The BIG-IP Core implementation must require users to reauthenticate when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s).

An XCCDF Rule

Description

<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which authorization has been removed. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations. Within the DOD, the minimum circumstances requiring reauthentication are privilege escalation, idle timeout, maximum session timeout, and/or role changes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-215779r939150_rule
Severity: Medium
References: CCI-002038
Updated: 9 months ago

If user access control intermediary services are provided, configure the BIG-IP Core as follows:

Configure a policy in the BIG-IP APM module to reauthenticate when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s).

Apply APM policy to the applicable virtual server(s) in the BIG-IP LTM module.

The BIG-IP Core implementation must require users to reauthenticate when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s).

Description

Remediation - Manual Procedure