{"stig":{"title":"F5 BIG-IP Application Security Manager Security Technical Implementation Guide","version":"2","release":"2"},"checks":[{"vulnId":"V-214504","ruleId":"SV-214504r395904_rule","severity":"medium","ruleTitle":"The BIG-IP ASM module supporting intermediary services for remote access communications traffic must ensure inbound traffic is monitored for compliance with remote access security policies.","description":"Automated monitoring of remote access traffic allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by inspecting connection activities of remote access capabilities.\n\nRemote access methods include both unencrypted and encrypted traffic (e.g., web portals, web content filter, TLS, and webmail). With inbound TLS inspection, the traffic must be inspected prior to being allowed on the enclave's web servers hosting TLS or HTTPS applications. \n\nRemote access security policies provide the guidance and define the traffic that will be monitored.  
These policies consist of local policies, organizational policies, and DoD policies.","checkContent":"If the BIG-IP ASM module does not support intermediary services for remote access traffic (e.g., web content filter, TLS, and webmail) for virtual servers, this is not applicable.\n\nWhen the BIG-IP ASM module is used to support intermediary services for remote access communications traffic to virtual servers, verify the security policy is configured as follows:\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect the applicable Virtual Server(s) from the list to verify.\n\nNavigate to the Security >> Policies tab.\n\nVerify an ASM policy is assigned and Enabled for \"Application Security Policy\".\n\nVerify configuration of the identified ASM policy:\n\nNavigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.\n\nReview the list under \"Active Security Policies\" for a security policy that monitors inbound traffic for compliance with remote access security policies.
\n\nVerify \"Enforcement Mode\" is set to \"Transparent\" or \"Blocking\" in accordance with the requirements for the applicable virtual server.\n\nIf the BIG-IP ASM module is not configured with a policy to monitor inbound traffic for compliance with remote access security policies and applied to the applicable virtual servers, this is a finding.","fixText":"If intermediary services for remote access communications traffic for virtual servers are supported by the BIG-IP ASM module, configure an ASM security policy to monitor inbound traffic for compliance with remote access security policies, to be applied to the applicable virtual servers in the BIG-IP LTM module.","ccis":["CCI-000067"]},{"vulnId":"V-214505","ruleId":"SV-214505r395919_rule","severity":"medium","ruleTitle":"The BIG-IP ASM module must be configured to produce ASM Event Logs containing information to establish what type of unauthorized events occurred.","description":"Without establishing what type of event occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.\n\nEvent log content that may be necessary to satisfy this requirement includes, for example, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.\n\nAssociating event types with detected events in the event logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured network element.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (management).","checkContent":"Verify the BIG-IP ASM module is configured to produce ASM Event Logs containing information to establish what type of unauthorized events occurred.\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to verify the configuration for ASM Event
Logging.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nVerify that \"Log Profile\" is Enabled and a logging profile is assigned under \"Selected\".\n\nNavigate to the BIG-IP System manager >> Security >> Event Logs >> Logging Profiles.\n\nSelect the Logging Profile that was assigned to the virtual server.\n\nVerify \"Request Type\" is set to \"Illegal requests, and requests that include staged attack signatures\" under \"Storage Filter\".\n\nIf the BIG-IP ASM module does not produce ASM Event Logs containing information to establish what type of unauthorized events occurred, this is a finding.","fixText":"Configure the BIG-IP ASM module to produce ASM Event Logs containing information to establish what type of unauthorized events occurred. \n\nNavigate to the BIG-IP System manager >> Security >> Event Logs >> Logging Profiles.\n\nClick on 'Create'.\n\nName the Profile.\n\nCheck the box next to 'Application Security'.\n\nSet \"Request Type\" to \"Illegal requests, and requests that include staged attack signatures\" under \"Storage Filter\".\n\nClick 'Finished'.\n\nApply Logging Profile to applicable Virtual Server(s).\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to assign the ASM Event Logging Profile.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nSet \"Log Profile\" to Enabled and move the new Logging Profile from \"Available\" to \"Selected\".\n\nClick \"Update\".","ccis":["CCI-000130"]},{"vulnId":"V-214506","ruleId":"SV-214506r981632_rule","severity":"medium","ruleTitle":"The BIG-IP ASM module must be
