on 29-Oct-2015 16:34
Problem this snippet solves:
This iApp template helps you configure BIG-IP to support security controls consonant with NIST Special Publication 800-53r4. This iApp focuses on management of the BIG-IP itself rather than control of application traffic through the BIG-IP. For more details on this iApp and how it supports NIST Special Publication 800-53r4, enable the Inline Help within the template. The Help tab in the GUI contains additional information.
The associated deployment guide is now available at http://www.f5.com/pdf/deployment-guides/nist-sp-800-53-r4-dg.pdf
Fully supported version
v1.0.0 - Supported release
Released the fully supported version of the NIST iApp on 02-08-17. There were no additional changes to the iApp template over RC-6, however the iApp now supports BIG-IP versions 11.5.3 - 12.1.2. See https://support.f5.com/csp/article/K09154349 for instructions on downloading, importing and using the iApp.
Release Candidate versions
v1.0.1rc3 and rc4
RC3 was released on downloads.f5.com with a single fix (corrected an issue where the iApp would incorrectly detect Appliance Mode). As a part of this fix, the iApp would not load on BIG-IP systems that had a previous version of the NIST iApp.
F5 released RC4 on DevCentral with a fix for this issue, and now the iApp loads properly on all devices. This version also contains a fix for multi-line banners and a fix for SNMP so the iApp catches any form of 127.0.0.0 and maps it.
Released 1.0.1rc4 of the NIST iApp on 06-18-2018.
Released 1.0.1rc1 of the NIST iApp on 08-18-2017.
Released RC-6 of the NIST iApp on 12-12-2016.
Released RC-5 of the NIST iApp on 12-16-2015.
Released RC-4 of the NIST iApp on 12-02-2015.
Released RC-3 of the NIST iApp on 11-12-2015.
Released RC-2 of the NIST iApp on 10-30-2015.
Approaching a year since the last RC release, new RC or final coming?
Storing passphrase for LDAP search account in plain text is not ideal. Will this be addressed in this template?
"storing passphrase for LDAP search account in plain text is not ideal"
You're right, and the same goes for RADIUS and TACACS+ secrets, etc. I will update f5 internal information to consider a suitable enhancement.
Official version has finally hit the SOL/KB channel --- https://support.f5.com/csp/article/K09154349 [link text]
Joe / Mark,
The newer 1.0.1RC3 in iApp bundle 512 fails to import on my 11.6.3 and 13.1.0.x appliances.
The all spit out near identical message
Loading configuration... /tmp/upload_template.tmpl Loading schema version: 11.5.0 Loading schema version: 11.6.3 01071485:3: CliShellScript (/Common/nist80053_1) content does not match the signature. Unexpected Error: Loading configuration process failed.
I do have a case already open on this. I'll peek at 1.0.1RC1 see what it has over my existing 1.0.0 while waiting on support.
Hi Brian, thanks for letting us know. We are looking into it. Could you please send the case number via email if you still have my address? Thanks Joe
Just added RC4 to this page which solves the template loading issue.
The "Remote Roles -- AC-3(7), CM-5" configuration section only allows a maximum of 5 group/roles to be managed from the NIST iApp.
Can this be bumped to 10, or such. We want to keep these roles controlled from iApp versus having to add the few extra roles we need outside it from "System ›› Users : Remote Role Groups" directly.