiles.

Click "Edit..." in the "Access Policy" column for an Access Profile used for organizational access.

Verify the Access Profile is configured to automatically terminate user sessions when organization-defined conditions or trigger events occur that require a session disconnect.

If the BIG-IP APM module is not configured to automatically terminate a user session when organization-defined conditions or trigger events occur that require a session disconnect, this is a finding.

Check Content Reference

M

Target Key

4018

Comments