configured to update malicious code protection mechanisms and signature definitions when providing content filtering to virtual servers for whenever new releases are available in accordance with organizational configuration management policy and procedures.","description":"Malicious code protection mechanisms include, but are not limited to, anti-virus and malware detection software. In order to minimize any potential negative impact to the organization caused by malicious code, malicious code must be identified and eradicated. Malicious code includes viruses, worms, Trojan horses, and Spyware.\n\nThis requirement is limited to ALGs, web content filters, and packet inspection firewalls that perform malicious code detection as part of their functionality.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nWhen content filtering is performed as part of the traffic management functionality, verify the BIG-IP ASM module is configured to update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policies and procedures.\n\nNavigate to the BIG-IP System manager >> Security >> Options >> Application Security >> Attack Signatures >> Attack Signature Updates.\n\nReview the following settings to confirm compliance with organizational configuration management policies and procedures:\n\nUpdate Mode is set to \"Manual\", unless defined differently by the Organization.\n\nDelivery Mode is set to \"Automatic\", unless defined differently by the
Organization.\n\nVerify that \"Auto Apply New Signatures Configurations After Update\" is NOT \"Enabled\", unless defined differently by the Organization.\n\nIf the BIG-IP ASM module does not update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policies and procedures, this is a finding.","fixText":"If the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP ASM module to update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policies and procedures.","ccis":["CCI-001240"]},{"vulnId":"V-214507","ruleId":"SV-214507r981634_rule","severity":"medium","ruleTitle":"The BIG-IP ASM module must be configured to automatically update malicious code protection mechanisms when providing content filtering to virtual servers.","description":"The malicious software detection functionality on network elements needs to be constantly updated in order to identify new threats as they are discovered.\n\nAll malicious software detection functions must come with an update mechanism that automatically updates the application and any associated signature definitions. The organization (including any contractor to the organization) is required to promptly install security-relevant malicious code protection updates. 
Examples of relevant updates include anti-virus signatures, detection heuristic rule sets, and/or file reputation data employed to identify and/or block malicious software from executing.\n\nMalicious code includes viruses, worms, Trojan horses, and Spyware.\n\nThis requirement is limited to ALGs, web content filters, and packet inspection firewalls that perform malicious code detection as part of their functionality.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nWhen content filtering is performed as part of the traffic management functionality, verify the BIG-IP ASM module is configured to update malicious code protection mechanisms and signature definitions whenever new releases are available in accordance with organizational configuration management policies and procedures.\n\nNavigate to the BIG-IP System manager >> Security >> Options >> Application Security >> Attack Signatures >> Attack Signature Updates.\n\nReview the following settings to confirm compliance with organizational configuration management policies and procedures:\n\nUpdate Mode is set to \"Manual\", unless defined differently by the Organization.\n\nDelivery Mode is set to \"Automatic\", unless defined differently by the Organization.\n\nVerify that \"Auto Apply New Signatures Configurations After Update\" is NOT \"Enabled\", unless defined differently by the Organization.\n\nIf the BIG-IP ASM module does not update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policies and procedures, this is a finding.","fixText":"If
the BIG-IP Core performs content filtering as part of the traffic management functionality, configure the BIG-IP ASM module to update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policies and procedures.","ccis":["CCI-001247"]},{"vulnId":"V-214508","ruleId":"SV-214508r831452_rule","severity":"medium","ruleTitle":"To protect against data mining, the BIG-IP ASM module must be configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware into a computer to execute remote commands that can read or modify a database or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections.\n\nCompliance requires the Application Layer Gateway (ALG) to have the capability to prevent code injections. 
