Details
A session lock is a temporary network device- or administrator-initiated action taken when the administrator stops work but does not log out of the network device. Rather than relying on the user to manually lock their management session prior to vacating the vicinity, network devices need to be able to identify when a management session has idled and take action to initiate the session lock. Once invoked, the session lock shall remain in place until the administrator re-authenticates. No other system activity aside from re-authentication shall unlock the management session.
Note that CCI-001133 requires that administrative network sessions be disconnected after 10 minutes of idle time. So this requirement may only apply to local administrative sessions.
Solution
Configure the BIG-IP appliance to initiate a session lock after a 10-minute period of inactivity.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system F5.
References
- 800-53|AC-11a.
- CAT|II
- CCI|CCI-000057
- Rule-ID|SV-217382r557520_rule
- STIG-ID|F5BI-DM-000007
- STIG-Legacy|SV-74523
- STIG-Legacy|V-60093
- Vuln-ID|V-217382