The F5 BIG-IP appliance must prohibit the use of cached authenticators after eight hours or less.

An XCCDF Rule

Description

Some authentication implementations can be configured to use cached authenticators. If cached authentication information is out-of-date, the validity of the authentication information may be questionable. The organization-defined time period must be established for each device depending on the nature of the device; for example, a device with just a few administrators in a facility with spotty network connectivity may merit a longer caching time period than a device with many administrators.

ID: SV-266093r1024899_rule
Version: F5BI-DM-300055
Severity: Medium
References: CCI-002007
Updated: 24 days ago

Remediation Templates

From the BIG-IP GUI:
1. System.
2. Users.
3. Authentication.
4. If ClientCert LDAP is used as the remote authentication type, configure "OCSP Response Max Age" for an organization-defined time period.
Note: The OCSP Override option must be set to "on" to view the OCSP Response Max Age value.

The F5 BIG-IP appliance must prohibit the use of cached authenticators after eight hours or less.

Description

Remediation Templates

A Manual Procedure