Examples include Web Application Firewalls (WAFs) or database application gateways.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nVerify the BIG-IP ASM module prevents code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to verify the configuration of an ASM policy to prevent code injection attacks.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nNavigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.\n\nSelect the Security Policy that has been assigned to the Virtual Server(s).\n\nVerify the \"Enforcement Mode\" is Blocking.\n\nClick \"Attack Signatures Configurations\" for \"Signature Staging\" under the \"Configuration\" section.\n\nReview the list under \"Assigned Signature Sets\" for the following signatures:\n\nGeneric Detection Signatures\n\nCustom Systems Signature Set (based on systems identified in the application make-up).\n\nVerify the \"Assigned Signature Sets\" listed above have the \"Block\" check box selected.\n\nIf the BIG-IP ASM module is not configured to prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields, this is a finding.","fixText":"If the BIG-IP ASM module is used to support content filtering as part of the traffic management functionality of the BIG-IP Core, configure the BIG-IP ASM module to prevent code injection attacks from being launched against data storage objects,
including, at a minimum, databases, database records, queries, and fields.","ccis":["CCI-002346"]},{"vulnId":"V-214509","ruleId":"SV-214509r831453_rule","severity":"medium","ruleTitle":"To protect against data mining, the BIG-IP ASM module must be configured to prevent code injection attacks launched against application objects, including, at a minimum, application URLs and application code when providing content filtering to virtual servers.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware into a computer to execute remote commands that can read or modify a database or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.\n\nCompliance requires the ALG to have the capability to prevent code injections. 
Examples include Web Application Firewalls (WAFs) or database application gateways.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nVerify the BIG-IP ASM module is configured to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code.\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to verify the configuration of an ASM policy to prevent code injection attacks.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nNavigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.\n\nSelect the Security Policy that has been assigned to the Virtual Server(s).\n\nVerify the \"Enforcement Mode\" is Blocking.\n\nClick \"Attack Signatures Configurations\" for \"Signature Staging\" under the \"Configuration\" section.\n\nReview the list under \"Assigned Signature Sets\" for the following signatures:\n\nGeneric Detection Signatures\n\nCustom Systems Signature Set (based on systems identified in the application make-up).\n\nVerify the \"Assigned Signature Sets\" listed above have the \"Block\" check box selected.\n\nIf the BIG-IP ASM module is not configured to prevent code injection attacks from being launched against application objects, including, at a minimum, application URLs and application code, this is a finding.","fixText":"If the BIG-IP ASM module is used to support content filtering as part of the traffic management functionality of the BIG-IP Core, configure the BIG-IP ASM module to prevent code injection attacks from being launched against application objects,
including, at a minimum, application URLs and application code.","ccis":["CCI-002346"]},{"vulnId":"V-214510","ruleId":"SV-214510r831454_rule","severity":"medium","ruleTitle":"To protect against data mining, The BIG-IP ASM module must be configured to prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields when providing content filtering to virtual servers.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launched against organizational information from unauthorized data mining may result in the compromise of information.\n\nSQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server.\n\nCompliance requires the ALG to have the capability to prevent SQL code injections. 
