The BIG-IP appliance must be configured to ensure administrators are authenticated with an individual authenticator prior to using a group authenticator.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-217397	F5BI-DM-000101	SV-217397r557520_rule		Medium

Description
To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account. If a device allows or provides for group authenticators, it must first individually authenticate administrators prior to implementing group authenticator functionality. Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.

Description

To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account. If a device allows or provides for group authenticators, it must first individually authenticate administrators prior to implementing group authenticator functionality. Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.

STIG	Date
F5 BIG-IP Device Management 11.x Security Technical Implementation Guide	2020-09-28

Details

Check Text ( C-18622r290745_chk )
Verify the BIG-IP appliance is configured to authenticate administrators with an individual authenticator prior to using a group authenticator. Navigate to the BIG-IP System manager >> System >> Users >> Authentication. Verify "Authentication: User Directory" is configured for an approved remote authentication server that authenticates administrators to an administrators group. Navigate to System >> Users >> Remote Role Groups. Verify that administrators are assigned to the Administrator Role. If the BIG-IP appliance is not configured to authenticate administrators with an individual authenticator prior to using a group authenticator, this is a finding.

Check Text ( C-18622r290745_chk )

Verify the BIG-IP appliance is configured to authenticate administrators with an individual authenticator prior to using a group authenticator.

Navigate to the BIG-IP System manager >> System >> Users >> Authentication.

Verify "Authentication: User Directory" is configured for an approved remote authentication server that authenticates administrators to an administrators group.

Navigate to System >> Users >> Remote Role Groups.

Verify that administrators are assigned to the Administrator Role.

If the BIG-IP appliance is not configured to authenticate administrators with an individual authenticator prior to using a group authenticator, this is a finding.

Fix Text (F-18620r290746_fix)
Configure the BIG-IP appliance to authenticate administrators with an individual authenticator prior to using a group authenticator.