IBM Aspera Platform 4.2 Security Technical Implementation Guide

  • Version/Release: V1R2
  • Published: 2022-08-24

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
The IBM Aspera Platform must be configured to support centralized management and configuration.
AU-3 - Medium - CCI-001844 - V-252556 - SV-252556r831490_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001844
Version
ASP4-00-010100
Vuln IDs
  • V-252556
Rule IDs
  • SV-252556r831490_rule
Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Network components requiring centralized audit log management must have the capability to support centralized management. The DoD requires centralized management of all network component audit record content. This requirement does not apply to audit logs generated on behalf of the device itself (management). Support of centralized management of the IBM Aspera Platform is accomplished via use of IBM Aspera Console.
Checks: C-56012r817836_chk

Verify the IBM Aspera Platform is configured to support centralized management and configuration. Navigate to the IBM Aspera Console webpage, login with an administrator account, and review the Nodes tab. If all nodes managed by the organization are not listed, this is a finding. If the IBM Aspera Platform implementation does not include IBM Aspera Console, this is a finding.

Fix: F-55962r817837_fix

Configure the IBM Aspera Platform to support centralized management and configuration. Ensure the IBM Aspera Console server is installed and configured to manage all nodes within the organization. Navigate to the IBM Aspera Console webpage, log in with an administrator account, and select the "Nodes" tab. Select "New Managed Node" to add nodes to the IBM Aspera Console.

The IBM Aspera Platform must not have unnecessary services and functions enabled.
CM-7 - Medium - CCI-000381 - V-252557 - SV-252557r817841_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
ASP4-00-010110
Vuln IDs
  • V-252557
Rule IDs
  • SV-252557r817841_rule
Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the ALG. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The primary function of an ALG is to provide application specific content filtering and/or proxy services. The ALG application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, black/white lists). Some gateways may also include email scanning, decryption, caching, and DLP services. However, services and capabilities which are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, FTP server, or web server). Next Generation ALGs (NGFW) and Unified Threat Management (UTM) ALGs integrate functions which have been traditionally separated. These products integrate content filtering features to provide more granular policy filtering. There may be operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly with no current definitive industry standard.
Checks: C-56013r817839_chk

Verify that only mission essential features are in use. Interview the systems administrator to determine if the following Aspera features are in use:
- Aspera Shares
- Aspera Faspex
If either Aspera Shares or Aspera Faspex is in use and is not documented with the ISSM as a mission requirement, this is a finding.

Fix: F-55963r817840_fix

Ensure all mission required features of Aspera are documented with the ISSM.

IBM Aspera Console must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2 - Medium - CCI-001948 - V-252558 - SV-252558r831491_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001948
Version
ASP4-CS-040110
Vuln IDs
  • V-252558
Rule IDs
  • SV-252558r831491_rule
For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password. Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106
Checks: C-56014r817842_chk

Using a web browser, navigate to the default IBM Aspera Console web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.

Fix: F-55964r817843_fix

For implementations using the IBM Aspera Console feature, configure SAML to use an existing IdP that implements multi-factor authentication.

The IBM Aspera Console must protect audit information from unauthorized read access.
AU-9 - Medium - CCI-000162 - V-252559 - SV-252559r817847_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ASP4-CS-040120
Vuln IDs
  • V-252559
Rule IDs
  • SV-252559r817847_rule
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Thus, it is imperative that the collected log data from the various network elements, as well as the auditing tools, be secured and can only be accessed by authorized personnel. This does not apply to audit logs generated on behalf of the device itself (management). Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058
Checks: C-56015r817845_chk

Verify the log files for IBM Aspera Console do not have world access with the following command:
$ sudo find /opt/aspera/console/log/ \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
If results are returned from the above command, this is a finding.

Fix: F-55965r817846_fix

Remove world access from any IBM Aspera Console log file that has world permissions granted:
$ sudo chmod o-rwx <placefilenamehere>
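The check and fix above as a pair of shell functions, added here as an example and not part of the STIG or of IBM's tooling. The directory is a parameter so the functions can be exercised on a scratch directory; on a Console host you would pass /opt/aspera/console/log/. Unlike the STIG's one-liner, the find is restricted to regular files (-type f), since the fix applies to log files rather than the directory itself. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the STIG): audit and remediate world-accessible
# files under a log directory, mirroring the find/chmod commands in the
# check and fix. $1 is the directory to inspect.

# Print every regular file under $1 that grants any permission to "other"
# (world read, write or execute). Return 1 if any were found, else 0.
find_world_accessible() {
    dir="$1"
    found=$(find "$dir" -type f \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Strip all "other" permission bits from every world-accessible file under
# $1 (the fix's "chmod o-rwx"), then re-run the audit so the exit status
# reports whether anything is still exposed.
remove_world_access() {
    dir="$1"
    find "$dir" -type f \( -perm -0001 -o -perm -0002 -o -perm -0004 \) \
        -exec chmod o-rwx {} +
    find_world_accessible "$dir" >/dev/null
}
```

A non-zero exit from find_world_accessible is the finding; remove_world_access exits non-zero only if a file is still world-accessible after the chmod, which would point at something outside plain permission bits (for example a file that cannot be modified).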

The IBM Aspera Console must protect audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-252560 - SV-252560r817850_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
ASP4-CS-040130
Vuln IDs
  • V-252560
Rule IDs
  • SV-252560r817850_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This does not apply to audit logs generated on behalf of the device itself (management). Refer to the IBM Aspera Console Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Console User Field, and required format within the assertion.
Checks: C-56016r817848_chk

Using a web browser, navigate to the IBM Aspera Console web page. The IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication. If it does not redirect for authentication via the configured IdP, this is a finding. If redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.

Fix: F-55966r817849_fix

Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Accounts" tab.
- Select the "SAML" tab.
- Enter the IdP SSO Target (Redirect) URL.
- Enter the IdP Cert Fingerprint.
- Select from the dropdown menu the IdP Cert Fingerprint Algorithm.
- Select "Save" at the bottom of the page.

IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
IA-2 - Medium - CCI-000764 - V-252561 - SV-252561r831492_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ASP4-CS-040140
Vuln IDs
  • V-252561
Rule IDs
  • SV-252561r831492_rule
User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. IBM Aspera Console must use an IdP for authentication for security best practices. The IdP must not be installed on the IBM Aspera Console virtual machine, particularly if it resides on the untrusted zone of the Enclave. Refer to the IBM Aspera Console Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Console User Field, and required format within the assertion. For security best practices also ensure that the system hosting IBM Aspera Console uses Network Time Protocol or another system to keep times synchronized with the IdP/SAML Provider providing the SAML assertions. Clock drift between the IBM Aspera Console server and the IdP/SAML Provider will result in expired assertions and the inability to be successfully authenticated into IBM Aspera Console. Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095
Checks: C-56017r817851_chk

Using a web browser, navigate to the IBM Aspera Console web page. IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication. If it does not redirect for authentication via the configured IdP, this is a finding. If redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding.

Fix: F-55967r817852_fix

Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Accounts" tab.
- Select the "SAML" tab.
- Enter the IdP SSO Target (Redirect) URL.
- Enter the IdP Cert Fingerprint.
- Select from the dropdown menu the IdP Cert Fingerprint Algorithm.
- Select "Save" at the bottom of the page.

The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
AC-17 - High - CCI-000068 - V-252562 - SV-252562r817856_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ASP4-CS-040150
Vuln IDs
  • V-252562
Rule IDs
  • SV-252562r817856_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). For implementations using the IBM Aspera Console feature, the default configuration of Console has TLS 1.0 and 1.1 enabled to support older browsers. Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097
Checks: C-56018r817854_chk

Verify IBM Aspera Console only uses TLS 1.2 or greater with the following command:
$ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
SSLProtocol TLSv1.2
If the values for SSLProtocol vary from the above example, this is a finding.

Fix: F-55968r817855_fix

Configure IBM Aspera Console to use TLS 1.2. Add/Edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf:
SSLProtocol TLSv1.2
Restart Apache for these changes to take effect:
$ sudo /opt/aspera/common/asctl/asctl apache:restart
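The SSLProtocol check and fix above as shell functions, added here as an example rather than taken from the STIG or from IBM. The config path is a parameter so the functions can be run against a scratch copy; on a Console host it is /opt/aspera/common/apache/conf/extra/httpd-ssl.conf, and the Apache restart from the fix still has to follow. The functions follow the STIG literally: the only acceptable directive is exactly "SSLProtocol TLSv1.2", so a second SSLProtocol line, a missing line, or "all -SSLv3" all count as a finding. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the STIG): check and remediate the SSLProtocol
# directive in an Apache SSL config file. $1 is the config file path.

EXPECTED='SSLProtocol TLSv1.2'

# Return 0 when the config has exactly one uncommented SSLProtocol line and
# it matches EXPECTED (whitespace normalized); otherwise print what was found
# and return 1.
check_ssl_protocol() {
    conf="$1"
    lines=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" 2>/dev/null \
            | sed -E 's/^[[:space:]]+//; s/[[:space:]]+/ /g; s/[[:space:]]+$//')
    if [ "$lines" = "$EXPECTED" ]; then
        return 0
    fi
    printf 'SSLProtocol finding in %s: %s\n' "$conf" "${lines:-<no SSLProtocol line>}"
    return 1
}

# Replace every uncommented SSLProtocol line with EXPECTED, or append it when
# the file has none (the fix's "Add/Edit the following line").
set_ssl_protocol() {
    conf="$1"
    if grep -qE '^[[:space:]]*SSLProtocol[[:space:]]' "$conf"; then
        sed -i -E "s/^[[:space:]]*SSLProtocol[[:space:]].*/$EXPECTED/" "$conf"
    else
        printf '%s\n' "$EXPECTED" >> "$conf"
    fi
}
```

Commented-out directives (lines beginning with #) are ignored by both functions, matching how Apache reads the file; only a live directive determines the result.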

IBM Aspera Console interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
SC-10 - Medium - CCI-001133 - V-252563 - SV-252563r831493_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ASP4-CS-040160
Vuln IDs
  • V-252563
Rule IDs
  • SV-252563r831493_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006
Checks: C-56019r817857_chk

Verify IBM Aspera Console interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Verify the "Session Timeout" option is set to "10" minutes or less.
If the "Session Timeout" option is set to more than "10" minutes, this is a finding.

Fix: F-55969r817858_fix

Configure IBM Aspera Console interactive sessions to terminate after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Edit the "Session Timeout" option to "10" minutes or less.
- Select "Save" at the bottom of the page.

IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol.
IA-5 - Medium - CCI-000192 - V-252564 - SV-252564r817862_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
ASP4-CS-040170
Vuln IDs
  • V-252564
Rule IDs
  • SV-252564r817862_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-56020r817860_chk

Verify IBM Aspera Console enforces password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Verify the "Password Requirement Regular Expression" has the following value: (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}
- Verify the "Password Requirement Message" has the following text: "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol".
If the "Password Requirement Regular Expression" value is not "(?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}", this is a finding. If the "Password Requirement Message" value is not "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol", this is a finding.

Fix: F-55970r817861_fix

Configure IBM Aspera Console to enforce password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Edit the "Password Requirement Regular Expression" with the following value: (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}
- Edit the "Password Requirement Message" with the following text: "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol".
- Select "Save" at the bottom of the page.
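The regular expression required above uses lookaheads, so it cannot be evaluated with POSIX grep or a shell [[ =~ ]] match. The function below, added here as an example (not from the STIG or IBM), re-implements the same five rules with portable shell pattern matching so a provisioning script can pre-check a candidate password against the Console policy: at least 15 characters, one digit, one lowercase letter, one uppercase letter, and one symbol. A symbol is any non-alphanumeric character, which covers both \W and the underscore the regex lists separately. The function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the STIG): portable equivalent of the Console
# "Password Requirement Regular Expression"
#   (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}
# $1 is the candidate password.

# Return 0 when $1 satisfies every rule; otherwise print the failed rules,
# one per line, and return 1.
check_password_complexity() {
    pw="$1"
    failures=""
    # .{15,}  -> at least 15 characters
    [ "${#pw}" -ge 15 ] || failures="${failures}length<15 "
    # (?=.*\d) -> at least one digit
    case "$pw" in *[[:digit:]]*) ;; *) failures="${failures}no-digit " ;; esac
    # (?=.*([a-z])) -> at least one lowercase letter
    case "$pw" in *[[:lower:]]*) ;; *) failures="${failures}no-lowercase " ;; esac
    # (?=.*([A-Z])) -> at least one uppercase letter
    case "$pw" in *[[:upper:]]*) ;; *) failures="${failures}no-uppercase " ;; esac
    # (?=.*(\W|_)) -> at least one non-alphanumeric character (underscore included)
    case "$pw" in *[![:alnum:]]*) ;; *) failures="${failures}no-symbol " ;; esac
    [ -z "$failures" ] && return 0
    printf '%s\n' $failures
    return 1
}
```

Pass the password as a single quoted argument; because the comparison is done with case patterns rather than a regex, characters such as * or ? in the password are matched literally and never interpreted.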

IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
AC-7 - Medium - CCI-000044 - V-252565 - SV-252565r831494_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
ASP4-CS-040180
Vuln IDs
  • V-252565
Rule IDs
  • SV-252565r831494_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Checks: C-56021r817863_chk

Verify IBM Aspera Console locks accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Verify the "Deactivate Users" section is set to "3" or less failed login attempts within "15" minutes or less.
If the "Deactivate Users" section is set to more than "3" failed login attempts, this is a finding. If the "Deactivate Users" section is set to more than "15" minutes, this is a finding.

Fix: F-55971r817864_fix

Configure IBM Aspera Console to lock accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Edit the "Deactivate Users" section failed login attempts option to "3" or less.
- Edit the "Deactivate Users" section attempts within minutes to "15" or less.
- Select "Save" at the bottom of the page.

IBM Aspera Console must prevent concurrent logins for all accounts.
AC-10 - Medium - CCI-000054 - V-252566 - SV-252566r817868_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
ASP4-CS-040190
Vuln IDs
  • V-252566
Rule IDs
  • SV-252566r817868_rule
Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.
Checks: C-56022r817866_chk

Verify IBM Aspera Console prevents concurrent logins for all accounts:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Verify the "Prevent concurrent login" option is checked.
If the "Prevent concurrent login" option is not checked, this is a finding.

Fix: F-55972r817867_fix

Configure IBM Aspera Console to prevent concurrent logins for all accounts:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Put a check in the "Prevent concurrent login" check box.
- Select "Save" at the bottom of the page.

IBM Aspera Console passwords must be prohibited from reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-252567 - SV-252567r817871_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
ASP4-CS-040200
Vuln IDs
  • V-252567
Rule IDs
  • SV-252567r817871_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
Checks: C-56023r817869_chk

Verify IBM Aspera Console passwords are prohibited from reuse for a minimum of five generations:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Verify the "Password Expiration" option is checked.
- Verify the "Password Reuse Limit" option is set to "5" or more.
If the "Password Expiration" option is not checked, this is a finding. If the "Password Reuse Limit" is set to less than "5" or is set to "0", this is a finding.

Fix: F-55973r817870_fix

Configure IBM Aspera Console passwords to be prohibited from reuse for a minimum of five generations:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Put a check in the "Password Expiration" check box.
- Edit the "Password Reuse Limit" option to "5" or more. Note: "0" disables the "Password Reuse Limit" option.
- Select "Save" at the bottom of the page.

IBM Aspera Console user account passwords must have a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-252568 - SV-252568r817874_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
ASP4-CS-040210
Vuln IDs
  • V-252568
Rule IDs
  • SV-252568r817874_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change them, there is a risk passwords could be compromised.
Checks: C-56024r817872_chk

Verify IBM Aspera Console user account passwords have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Verify the "Password Expiration" option is checked.
- Verify the "Password Duration" option is set to "60" days or less.
If the "Password Expiration" option is not checked, this is a finding. If the "Password Duration" is set to more than "60" days or is set to "0", this is a finding.

Fix: F-55974r817873_fix

Configure IBM Aspera Console user account passwords to have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Put a check in the "Password Expiration" check box.
- Edit the "Password Duration" option to "60" days or less. Note: "0" disables the "Password Duration" option.
- Select "Save" at the bottom of the page.

The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-252569 - SV-252569r817877_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ASP4-CS-040220
Vuln IDs
  • V-252569
Rule IDs
  • SV-252569r817877_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older versions of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Checks: C-56025r817875_chk

Verify the IBM Aspera Console is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the server with the following command:
$ sudo /opt/aspera/common/asctl/asctl all:info | grep port:
http_port: 80
https_port: 443
port: 4406
base_port: 3500
Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Fix: F-55975r817876_fix

Configure the IBM Aspera Console to disable functions, ports, protocols, and services that are not approved. Use the following commands to configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
For the apache instance:
$ sudo /opt/aspera/common/asctl/asctl apache:http_port <number>
$ sudo /opt/aspera/common/asctl/asctl apache:https_port <number>
For the console:
$ sudo /opt/aspera/common/asctl/asctl console:base_port <number>
For the database:
$ sudo /opt/aspera/common/asctl/asctl mysql:port <number>
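The comparison the check above asks for, between the ports asctl reports and the ports the site's PPSM CLSA approves, as a shell function. This is an added example, not part of the STIG or of IBM's tooling; the function reads the grep'd asctl output on stdin so it can be run on a captured sample, and the approved list is whatever the CLSA for the site says. The sample output below is constructed with the shape shown in the check plus one extra service port that the approved list deliberately omits; the function name and the 9999 value are this example's own.

```shell
#!/bin/sh
# Added example (not from the STIG): flag asctl-reported ports that are not
# in the PPSM CLSA approved list.
#   $1    : space-separated approved port numbers (from the CLSA)
#   stdin : lines like "http_port: 80" or "port: 4406"
# Prints "not in CLSA: <name>: <port>" for each unapproved port and returns 1
# if any were found, else 0. On a Console host:
#   sudo /opt/aspera/common/asctl/asctl all:info | grep port: | unapproved_ports "80 443 4406 3500"
unapproved_ports() {
    approved=" $1 "
    status=0
    while IFS= read -r line; do
        case "$line" in
            *port:*) ;;
            *) continue ;;   # ignore anything that is not a port setting
        esac
        name=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        port=$(printf '%s' "${line#*:}" | tr -d ' \t')
        case "$approved" in
            *" $port "*) ;;
            *) printf 'not in CLSA: %s: %s\n' "$name" "$port"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample of "asctl all:info | grep port:" output: the four ports
# shown in the check, plus an unapproved port for demonstration.
SAMPLE_ASCTL_INFO='http_port: 80
https_port: 443
port: 4406
base_port: 3500
port: 9999'
```

A non-zero exit is the first half of the finding (a port not in the CLSA); whether a listed port is prohibited by the PPSM CAL is a separate review of the CAL itself and is not something this function can decide.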

The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
AC-17 - High - CCI-001453 - V-252570 - SV-252570r831495_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
ASP4-CS-040230
Vuln IDs
  • V-252570
Rule IDs
  • SV-252570r831495_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Checks: C-56026r817878_chk

Ensure that encryption is required for all transfers by the IBM Aspera Console:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Transfer Defaults" section.
- Verify that the "Transport Encryption" option is set to "aes-128".
If the "Transport Encryption" option is set to "none", this is a finding.

Fix: F-55976r817879_fix

Configure the system to require encryption for all transfers by the IBM Aspera Console:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Transfer Defaults" section.
- Select the "Transport Encryption" option of "aes-128".
- Select "Save" at the bottom of the page.

The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252571 - SV-252571r831496_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-CS-040240
Vuln IDs
  • V-252571
Rule IDs
  • SV-252571r831496_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56027r817881_chk

Verify the /opt/aspera/console/config/secret.yml file is group-owned by root with the following command:

$ sudo stat -c "%G" /opt/aspera/console/config/secret.yml
root

If "root" is not returned as a result, this is a finding.

Fix: F-55977r817882_fix

Configure the /opt/aspera/console/config/secret.yml file to be group-owned by root with the following command:

$ sudo chgrp root /opt/aspera/console/config/secret.yml

The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252572 - SV-252572r831497_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-CS-040250
Vuln IDs
  • V-252572
Rule IDs
  • SV-252572r831497_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56028r817884_chk

Verify the /opt/aspera/console/config/secret.yml file is owned by root with the following command:

$ sudo stat -c "%U" /opt/aspera/console/config/secret.yml
root

If "root" is not returned as a result, this is a finding.

Fix: F-55978r817885_fix

Configure the /opt/aspera/console/config/secret.yml file to be owned by root with the following command:

$ sudo chown root /opt/aspera/console/config/secret.yml

The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252573 - SV-252573r831498_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-CS-040260
Vuln IDs
  • V-252573
Rule IDs
  • SV-252573r831498_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56029r817887_chk

Verify the /opt/aspera/console/config/secret.yml file has a mode of "0600" or less permissive with the following command:

$ sudo stat -c "%a %n" /opt/aspera/console/config/secret.yml
600 /opt/aspera/console/config/secret.yml

If the resulting mode is more permissive than "0600", this is a finding.

Fix: F-55979r817888_fix

Configure the /opt/aspera/console/config/secret.yml file to have a mode of "0600" or less permissive with the following command:

$ sudo chmod 0600 /opt/aspera/console/config/secret.yml

The IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion.
AU-9 - Medium - CCI-001494 - V-252574 - SV-252574r817892_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001494
Version
ASP4-CS-040270
Vuln IDs
  • V-252574
Rule IDs
  • SV-252574r817892_rule
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This does not apply to audit logs generated on behalf of the device itself (management). Satisfies: SRG-NET-000102-ALG-000060, SRG-NET-000103-ALG-000061
Checks: C-56030r817890_chk

Verify the world ownership of subdirectories within the /opt/aspera/console directory. Only the "public" subdirectory should have any access outside of the owner or group.

$ sudo find /opt/aspera/console -perm -0002 -exec ls -lLd {} \;

If any files or directories have world write permissions, this is a finding.

Fix: F-55980r817891_fix

Remove the ability for world to write to any file that has been modified to be world writable.

$ sudo chmod o-w <placefilenamehere>

IBM Aspera Faspex interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
SC-10 - Medium - CCI-001133 - V-252575 - SV-252575r831499_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ASP4-FA-050100
Vuln IDs
  • V-252575
Rule IDs
  • SV-252575r831499_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006
Checks: C-56031r817893_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Session timeout" option is set to "10" minutes or less.

If the "Session timeout" option is set to more than "10" minutes, this is a finding.

Fix: F-55981r817894_fix

Configure IBM Aspera Faspex interactive sessions to be terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Edit the "Session timeout" option to "10" minutes or less.
- Select "Update" at the bottom of the page.

The IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252576 - SV-252576r831500_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-FA-050110
Vuln IDs
  • V-252576
Rule IDs
  • SV-252576r831500_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56032r817896_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/faspex/config/secret.yml file has a mode of "0600" or less permissive with the following command:

$ sudo stat -c "%a %n" /opt/aspera/faspex/config/secret.yml
600 /opt/aspera/faspex/config/secret.yml

If the resulting mode is more permissive than "0600", this is a finding.

Fix: F-55982r817897_fix

Configure the /opt/aspera/faspex/config/secret.yml file to have a mode of "0600" or less permissive with the following command:

$ sudo chmod 0600 /opt/aspera/faspex/config/secret.yml
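The owner, group and mode checks for the Console and Faspex secret.yml files (V-252571, V-252572, V-252573, V-252576) and the world-writable scan of /opt/aspera/console (V-252574) can be run together as one script. This is an added example, not part of the STIG or of IBM's tooling; it assumes GNU stat and find (the same commands the checks use), and its demo builds a scratch directory instead of touching /opt/aspera.

```shell
#!/bin/sh
# Added example, not part of the STIG or of IBM's tooling. Uses the same GNU
# stat/find invocations as the STIG checks.

# check_secret_file PATH [OWNER] [GROUP]
# Reports every deviation from the required owner and group (root unless
# overridden) and from "mode 0600 or less permissive". Returns 1 on any finding.
check_secret_file() {
  local path="$1" want_owner="${2:-root}" want_group="${3:-root}" rc=0 owner group mode
  if [ ! -e "$path" ]; then
    echo "FINDING: $path does not exist"
    return 1
  fi
  owner=$(stat -c '%U' "$path")
  group=$(stat -c '%G' "$path")
  mode=$(stat -c '%a' "$path")
  [ "$owner" = "$want_owner" ] \
    || { echo "FINDING: $path is owned by $owner, expected $want_owner"; rc=1; }
  [ "$group" = "$want_group" ] \
    || { echo "FINDING: $path is group-owned by $group, expected $want_group"; rc=1; }
  # "0600 or less permissive" means no permission bit outside u+rw is set.
  # Testing the bits (not the number) catches 0404, which is numerically
  # below 0600 yet world-readable, and any setuid/setgid/sticky bit.
  if [ $(( 0$mode & ~0600 )) -ne 0 ]; then
    echo "FINDING: $path has mode $mode, more permissive than 0600"; rc=1
  fi
  return $rc
}

# list_world_writable DIR
# The STIG's scan: every file or directory under DIR with the world-write bit
# set. Prints them ls-style and returns 1 if any exist; each one is a finding,
# even under the "public" subdirectory, which may be world-readable but never
# world-writable.
list_world_writable() {
  local hits
  hits=$(find "$1" -perm -0002 -exec ls -lLd {} \; 2>/dev/null)
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits"
  return 1
}

# Constructed demonstration on a scratch copy of the layout, checked against
# the invoking user instead of root so that it runs without privileges.
demo() {
  local tmp user group secret
  tmp=$(mktemp -d); user=$(id -un); group=$(id -gn)
  secret=$tmp/console/config/secret.yml
  mkdir -p "$tmp/console/config" "$tmp/console/public"
  echo 'secret_key_base: constructed-example' > "$secret"
  chmod 0644 "$secret"
  check_secret_file "$secret" "$user" "$group" || echo "-> mode 644 is a finding"
  chmod 0600 "$secret"                                  # the STIG's fix
  check_secret_file "$secret" "$user" "$group" && echo "-> compliant after chmod 0600"
  touch "$tmp/console/public/upload.tmp"; chmod o+w "$tmp/console/public/upload.tmp"
  list_world_writable "$tmp/console" || echo "-> world-writable entry is a finding"
  rm -rf "$tmp"
}
demo
```

On a production host, call check_secret_file with the real paths and the default root owner and group, and list_world_writable on /opt/aspera/console.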

IBM Aspera Faspex must allow the use of a temporary password for logins with an immediate change to a permanent password.
IA-5 - Medium - CCI-002041 - V-252577 - SV-252577r831501_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002041
Version
ASP4-FA-050120
Vuln IDs
  • V-252577
Rule IDs
  • SV-252577r831501_rule
Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login. Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log in, yet force them to change the password once they have successfully authenticated.
Checks: C-56033r817899_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex allows the use of a temporary password for logins with an immediate change to a permanent password:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Require new users to change password on first login" option is checked.

If the "Require new users to change password on first login" option is not checked, this is a finding.

Fix: F-55983r817900_fix

Configure IBM Aspera Faspex to allow the use of a temporary password for logins with an immediate change to a permanent password:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check in the "Require new users to change password on first login" option check box.
- Select "Update" at the bottom of the page.

IBM Aspera Faspex must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
AC-8 - Low - CCI-000048 - V-252578 - SV-252578r817904_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
ASP4-FA-050130
Vuln IDs
  • V-252578
Rule IDs
  • SV-252578r817904_rule
Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the login function residing on the network element. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:

"I've read & consent to terms in IS user agreem't."

This policy only applies to ALGs (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services. Satisfies: SRG-NET-000041-ALG-000022, SRG-NET-000043-ALG-000024
Checks: C-56034r817902_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner. Using a web browser, go to the default IBM Aspera Faspex website. If the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.

Fix: F-55984r817903_fix

Configure the IBM Aspera Faspex default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner.
- Log in to IBM Aspera Faspex as an administrative user.
- Go to Server >> Notifications >> Login Announcement and enter the approved language.

IBM Aspera Faspex must disable account identifiers after 35 days of inactivity.
IA-4 - Medium - CCI-000795 - V-252579 - SV-252579r817907_rule
RMF Control
IA-4
Severity
Medium
CCI
CCI-000795
Version
ASP4-FA-050140
Vuln IDs
  • V-252579
Rule IDs
  • SV-252579r817907_rule
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
Checks: C-56035r817905_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex disables account identifiers after 35 days of inactivity:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Under the "Faspex accounts" "Remove users" section, verify the following:
  - Verify the "Local users" option is checked.
  - Verify the "Local users" option is set to "35" days or less.
  - Verify the "DS users" option is checked.
  - Verify the "DS users" option is set to "35" days or less.
  - Verify the "SAML users" option is checked.
  - Verify the "SAML users" option is set to "35" days or less.

If the "Local users" option is set to more than "35" days or the option is not checked, this is a finding.

If the "DS users" option is set to more than "35" days or the option is not checked, this is a finding.

If the "SAML users" option is set to more than "35" days or the option is not checked, this is a finding.

Fix: F-55985r817906_fix

Configure IBM Aspera Faspex to disable account identifiers after 35 days of inactivity:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Under the "Faspex accounts" "Remove users" section, edit the following:
  - Put a check in the "Local users" option check box.
  - Edit the "Local users" option to "35" days or less.
  - Put a check in the "DS users" option check box.
  - Edit the "DS users" option to "35" days or less.
  - Put a check in the "SAML users" option check box.
  - Edit the "SAML users" option to "35" days or less.
- Select "Update" at the bottom of the page.

IBM Aspera Faspex must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2 - Medium - CCI-001948 - V-252580 - SV-252580r831502_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001948
Version
ASP4-FA-050150
Vuln IDs
  • V-252580
Rule IDs
  • SV-252580r831502_rule
For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password. Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106
Checks: C-56036r817908_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Faspex web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.

Fix: F-55986r817909_fix

For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP that implements multi-factor authentication.

IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
AC-7 - Medium - CCI-000044 - V-252581 - SV-252581r831503_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
ASP4-FA-050170
Vuln IDs
  • V-252581
Rule IDs
  • SV-252581r831503_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Checks: C-56037r817911_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex locks accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Lock users" section is set to "3" or fewer failed login attempts within "15" minutes or less.

If the "Lock users" section is set to more than "3" failed login attempts, this is a finding.

If the "Lock users" section is set to more than "15" minutes, this is a finding.

Fix: F-55987r817912_fix

Configure IBM Aspera Faspex to lock accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Edit the "Faspex accounts" "Lock users" section failed login attempts option to "3" or less.
- Edit the "Lock users" section's attempts-within-minutes value to "15" or less.
- Select "Update" at the bottom of the page.

IBM Aspera Faspex must prevent concurrent logins for all accounts.
AC-10 - Medium - CCI-000054 - V-252582 - SV-252582r817916_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
ASP4-FA-050180
Vuln IDs
  • V-252582
Rule IDs
  • SV-252582r817916_rule
Limiting the number of concurrent sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.
Checks: C-56038r817914_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex prevents concurrent logins for all accounts:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Prevent concurrent login" option is checked.

If the "Prevent concurrent login" option is not checked, this is a finding.

Fix: F-55988r817915_fix

Configure IBM Aspera Faspex to prevent concurrent logins for all accounts:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check in the "Faspex accounts" "Prevent concurrent login" check box.
- Select "Update" at the bottom of the page.

IBM Aspera Faspex must require password complexity features to be enabled.
IA-5 - Medium - CCI-000192 - V-252583 - SV-252583r818123_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
ASP4-FA-050190
Vuln IDs
  • V-252583
Rule IDs
  • SV-252583r818123_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-56039r817917_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex requires password complexity:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Use strong passwords" option is checked.

If the "Use strong passwords" option is not checked, this is a finding.

If the "Use strong passwords" option is checked, downgrade this requirement to a CAT III.

Fix: F-55989r817918_fix

Configure IBM Aspera Faspex to require password complexity:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check in the "Faspex accounts" "Use strong passwords" check box.
- Select "Update" at the bottom of the page.

IBM Aspera Faspex must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 - Medium - CCI-000804 - V-252584 - SV-252584r818985_rule
RMF Control
IA-8
Severity
Medium
CCI
CCI-000804
Version
ASP4-FA-050200
Vuln IDs
  • V-252584
Rule IDs
  • SV-252584r818985_rule
Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly. IBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.
Checks: C-56040r817920_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

To ensure that all external recipients of Faspex packages must register for an account before they can download packages or files within packages:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" option from the left menu.
- Verify that the option "Require external users to register" is checked.

If this option is not checked, this is a finding.

Also ensure IBM Aspera Faspex is configured for "Moderated" self-registration when permitting use by external users. To do this, verify the "Moderated" option is selected from the picklist for "Self registration" under the "Registrations" heading.

If "Moderated" is not selected, this is a finding.

Fix: F-55990r817921_fix

To configure Aspera Faspex to authenticate all external recipients of Faspex packages before they can download packages or files within packages:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" option from the left menu.
- Check the option "Require external users to register" under the "Registrations" heading.
- Select the "Moderated" option from the picklist for "Self registration" under the "Registrations" heading.
- Select "Update" at the bottom of the page.

IBM Aspera Faspex passwords must be prohibited from reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-252585 - SV-252585r817925_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
ASP4-FA-050210
Vuln IDs
  • V-252585
Rule IDs
  • SV-252585r817925_rule
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
Checks: C-56041r817923_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex passwords are prohibited from reuse for a minimum of five generations:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Prevent passwords reuse" option is checked.
- Verify the "Faspex accounts" "Prevent passwords reuse" option is set to "5" or more.

If the "Prevent passwords reuse" option is set to less than "5" or the option is not checked, this is a finding.

Fix: F-55991r817924_fix

Configure IBM Aspera Faspex passwords to be prohibited from reuse for a minimum of five generations:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check in the "Faspex accounts" "Prevent passwords reuse" check box.
- Edit the "Faspex accounts" "Prevent passwords reuse" option to "5" or more.
- Select "Update" at the bottom of the page.

IBM Aspera Faspex user account passwords must have a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-252586 - SV-252586r817928_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
ASP4-FA-050220
Vuln IDs
  • V-252586
Rule IDs
  • SV-252586r817928_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change them, there is a risk that passwords could be compromised.
Checks: C-56042r817926_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex user account passwords have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Passwords expire" option is checked.
- Verify the "Faspex accounts" "Passwords expire" option is set to "60" days or less.

If the "Passwords expire" option is set to more than "60" days or the option is not checked, this is a finding.

Fix: F-55992r817927_fix

Configure IBM Aspera Faspex user account passwords to have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check in the "Faspex accounts" "Passwords expire" check box.
- Edit the "Faspex accounts" "Passwords expire" option to "60" days or less.
- Select "Update" at the bottom of the page.

The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
AC-17 - High - CCI-000068 - V-252587 - SV-252587r817931_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ASP4-FA-050230
Vuln IDs
  • V-252587
Rule IDs
  • SV-252587r817931_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information. This requirement applies to ALGs providing remote access proxy services as part of their intermediary services (e.g., OWA or TLS gateway). For implementations using the IBM Aspera Faspex feature, the default configuration of Faspex has TLS 1.0, 1.1 and 1.2 enabled to support older browsers. Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097
Checks: C-56043r817929_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex only uses TLS 1.2 or greater with the following command:

$ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
SSLProtocol TLSv1.2

If the values for SSLProtocol vary from the above example, this is a finding.

Fix: F-55993r817930_fix

Configure IBM Aspera Faspex to use TLS 1.2. Add or edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf:

SSLProtocol TLSv1.2

Restart Apache for these changes to take effect:

$ sudo /opt/aspera/common/asctl/asctl apache:restart
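The grep in the check reads the directive literally. As an added example (not from the STIG or IBM), the script below evaluates what an SSLProtocol line actually enables under Apache's add/remove grammar, so a spelling such as "all -SSLv3 -TLSv1 -TLSv1.1" is judged by its effect and a literal mismatch with the STIG example is reported separately for review. It assumes the five protocol names listed in the script are the ones this Apache build supports, and it runs against constructed configuration fragments.

```shell
#!/bin/sh
# Added example, not part of the STIG or of IBM's configuration. Evaluates the
# SSLProtocol directive that check V-252587 greps for. Assumption: this Apache
# build knows the five protocol names below (Apache expands "all" to them).
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
LEGACY_PROTOCOLS="SSLv3 TLSv1 TLSv1.1"   # anything below TLS 1.2 is a finding

# effective_protocols VALUE
# Applies Apache's grammar left to right ("all" enables every protocol,
# "+X" or "X" adds one, "-X" removes one) and prints the enabled protocols,
# one per line.
effective_protocols() {
  local enabled=" " tok name new p
  for tok in $1; do
    case $tok in
      all|+all) enabled=" $ALL_PROTOCOLS " ;;
      -all)     enabled=" " ;;
      -*)       name=${tok#-}; new=" "
                for p in $enabled; do [ "$p" = "$name" ] || new="$new$p "; done
                enabled=$new ;;
      *)        name=${tok#+}
                case $enabled in
                  *" $name "*) ;;
                  *) enabled="$enabled$name " ;;
                esac ;;
    esac
  done
  [ "$enabled" != " " ] || return 0
  printf '%s\n' $enabled
}

# check_ssl_protocol_file FILE
# Returns 0 when the last SSLProtocol directive in FILE is exactly the STIG's
# "SSLProtocol TLSv1.2"; 1 (finding) when the directive is missing or any
# legacy protocol is still enabled; 2 when only TLS 1.2+ is enabled but the
# directive is spelled differently from the STIG example, for manual review.
check_ssl_protocol_file() {
  local file="$1" value p rc=0
  value=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$file" | tail -n 1 \
          | sed -E 's/^[[:space:]]*SSLProtocol[[:space:]]+//; s/[[:space:]]+$//')
  if [ -z "$value" ]; then
    echo "FINDING: no SSLProtocol directive in $file (Apache's default allows TLS 1.0 and 1.1)"
    return 1
  fi
  for p in $(effective_protocols "$value"); do
    case " $LEGACY_PROTOCOLS " in
      *" $p "*) echo "FINDING: $p is enabled by 'SSLProtocol $value'"; rc=1 ;;
    esac
  done
  if [ $rc -eq 0 ] && [ "$value" != "TLSv1.2" ]; then
    echo "REVIEW: 'SSLProtocol $value' allows only TLS 1.2+ but differs from the STIG example"
    rc=2
  fi
  [ $rc -ne 0 ] || echo "OK: $file sets SSLProtocol TLSv1.2"
  return $rc
}

# Constructed httpd-ssl.conf fragments written to a temp file for the demo.
demo() {
  local f; f=$(mktemp)
  printf 'SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n' > "$f"
  check_ssl_protocol_file "$f" || true   # finding: TLSv1 and TLSv1.1 remain enabled
  printf 'SSLEngine on\nSSLProtocol TLSv1.2\n' > "$f"   # the STIG's fix
  check_ssl_protocol_file "$f" || true
  rm -f "$f"
}
demo
```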

IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-252588 - SV-252588r817934_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ASP4-FA-050240
Vuln IDs
  • V-252588
Rule IDs
  • SV-252588r817934_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older versions of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Checks: C-56044r817932_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify that IBM Aspera Faspex is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the server with the following command:

$ sudo /opt/aspera/common/asctl/asctl all:info | grep port:
http_port: 80
https_port: 443
port: 4406
base_port: 3000
http_fallback_port:8080

Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).

If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Fix: F-55994r817933_fix

Configure the IBM Aspera Faspex to disable functions, ports, protocols, and services that are not approved. Use the following commands to configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.

For the apache instance:
$ sudo /opt/aspera/common/asctl/asctl apache:http_port <number>
$ sudo /opt/aspera/common/asctl/asctl apache:https_port <number>

For the faspex instance:
$ sudo /opt/aspera/common/asctl/asctl faspex:base_port <number>
$ sudo /opt/aspera/common/asctl/asctl faspex:http_fallback_port <number>

For the database:
$ sudo /opt/aspera/common/asctl/asctl mysql:port <number>

IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-252589 - SV-252589r831504_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ASP4-FA-050250
Vuln IDs
  • V-252589
Rule IDs
  • SV-252589r831504_rule
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.

1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication.

2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.

This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway.

IBM Aspera Faspex will list preestablished trust relationships for IdPs on the default Faspex login page. This configuration supports the ability to have more than one preestablished trust relationship, and it requires the user to choose from the valid preestablished IdPs as listed on the default web page. If IBM Aspera Faspex is configured to automatically redirect to a single IdP, visiting the default webpage will do so. Refer to the IBM Aspera Faspex Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Faspex User Field, and required format within the assertion.

For security best practices, also ensure that the system hosting Aspera Faspex uses Network Time Protocol or another system to keep times synchronized with the IdP server providing the SAML assertions. Clock drift between the IBM Aspera Faspex server and the IdP/SAML Provider will result in expired assertions and the inability to be successfully authenticated into IBM Aspera Faspex.

Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095
Checks: C-56045r817935_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Faspex web page. If you are neither redirected to an IdP nor provided with a list of one or more IdPs to choose from on the standard IBM Aspera Faspex webpage, this is a finding. If redirected to the IdP login, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding. If not redirected to a single IdP but provided a list of configured IdPs, choose one for authentication with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding.

Fix: F-55995r817936_fix

For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP. To configure SAML within IBM Aspera Faspex, perform the following:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Authentication" tab.
- Select the SAML Integration menu.
- Select "Add New SAML Configuration".
- Choose one action from these:
  1) Enter the SAML server's metadata URL in "Import from URL" and click "Import Setting From Metadata URL".
  2) Click "Browse" and locate the file containing the SAML server's metadata.
  3) Paste the SAML server metadata into the box labeled "Import from Text" and click the "Import Settings From Text".
- Select "Create SAML Configuration" at the bottom of the page.

IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
AC-17 - High - CCI-001453 - V-252590 - SV-252590r831505_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
ASP4-FA-050260
Vuln IDs
  • V-252590
Rule IDs
  • SV-252590r831505_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).

Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).

Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Checks: C-56046r817938_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Ensure that encryption is required for all transfers by the IBM Aspera Faspex:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Verify that the "Encrypt transfers" option is checked.

If the "Encrypt transfers" option is not checked, this is a finding.

Fix: F-55996r817939_fix

Configure the system to require encryption for all transfers by the IBM Aspera Faspex:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Put a check in the "Encrypt transfers" check box.
- Select "Update" at the bottom of the page.

IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
SC-28 - Medium - CCI-001199 - V-252591 - SV-252591r831506_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-001199
Version
ASP4-FA-050270
Vuln IDs
  • V-252591
Rule IDs
  • SV-252591r831506_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
Checks: C-56047r817941_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the IBM Aspera Faspex implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Verify that the "Use encryption-at-rest" radio button is set to "Always".

If the "Use encryption-at-rest" radio button is set to "Never" or "Optional", this is a finding.

Fix: F-55997r817942_fix

Configure the IBM Aspera Faspex to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Select the "Use encryption-at-rest" radio button "Always".
- Select "Update" at the bottom of the page.

IBM Aspera Faspex must protect audit information from unauthorized modification.
AU-9 - Medium - CCI-000162 - V-252592 - SV-252592r817946_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ASP4-FA-050280
Vuln IDs
  • V-252592
Rule IDs
  • SV-252592r817946_rule
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This does not apply to audit logs generated on behalf of the device itself (management).

Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058
Checks: C-56048r817944_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify that the log files for IBM Aspera Faspex have no world access.

$ sudo find /opt/aspera/faspex/log/ \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print

If results are returned from the above command, this is a finding.

Fix: F-55998r817945_fix

Remove world access from any IBM Aspera Faspex log file that has world permissions granted.

$ sudo chmod o-rwx <placefilenamehere>

The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252593 - SV-252593r831507_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-FA-050290
Vuln IDs
  • V-252593
Rule IDs
  • SV-252593r831507_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56049r817947_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/faspex/config/secret.yml file is group-owned by faspex with the following command:

$ sudo stat -c "%G" /opt/aspera/faspex/config/secret.yml
faspex

If "faspex" is not returned as a result, this is a finding.

Fix: F-55999r817948_fix

Configure the /opt/aspera/faspex/config/secret.yml file to be group-owned by faspex with the following command:

$ sudo chgrp faspex /opt/aspera/faspex/config/secret.yml

The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252594 - SV-252594r831508_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-FA-050300
Vuln IDs
  • V-252594
Rule IDs
  • SV-252594r831508_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56050r817950_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/faspex/config/secret.yml file is owned by faspex with the following command:

$ sudo stat -c "%U" /opt/aspera/faspex/config/secret.yml
faspex

If "faspex" is not returned as a result, this is a finding.

Fix: F-56000r817951_fix

Configure the /opt/aspera/faspex/config/secret.yml file to be owned by faspex with the following command:

$ sudo chown faspex /opt/aspera/faspex/config/secret.yml

The IBM Aspera Faspex Server must restrict users from using transfer services by default.
AC-3 - Medium - CCI-000213 - V-252595 - SV-252595r817955_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ASP4-FA-050310
Vuln IDs
  • V-252595
Rule IDs
  • SV-252595r817955_rule
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. IBM Aspera High Speed Transfer Server and IBM Aspera High Speed Transfer Endpoint inherently use file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Checks: C-56051r817953_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the IBM Aspera Faspex restricts users from using transfer services by default with the following commands:

Check that the aspera.conf file is configured to deny transfer in and out by default.

$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"

If the results produce an "allow" value, this is a finding.

Fix: F-56001r817954_fix

Configure the IBM Aspera Faspex to restrict users from using transfer services by default with the following commands:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

The IBM Aspera Faspex Server must restrict users' read, write, and browse permissions by default.
AC-3 - Medium - CCI-000213 - V-252596 - SV-252596r817958_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ASP4-FA-050320
Vuln IDs
  • V-252596
Rule IDs
  • SV-252596r817958_rule
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. IBM Aspera High Speed Transfer Server and IBM Aspera High Speed Transfer Endpoint inherently use file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Checks: C-56052r817956_chk

If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the IBM Aspera Faspex restricts users' read, write, and browse permissions by default with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"

If no results are returned or if the results produce a "true" value, this is a finding.

Fix: F-56002r817957_fix

Configure the IBM Aspera Faspex to restrict users' read, write, and browse permissions by default with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
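The command-based Faspex checks above (ports vs. the PPSM CLSA, world access on log files, secret.yml ownership, and the asuserdata transfer and read/write/browse defaults) share one pattern: run the STIG command, then apply a pass/finding rule to its output. The following POSIX shell functions are an added example, not part of the STIG or of IBM's tooling; they encode those rules so they can be run against captured command output (the constructed samples below reproduce the output format the check text shows) as well as live on a host via the assumed `audit_faspex_host` helper.

```shell
#!/bin/sh
# Added example, not part of the STIG or of IBM's tooling: the decision logic
# of the command-based Faspex checks (V-252588, V-252592 to V-252596) as
# reusable functions. Each takes a path argument or reads the relevant command
# output on stdin, so it works on captured output as well as on a live host.

# V-252588: ports reported by "asctl all:info | grep port:" that are not in the
# approved list (the site's PPSM CLSA, passed as "$1", space separated).
# Prints the unapproved ports and returns 1 if there are any.
ports_not_in_ppsm_clsa() {
    approved=" $1 "
    # The STIG's sample output has both "http_port: 80" and
    # "http_fallback_port:8080", so the space after the colon is optional.
    unapproved=$(sed -n 's/^[[:space:]]*[a-z_]*port:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        while read -r port; do
            case "$approved" in
                *" $port "*) ;;
                *) printf '%s\n' "$port" ;;
            esac
        done)
    [ -z "$unapproved" ] && return 0
    printf '%s\n' "$unapproved"
    return 1
}

# V-252592: any entry under the log directory "$1" with a world r/w/x bit is a
# finding. Prints the offending paths and returns 1 if there are any.
log_world_access_entries() {
    found=$(find "$1" \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# V-252593 / V-252594: file "$1" must be owned by user "$2" and group "$3".
# A missing file is reported as a finding rather than an error.
secret_file_ownership_ok() {
    actual=$(stat -c '%U:%G' "$1" 2>/dev/null) || return 1
    [ "$actual" = "$2:$3" ]
}

# V-252595: reads "asuserdata -a" output on stdin. Any "allow" in the
# authorization_*_value lines is a finding (the STIG flags only "allow").
transfer_auth_denied_by_default() {
    ! grep authorization | grep value | grep -q '"allow"'
}

# V-252596: reads "asuserdata -a" output on stdin. No matching lines at all,
# or any "true" value, is a finding.
default_perms_restricted() {
    out=$(grep -w -e read_allowed -e write_allowed -e dir_allowed || true)
    [ -n "$out" ] || return 1
    ! printf '%s\n' "$out" | grep -q '"true"'
}

# Constructed samples (not captured from a real server) in the output format
# the STIG check text shows for the two commands.
SAMPLE_ASCTL_PORTS='http_port: 80
https_port: 443
port: 4406
base_port: 3000
http_fallback_port:8080'

SAMPLE_ASUSERDATA_COMPLIANT='authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"'

SAMPLE_ASUSERDATA_FINDING='authorization_transfer_in_value: "allow"
authorization_transfer_out_value: "deny"
read_allowed: "true"
write_allowed: "false"
dir_allowed: "false"'

# Prints PASS/FINDING for one check; stdin is passed through to the check.
report() {
    if "$@" >/dev/null; then echo "PASS    $1"; else echo "FINDING $1"; fi
}

# Assumed helper for a live Faspex host: runs the STIG's own commands and
# paths through the rules above. "$1" is the approved (PPSM CLSA) port list.
audit_faspex_host() {
    /opt/aspera/common/asctl/asctl all:info | grep port: | report ports_not_in_ppsm_clsa "$1"
    report log_world_access_entries /opt/aspera/faspex/log/
    report secret_file_ownership_ok /opt/aspera/faspex/config/secret.yml faspex faspex
    /opt/aspera/bin/asuserdata -a | report transfer_auth_denied_by_default
    /opt/aspera/bin/asuserdata -a | report default_perms_restricted
}
```

On a host, `sudo sh -c '. ./faspex_checks.sh; audit_faspex_host "80 443 4406 3000 8080"'` (with the approved list taken from the site's PPSM CLSA) prints one PASS/FINDING line per check; each function's printed detail is what an assessor would attach to a finding.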

The IBM Aspera Shares interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
SC-10 - Medium - CCI-001133 - V-252597 - SV-252597r831509_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
ASP4-SH-060100
Vuln IDs
  • V-252597
Rule IDs
  • SV-252597r831509_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.

Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006
Checks: C-56053r817959_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Shares interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Session timeout" option is set to "10" minutes or less.

If the "Session timeout" option is set to more than "10" minutes, this is a finding.

Fix: F-56003r817960_fix

Configure IBM Aspera Shares interactive sessions to terminate after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Set the "Session timeout" option to "10" minutes or less.
- Select "Save" at the bottom of the page.

IBM Aspera Shares must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
AC-8 - Low - CCI-000048 - V-252598 - SV-252598r817964_rule
RMF Control
AC-8
Severity
Low
CCI
CCI-000048
Version
ASP4-SH-060110
Vuln IDs
  • V-252598
Rule IDs
  • SV-252598r817964_rule
Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the login function residing on the network element. The banner must be formatted in accordance with DTM-08-060.

Use the following verbiage for network elements that can accommodate banners of 1300 characters:

"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:

"I've read & consent to terms in IS user agreem't."

This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services offloaded from the application. Publicly accessible systems are used in DoD to provide benefit information, pay information, or public services. There may also be self-registration and authorization services provided by these gateways.

Satisfies: SRG-NET-000041-ALG-000022, SRG-NET-000043-ALG-000024
Checks: C-56054r817962_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Shares default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner. Using a web browser, go to the default IBM Aspera Shares website. If the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.

Fix: F-56004r817963_fix

Configure the IBM Aspera Shares default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Messages" option.
- Enter the Standard Mandatory DoD-approved Notice and Consent Banner in the Login page message box.
- Select "Save" at the bottom of the page.

IBM Aspera Shares must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
IA-2 - Medium - CCI-001948 - V-252599 - SV-252599r831510_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001948
Version
ASP4-SH-060120
Vuln IDs
  • V-252599
Rule IDs
  • SV-252599r831510_rule
For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card.

A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.

An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password.

Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106
Checks: C-56055r817965_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Shares web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.

Fix: F-56005r817966_fix

For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP that implements multi-factor authentication.

IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
AC-7 - Medium - CCI-000044 - V-252600 - SV-252600r831511_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
ASP4-SH-060130
Vuln IDs
  • V-252600
Rule IDs
  • SV-252600r831511_rule
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Checks: C-56056r817968_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Shares locks accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Failed login count" is set to "3" or less.
- Verify the "Failed login interval" is set to "15" or less.

If the "Failed login count" is set to more than "3", this is a finding.

If the "Failed login interval" is set to more than "15" minutes, this is a finding.

Fix: F-56006r817969_fix

Configure IBM Aspera Shares to lock accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Edit the "Failed login count" option to "3" or less.
- Edit the "Failed login interval" option to "15" minutes or less.
- Select "Save" at the bottom of the page.

IBM Aspera Shares must require password complexity features to be enabled.
IA-5 - Medium - CCI-000192 - V-252601 - SV-252601r817973_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
ASP4-SH-060140
Vuln IDs
  • V-252601
Rule IDs
  • SV-252601r817973_rule
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Checks: C-56057r817971_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Shares requires password complexity:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Require strong passwords" option is checked.

If the "Require strong passwords" option is not checked, this is a finding.

If the "Require strong passwords" option is checked, downgrade this requirement to a CAT III.

Fix: F-56007r817972_fix

Configure IBM Aspera Shares to require password complexity:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Put a check in the "Require strong passwords" check box.
- Select "Save" at the bottom of the page.

IBM Aspera Shares must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 - Medium - CCI-000804 - V-252602 - SV-252602r817976_rule
RMF Control
IA-8
Severity
Medium
CCI
CCI-000804
Version
ASP4-SH-060150
Vuln IDs
  • V-252602
Rule IDs
  • SV-252602r817976_rule
Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly. IBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.
Checks: C-56058r817974_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

To ensure that all external recipients of Shares packages must register for an account before they can download packages or files within packages:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option from the left menu.
- Verify that the "Self Registration" option is set to "Moderated" or "None".

If the "Self Registration" option is set to "Unmoderated", this is a finding.

Fix: F-56008r817975_fix

To configure Aspera Shares to authenticate all external recipients of Shares packages before they can download packages or files within packages:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option from the left menu.
- Use the dropdown menu to set the "Self Registration" option to "Moderated" or "None".
- Select "Save" at the bottom of the page.

b
IBM Aspera Shares user account passwords must have a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-252603 - SV-252603r817979_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
ASP4-SH-060160
Vuln IDs
  • V-252603
Rule IDs
  • SV-252603r817979_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change them, there is a risk that passwords could be compromised.
Checks: C-56059r817977_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Shares user account passwords have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Password expiration interval" is set to "60" or less.

If the "Password expiration interval" is greater than "60" or is blank, this is a finding.

Fix: F-56009r817978_fix

Configure IBM Aspera Shares user account passwords to have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Edit the "Password expiration interval" to "60" days or less.
- Select "Save" at the bottom of the page.

c
The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
AC-17 - High - CCI-000068 - V-252604 - SV-252604r817982_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ASP4-SH-060170
Vuln IDs
  • V-252604
Rule IDs
  • SV-252604r817982_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). For implementations using the IBM Aspera Shares feature, the default nginx configuration of Shares has TLS 1.0, 1.1 and 1.2 enabled to support older browsers. Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097
Checks: C-56060r817980_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Shares only uses TLS 1.2 or greater with the following command:

$ sudo grep ssl_protocols /opt/aspera/shares/etc/nginx/nginx.conf
ssl_protocols TLSv1.2;

If the results of the command display versions below "TLSv1.2" (SSLv3, TLSv1, or TLSv1.1), this is a finding.

Note that a commented-out line ("# ssl_protocols ...") also matches the grep but is not active configuration, and that an ssl_protocols directive inside a server block overrides one set at the http level, so every directive the command returns must be reviewed.

Fix: F-56010r817981_fix

Configure IBM Aspera Shares to use TLS 1.2 or greater. Add/Edit the following line in the nginx.conf file located at /opt/aspera/shares/etc/nginx/nginx.conf:

ssl_protocols TLSv1.2;

On an nginx build that supports TLS 1.3, "ssl_protocols TLSv1.2 TLSv1.3;" also satisfies the requirement.

Restart nginx for these changes to take effect:

$ sudo /opt/aspera/shares/sbin/sv restart nginx

b
IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-252605 - SV-252605r817985_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ASP4-SH-060180
Vuln IDs
  • V-252605
Rule IDs
  • SV-252605r817985_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Checks: C-56061r817983_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Shares is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the server with the following command:

$ sudo grep listen /opt/aspera/shares/etc/nginx/nginx.conf
listen 80;
listen [::]:80;
listen 443;
listen [::]:443;

Ask the system administrator for the site or program PPSM Component Local Services Assessment (CLSA). Verify the services configured for use match the PPSM CLSA.

If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Fix: F-56011r817984_fix

Configure the IBM Aspera Shares to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/shares/etc/nginx/nginx.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
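The two Shares checks above (ASP4-SH-060170 and ASP4-SH-060180) both grep nginx.conf by hand. The following script is an added example, not IBM's or DISA's code, that reads the same file and reports both findings at once: any ssl_protocols token below TLSv1.2, and any listen port that is not in the site's PPSM CLSA. It parses directives line by line and skips comment lines, which a plain grep does not; it reads only the file it is given, so any file pulled in by an include directive must be passed separately. The sample configuration and the CLSA allowlist are constructed for the example.

```python
"""Audit an IBM Aspera Shares nginx.conf for TLS protocol and listen-port
findings (added example; parses the main file only, include'd files must be
passed separately)."""
import re
from typing import List, Set

# nginx ssl_protocols tokens that are below TLSv1.2 and therefore a finding.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample resembling the default Shares configuration the text
# describes (TLS 1.0/1.1/1.2 enabled, listeners on 80 and 443).
SAMPLE_NGINX_CONF = """
http {
    server {
        listen 80;
        listen [::]:80;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443;
        listen [::]:443;
        # ssl_protocols TLSv1.2;   commented out: not active configuration
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
"""

# Assumed CLSA allowlist for the example: only HTTPS is approved.
SAMPLE_CLSA_PORTS = {443}


def _directives(conf: str, name: str) -> List[List[str]]:
    """Argument lists of every active `name ...;` directive, one per line,
    ignoring lines that are commented out."""
    pattern = re.compile(r"^\s*" + re.escape(name) + r"\s+([^;]+);")
    found = []
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = pattern.match(line)
        if m:
            found.append(m.group(1).split())
    return found


def weak_tls_protocols(conf: str) -> Set[str]:
    """Protocols below TLSv1.2 enabled by any ssl_protocols directive."""
    weak: Set[str] = set()
    for args in _directives(conf, "ssl_protocols"):
        weak.update(a for a in args if a in WEAK_PROTOCOLS)
    return weak


def listen_ports(conf: str) -> Set[int]:
    """Port numbers from every listen directive, whether written as
    '80', '[::]:443' or '0.0.0.0:8443 ssl'."""
    ports: Set[int] = set()
    for args in _directives(conf, "listen"):
        target = args[0]
        port = target.rsplit(":", 1)[-1] if ":" in target else target
        if port.isdigit():
            ports.add(int(port))
    return ports


def unapproved_ports(conf: str, clsa_ports: Set[int]) -> Set[int]:
    """Listening ports that are not in the PPSM CLSA: each is a finding."""
    return listen_ports(conf) - clsa_ports


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NGINX_CONF
    print("weak TLS protocols:", sorted(weak_tls_protocols(text)) or "none")
    print("listen ports:", sorted(listen_ports(text)))
    print("not in CLSA:", sorted(unapproved_ports(text, SAMPLE_CLSA_PORTS)) or "none")
```

Run it with the real path (`python3 audit_nginx.py /opt/aspera/shares/etc/nginx/nginx.conf`) and replace SAMPLE_CLSA_PORTS with the ports from the site's CLSA; on the constructed sample it reports TLSv1 and TLSv1.1 as weak and port 80 as not approved.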

b
IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
IA-2 - Medium - CCI-000764 - V-252606 - SV-252606r831512_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ASP4-SH-060190
Vuln IDs
  • V-252606
Rule IDs
  • SV-252606r831512_rule
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication. 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway. Refer to the IBM Aspera Shares Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Shares User Field, and required format within the assertion. For security best practices, also ensure that the system hosting IBM Aspera Shares uses Network Time Protocol or another system to keep times synchronized with the IdP/SAML Provider providing the SAML assertions. Clock drift between the IBM Aspera Shares server and the IdP/SAML Provider will cause assertions to be evaluated as expired (or not yet valid) and rejected, so users will be unable to authenticate to IBM Aspera Shares. Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095
Checks: C-56062r817986_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Using a web browser, navigate to the default IBM Aspera Shares web page. Attempt to authenticate using the IdP provided under the "SAML" heading of the login page with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.

If unable to log in using known working credentials, this is a finding.

Fix: F-56012r817987_fix

For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Go to "Accounts".
- Select the "Directories" option from the left menu.
- Beside the SAML IdP entry, click "Edit".
- To enable SAML, select the check box "Log in using the SAML Identity Provider".
- Enter the SAML entry-point address provided by the IdP in the "IdP Single Sign-On URL" text box.
- Enter the "Identity Provider Certificate Fingerprint" and specify the algorithm type in the dropdown menu.
- Enter the "Identity Provider Certificate".
- Select "Save" at the bottom of the page.

c
IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
AC-17 - High - CCI-001453 - V-252607 - SV-252607r831513_rule
RMF Control
AC-17
Severity
High
CCI
CCI-001453
Version
ASP4-SH-060200
Vuln IDs
  • V-252607
Rule IDs
  • SV-252607r831513_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Checks: C-56063r817989_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Ensure that encryption is required for all transfers by the IBM Aspera Shares:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Verify the "Encryption" option is set to at least "AES-128".

If the "Encryption" option is set to "optional" or not set, this is a finding.

Fix: F-56013r817990_fix

Configure the system to require encryption for all transfers by the IBM Aspera Shares:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Select an encryption level of "AES-128" or greater from the "Encryption" dropdown menu.
- Select "Save" at the bottom of the page.

b
IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
SC-28 - Medium - CCI-001199 - V-252608 - SV-252608r831514_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-001199
Version
ASP4-SH-060210
Vuln IDs
  • V-252608
Rule IDs
  • SV-252608r831514_rule
Without cryptographic protection of information at rest, data stored on the IBM Aspera Shares server can be read or altered without detection by anyone who obtains access to the underlying storage, whether through the host operating system, backups, or removed media. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. Cryptographic mechanisms used for protecting information at rest include, for example, encrypting stored content under a key or passphrase that is not held alongside the content, so that access to the storage alone does not disclose it. In IBM Aspera Shares, setting the "Encryption at rest" transfer option to "Required" enforces this for every transfer Shares manages, rather than leaving it to the discretion of each client ("Optional").
Checks: C-56064r817992_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the IBM Aspera Shares implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Verify the "Encryption at rest" option is set to "Required".

If the "Encryption at rest" option is set to "Optional" or is not set, this is a finding.

Fix: F-56014r817993_fix

Configure the IBM Aspera Shares to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Set the "Encryption at rest" option to "Required".
- Select "Save" at the bottom of the page.

b
IBM Aspera Shares must protect audit information from unauthorized deletion.
AU-9 - Medium - CCI-000162 - V-252609 - SV-252609r817997_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
ASP4-SH-060220
Vuln IDs
  • V-252609
Rule IDs
  • SV-252609r817997_rule
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This requirement does not apply to audit logs generated on behalf of the device itself (device management). Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058
Checks: C-56065r817995_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify that the log files for IBM Aspera Shares have no world access:

$ sudo find /opt/aspera/shares/u/stats-collector/var/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
$ sudo find /opt/aspera/shares/u/shares/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
$ sudo find /opt/aspera/shares/var/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print

If results are returned from the above commands, this is a finding.

Fix: F-56015r817996_fix

Remove world access from any IBM Aspera Shares log file that has world permissions granted:

$ sudo chmod o-rwx <placefilenamehere>

b
The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252610 - SV-252610r831515_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-SH-060230
Vuln IDs
  • V-252610
Rule IDs
  • SV-252610r831515_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56066r817998_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is group-owned by nobody with the following command:

$ sudo stat -c "%G" /opt/aspera/shares/u/shares/config/aspera/secret.rb
nobody

If "nobody" is not returned as a result, this is a finding.

Fix: F-56016r817999_fix

Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be group-owned by nobody with the following command:

$ sudo chgrp nobody /opt/aspera/shares/u/shares/config/aspera/secret.rb

b
The IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252611 - SV-252611r831516_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-SH-060240
Vuln IDs
  • V-252611
Rule IDs
  • SV-252611r831516_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56067r818001_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is owned by nobody with the following command:

$ sudo stat -c "%U" /opt/aspera/shares/u/shares/config/aspera/secret.rb
nobody

If "nobody" is not returned as a result, this is a finding.

Fix: F-56017r818002_fix

Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be owned by nobody with the following command:

$ sudo chown nobody /opt/aspera/shares/u/shares/config/aspera/secret.rb

b
The IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252612 - SV-252612r831517_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-SH-060250
Vuln IDs
  • V-252612
Rule IDs
  • SV-252612r831517_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Checks: C-56068r818004_chk

If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file has a mode of "0400" or less permissive with the following command:

$ sudo stat -c "%a %n" /opt/aspera/shares/u/shares/config/aspera/secret.rb
400 /opt/aspera/shares/u/shares/config/aspera/secret.rb

If the resulting mode is more permissive than "0400", this is a finding.

Fix: F-56018r818005_fix

Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to have a mode of "0400" or less permissive with the following command:

$ sudo chmod 0400 /opt/aspera/shares/u/shares/config/aspera/secret.rb
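The four file-permission checks above (world access on the log directories, ASP4-SH-060220, and owner, group and mode of secret.rb, ASP4-SH-060230 through ASP4-SH-060250) can be run and remediated together. The following script is an added example, not IBM's or DISA's code. It reproduces the find -perm test with os.lstat, applies the chmod o-rwx fix, and evaluates the key file against an expected owner, group and maximum mode; "0400 or less permissive" is interpreted as "no permission bit set that 0400 does not grant". The paths are parameters, so the demo() function exercises the checks on a constructed temporary tree rather than on the real locations under /opt/aspera/shares.

```python
"""Audit IBM Aspera Shares log files for world access and the secret.rb key
file for owner/group/mode (added example; real paths are the three log
directories and /opt/aspera/shares/u/shares/config/aspera/secret.rb)."""
import grp
import pwd
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# The same bits `find -perm -0004 -o -perm -0002 -o -perm -0001` tests for.
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def owner_name(uid: int) -> str:
    """User name for a uid, or the number if the uid has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def group_name(gid: int) -> str:
    """Group name for a gid, or the number if the gid has no group entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def world_accessible(log_dirs: List[Path]) -> List[Path]:
    """Every directory or file under log_dirs with any world bit set.
    lstat is used so symlinks are judged like find does without -L."""
    hits = []
    for root in log_dirs:
        for p in [root, *root.rglob("*")]:
            if p.lstat().st_mode & WORLD_BITS:
                hits.append(p)
    return sorted(hits)


def strip_world_access(paths: List[Path]) -> None:
    """The fix: chmod o-rwx on each offending path (symlinks are skipped)."""
    for p in paths:
        if not p.is_symlink():
            p.chmod(stat.S_IMODE(p.lstat().st_mode) & ~WORLD_BITS)


def key_file_findings(path: Path, owner: str = "nobody", group: str = "nobody",
                      max_mode: int = 0o400) -> List[str]:
    """Reasons the key file fails the owner, group and mode checks; an empty
    list means compliant."""
    st = path.lstat()
    problems = []
    if owner_name(st.st_uid) != owner:
        problems.append(f"owner is {owner_name(st.st_uid)}, expected {owner}")
    if group_name(st.st_gid) != group:
        problems.append(f"group is {group_name(st.st_gid)}, expected {group}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:  # any bit that max_mode does not grant
        problems.append(f"mode is {mode:04o}, more permissive than {max_mode:04o}")
    return problems


def demo() -> Dict[str, object]:
    """Run both checks over a constructed tree in a temporary directory.
    The files are sample data created here, not a real Shares install."""
    with tempfile.TemporaryDirectory() as d:
        logs = Path(d) / "log"
        logs.mkdir()
        logs.chmod(0o750)
        (logs / "access.log").write_text("constructed log line\n")
        (logs / "access.log").chmod(0o644)   # world-readable: a finding
        (logs / "shares.log").write_text("constructed log line\n")
        (logs / "shares.log").chmod(0o640)   # compliant
        before = [p.name for p in world_accessible([logs])]
        strip_world_access(world_accessible([logs]))
        after = [p.name for p in world_accessible([logs])]

        key = Path(d) / "secret.rb"           # stand-in for the real key file
        key.write_text("# constructed stand-in for secret.rb\n")
        key.chmod(0o400)
        me, my_group = owner_name(key.lstat().st_uid), group_name(key.lstat().st_gid)
        loose = Path(d) / "secret_loose.rb"
        loose.write_text("# constructed\n")
        loose.chmod(0o640)
        return {
            "world_before": before,
            "world_after": after,
            "key_ok": key_file_findings(key, owner=me, group=my_group),
            "key_loose": key_file_findings(loose, owner=me, group=my_group),
            "key_wrong_owner": key_file_findings(key, owner="no-such-user", group=my_group),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against a real installation, call world_accessible() with the three log directories from the check and key_file_findings() with the secret.rb path and the default owner and group of nobody; the demo uses the invoking user's own name and group for the "compliant" case so that it runs without root.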

c
The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.
AC-17 - High - CCI-000068 - V-252613 - SV-252613r818009_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ASP4-TE-030100
Vuln IDs
  • V-252613
Rule IDs
  • SV-252613r818009_rule
SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol thus are in scope for this requirement. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-56069r818007_chk

Verify IBM Aspera High-Speed Transfer Endpoint only uses TLS 1.2 or greater with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1.2"

If both entries do not return "tlsv1.2" or greater, this is a finding.

Fix: F-56019r818008_fix

Configure the IBM Aspera High-Speed Transfer Endpoint SSL security protocol to TLS version 1.2 or higher:

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2"
$ sudo /opt/aspera/bin/asconfigurator -x "set_client_data;ssl_protocol,tlsv1.2"

Restart the IBM Aspera Node service to activate the changes:

$ sudo systemctl restart asperanoded.service

b
The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-252614 - SV-252614r818012_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ASP4-TE-030110
Vuln IDs
  • V-252614
Rule IDs
  • SV-252614r818012_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Checks: C-56070r818010_chk

Verify the IBM Aspera High-Speed Transfer Endpoint is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the HSTE with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep port:
transfer_protocol_options_bind_udp_port: "33001"
trunk_mcast_port: "0"
trunk_mcast_port: "0"
port: "4406"
port: "40001"
mgmt_port: "0"
http_port: "8080"
https_port: "8443"
http_port: "9091"
https_port: "9092"
ssh_port: "33001"
db_port: "31415"
scalekv_sstore_port: "31415"
scalekv_baseport: "43001"
aej_port: "0"
rproxy_rules_rule_proxy_port: "33001"
initd_db_port: "31416"
wss_port: "9093"

Ask the system administrator for the site or program PPSM Component Local Services Assessment (CLSA). Verify the services configured for use match the PPSM CLSA. A value of "0" means the corresponding service is not bound to a port.

If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Fix: F-56020r818011_fix

Configure the IBM Aspera High-Speed Transfer Endpoint to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.

b
The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions.
SC-23 - Medium - CCI-001184 - V-252615 - SV-252615r818015_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
ASP4-TE-030120
Vuln IDs
  • V-252615
Rule IDs
  • SV-252615r818015_rule
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).
Checks: C-56071r818013_chk

For implementations using the IBM Aspera High-Speed Transfer Endpoint, check for an <ssh_host_key_fingerprint> entry within the <server> section of the IBM Aspera High-Speed Transfer Endpoint installation configuration file at /opt/aspera/etc/aspera.conf using the following command:

$ sudo grep ssh_host_key_fingerprint /opt/aspera/etc/aspera.conf

If the command does not return XML containing the fingerprint, this is a finding.

Test that the certificate used by the Aspera Node service is a valid signed certificate (not self-signed) by running the following command after substituting the FQDN for "servername" (9092 is the HTTPS port of the Node service):

$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092

Review the "issuer=" line of the certificate chain that s_client prints. If the certificate is not DoD issued, this is a finding.

Fix: F-56021r818014_fix

For implementations using the IBM Aspera High-Speed Transfer Endpoint, configure the host key fingerprint using the following procedure:

1. Retrieve the server's SHA-1 fingerprint using the following command:

$ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum

sha1sum prints the 40-character hexadecimal hash followed by "  -" (its name for standard input); use only the hash in the next step.

2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the hash returned from the previous command for "INSERTFINGERPRINTHERE":

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE"

3. Restart the IBM Aspera Node service to activate the change using the following command:

$ sudo systemctl restart asperanoded.service

Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High-Speed Transfer Endpoint according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide. Restart the IBM Aspera Node service to activate the change to the certificate using the following command:

$ sudo systemctl restart asperanoded.service
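The fix above derives the fingerprint with a pipeline and pastes it into aspera.conf by hand, which is where the two common mistakes happen: the trailing "  -" from sha1sum gets pasted in, or the host key is later regenerated and the configured value silently goes stale. The following script is an added example, not IBM's or DISA's code, that recomputes the SHA-1 of the base64-decoded key blob exactly as the pipeline does and compares it with the <server>/<ssh_host_key_fingerprint> element, accepting only a clean 40-hex-digit value. The public key line and the aspera.conf snippet are constructed for the example (the key blob is a tiny synthetic RSA key structure, not a usable key); real input is /etc/ssh/ssh_host_rsa_key.pub and /opt/aspera/etc/aspera.conf.

```python
"""Check that aspera.conf's ssh_host_key_fingerprint matches the SHA-1 of
the host's RSA public key (added example; sample key and config are
constructed)."""
import base64
import hashlib
import re
import struct
import xml.etree.ElementTree as ET
from typing import Optional


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed key blob in OpenSSH RSA wire format: string "ssh-rsa",
# mpint e, mpint n. The values are synthetic and far too small to be real.
_BLOB = (_ssh_string(b"ssh-rsa")
         + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00\xc3" + bytes(range(1, 33))))
SAMPLE_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " root@hste.example"

# Minimal aspera.conf shape with the element the check greps for.
CONF_TEMPLATE = """<CONF version="2">
  <server>
    <ssh_host_key_fingerprint>{fp}</ssh_host_key_fingerprint>
  </server>
</CONF>
"""


def fingerprint_from_pubkey_line(line: str) -> str:
    """SHA-1 hex of the base64-decoded key blob (field 2 of the .pub line):
    what `awk '{print $2}' | base64 -d | sha1sum` prints, minus the
    trailing '  -' sha1sum appends for standard input."""
    fields = line.split()
    if len(fields) < 2 or not fields[0].startswith("ssh-"):
        raise ValueError("not an OpenSSH public key line")
    return hashlib.sha1(base64.b64decode(fields[1])).hexdigest()


def configured_fingerprint(aspera_conf: str) -> Optional[str]:
    """Text of <server>/<ssh_host_key_fingerprint>, or None if absent."""
    node = ET.fromstring(aspera_conf).find("./server/ssh_host_key_fingerprint")
    return node.text.strip() if node is not None and node.text else None


def host_key_matches(pubkey_line: str, aspera_conf: str) -> bool:
    """True only when the configured value is a clean 40-hex SHA-1 equal to
    the host key's. A missing element, a pasted '  -' or any other stray
    formatting fails the comparison and is a finding."""
    configured = configured_fingerprint(aspera_conf)
    if configured is None or not re.fullmatch(r"[0-9a-fA-F]{40}", configured):
        return False
    return configured.lower() == fingerprint_from_pubkey_line(pubkey_line)


# Sample configuration carrying the correct fingerprint for the sample key.
SAMPLE_CONF = CONF_TEMPLATE.format(fp=fingerprint_from_pubkey_line(SAMPLE_PUBKEY_LINE))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        key_line = open(sys.argv[1]).readline()
        conf = open(sys.argv[2]).read()
    else:
        key_line, conf = SAMPLE_PUBKEY_LINE, SAMPLE_CONF
    print("host key fingerprint :", fingerprint_from_pubkey_line(key_line))
    print("configured fingerprint:", configured_fingerprint(conf))
    print("match:", host_key_matches(key_line, conf))
```

Run as `sudo python3 check_fp.py /etc/ssh/ssh_host_rsa_key.pub /opt/aspera/etc/aspera.conf`; a mismatch after a host key rotation means the asconfigurator step of the fix must be repeated with the new hash.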

c
The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
AC-17 - High - CCI-000068 - V-252616 - SV-252616r831518_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ASP4-TE-030140
Vuln IDs
  • V-252616
Rule IDs
  • SV-252616r831518_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Checks: C-56072r818016_chk

Ensure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Endpoint with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep fips
transfer_encryption_fips_mode: "true"

If results are blank or fips mode is reported as "false", this is a finding.

Fix: F-56022r818017_fix

For implementations using IBM Aspera High-Speed Transfer Endpoint, configure FIPS compliance criteria for all transfers by executing the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true"

Restart the IBM Aspera Node service to activate the changes:

$ sudo systemctl restart asperanoded.service
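Three of the HSTE checks above grep the same `asuserdata -a` dump: the two ssl_protocol entries (ASP4-TE-030100), the port inventory against the PPSM CLSA (ASP4-TE-030110) and transfer_encryption_fips_mode (ASP4-TE-030140). The following script is an added example, not IBM's or DISA's code, that parses the `key: "value"` line format shown in those checks once and evaluates all three. The sample dump is constructed from the values the page lists, with the client ssl_protocol lowered and FIPS mode set to false so that the findings are visible; the CLSA allowlist is an assumption for the example.

```python
"""Audit an `asuserdata -a` dump from an IBM Aspera High-Speed Transfer
Endpoint for TLS version, PPSM port inventory and FIPS mode (added example;
the dump and the CLSA allowlist are constructed)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the port lines from the check above plus a downgraded
# client ssl_protocol and FIPS mode disabled, so every check has a finding.
SAMPLE_DUMP = """\
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1"
transfer_protocol_options_bind_udp_port: "33001"
trunk_mcast_port: "0"
port: "4406"
port: "40001"
mgmt_port: "0"
http_port: "8080"
https_port: "8443"
http_port: "9091"
https_port: "9092"
ssh_port: "33001"
db_port: "31415"
scalekv_sstore_port: "31415"
scalekv_baseport: "43001"
aej_port: "0"
rproxy_rules_rule_proxy_port: "33001"
initd_db_port: "31416"
wss_port: "9093"
transfer_encryption_fips_mode: "false"
"""

# Assumed CLSA for the example: the web listeners on 8080/8443/9091 are not approved.
SAMPLE_CLSA_PORTS = {33001, 4406, 40001, 9092, 9093, 31415, 31416, 43001}

ACCEPTED_TLS = {"tlsv1.2", "tlsv1.3"}

_LINE = re.compile(r'^\s*([A-Za-z0-9_]+):\s*"([^"]*)"\s*$')


def parse_asuserdata(dump: str) -> List[Tuple[str, str]]:
    """(key, value) pairs in file order; repeated keys (server and client
    sections both carry ssl_protocol, for example) are all kept."""
    pairs = []
    for line in dump.splitlines():
        m = _LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def ssl_protocol_findings(pairs: List[Tuple[str, str]]) -> List[str]:
    """Findings for ASP4-TE-030100: any ssl_protocol below tlsv1.2, or fewer
    than the two (server and client) entries the check expects."""
    values = [v.lower() for k, v in pairs if k == "ssl_protocol"]
    findings = [f"ssl_protocol {v!r} is below tlsv1.2" for v in values if v not in ACCEPTED_TLS]
    if len(values) < 2:
        findings.append(f"expected server and client ssl_protocol entries, found {len(values)}")
    return findings


def active_ports(pairs: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Port number -> keys bound to it, for every *port key with a non-zero
    value ("0" means the service is not bound to a port)."""
    ports: Dict[int, List[str]] = {}
    for k, v in pairs:
        if k.endswith("port") and v.isdigit() and int(v) != 0:
            ports.setdefault(int(v), []).append(k)
    return ports


def unapproved_ports(pairs: List[Tuple[str, str]], clsa_ports: Set[int]) -> Set[int]:
    """Findings for ASP4-TE-030110: bound ports absent from the PPSM CLSA."""
    return set(active_ports(pairs)) - clsa_ports


def fips_mode_enabled(pairs: List[Tuple[str, str]]) -> bool:
    """ASP4-TE-030140: compliant only if the key is present and every
    occurrence is "true" (blank output or "false" is a finding)."""
    values = [v.lower() for k, v in pairs if k == "transfer_encryption_fips_mode"]
    return bool(values) and all(v == "true" for v in values)


if __name__ == "__main__":
    import sys
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    pairs = parse_asuserdata(dump)
    print("TLS findings :", ssl_protocol_findings(pairs) or "none")
    print("bound ports  :", sorted(active_ports(pairs)))
    print("not in CLSA  :", sorted(unapproved_ports(pairs, SAMPLE_CLSA_PORTS)) or "none")
    print("FIPS mode    :", "enabled" if fips_mode_enabled(pairs) else "FINDING: disabled")
```

Feed it the live dump with `sudo /opt/aspera/bin/asuserdata -a | python3 audit_hste.py`, after replacing SAMPLE_CLSA_PORTS with the ports from the site's CLSA.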

b
The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).
SC-28 - Medium - CCI-002475 - V-252617 - SV-252617r831519_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
ASP4-TE-030150
Vuln IDs
  • V-252617
Rule IDs
  • SV-252617r831519_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. The askmscli tool sets content-protection secrets only for each user, not for groups and not for all users on a node. Each transfer user requires their own content-protection secret for SSEAR.
Checks: C-56073r818019_chk

Verify the IBM High-Speed Transfer Endpoint enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -H ssear
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

If the command returns "No records found for ssear", this is a finding.

Fix: F-56023r818020_fix

Configure the IBM High-Speed Transfer Endpoint to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -s ssear

b
The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database.
AC-3 - Medium - CCI-000213 - V-252618 - SV-252618r818024_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ASP4-TE-030160
Vuln IDs
  • V-252618
Rule IDs
  • SV-252618r818024_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. System administrators can set a secure password for clients to authenticate with a Redis database. When the authorization layer is enabled, Redis refuses any query by unauthenticated clients. A client can authenticate itself by sending the AUTH command followed by the password.
Checks: C-56074r818022_chk

Verify the IBM High-Speed Transfer Endpoint enables password protection of the node database with the following commands:

Initiate a CLI connection to the node database.

$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>

Type "info" in the CLI to attempt to query the database.

127.0.0.1:31415> info
NOAUTH Authentication required.

If the command results do not state "Authentication required", this is a finding.

Fix: F-56024r818023_fix

Configure the IBM High-Speed Transfer Endpoint to enable password protection of the node database.

Temporarily change the ownership of the Redis configuration file aspera_31415.conf to the user asperadaemon with the following command:

$ sudo chown asperadaemon /opt/aspera/etc/Redis/aspera_31415.conf

Update the configuration file to save the password across reboots with the following commands:

$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415> CONFIG SET REQUIREPASS <password>
OK
127.0.0.1:31415> AUTH <password>
OK
127.0.0.1:31415> CONFIG REWRITE
OK
127.0.0.1:31415> quit

Restore aspera_31415.conf ownership to root with the following command:

$ sudo chown root /opt/aspera/etc/Redis/aspera_31415.conf

Create the node database password with the following command:

$ sudo /opt/aspera/bin/askmscli -s Redis-password

Store the node database password in the transfer user and asperadaemon keystores with the following commands:

$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon

b
The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key.
AC-17 - Medium - CCI-001453 - V-252619 - SV-252619r831520_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
ASP4-TE-030170
Vuln IDs
  • V-252619
Rule IDs
  • SV-252619r831520_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. The master key must be a unique random 256-bit key. The example below uses openssl to generate the key. This Redis master key will be used to encrypt the dynamic token encryption key. Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Checks: C-56075r818025_chk

Verify the IBM High-Speed Transfer Endpoint has a master-key set to encrypt the dynamic token encryption key with the following commands:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

$ sudo /opt/aspera/bin/askmscli -u asperadaemon -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

If either command returns "No records found for Redis-master-key", this is a finding.

Fix: F-56025r818026_fix

Configure the IBM High-Speed Transfer Endpoint to set a master-key to encrypt the dynamic token encryption key with the following command:

$ sudo echo -n "`openssl rand -base64 32`" | sudo /opt/aspera/bin/askmscli -s Redis-master-key

For each transfer user with a token encryption key, initialize the user's keystore with the following command:

$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>

Initialize the keystore for the asperadaemon user that runs asperanoded with the following command:

$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

b
The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
AC-10 - Medium - CCI-000054 - V-252620 - SV-252620r818030_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
ASP4-TE-030180
Vuln IDs
  • V-252620
Rule IDs
  • SV-252620r818030_rule
Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of concurrent sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services. The number of incoming transfer requests to the IBM Aspera High-Speed Transfer Endpoint permitted via a POST to the REST service can be limited by the "transfer_manager_max_concurrent_sessions" setting in aspera.conf.
Checks: C-56076r818028_chk

Verify the IBM Aspera High-Speed Transfer Endpoint limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep concurrent
transfer_manager_max_concurrent_sessions: "20"

If the value returned (in this example 20 is the default) is not an organization-defined number, this is a finding.

Fix: F-56026r818029_fix

Configure the IBM Aspera High-Speed Transfer Endpoint to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data; transfer_manager_max_concurrent_sessions,<insertorganizationvaluehere>"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

b
The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text.
SC-28 - Medium - CCI-002475 - V-252621 - SV-252621r831521_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
ASP4-TE-030190
Vuln IDs
  • V-252621
Rule IDs
  • SV-252621r831521_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that you do not store content-protection secrets in aspera.conf.
Checks: C-56077r818031_chk

Verify the IBM High-Speed Transfer Endpoint does not store group content-protection secrets in plain text. For each group, run the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -g <groupname> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.

Fix: F-56027r818032_fix

Configure the IBM High-Speed Transfer Endpoint to not store group content-protection secrets in plain text. For each group, remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_group_data; group_name,<groupname>; transfer_encryption_content_protection_secret,AS_NULL"

b
The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text.
SC-28 - Medium - CCI-002475 - V-252622 - SV-252622r831522_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
ASP4-TE-030200
Vuln IDs
  • V-252622
Rule IDs
  • SV-252622r831522_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that you do not store content-protection secrets in aspera.conf.
Checks: C-56078r818034_chk

Verify the IBM High-Speed Transfer Endpoint does not store node content-protection secrets in plain text with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.

Fix: F-56028r818035_fix

Configure the IBM High-Speed Transfer Endpoint to not store node content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data; transfer_encryption_content_protection_secret,AS_NULL"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

b
The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text.
SC-28 - Medium - CCI-002475 - V-252623 - SV-252623r831523_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
ASP4-TE-030210
Vuln IDs
  • V-252623
Rule IDs
  • SV-252623r831523_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that you do not store content-protection secrets in aspera.conf.
Checks: C-56079r818037_chk

Verify the IBM High-Speed Transfer Endpoint does not store user content-protection secrets in plain text. For each user, run the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -u <username> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.

Fix: F-56029r818038_fix

Configure the IBM High-Speed Transfer Endpoint to not store user content-protection secrets in plain text. For each user, remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

b
The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default.
AC-3 - Medium - CCI-000213 - V-252624 - SV-252624r818042_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ASP4-TE-030220
Vuln IDs
  • V-252624
Rule IDs
  • SV-252624r818042_rule
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. The IBM Aspera High Speed Transfer Endpoint inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Checks: C-56080r818040_chk

Verify the Aspera High-Speed Transfer Endpoint restricts users from using transfer services by default with the following command. Check that the aspera.conf file is configured to deny transfer in and out by default.

$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"

If the results produce an "allow" value, this is a finding.

Fix: F-56030r818041_fix

Configure the Aspera High-Speed Transfer Endpoint to restrict users from using transfer services by default with the following commands:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

b
The IBM Aspera High-Speed Transfer Endpoint must restrict users read, write, and browse permissions by default.
AC-3 - Medium - CCI-000213 - V-252625 - SV-252625r818045_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ASP4-TE-030230
Vuln IDs
  • V-252625
Rule IDs
  • SV-252625r818045_rule
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. The IBM Aspera High Speed Transfer Endpoint inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Checks: C-56081r818043_chk

Verify the IBM Aspera High-Speed Transfer Endpoint restricts users' read, write, and browse permissions by default with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"

If no results are returned or if the results produce a "true" value, this is a finding.

Fix: F-56031r818044_fix

Configure the IBM Aspera High-Speed Transfer Endpoint to restrict users' read, write, and browse permissions by default with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

b
The IBM Aspera High-Speed Transfer Endpoint must prohibit the use of cached authenticators after an organization-defined time period.
IA-5 - Medium - CCI-002007 - V-252626 - SV-252626r831524_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
ASP4-TE-030240
Vuln IDs
  • V-252626
Rule IDs
  • SV-252626r831524_rule
If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).
Checks: C-56082r818046_chk

Verify the IBM Aspera High-Speed Transfer Endpoint prohibits the use of cached authenticators after an organization-defined time period with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life'
token_life_seconds: "86400"

Note: The example token life is for one day; this number must be defined by the organization.

If no result is returned or if the result is not an organization-defined time period, this is a finding.

Fix: F-56032r818047_fix

Configure the IBM Aspera High-Speed Transfer Endpoint to prohibit the use of cached authenticators after an organization-defined time period with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_life_seconds,86400"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

c
The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52.
AC-17 - High - CCI-000068 - V-252627 - SV-252627r818051_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ASP4-TS-020100
Vuln IDs
  • V-252627
Rule IDs
  • SV-252627r818051_rule
SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol thus are in scope for this requirement. NIST SP 800-52 specifies the preferred configurations for government systems.
Checks: C-56083r818049_chk

Verify the IBM Aspera High-Speed Transfer Server only uses TLS 1.2 or greater with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1.2"

If both entries do not return "tlsv1.2" or greater, this is a finding.

Fix: F-56033r818050_fix

Configure the IBM Aspera High-Speed Transfer Server SSL security protocol to TLS version 1.2 or higher:

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2"
$ sudo /opt/aspera/bin/asconfigurator -x "set_client_data;ssl_protocol,tlsv1.2"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

b
The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-252628 - SV-252628r818054_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ASP4-TS-020110
Vuln IDs
  • V-252628
Rule IDs
  • SV-252628r818054_rule
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols, or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older versions of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Checks: C-56084r818052_chk

Verify the IBM Aspera High-Speed Transfer Server is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the HSTS with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep port:
transfer_protocol_options_bind_udp_port: "33001"
trunk_mcast_port: "0"
trunk_mcast_port: "0"
port: "4406"
port: "40001"
mgmt_port: "0"
http_port: "8080"
https_port: "8443"
http_port: "9091"
https_port: "9092"
ssh_port: "33001"
db_port: "31415"
scalekv_sstore_port: "31415"
scalekv_baseport: "43001"
aej_port: "0"
rproxy_rules_rule_proxy_port: "33001"
initd_db_port: "31416"
wss_port: "9093"

Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).

If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Fix: F-56034r818053_fix

Configure the IBM Aspera High-Speed Transfer Server to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.

b
The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.
SC-23 - Medium - CCI-001184 - V-252629 - SV-252629r818057_rule
RMF Control
SC-23
Severity
Medium
CCI
CCI-001184
Version
ASP4-TS-020120
Vuln IDs
  • V-252629
Rule IDs
  • SV-252629r818057_rule
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).
Checks: C-56085r818055_chk

For implementations using IBM Aspera High-Speed Transfer Server, check for an <ssh_host_key_fingerprint> entry within the <server> section of the IBM Aspera High-Speed Transfer Server installation configuration file at /opt/aspera/etc/aspera.conf using the following command:

$ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint

If the command does not return XML containing the fingerprint, this is a finding.

Test that the certificate used by the Aspera Node service is a valid signed certificate (not self-signed) by running the following command after substituting the FQDN for "servername":

$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092

If the certificate is not DoD issued, this is a finding.

Fix: F-56035r818056_fix

For implementations using the IBM Aspera High Speed Transfer Server, configure the host key fingerprint using the following procedure:

1. Retrieve the server's SHA-1 fingerprint using the following command:

$ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum

2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the string returned from the previous command for "INSERTFINGERPRINTHERE":

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE"

3. Restart the IBM Aspera Node service to activate the change using the following command:

$ sudo systemctl restart asperanoded.service

Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High Speed Transfer Server according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide. Restart the IBM Aspera Node service to activate the change to the certificate using the following command:

$ sudo systemctl restart asperanoded.service
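The fingerprint set in step 2 is only useful while it still matches the host key actually in use, so a recurring check should recompute it and compare. The script below is an added example, not part of the STIG or of IBM's tooling; it computes the SHA-1 the same way as step 1, reads the <ssh_host_key_fingerprint> element from aspera.conf with sed (assuming the element and its value sit on one line), and reports a finding on absence or mismatch. The key file used in the demo is constructed, not a real SSH key.

```shell
#!/bin/sh
# Added example (not from the STIG or IBM): confirm that the fingerprint stored in
# aspera.conf matches the host's current SSH public key, so a rotated host key
# shows up as a finding. On a real node:
#   check_host_key_fingerprint /etc/ssh/ssh_host_rsa_key.pub /opt/aspera/etc/aspera.conf

# Print the 40-hex-character SHA-1 fingerprint of an OpenSSH public key file,
# computed as in the fix above: base64-decode the key blob (field 2), sha1sum it.
host_key_fingerprint() {
  awk 'NR == 1 { print $2 }' "$1" | base64 -d | sha1sum | awk '{ print $1 }'
}

# Print the value of the first <ssh_host_key_fingerprint> element in aspera.conf
# (empty if the element is absent; assumes open tag, value and close tag on one line).
configured_fingerprint() {
  sed -n 's/.*<ssh_host_key_fingerprint>\([^<]*\)<\/ssh_host_key_fingerprint>.*/\1/p' "$1" | head -n 1
}

# $1 = public key file, $2 = aspera.conf. Returns 0 on match, 1 on a finding.
check_host_key_fingerprint() {
  live=$(host_key_fingerprint "$1")
  conf=$(configured_fingerprint "$2")
  if [ -z "$conf" ]; then
    echo "FINDING: no <ssh_host_key_fingerprint> entry in $2"
    return 1
  fi
  if [ "$conf" != "$live" ]; then
    echo "FINDING: configured fingerprint $conf does not match host key $live"
    return 1
  fi
  echo "OK: ssh_host_key_fingerprint matches $1"
  return 0
}

# Demo with a constructed key file whose "blob" is base64("abc"). This is not a
# real SSH key; it only exercises the pipeline with a known SHA-1 value.
demo_dir=$(mktemp -d)
printf 'ssh-rsa YWJj constructed@example\n' > "$demo_dir/key.pub"
cat > "$demo_dir/aspera.conf" <<EOF
<CONF version="2">
  <server>
    <ssh_host_key_fingerprint>$(host_key_fingerprint "$demo_dir/key.pub")</ssh_host_key_fingerprint>
  </server>
</CONF>
EOF
check_host_key_fingerprint "$demo_dir/key.pub" "$demo_dir/aspera.conf"
rm -rf "$demo_dir"
```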

c
The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
AC-17 - High - CCI-000068 - V-252630 - SV-252630r831525_rule
RMF Control
AC-17
Severity
High
CCI
CCI-000068
Version
ASP4-TS-020140
Vuln IDs
  • V-252630
Rule IDs
  • SV-252630r831525_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Checks: C-56086r818058_chk

Ensure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Server with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep fips
transfer_encryption_fips_mode: "true"

If results are blank or FIPS mode is reported as "false", this is a finding.

Fix: F-56036r818059_fix

For implementations using IBM Aspera High-Speed Transfer Server, require FIPS compliance for all transfers by executing the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
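Most of the checks above (FIPS mode, node content-protection secret, default transfer authorization, read/write/browse permissions, concurrent sessions, token life, ssl_protocol) read the same asuserdata -a dump, so they can be evaluated in one pass. The script below is an added example, not part of the STIG or of IBM's tooling; it assumes a dump in the key: "value" line form shown in the checks, takes the organization-defined session limit and token life as arguments, and labels findings with the rule versions from this guide. The dump in the demo is constructed, not real node output.

```shell
#!/bin/sh
# Added example (not from the STIG or IBM): re-audit the asuserdata-based checks
# from one captured dump. On a real node:
#   sudo /opt/aspera/bin/asuserdata -a > /tmp/asuserdata.txt
#   audit_asuserdata /tmp/asuserdata.txt 20 86400
# The numbers are the organization-defined concurrent-session limit and token
# life in seconds (the STIG shows 20 and 86400 as examples, not required values).

# Print every value of a key, one per line, from lines of the form  key: "value".
conf_values() {
  awk -v k="$2" '$1 == (k ":") { gsub(/"/, "", $2); print $2 }' "$1"
}

# Finding if the key is absent or any occurrence differs from the expected value.
# $1 dump file, $2 key, $3 expected value, $4 rule version for the message.
expect_all() {
  vals=$(conf_values "$1" "$2")
  if [ -z "$vals" ]; then
    echo "FINDING $4: $2 not present in dump"
    return 1
  fi
  for v in $vals; do
    if [ "$v" != "$3" ]; then
      echo "FINDING $4: $2 is \"$v\", expected \"$3\""
      return 1
    fi
  done
  return 0
}

# Run the checks; the exit status is the number of findings (0 = no findings).
audit_asuserdata() {
  f="$1"; max_sessions="$2"; token_life="$3"; n=0
  expect_all "$f" transfer_encryption_fips_mode true ASP4-TS-020140 || n=$((n + 1))
  expect_all "$f" transfer_encryption_content_protection_secret AS_NULL ASP4-TE-030200 || n=$((n + 1))
  expect_all "$f" authorization_transfer_in_value deny ASP4-TE-030220 || n=$((n + 1))
  expect_all "$f" authorization_transfer_out_value deny ASP4-TE-030220 || n=$((n + 1))
  for k in read_allowed write_allowed dir_allowed; do
    expect_all "$f" "$k" false ASP4-TE-030230 || n=$((n + 1))
  done
  expect_all "$f" transfer_manager_max_concurrent_sessions "$max_sessions" ASP4-TE-030180 || n=$((n + 1))
  expect_all "$f" token_life_seconds "$token_life" ASP4-TE-030240 || n=$((n + 1))
  # ssl_protocol is set for both server and client data, so the dump carries two
  # entries; every entry must be TLS 1.2 or higher. Accepting "tlsv1.3" as the
  # "greater" value is an assumption about how that setting is spelled.
  ssl=$(conf_values "$f" ssl_protocol)
  if [ -z "$ssl" ]; then
    echo "FINDING ASP4-TS-020100: ssl_protocol not present in dump"
    n=$((n + 1))
  fi
  for v in $ssl; do
    case "$v" in
      tlsv1.2|tlsv1.3) ;;
      *) echo "FINDING ASP4-TS-020100: ssl_protocol is \"$v\""; n=$((n + 1)); break ;;
    esac
  done
  return "$n"
}

# Demo on a constructed dump (not output from a real node).
demo=$(mktemp)
cat > "$demo" <<'EOF'
transfer_encryption_fips_mode: "true"
transfer_encryption_content_protection_secret: "AS_NULL"
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"
transfer_manager_max_concurrent_sessions: "20"
token_life_seconds: "86400"
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1.2"
EOF
if audit_asuserdata "$demo" 20 86400; then echo "no findings"; fi
rm -f "$demo"
```

Per-user and per-group secrets (asuserdata -u and -g) are not covered by the node-level dump and still need the per-account commands from their own checks.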

b
The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell".
SI-6 - Medium - CCI-002696 - V-252631 - SV-252631r831526_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002696
Version
ASP4-TS-020150
Vuln IDs
  • V-252631
Rule IDs
  • SV-252631r831526_rule
Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
Checks: C-56087r818061_chk

Verify the IBM Aspera HSTS configures the SELinux context type for "aspshell" with the following commands:

$ sudo ls -l /bin/aspshell
lrwxrwxrwx. 1 root root 24 Sep 1 17:38 /bin/aspshell -> /opt/aspera/bin/aspshell

If /bin/aspshell is not symlinked to /opt/aspera/bin/aspshell, this is a finding.

$ sudo ls -Z /opt/aspera/bin/aspshell
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:S0 /bin/aspshell

If the context type of "/opt/aspera/bin/aspshell" is not "shell_exec_t", this is a finding.

Fix: F-56037r818062_fix

Configure the IBM Aspera HSTS SELinux context type for "aspshell" with the following commands (the append to /etc/shells is done through tee so that the redirection itself runs with root privileges):

$ echo /bin/aspshell | sudo tee -a /etc/shells
$ sudo ln -s /opt/aspera/bin/aspshell /bin/aspshell
$ sudo semanage fcontext -a -t shell_exec_t "/opt/aspera/bin/aspshell"
$ sudo restorecon -v /opt/aspera/bin/aspshell

The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).
SC-28 - Medium - CCI-002475 - V-252632 - SV-252632r831527_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
ASP4-TS-020160
Vuln IDs
  • V-252632
Rule IDs
  • SV-252632r831527_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. The askmscli tool sets content-protection secrets for individual users only; it cannot set them for groups or for all users on a node. Each transfer user therefore requires their own content-protection secret for SSEAR.
Checks: C-56088r818064_chk

Verify the IBM High-Speed Transfer Server enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -H ssear
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

If the command returns "No records found for ssear", this is a finding.

Fix: F-56038r818065_fix

Configure the IBM High-Speed Transfer Server to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -s ssear

The IBM Aspera High-Speed Transfer Server must enable password protection of the node database.
AC-3 - Medium - CCI-000213 - V-252633 - SV-252633r818069_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ASP4-TS-020170
Vuln IDs
  • V-252633
Rule IDs
  • SV-252633r818069_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. System administrators can set a secure password for clients to authenticate with a Redis database. When the authorization layer is enabled, Redis refuses any query by unauthenticated clients. A client can authenticate itself by sending the AUTH command followed by the password.
Checks: C-56089r818067_chk

Verify the IBM High-Speed Transfer Server enables password protection of the node database with the following commands:

Initiate a cli connection to the node database.

$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>

Type "info" in the cli to attempt to query the database.

127.0.0.1:31415>info
NOAUTH Authentication required.

If the command results do not state "Authentication required", this is a finding.

Fix: F-56039r818068_fix

Configure the IBM High-Speed Transfer Server to enable password protection of the node database.

Temporarily change the ownership of the Redis configuration file aspera_31415.conf to the user asperadaemon with the following command:

$ sudo chown asperadaemon /opt/aspera/etc/Redis/aspera_31415.conf

Update the configuration file to save the password across reboots with the following commands:

$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>CONFIG SET REQUIREPASS <password>
OK
127.0.0.1:31415>AUTH <password>
OK
127.0.0.1:31415>CONFIG REWRITE
OK
127.0.0.1:31415>quit

Restore aspera_31415.conf ownership to root with the following command:

$ sudo chown root /opt/aspera/etc/Redis/aspera_31415.conf

Create the node database password with the following command:

$ sudo /opt/aspera/bin/askmscli -s Redis-password

Store the node database password in the transfer user and asperadaemon keystores with the following commands:

$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon

The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys.
AC-17 - Medium - CCI-000068 - V-252634 - SV-252634r818072_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
ASP4-TS-020180
Vuln IDs
  • V-252634
Rule IDs
  • SV-252634r818072_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The dynamic token encryption key is used for encrypting authorization tokens dynamically for improved security and time-limited validity, which limits the chances of a key becoming compromised. NOTE: A dynamic token encryption key can be set for an individual user or a system group. Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097
Checks: C-56090r818070_chk

Verify the Aspera High-Speed Transfer Server enables the use of dynamic token encryption keys with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep dynamic
token_dynamic_key: "true"

If the "token_dynamic_key" setting is not set to "true", this is a finding.

Fix: F-56040r818071_fix

Configure the Aspera High-Speed Transfer Server to enable the use of dynamic token encryption keys with the following command:

$ sudo asconfigurator -x "set_node_data; token_dynamic_key,true"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.
AC-17 - Medium - CCI-001453 - V-252635 - SV-252635r831528_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
ASP4-TS-020190
Vuln IDs
  • V-252635
Rule IDs
  • SV-252635r831528_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. The master key must be a unique random 256-bit key. The example below uses openssl to generate the key. This Redis master key will be used to encrypt the dynamic token encryption key. Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Checks: C-56091r818073_chk

Verify the IBM High-Speed Transfer Server has a master-key set to encrypt the dynamic token encryption key with the following commands:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

$ sudo /opt/aspera/bin/askmscli -u asperadaemon -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

If either command returns "No records found for Redis-master-key", this is a finding.

Fix: F-56041r818074_fix

Configure the IBM High-Speed Transfer Server to set a master-key to encrypt the dynamic token encryption key with the following command:

$ sudo echo -n "`openssl rand -base64 32`" | sudo /opt/aspera/bin/askmscli -s Redis-master-key

For each transfer user with a token encryption key, initialize the user's keystore with the following command:

$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>

Initialize the keystore for the asperadaemon user that runs asperanoded with the following command:

$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
AC-10 - Medium - CCI-000054 - V-252636 - SV-252636r818078_rule
RMF Control
AC-10
Severity
Medium
CCI
CCI-000054
Version
ASP4-TS-020200
Vuln IDs
  • V-252636
Rule IDs
  • SV-252636r818078_rule
Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of concurrent sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services. The number of incoming transfer requests to the IBM Aspera High-Speed Transfer Server permitted via a POST to the REST service can be limited by the setting of "transfer_manager_max_concurrent_sessions" in aspera.conf.
Checks: C-56092r818076_chk

Verify the IBM Aspera High-Speed Transfer Server limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep concurrent
transfer_manager_max_concurrent_sessions: "20"

If the value returned (in this example 20 is the default) is not the organization-defined number, this is a finding.

Fix: F-56042r818077_fix

Configure the IBM Aspera High-Speed Transfer Server to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data; transfer_manager_max_concurrent_sessions,<insertorganizationvaluehere>"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text.
SC-28 - Medium - CCI-002475 - V-252637 - SV-252637r831529_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
ASP4-TS-020210
Vuln IDs
  • V-252637
Rule IDs
  • SV-252637r831529_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that you do not store content-protection secrets in aspera.conf.
Checks: C-56093r818079_chk

Verify the IBM High-Speed Transfer Server does not store group content-protection secrets in plain text. For each group, run the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -g <groupname> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.

Fix: F-56043r818080_fix

Configure the IBM High-Speed Transfer Server to not store group content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_group_data; group_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"

The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text.
SC-28 - Medium - CCI-002475 - V-252638 - SV-252638r831530_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
ASP4-TS-020220
Vuln IDs
  • V-252638
Rule IDs
  • SV-252638r831530_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that users do not store content-protection secrets in aspera.conf.
Checks: C-56094r818082_chk

Verify the IBM High-Speed Transfer Server does not store node content-protection secrets in plain text with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.

Fix: F-56044r818083_fix

Configure the IBM High-Speed Transfer Server to not store node content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data; transfer_encryption_content_protection_secret,AS_NULL"

The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text.
SC-28 - Medium - CCI-002475 - V-252639 - SV-252639r831531_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-002475
Version
ASP4-TS-020230
Vuln IDs
  • V-252639
Rule IDs
  • SV-252639r831531_rule
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that users do not store content-protection secrets in aspera.conf.
Checks: C-56095r818085_chk

Verify the IBM High-Speed Transfer Server does not store user content-protection secrets in plain text. For each user, run the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -u <username> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.

Fix: F-56045r818086_fix

Configure the IBM High-Speed Transfer Server to not store user content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"

The IBM Aspera High-Speed Transfer Server must not use the root account for transfers.
CM-7 - Medium - CCI-000382 - V-252640 - SV-252640r818090_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ASP4-TS-020240
Vuln IDs
  • V-252640
Rule IDs
  • SV-252640r818090_rule
Configuring the Aspera HSTS platform with a least-privilege approach reduces the exposure of privileged accounts. By default, all system users can establish a FASP connection and are restricted only by file permissions.
Checks: C-56096r818088_chk

Verify the Aspera High-Speed Transfer Server restricts the use of the root account for transfers with the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -u root | grep allowed | grep true

If results are returned from the above command, this is a finding.

Fix: F-56046r818089_fix

Configure the Aspera High-Speed Transfer Server to restrict the use of the root account for transfers. For each privilege that is set to "true", run the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,root;<privilege>,false"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system.
CM-7 - Medium - CCI-000382 - V-252641 - SV-252641r818093_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ASP4-TS-020250
Vuln IDs
  • V-252641
Rule IDs
  • SV-252641r818093_rule
Restricting transfer users to a limited part of the server's file system prevents unauthorized data transfers. By default, all system users can establish a FASP connection and are restricted only by file permissions.
Checks: C-56097r818091_chk

Verify the Aspera High-Speed Transfer Server restricts Aspera transfer users to a limited part of the server's file system. Check that each user is restricted to a specific transfer folder with the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -u <username> | grep absolute
canonical_absolute: "<specifictransferfolder>"
absolute: "<specifictransferfolder>"

If the transfer user's docroot is set to "<Empty String>" or is blank, this is a finding.

Fix: F-56047r818092_fix

Configure the Aspera High-Speed Transfer Server to restrict Aspera transfer users to a limited part of the server's file system with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name, <username>;canonical_absolute,<transferfolder>; absolute,<transferfolder>"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell".
IA-2 - Medium - CCI-000764 - V-252642 - SV-252642r818096_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
ASP4-TS-020260
Vuln IDs
  • V-252642
Rule IDs
  • SV-252642r818096_rule
By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only the following operations:
  • Running Aspera uploads and downloads to or from this computer.
  • Establishing connections in the application.
  • Browsing, listing, creating, renaming, or deleting contents.
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication. 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway.
Checks: C-56098r818094_chk

Verify the Aspera High-Speed Transfer Server restricts the transfer user(s) to the "aspshell" with the following command:

$ sudo grep <username> /etc/passwd
<username>:x:1001:1001:...:/home/<username>:/bin/aspshell

If the transfer user is not limited to the "aspshell", this is a finding.

Fix: F-56048r818095_fix

Configure the Aspera High-Speed Transfer Server to restrict the transfer user(s) to the "aspshell" with the following command:

$ sudo usermod -s /bin/aspshell <username>

The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default.
AC-3 - Medium - CCI-000213 - V-252643 - SV-252643r818099_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ASP4-TS-020270
Vuln IDs
  • V-252643
Rule IDs
  • SV-252643r818099_rule
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. The IBM Aspera High Speed Transfer Server inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Checks: C-56099r818097_chk

Verify the Aspera High-Speed Transfer Server restricts users from using transfer services by default with the following commands:

Check that the aspera.conf file is configured to deny transfer in and out by default.

$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"

If the results produce an "allow" value, this is a finding.

Fix: F-56049r818098_fix

Configure the Aspera High-Speed Transfer Server to restrict users from using transfer services by default with the following commands:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

The IBM Aspera High-Speed Transfer Server must restrict users' read, write, and browse permissions by default.
AC-3 - Medium - CCI-000213 - V-252644 - SV-252644r818102_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
ASP4-TS-020280
Vuln IDs
  • V-252644
Rule IDs
  • SV-252644r818102_rule
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. The IBM Aspera High Speed Transfer Server inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Checks: C-56100r818100_chk

Verify the IBM Aspera High-Speed Transfer Server restricts users' read, write, and browse permissions by default with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"

If no results are returned or if the results produce a "true" value, this is a finding.

Fix: F-56050r818101_fix

Configure the IBM Aspera High-Speed Transfer Server to restrict users' read, write, and browse permissions by default with the following commands:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
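The node-level checks in this section (FIPS mode, the dynamic token key, the concurrent-session limit, the node content-protection secret, the transfer authorization defaults, and the read/write/browse defaults) all read the same "asuserdata -a" output and compare one key to a required value. The script below is an added example, not part of the STIG and not IBM tooling: it applies all of those comparisons in one pass and reports a PASS or FAIL line per setting, which is what an assessor running the checks by hand ends up doing one grep at a time. The only assumption about the real tool is the "key: "value"" line format the checks themselves show. The function names (setting_value, audit_node, count_findings) and the embedded SAMPLE_ASUSERDATA block are constructed for the example; on a real node the live output is piped in instead of the sample.

```shell
#!/bin/sh
# Added example: evaluate asuserdata-style 'key: "value"' lines against the
# node-level settings this STIG section requires. Not IBM code.
#
# Constructed sample output standing in for `sudo /opt/aspera/bin/asuserdata -a`.
# It deliberately carries three findings (dynamic key off, transfer-out allowed,
# browsing allowed) so the audit has something to report.
SAMPLE_ASUSERDATA='transfer_encryption_fips_mode: "true"
token_dynamic_key: "false"
transfer_manager_max_concurrent_sessions: "20"
transfer_encryption_content_protection_secret: "AS_NULL"
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "allow"
read_allowed: "false"
write_allowed: "false"
dir_allowed: "true"'

# setting_value KEY: read asuserdata output on stdin, print KEY's value without
# the surrounding quotes (first match only), or nothing if KEY is absent.
setting_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# audit_node ORG_MAX_SESSIONS: read asuserdata output on stdin and print one
# "PASS key" or "FAIL key (...)" line per required setting. Returns 1 if any
# setting fails, so the function can drive a non-zero exit in a pipeline.
# The concurrent-session limit is organization-defined, hence the parameter.
audit_node() {
    org_max="$1"
    data=$(cat)
    status=0
    for spec in \
        "transfer_encryption_fips_mode=true" \
        "token_dynamic_key=true" \
        "transfer_manager_max_concurrent_sessions=$org_max" \
        "transfer_encryption_content_protection_secret=AS_NULL" \
        "authorization_transfer_in_value=deny" \
        "authorization_transfer_out_value=deny" \
        "read_allowed=false" \
        "write_allowed=false" \
        "dir_allowed=false"; do
        key=${spec%%=*}
        want=${spec#*=}
        got=$(printf '%s\n' "$data" | setting_value "$key")
        # A missing key is a finding too: the STIG treats blank results as a finding.
        if [ "$got" = "$want" ]; then
            echo "PASS $key"
        else
            echo "FAIL $key (got '${got:-<missing>}', want '$want')"
            status=1
        fi
    done
    return $status
}

# count_findings ORG_MAX_SESSIONS: number of FAIL lines for the embedded sample.
count_findings() {
    printf '%s\n' "$SAMPLE_ASUSERDATA" | audit_node "$1" | grep -c '^FAIL' || true
}

# Usage on a real node (source this file, then pipe the live output in):
#   sudo /opt/aspera/bin/asuserdata -a | audit_node <organization-defined max sessions>
```

With the embedded sample and an organization-defined limit of 20, the audit reports three FAIL lines; passing a different limit (for example 10) adds a fourth, because the sample node still carries the default of 20. The per-user and per-group checks in this section (asuserdata -u / -g) produce the same line format, so the same setting_value helper applies to their output unchanged.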

The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder.
CM-7 - Medium - CCI-000382 - V-252645 - SV-252645r818105_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
ASP4-TS-020290
Vuln IDs
  • V-252645
Rule IDs
  • SV-252645r818105_rule
Restricting the default document root (docroot) for the Aspera HSTS allows access to be defined explicitly on a per-user basis. By default, all system users can establish a FASP connection and are restricted only by file permissions.
Checks: C-56101r818103_chk

Verify the Aspera High-Speed Transfer Server sets the default docroot to an empty folder. Check that the default docroot points to an empty folder with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep absolute
canonical_absolute: "<someemptyfolder>"
absolute: "<someemptyfolder>"

If the default docroot is set to "<Empty String>", this is a finding.

Review the default docroot file path from the previous command to ensure it is empty.

$ sudo find <somefilepath> -maxdepth 0 -empty -exec echo {} is empty. \;
<somefilepath> is empty.

If the command does not return "<somefilepath> is empty.", this is a finding.

Fix: F-56051r818104_fix

Configure the Aspera High-Speed Transfer Server to set the default docroot to an empty folder with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;canonical_absolute,<someemptyfolder>; absolute,<someemptyfolder>"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service

The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252646 - SV-252646r831532_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-TS-020300
Vuln IDs
  • V-252646
Rule IDs
  • SV-252646r831532_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.
Checks: C-56102r818106_chk

Verify the rootkeystore.db file is group-owned by root with the following command:

$ sudo stat -c "%G" /opt/aspera/etc/rootkeystore.db
root

If "root" is not returned as a result, this is a finding.

Fix: F-56052r818107_fix

Configure the rootkeystore.db file to be group-owned by root with the following command:

$ sudo chgrp root /opt/aspera/etc/rootkeystore.db

The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252647 - SV-252647r831533_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-TS-020310
Vuln IDs
  • V-252647
Rule IDs
  • SV-252647r831533_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.
Checks: C-56103r818109_chk

Verify the rootkeystore.db file is owned by root with the following command:

$ sudo stat -c "%U" /opt/aspera/etc/rootkeystore.db
root

If "root" is not returned as a result, this is a finding.

Fix: F-56053r818110_fix

Configure the rootkeystore.db file to be owned by root with the following command:

$ sudo chown root /opt/aspera/etc/rootkeystore.db

The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
AC-3 - Medium - CCI-002165 - V-252648 - SV-252648r831534_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
ASP4-TS-020320
Vuln IDs
  • V-252648
Rule IDs
  • SV-252648r831534_rule
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.
Checks: C-56104r818112_chk

Verify the rootkeystore.db file has a mode of "0600" or less permissive with the following command:

$ sudo stat -c "%a %n" /opt/aspera/etc/rootkeystore.db
600 /opt/aspera/etc/rootkeystore.db

If the resulting mode is more permissive than "0600", this is a finding.

Fix: F-56054r818113_fix

Configure the rootkeystore.db file to have a mode of "0600" or less permissive with the following command:

$ sudo chmod 0600 /opt/aspera/etc/rootkeystore.db
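The three rootkeystore.db requirements above (group-owned by root, owned by root, mode 0600 or less permissive) are usually audited together. The following shell function is an added example, not part of the STIG or of IBM Aspera, that runs all three checks on a given path and reports each failure as a finding. It uses the same GNU stat format strings as the STIG check commands; the expected owner and group default to root but can be overridden, and "less permissive than 0600" is evaluated with a bit mask rather than a string comparison so that modes such as 0400 pass and 4600 or 0640 fail.

```shell
#!/bin/sh
# Added example, not part of the STIG: one function that performs the three
# rootkeystore.db checks (owner root, group root, mode 0600 or less permissive).
# It uses GNU stat format strings, as the STIG check text does.

# Path from the STIG. It is only the default target; the function takes any
# path so it can also be run on other key material.
ASPERA_KEYSTORE=/opt/aspera/etc/rootkeystore.db

# check_secret_file PATH [OWNER] [GROUP]
# Prints one FINDING line per failed check. Returns 0 when all checks pass,
# 1 when any check fails (or the file is missing).
check_secret_file() {
    path=$1
    want_owner=${2:-root}
    want_group=${3:-root}
    rc=0

    if [ ! -e "$path" ]; then
        echo "FINDING: $path does not exist"
        return 1
    fi

    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    mode=$(stat -c '%a' "$path")

    if [ "$owner" != "$want_owner" ]; then
        echo "FINDING: $path is owned by '$owner', expected '$want_owner'"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FINDING: $path is group-owned by '$group', expected '$want_group'"
        rc=1
    fi
    # "0600 or less permissive" means no permission bit outside owner
    # read/write may be set. Mask 07177 (octal) covers setuid, setgid,
    # sticky, owner-execute and every group/other bit, so the AND must be 0.
    if [ $(( 0$mode & 07177 )) -ne 0 ]; then
        echo "FINDING: $path has mode $mode, more permissive than 0600"
        rc=1
    fi
    return $rc
}

# Stand-alone use: `sh thisscript.sh --check` audits the real keystore.
# (Reading its metadata may need sudo, as in the STIG check commands.)
if [ "${1:-}" = "--check" ]; then
    check_secret_file "$ASPERA_KEYSTORE" root root && echo "OK: $ASPERA_KEYSTORE"
fi
```

Because the function returns a non-zero status on any finding, it drops straight into a larger compliance script or a cron job that alerts when the keystore's ownership or mode drifts from the fixed state.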

The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period.
IA-5 - Medium - CCI-002007 - V-252649 - SV-252649r831535_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
ASP4-TS-020330
Vuln IDs
  • V-252649
Rule IDs
  • SV-252649r831535_rule
If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).
Checks: C-56105r818115_chk

Verify the IBM Aspera High-Speed Transfer Server prohibits the use of cached authenticators after an organization-defined time period with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life'
token_life_seconds: "86400"

Note: The example token life is for one day; this number must be defined by the organization.

If no result is returned or if the result is not an organization-defined time period, this is a finding.

Fix: F-56055r818116_fix

Configure the IBM Aspera High-Speed Transfer Server to prohibit the use of cached authenticators after an organization-defined time period with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_life_seconds,86400"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
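The check above leaves the comparison with the organization-defined period to the reviewer. The following script is an added example, not part of the STIG or of IBM Aspera, that extracts token_life_seconds from asuserdata-style output and evaluates it against a limit. The limit of 86400 seconds is an assumed organization value taken from the STIG's own example; the sample output is constructed for the example and is not captured from a real server. A missing key, a non-numeric value, zero, or a value above the limit are all reported as findings, matching the "no result is returned" and "not an organization-defined time period" clauses of the check.

```shell
#!/bin/sh
# Added example, not part of the STIG: parse the token_life_seconds value from
# asuserdata-style output and compare it with an organization-defined limit.
# The limit below is an assumed value (one day, matching the STIG example).
ORG_MAX_TOKEN_LIFE_SECONDS=86400

# token_life_from_asuserdata: read `asuserdata -a` output on stdin and print
# the first token_life_seconds value with its quotes stripped. Prints nothing
# if the key is absent, so a missing setting shows up as an empty value.
token_life_from_asuserdata() {
    sed -n 's/^[[:space:]]*token_life_seconds:[[:space:]]*"\{0,1\}\([0-9]\{1,\}\)"\{0,1\}.*/\1/p' | head -n 1
}

# check_token_life VALUE [MAX]
# Returns 0 when VALUE is a positive integer no larger than MAX, 1 otherwise
# (empty, non-numeric, zero, or longer than the organization allows).
check_token_life() {
    val=$1
    max=${2:-$ORG_MAX_TOKEN_LIFE_SECONDS}
    case $val in
        ''|*[!0-9]*)
            echo "FINDING: token_life_seconds is missing or not numeric ('$val')"
            return 1 ;;
    esac
    if [ "$val" -le 0 ] || [ "$val" -gt "$max" ]; then
        echo "FINDING: token_life_seconds=$val is outside the organization-defined range 1..$max"
        return 1
    fi
    echo "OK: token_life_seconds=$val (limit $max)"
    return 0
}

# Constructed sample of asuserdata -a output, not captured from a real server.
# Only the token_life_seconds line matters to the parser; the other keys are
# placeholders.
SAMPLE_ASUSERDATA='example_setting_a: "value"
token_life_seconds: "86400"
example_setting_b: "value"'

# Stand-alone use: `sh thisscript.sh --live` reads the real server's value via
# the command from the STIG check; without --live it evaluates the sample.
if [ "${1:-}" = "--live" ]; then
    life=$(sudo /opt/aspera/bin/asuserdata -a | token_life_from_asuserdata)
else
    life=$(printf '%s\n' "$SAMPLE_ASUSERDATA" | token_life_from_asuserdata)
fi
check_token_life "$life"
```

The sed expression tolerates both quoted and unquoted values and leading whitespace, so the same parser works whether the line comes straight from asuserdata or from a saved configuration dump.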