Examples include Web Application Firewalls (WAFs) or database application gateways.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nVerify the BIG-IP ASM module is configured to prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to verify the configuration of an ASM policy to prevent SQL injection attacks.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nNavigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.\n\nSelect the Security Policy that has been assigned to the Virtual Server(s).\n\nVerify the \"Enforcement Mode\" is Blocking.\n\nClick \"Attack Signatures Configurations\" for \"Signature Staging\" under the \"Configuration\" section.\n\nVerify \"Signature Staging\" is Enabled.\n\nReview the list under \"Assigned Signature Sets\" for the following signatures:\n\nGeneric Detection Signatures\n\nCustom Systems Signature Set (based on systems identified in the application make-up).\n\nVerify the \"Assigned Signature Sets\" listed above have the \"Block\" check box selected.\n\nIf the BIG-IP ASM module is not configured to prevent SQL injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, and database fields, this is a finding.","fixText":"If the BIG-IP ASM module is used to support content filtering as part of the traffic management functionality of the BIG-IP Core, configure the BIG-IP ASM module to prevent SQL injection attacks launched
against data storage objects, including, at a minimum, databases, database records, and database fields.","ccis":["CCI-002346"]},{"vulnId":"V-214511","ruleId":"SV-214511r831455_rule","severity":"medium","ruleTitle":"To protect against data mining, The BIG-IP ASM module must be configured to detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields when providing content filtering to virtual servers.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware into a computer to execute remote commands that can read or modify a database or change data on a website. Web applications frequently access databases to store, retrieve, and update information. An attacker can construct inputs that the database will execute. This is most commonly referred to as a code injection attack. This type of attack includes XPath and LDAP injections.\n\nALGs with anomaly detection must be configured to protect against unauthorized code injections. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. 
Examples include Web Application Firewalls (WAFs) or database application gateways.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nVerify the BIG-IP ASM module is configured to detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields.\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to verify the configuration of an ASM policy to detect code injection attacks.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nNavigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.\n\nSelect the Security Policy that has been assigned to the Virtual Server(s).\n\nVerify the \"Enforcement Mode\" is Transparent or Blocking.\n\nClick \"Attack Signatures Configurations\" for \"Signature Staging\" under the \"Configuration\" section.\n\nReview the list under \"Assigned Signature Sets\" for the following signatures:\n\nGeneric Detection Signatures\n\nCustom Systems Signature Set (based on systems identified in the application make-up).\n\nVerify the \"Assigned Signature Sets\" listed above have the \"Alarm\" check box selected.\n\nIf the BIG-IP ASM module is not configured to detect code injection attacks launched against data storage objects, including, at a minimum, databases, database records, queries, and fields, this is a finding.","fixText":"If the BIG-IP ASM module is used to support content filtering as part of the traffic management functionality of the BIG-IP Core, configure the BIG-IP ASM module to detect code injection attacks launched against data storage objects,
including, at a minimum, databases, database records, queries, and fields.","ccis":["CCI-002347"]},{"vulnId":"V-214512","ruleId":"SV-214512r831456_rule","severity":"medium","ruleTitle":"To protect against data mining, The BIG-IP ASM module must be configured to detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields when providing content filtering to virtual servers.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational databases may result in the compromise of information.\n\nSQL injection attacks are the most prevalent attacks against web applications and databases. These attacks inject SQL commands that can read, modify, or compromise the meaning of the original SQL query. An attacker can spoof identity; expose, tamper, destroy, or make existing data unavailable; or gain unauthorized privileges on the database server.\n\nALGs with anomaly detection must be configured to protect against unauthorized data mining attacks. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. 
Examples include Web Application Firewalls (WAFs) or database application gateways.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nVerify the BIG-IP ASM module detects SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields.\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to verify the configuration of an ASM policy to detect SQL injection attacks.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nNavigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.\n\nSelect a Security Policy that has been assigned to Virtual Server(s).\n\nVerify the \"Enforcement Mode\" is Transparent or Blocking.\n\nClick \"Attack Signatures Configurations\" for \"Signature Staging\" under the \"Configuration\" section.\n\nReview the list under \"Assigned Signature Sets\" for the following signatures:\n\nGeneric Detection Signatures\n\nCustom Systems Signature Set (based on systems identified in the application make-up).\n\nVerify the \"Assigned Signature Sets\" listed above have the \"Alarm\" check box selected.\n\nIf the BIG-IP ASM module is not configured to detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields, this is a finding.","fixText":"If the BIG-IP ASM module is used to support content filtering as part of the traffic management functionality of the BIG-IP Core, configure the BIG-IP ASM module to detect SQL injection attacks launched against data storage objects, including, at a minimum,
databases, database records, and database fields.","ccis":["CCI-002347"]},{"vulnId":"V-214513","ruleId":"SV-214513r831457_rule","severity":"medium","ruleTitle":"The BIG-IP ASM module must be configured to detect code injection attacks launched against application objects including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.","description":"Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched against organizational applications may result in the compromise of information.\n\nInjection attacks allow an attacker to inject code into a program or query or inject malware onto a computer to execute remote commands that can read or modify a database, or change data on a website. These attacks include buffer overrun, XML, JavaScript, and HTML injections.\n\nALGs with anomaly detection must be configured to protect against unauthorized code injections. These devices must include rules and anomaly detection algorithms to monitor for atypical database queries or accesses. 
