The F5 BIG-IP appliance must enforce approved authorizations for logical access to resources by explicitly configuring assigned resources with an authorization list.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260057	F5BI-AP-000240	SV-260057r947423_rule		Medium

Description
Authentication alone must not be sufficient to assign APM resources to a connecting client. Access to APM resources (e.g., Portal, VPN, Webtop, Remote Desktop, etc.,) must be granted only after a successful authorization check occurs. Resource assignments can be configured using APM Access Policy Advanced Resource Assign VPE agents and Resource Assign VPE agents. These agents must be configured explicitly with an authorization list. If resources are assigned to these types of agents with empty expressions, that expression acts as the default authorization list.

Description

Authentication alone must not be sufficient to assign APM resources to a connecting client. Access to APM resources (e.g., Portal, VPN, Webtop, Remote Desktop, etc.,) must be granted only after a successful authorization check occurs. Resource assignments can be configured using APM Access Policy Advanced Resource Assign VPE agents and Resource Assign VPE agents. These agents must be configured explicitly with an authorization list. If resources are assigned to these types of agents with empty expressions, that expression acts as the default authorization list.

STIG	Date
F5 BIG-IP Access Policy Manager Security Technical Implementation Guide	2024-01-26

Details

Check Text ( C-63788r947394_chk )
If Advanced Resource Assign VPE agent is not used in any policy, this is not a finding. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Review each Resource. - If the Advanced Resource Assign agent is used, verify that each Expression listed is explicitly configured to use an authorization list. If the F5 BIG-IP appliance Access Policy has any assigned resources that are not configured with a specific authorization list, this is a finding.

Check Text ( C-63788r947394_chk )

If Advanced Resource Assign VPE agent is not used in any policy, this is not a finding.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Review each Resource.
- If the Advanced Resource Assign agent is used, verify that each Expression listed is explicitly configured to use an authorization list.

If the F5 BIG-IP appliance Access Policy has any assigned resources that are not configured with a specific authorization list, this is a finding.

Fix Text (F-63694r947422_fix)
For each APM Access Policy, ensure that for each resource, all Advanced Resource Assign agents used in the configuration are explicitly configured to use an authorization list. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Click on any items that use the Advanced Resource Assign VPE object. 6. For each entry with an Expression that is "Empty", click "change". 7. Add an appropriate expression that validates the user's authorization to access the resource specified in the item. 8. Click "Finished". 9. Click "Save". 10. Click "Apply Access Policy".

Fix Text (F-63694r947422_fix)

For each APM Access Policy, ensure that for each resource, all Advanced Resource Assign agents used in the configuration are explicitly configured to use an authorization list.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Click on any items that use the Advanced Resource Assign VPE object.
6. For each entry with an Expression that is "Empty", click "change".
7. Add an appropriate expression that validates the user's authorization to access the resource specified in the item.
8. Click "Finished".
9. Click "Save".
10. Click "Apply Access Policy".