The F5 BIG-IP appliance must be configured to assign appropriate user roles or access levels to authenticated users.
Severity | Group ID | Group Title (SRG ID) | Version (STIG ID) | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-266067 | SRG-APP-000033-NDM-000212 | F5BI-DM-300010 | SV-266067r1024598_rule | 2024-09-20 | 1 |
Description |
---|
Successful identification and authentication must not automatically give an entity full access to a network device or security domain. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. The F5 BIG-IP appliance must enforce organization-defined roles to control privileged access, that is, the types of objects a user can manage and the tasks a user can perform. For each BIG-IP user account, a different user role can be assigned to each administrative partition the user is permitted to access, so one account can hold several roles on the same system, one per partition. Assigning a role to a partition is what grants the user access to that partition; the role then bounds both the configuration objects the user can manage there and the actions the user can perform on them. Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000329-NDM-000287 |
ℹ️ Check |
---|
From the BIG-IP GUI: 1. System. 2. Users. 3. Remote Role Groups. 4. Verify each configured group is assigned the appropriate role. From the BIG-IP console, type the following command: tmsh list auth remote-role and verify that each group listed under role-info is assigned the appropriate role. Where local accounts are used, also verify under System, Users, User List that each account's Partition Access is the appropriate role for each partition. If the BIG-IP appliance is not configured to assign appropriate user roles or access levels to authenticated users, this is a finding. |
✔️ Fix |
---|
Remote Roles (e.g., RADIUS or LDAP groups). From the BIG-IP GUI: 1. System. 2. Users. 3. Remote Role Groups. 4. Select the Group Name. 5. Modify the Properties of the group to the appropriate access level. 6. Update. Local Users. From the BIG-IP GUI: 1. System. 2. Users. 3. User List. 4. Select the user. 5. Modify "Partition Access" to the appropriate role for each partition. 6. Update. |
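The check above is easy to do by eye on a handful of groups but error-prone on a fleet, so here is an added example (not part of the STIG and not F5 code) that automates both the Check and the Fix decision: it parses the brace-structured text printed by `tmsh list auth remote-role`, `tmsh list auth remote-user` and `tmsh list auth user`, compares every remote group and local account against an approved role mapping, and reports each deviation. It also checks `auth remote-user default-role`, because a remote user whose groups match no role-info line is given that default role, and anything other than `no-access` means authentication alone grants access. The tmsh output embedded below is constructed for illustration; the group names (`ldap-admins`, `ldap-helpdesk`), account names (`admin`, `svc_ops`) and the approved mappings are assumptions, not values from the STIG.

```python
"""Audit BIG-IP role assignments against an approved mapping.

Added example, not from the STIG or from F5. The tmsh output below is
constructed; group names, account names and approved roles are assumptions.
On a real device, feed it the saved output of:
    tmsh list auth remote-role; tmsh list auth remote-user; tmsh list auth user
"""

# Approved role per remote role group (assumption: what the organization signed off).
APPROVED_REMOTE = {"ldap-admins": "administrator", "ldap-helpdesk": "guest"}
# Approved partition-access per local account (assumption).
APPROVED_LOCAL = {"admin": {"all-partitions": "admin"}, "svc_ops": {"Common": "operator"}}

# Constructed sample: the helpdesk group has been mapped to administrator.
REMOTE_ROLE_SAMPLE = """\
auth remote-role {
    role-info {
        ldap-admins {
            attribute memberOF=CN=BIG-IP-Admins,OU=Groups,DC=example,DC=com
            console tmsh
            deny disabled
            line-order 1
            role administrator
            user-partition All
        }
        ldap-helpdesk {
            attribute memberOF=CN=Helpdesk,OU=Groups,DC=example,DC=com
            console disabled
            deny disabled
            line-order 2
            role administrator
            user-partition All
        }
    }
}
"""
# Constructed sample: remote users matching no group fall through to guest.
REMOTE_USER_SAMPLE = """\
auth remote-user {
    default-role guest
    remote-console-access disabled
}
"""
# Constructed sample: svc_ops holds admin on /Common instead of operator.
USER_SAMPLE = """\
auth user admin {
    description "Admin User"
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell tmsh
}
auth user svc_ops {
    partition-access {
        Common {
            role admin
        }
    }
    shell none
}
"""


def parse_tmsh(text):
    """Parse tmsh 'list' output into nested dicts: a line ending in '{' opens a
    block named by the rest of the line, '}' closes it, any other line is
    'key value' (value may be quoted or empty)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    return root


def audit(cfg, approved_remote=APPROVED_REMOTE, approved_local=APPROVED_LOCAL):
    """Return a list of findings; an empty list means every role matches the approved mapping."""
    findings = []
    # 1. Remote role groups: each group's role must be exactly the approved one.
    role_info = cfg.get("auth remote-role", {}).get("role-info", {})
    for group, props in role_info.items():
        want, got = approved_remote.get(group), props.get("role")
        if want is None:
            findings.append(f"remote group {group}: role {got} but group is not approved at all")
        elif got != want:
            findings.append(f"remote group {group}: role {got}, approved role is {want}")
    # 2. Remote users matching no role-info line receive default-role; anything but
    #    no-access means authentication alone grants access, which the SRG forbids.
    default_role = cfg.get("auth remote-user", {}).get("default-role")
    if default_role is None:
        findings.append("remote-user default-role not shown; re-run tmsh list with all-properties")
    elif default_role != "no-access":
        findings.append(f"remote-user default-role is {default_role}, must be no-access")
    # 3. Local accounts: the per-partition roles must match the approved mapping exactly.
    for name, body in cfg.items():
        if not name.startswith("auth user "):
            continue
        user = name[len("auth user "):]
        got = {part: props.get("role") for part, props in body.get("partition-access", {}).items()}
        want = approved_local.get(user)
        if want is None:
            findings.append(f"local user {user}: partition access {got} but account is not approved")
        elif got != want:
            findings.append(f"local user {user}: partition access {got}, approved is {want}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_tmsh(REMOTE_ROLE_SAMPLE + REMOTE_USER_SAMPLE + USER_SAMPLE)):
        print("FINDING:", finding)
```

Run against the constructed samples it reports three findings: the helpdesk group mapped to administrator, the guest default role, and the svc_ops account holding admin on /Common. Each one corresponds to a Fix step above: correct the remote group's role under Remote Role Groups (or with `tmsh modify auth remote-role role-info modify { ldap-helpdesk { role guest } }`), set the fall-through role with `tmsh modify auth remote-user default-role no-access`, and correct the local account's Partition Access (or with `tmsh modify auth user svc_ops partition-access replace-all-with { Common { role operator } }`), then `tmsh save sys config`. Re-run the audit afterwards; an empty list is the pass condition.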