Examples include Web Application Firewalls (WAFs) or database application gateways.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nVerify the BIG-IP ASM module is configured to detect code injection attacks launched against application objects, including, at a minimum, application URLs and application code.\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to verify the configuration of an ASM policy to detect code injection attacks.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nNavigate to the BIG-IP System manager >> Security >> Application Security >> Security Policies.\n\nSelect the Security Policy that has been assigned to the Virtual Server(s).\n\nVerify \"Enforcement Mode\" is Transparent or Blocking.\n\nClick \"Attack Signatures Configurations\" for \"Signature Staging\" under the \"Configuration\" section.\n\nReview the list under \"Assigned Signature Sets\" for the following signatures:\n\nGeneric Detection Signatures\n\nCustom Systems Signature Set (based on systems identified in the application make-up).\n\nVerify the \"Assigned Signature Sets\" listed above have the \"Alarm\" check box selected.\n\nIf the BIG-IP ASM module is not configured to detect code injection attacks launched against application objects, including, at a minimum, application URLs and application code, this is a finding.","fixText":"If the BIG-IP ASM module is used to support content filtering as part of the traffic management functionality of the BIG-IP Core, configure the BIG-IP ASM module to detect code injection attacks launched against application objects, including, at a minimum,
application URLs and application code.","ccis":["CCI-002347"]},{"vulnId":"V-214514","ruleId":"SV-214514r831458_rule","severity":"medium","ruleTitle":"The BIG-IP ASM module must be configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.","description":"A common vulnerability of network elements is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unintended system behavior caused by invalid inputs, where information system responses to the invalid input may be disruptive or cause the system to fail into an unsafe state.\n\nThe behavior will be derived from the organizational and system requirements and includes, but is not limited to, notifying the appropriate personnel, creating an audit record, and rejecting invalid input.\n\nThis requirement applies to gateways and firewalls that perform content inspection or have higher layer proxy functions.","checkContent":"Verify the BIG-IP ASM module is configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.\n\nThis can be demonstrated by the SA sending an invalid input to a virtual server.  
Provide evidence that the virtual server was able to handle the invalid input and maintain operation.\n\nIf the BIG-IP ASM module is not configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives, this is a finding.","fixText":"Configure the BIG-IP ASM module to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.","ccis":["CCI-002754"]},{"vulnId":"V-214515","ruleId":"SV-214515r831459_rule","severity":"medium","ruleTitle":"The BIG-IP ASM module must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.","description":"If inbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs.\n\nInternal monitoring includes the observation of events occurring on the network crossing internal boundaries at managed interfaces such as web content filters. Depending on the type of ALG, organizations can monitor information systems by monitoring audit activities, application access patterns, characteristics of access, content filtering, or unauthorized exporting of information across boundaries. 
