Rule ID
SV-260057r947423_rule
Version
V2R4
CCIs
Authentication alone must not be sufficient to assign APM resources to a connecting client. Access to APM resources (e.g., Portal, VPN, Webtop, Remote Desktop, etc.,) must be granted only after a successful authorization check occurs. Resource assignments can be configured using APM Access Policy Advanced Resource Assign VPE agents and Resource Assign VPE agents. These agents must be configured explicitly with an authorization list. If resources are assigned to these types of agents with empty expressions, that expression acts as the default authorization list.
If Advanced Resource Assign VPE agent is not used in any policy, this is not a finding.
From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click "Edit" under "Per-Session Policy" for the Access Profile.
5. Review each Resource.
- If the Advanced Resource Assign agent is used, verify that each Expression listed is explicitly configured to use an authorization list.
If the F5 BIG-IP appliance Access Policy has any assigned resources that are not configured with a specific authorization list, this is a finding.For each APM Access Policy, ensure that for each resource, all Advanced Resource Assign agents used in the configuration are explicitly configured to use an authorization list. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click "Edit" under "Per-Session Policy" for the Access Profile. 5. Click on any items that use the Advanced Resource Assign VPE object. 6. For each entry with an Expression that is "Empty", click "change". 7. Add an appropriate expression that validates the user's authorization to access the resource specified in the item. 8. Click "Finished". 9. Click "Save". 10. Click "Apply Access Policy".