DISA STIGS Viewer

The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users.

Overview

Finding ID: V-266067
Version: F5BI-DM-300010
Rule ID: SV-266067r1024598_rule
IA Controls: (none listed)
Severity: High
Description
Successful identification and authentication must not automatically give an entity full access to a network device or security domain. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement.

The F5 BIG-IP appliance must enforce organization-defined roles to control privileged access, that is, to restrict both the types of objects a user can manage and the tasks a user can perform. For each BIG-IP user account, a different user role can be assigned to each administrative partition to which the user has access, so a single account can hold multiple user roles on the system. An administrator grants a user access to a partition by assigning a specific user role on that partition. In this way, both the BIG-IP configuration objects the user can manage and the actions the user can perform on those objects are controlled.

Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000329-NDM-000287
STIG: F5 BIG-IP TMOS NDM Security Technical Implementation Guide
Date: 2025-06-12

Details

Check Text (C-69990r1023450_chk)
From the BIG-IP GUI:
1. System.
2. Users.
3. Remote Role Groups.
4. Verify configured groups are assigned the appropriate role.

From the BIG-IP console, type the following command:

tmsh list auth remote-role

Note: Verify configured groups are assigned the appropriate role.

If the BIG-IP appliance is not configured to assign appropriate user roles or access levels to authenticated users, this is a finding.
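As an added example, not part of the STIG or of F5's own tooling, the following Python audits the output of `tmsh list auth remote-role` from the check above against an organization-defined mapping of remote role groups to (role, partition). The sample output, the group names and the approved mapping are constructed, and the parser assumes tmsh's brace-delimited output with a role-info stanza holding attribute, role and user-partition keys.

```python
import shlex

# Constructed sample of `tmsh list auth remote-role` output; not captured from a real device.
SAMPLE_TMSH_OUTPUT = """\
auth remote-role {
    role-info {
        ldap-f5-admins {
            attribute "memberOf=cn=f5-admins,ou=groups,dc=example,dc=com"
            role administrator
            user-partition All
        }
        ldap-all-staff {
            attribute "memberOf=cn=staff,ou=groups,dc=example,dc=com"
            role administrator
            user-partition All
        }
    }
}
"""

APPROVED_ROLES = {"ldap-f5-admins": ("administrator", "All")}  # assumed org mapping: group -> (role, partition)


def parse_tmsh(text):
    """Parse tmsh brace-delimited output into nested dicts; leaf values are strings."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()  # close the current block
            continue
        parts = shlex.split(line)  # honours quoted attribute values
        if parts[-1] == "{":
            block = {}
            stack[-1][" ".join(parts[:-1])] = block
            stack.append(block)
        else:
            stack[-1][parts[0]] = " ".join(parts[1:])
    return stack[0]


def find_role_mismatches(text, approved=APPROVED_ROLES):
    """Return (group, reason) for each group whose (role, user-partition) is not the approved one."""
    groups = parse_tmsh(text).get("auth remote-role", {}).get("role-info", {})
    findings = []
    for name, props in groups.items():
        actual = (props.get("role", ""), props.get("user-partition", ""))
        if name not in approved:
            findings.append((name, f"no approved role; configured as {actual}"))
        elif approved[name] != actual:
            findings.append((name, f"expected {approved[name]}; configured as {actual}"))
    return findings
```

An empty result means every remote role group matches the approved mapping; any entry returned is a candidate finding for this rule.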
Fix Text (F-69893r1023451_fix)
Remote Roles (e.g., RADIUS, LDAP groups)
From the BIG-IP GUI:
1. System.
2. Users.
3. Remote Role Groups.
4. Select the Group Name.
5. Modify the Properties of the group to the appropriate access level.
6. Update.

Local Users
1. System.
2. Users.
3. User List.
4. Select the user.
5. Modify "Partition Access" to the appropriate access level.
6. Update.