The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266068 | F5BI-DM-300012 | SV-266068r1029557_rule | Medium |
| Description |
| Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-APP-000343-NDM-000289, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000319-NDM-000283, SRG-APP-000080-NDM-000220, SRG-APP-000516-NDM-000334, SRG-APP-000091-NDM-000223, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000381-NDM-000305 |
| STIG | Date |
| F5 BIG-IP TMOS NDM Security Technical Implementation Guide | 2025-06-12 |
Details
| Check Text (C-69991r1023453_chk) |
| From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Options. 5. Under Local Traffic Logging: a. MCP: Notice. b. SSL: Informational. c. Traffic Management OS: Informational. 6. Under Audit Logging: a. MCP: Enable. From the BIG-IP console, type the following commands: tmsh list sys daemon-log-settings tmm os-log-level Note: This command must return a value of "informational". tmsh list sys daemon-log-settings tmm ssl-log-level Note: This must return a value of "informational": tmsh list sys daemon-log-settings mcpd audit Note: This must return a value of "enabled". tmsh list sys daemon-log-settings mcpd log-level Note: This must return a value of "notice". tmsh list sys db log.ssl.level value Note: This must return a value of "informational". If the BIG-IP appliance is not configured to audit the execution of privileged functions, this is a finding. |
| Fix Text (F-69894r1029557_fix) |
| From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Options. 5. Under "Local Traffic Logging": a. MCP: Notice. b. SSL: Informational. c. Traffic Management OS: Informational. 6. Under "Audit Logging": a. MCP: Enable. 7. Update. From the BIG-IP console, type the following commands: tmsh modify sys daemon-log-settings tmm os-log-level informational tmsh modify sys daemon-log-settings tmm ssl-log-level informational tmsh modify sys daemon-log-settings mcpd audit enabled tmsh modify sys daemon-log-settings mcpd log-level notice tmsh modify sys db log.ssl.level value informational tmsh save sys config |