The F5 BIG-IP appliance must be configured to audit the execution of privileged functions such as accounts additions and changes.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-266068	SRG-APP-000343-NDM-000289	F5BI-DM-300012	SV-266068r1024599_rule	2024-09-20	1

Description
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-APP-000343-NDM-000289, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000319-NDM-000283, SRG-APP-000080-NDM-000220, SRG-APP-000516-NDM-000334, SRG-APP-000091-NDM-000223, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000381-NDM-000305

Description

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-APP-000343-NDM-000289, SRG-APP-000026-NDM-000208, SRG-APP-000027-NDM-000209, SRG-APP-000028-NDM-000210, SRG-APP-000029-NDM-000211, SRG-APP-000319-NDM-000283, SRG-APP-000080-NDM-000220, SRG-APP-000516-NDM-000334, SRG-APP-000091-NDM-000223, SRG-APP-000495-NDM-000318, SRG-APP-000499-NDM-000319, SRG-APP-000503-NDM-000320, SRG-APP-000504-NDM-000321, SRG-APP-000095-NDM-000225, SRG-APP-000096-NDM-000226, SRG-APP-000097-NDM-000227, SRG-APP-000098-NDM-000228, SRG-APP-000099-NDM-000229, SRG-APP-000100-NDM-000230, SRG-APP-000101-NDM-000231, SRG-APP-000381-NDM-000305

ℹ️ Check
From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Options. 5. Under Local Traffic Logging: a. MCP: Notice. b. SSL: Informational. c. Traffic Management OS: Informational. 6. Under Audit Logging: a. MCP: Enable. From the BIG-IP console, type the following commands: tmsh list sys daemon-log-settings tmm os-log-level Note: This command must return a value of "informational". tmsh list sys daemon-log-settings tmm ssl-log-level Note: This must return a value of "informational": tmsh list sys daemon-log-settings mcpd audit Note: This must return a value of "enabled". tmsh list sys daemon-log-settings mcpd log-level Note: This must return a value of "notice". tmsh list sys db log.ssl.level value Note: This must return a value of "informational". If the BIG-IP appliance is not configured to audit the execution of privileged functions, this is a finding.

ℹ️ Check

From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Options. 5. Under Local Traffic Logging: a. MCP: Notice. b. SSL: Informational. c. Traffic Management OS: Informational. 6. Under Audit Logging: a. MCP: Enable. From the BIG-IP console, type the following commands: tmsh list sys daemon-log-settings tmm os-log-level Note: This command must return a value of "informational". tmsh list sys daemon-log-settings tmm ssl-log-level Note: This must return a value of "informational": tmsh list sys daemon-log-settings mcpd audit Note: This must return a value of "enabled". tmsh list sys daemon-log-settings mcpd log-level Note: This must return a value of "notice". tmsh list sys db log.ssl.level value Note: This must return a value of "informational". If the BIG-IP appliance is not configured to audit the execution of privileged functions, this is a finding.

✔️ Fix
From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Options. 5. Under “Local Traffic Logging”: a. MCP: Notice. b. SSL: Informational. c. Traffic Management OS: Informational. 6. Under “Audit Logging”: a. MCP: Enable. 7. Update. From the BIG-IP console, type the following commands: tmsh modify sys daemon-log-settings tmm os-log-level informational tmsh modify sys daemon-log-settings tmm ssl-log-level informational tmsh modify sys daemon-log-settings mcpd audit enabled tmsh modify sys daemon-log-settings mcpd log-level notice tmsh modify sys db log.ssl.level value informational tmsh save sys config

✔️ Fix

From the BIG-IP GUI: 1. System. 2. Logs. 3. Configuration. 4. Options. 5. Under “Local Traffic Logging”: a. MCP: Notice. b. SSL: Informational. c. Traffic Management OS: Informational. 6. Under “Audit Logging”: a. MCP: Enable. 7. Update. From the BIG-IP console, type the following commands: tmsh modify sys daemon-log-settings tmm os-log-level informational tmsh modify sys daemon-log-settings tmm ssl-log-level informational tmsh modify sys daemon-log-settings mcpd audit enabled tmsh modify sys daemon-log-settings mcpd log-level notice tmsh modify sys db log.ssl.level value informational tmsh save sys config