The BIG-IP appliance must be configured to automatically remove or disable emergency accounts after 72 hours.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-228992	F5BI-DM-000149	SV-228992r557520_rule		Medium

Description
Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If emergency accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the network device since these accounts have elevated privileges. To mitigate this risk, automated termination of all emergency accounts must be set upon account creation. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by network administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency account is normally a different account that is created for use by vendors or system maintainers.

Description

Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If emergency accounts remain active when no longer needed, they may be used to gain unauthorized access. The risk is greater for the network device since these accounts have elevated privileges. To mitigate this risk, automated termination of all emergency accounts must be set upon account creation. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by network administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency account is normally a different account that is created for use by vendors or system maintainers.

STIG	Date
F5 BIG-IP Device Management 11.x Security Technical Implementation Guide	2020-09-28

Details

Check Text ( C-31307r518021_chk )
Verify the BIG-IP appliance is configured to use a properly configured remote authentication server to automatically disable or remove emergency accounts after 72 hours. Navigate to the BIG-IP System manager >> System >> Users >> Authentication. Verify that "User Directory" is set to an approved authentication server type that automatically removes or disables emergency accounts after 72 hours. If the use of emergency accounts is prohibited, this is not a finding. If the BIG-IP appliance is not configured to use a properly configured authentication server to automatically disable or remove emergency accounts after 72 hours, this is a finding.

Check Text ( C-31307r518021_chk )

Verify the BIG-IP appliance is configured to use a properly configured remote authentication server to automatically disable or remove emergency accounts after 72 hours.

Navigate to the BIG-IP System manager >> System >> Users >> Authentication.

Verify that "User Directory" is set to an approved authentication server type that automatically removes or disables emergency accounts after 72 hours.

If the use of emergency accounts is prohibited, this is not a finding.

If the BIG-IP appliance is not configured to use a properly configured authentication server to automatically disable or remove emergency accounts after 72 hours, this is a finding.

Fix Text (F-31284r518022_fix)
Configure the BIG-IP appliance to use a properly configured remote authentication server to automatically disable or remove emergency accounts after 72 hours.