Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
F5 BIG-IP TMOS ALG Security Technical Implementation Guide
F5BI-AP-300046
F5BI-AP-300046
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
F5BI-AP-300046
1 Rule
<GroupDescription></GroupDescription>
The F5 BIG-IP appliance providing user authentication intermediary services must require users to reauthenticate when the user's role or information authorizations is changed.
Medium Severity
<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations, including (but not limited to) the following circumstances: 1. When authenticators change; 2. When roles change; 3. When security categories of information systems change; 4. When the execution of privileged functions occurs; 5. After a fixed period of time; 6. Periodically. Within the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes. This requirement only applies to components where this is specific to the function of the device or has the concept of user authentication (e.g., VPN or ALG capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>