Unusual/unauthorized activities or conditions may include large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nVerify the BIG-IP ASM module is configured to continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions.\n\nNavigate to the BIG-IP System manager >> Local Traffic >> Virtual Servers >> Virtual Servers List tab.\n\nSelect Virtual Server(s) from the list to verify the configuration for ASM Event Logging.\n\nNavigate to the Security >> Policies tab.\n\nSet \"Policy Settings\" to \"Advanced\".\n\nVerify that \"Application Security Policy\" is Enabled and \"Policy\" is set to use an ASM policy for the virtual server.\n\nVerify that \"Log Profile\" is Enabled and a logging profile is assigned under \"Selected\".\n\nNavigate to the BIG-IP System manager >> Security >> Event Logs >> Logging Profiles.\n\nSelect the Logging Profile that was assigned to the virtual server.\n\nVerify that \"Request Type\" under \"Storage Filter\" is set to \"Illegal requests, and requests that include staged attack signatures\".\n\nIf the BIG-IP ASM module is not configured to continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions, this is a finding.","fixText":"Configure a policy in the BIG-IP ASM module to continuously monitor inbound communications traffic for unusual or unauthorized activities or conditions.\n\nApply the ASM policy to the applicable Virtual Server(s) in the BIG-IP LTM module to continuously monitor inbound communications traffic for unusual or unauthorized activities or 
conditions.","ccis":["CCI-002661"]},{"vulnId":"V-214516","ruleId":"SV-214516r396456_rule","severity":"medium","ruleTitle":"The BIG-IP ASM module must check the validity of all data inputs except those specifically identified by the organization.","description":"Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid input is one of the primary methods employed when attempting to compromise an application.\n\nNetwork devices with the functionality to perform application layer inspection may be leveraged to validate data content of network communications. Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software typically follows well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If network elements use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Pre-screening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. 
Input validation helps to ensure accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.\n\nThis requirement applies to gateways and firewalls that perform content inspection or have higher-layer proxy functionality.\n\nNote: A limitation of ~200 policies per cluster currently exists on the BIG-IP Core. If this requirement cannot be met due to this limitation, documentation from the AO is required.","checkContent":"If the BIG-IP ASM module is not used to support content filtering as part of the traffic management functions of the BIG-IP Core, this is not applicable.\n\nVerify the BIG-IP ASM module is configured to check the validity of all data inputs except those specifically identified by the organization.\n\nNavigate to the BIG-IP System manager >> Application Security >> Parameters >> Parameters List.\n\nSelect the policy for \"Current Edited Policy\" used for checking data inputs.\n\nReview the parameters under the \"Parameters List\" section.\n\nVerify parameters are configured to check the validity of all data inputs except those specifically identified by the organization.\n\nIf the BIG-IP ASM module is not configured to check the validity of all data inputs except those specifically identified by the organization, this is a finding.","fixText":"If the BIG-IP ASM module is used to support content filtering as part of the traffic management functionality of the BIG-IP Core, configure the BIG-IP ASM module to check the validity of all data inputs except those specifically identified by the organization.","ccis":["CCI-001310"]},{"vulnId":"V-270902","ruleId":"SV-270902r1056155_rule","severity":"high","ruleTitle":"The version of F5 BIG-IP must be a supported version.","description":"Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. 
Organizations (including any contractor to the organization) are required to promptly install security-relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling must also be addressed expeditiously.\n\nOrganization-defined time periods for updating security-relevant software may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw).\n\nThis requirement will apply to software patch management solutions that are used to install patches across the enclave and to applications that are not part of that patch management solution. For example, many browsers today provide the capability to install their own patch software. Patch criticality, as well as system criticality, will vary. Therefore, the tactical situations regarding the patch management process will also vary. This means that the period used must be a configurable parameter. Time frames for application of security-relevant software updates may be dependent upon the Information Assurance Vulnerability Management (IAVM) process.\n\nThe application will be configured to check for and install security-relevant software updates within an identified period from the availability of the update. The specific period will be defined by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).","checkContent":"BIG-IP versions supported by this STIG (version 15.1x and earlier) are no longer supported by the vendor. If the system is running BIG-IP version 15.1x or earlier, this is a finding.","fixText":"Upgrade to a supported version.","ccis":["CCI-002605"]}]}