Free DISA STIG and SRG Library | Vaulted

V-60145

The BIG-IP appliance must be configured to ensure administrators are authenticated with an individual authenticator prior to using a group authenticator.

Finding ID
F5BI-DM-000101
Rule ID
SV-74575r1_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000153-NDM-000249
CCI
CCI-000770
Target Key
(None)
Documentable
No
Discussion

To assure individual accountability and prevent unauthorized access, administrators must be individually identified and authenticated. Individual accountability mandates that each administrator is uniquely identified. A group authenticator is a shared account or some other form of authentication that allows multiple unique individuals to access the network device using a single account. If a device allows or provides for group authenticators, it must first individually authenticate administrators prior to implementing group authenticator functionality. Some devices may not have the need to provide a group authenticator; this is considered a matter of device design. In those instances where the device design includes the use of a group authenticator, this requirement will apply. This requirement applies to accounts created and managed on or by the network device.

Fix Text

Configure the BIG-IP appliance to authenticate administrators with an individual authenticator prior to using a group authenticator.

Check Content

Verify the BIG-IP appliance is configured to authenticate administrators with an individual authenticator prior to using a group authenticator. Navigate to the BIG-IP System manager >> System >> Users >> Authentication. Verify "Authentication: User Directory" is configured for an approved remote authentication server that authenticates administrators to an administrators group. Navigate to System >> Users >> Remote Role Groups. Verify that administrators are assigned to the Administrator Role. If the BIG-IP appliance is not configured to authenticate administrators with an individual authenticator prior to using a group authenticator, this is a finding.