Check: F5BI-DM-000019
F5 BIG-IP Device Management STIG: F5BI-DM-000019 (in versions v2 r3 through v1 r3)
Title
The BIG-IP appliance must automatically audit account creation. (Cat II impact)
Discussion
Upon gaining access to a network device, an attacker will often first attempt to create a persistent method of reestablishing access. One way to accomplish this is to create a new account. Notification of account creation helps to mitigate this risk. Auditing account creation provides the necessary reconciliation that account management procedures are being followed. Without this audit trail, personnel without the proper authorization may gain access to critical network nodes.
Check Content
Verify the BIG-IP appliance is configured to use a remote authentication server that automatically audits account creation. Navigate to the BIG-IP System manager >> System >> Users >> Authentication. Verify "Authentication: User Directory" is configured for an approved remote authentication server that automatically audits account creation. If the BIG-IP appliance is not configured to use a remote authentication server that automatically audits account creation, this is a finding.
Fix Text
Configure the BIG-IP appliance to use an approved remote authentication server that automatically audits the creation of accounts.
Additional Identifiers
Rule ID: SV-217383r879525_rule
Vulnerability ID: V-217383
Group Title: SRG-APP-000026-NDM-000208
CCIs
Number | Definition |
---|---|
CCI-000018 | The information system automatically audits account creation actions. |
Controls
Number | Title |
---|---|
AC-2 (4) | Automated Audit Actions |