Verify the IBM Aspera Platform is configured to support centralized management and configuration. Navigate to the IBM Aspera Console webpage, log in with an administrator account, and review the "Nodes" tab. If any node managed by the organization is not listed, this is a finding. If the IBM Aspera Platform implementation does not include IBM Aspera Console, this is a finding.
Configure the IBM Aspera Platform to support centralized management and configuration. Ensure the IBM Aspera Console server is installed and configured to manage all nodes within the organization. Navigate to the IBM Aspera Console webpage, log in with an administrator account, and select the "Nodes" tab. Select "New Managed Node" to add nodes to the IBM Aspera Console.
Verify that only mission-essential features are in use. Interview the systems administrator to determine whether the following Aspera features are in use:
- Aspera Shares
- Aspera Faspex
If either Aspera Shares or Aspera Faspex is in use and is not documented with the ISSM as a mission requirement, this is a finding.
Ensure all mission required features of Aspera are documented with the ISSM.
Using a web browser, navigate to the default IBM Aspera Console web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.
For implementations using the IBM Aspera Console feature, configure SAML to use an existing IdP that implements multi-factor authentication.
Verify the log files for IBM Aspera Console do not have world access with the following command:

$ sudo find /opt/aspera/console/log/ \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print

If results are returned from the above command, this is a finding.
Remove world access from any IBM Aspera Console log file that has world permissions granted:

$ sudo chmod o-rwx <placefilenamehere>
Using a web browser, navigate to the IBM Aspera Console web page. The IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication. If it does not redirect for authentication via the configured IdP, this is a finding. If redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.
Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Accounts" tab. - Select the "SAML" tab. - Enter the IdP SSO Target (Redirect) URL. - Enter the IdP Cert Fingerprint. - Select from the dropdown menu the IdP Cert Fingerprint Algorithm. - Select "Save" at the bottom of the page.
Using a web browser, navigate to the IBM Aspera Console web page. IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication. If it does not redirect for authentication via the configured IdP, this is a finding. If redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding.
Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Accounts" tab. - Select the "SAML" tab. - Enter the IdP SSO Target (Redirect) URL. - Enter the IdP Cert Fingerprint. - Select from the dropdown menu the IdP Cert Fingerprint Algorithm. - Select "Save" at the bottom of the page.
Verify IBM Aspera Console only uses TLS 1.2 or greater with the following command:

$ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
SSLProtocol TLSv1.2

If the values for SSLProtocol vary from the above example, this is a finding.
Configure IBM Aspera Console to use TLS 1.2. Add or edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf:

SSLProtocol TLSv1.2

Restart Apache for these changes to take effect:

$ sudo /opt/aspera/common/asctl/asctl apache:restart
Verify IBM Aspera Console interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Verify the "Session timeout" option is set to "10" minutes or less. If the "Session Timeout" option is set to more than "10" minutes, this is a finding.
Configure IBM Aspera Console interactive sessions to terminate after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Edit the "Session Timeout" option to "10" minutes or less. - Select "Save" at the bottom of the page.
Verify IBM Aspera Console enforces password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Verify the "Password Requirement Regular Expression" has the following value: (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,} - Verify the "Password Requirement Message" has the following text: "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol". If the "Password Requirement Regular Expression" value is not "(?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}", this is a finding. If the "Password Requirement Message" value is not "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol", this is a finding.
Configure IBM Aspera Console to enforce password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Edit the "Password Requirement Regular Expression" with the following value: (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,} - Edit the "Password Requirement Message" with the following text: "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol". - Select "Save" at the bottom of the page.
Verify IBM Aspera Console locks accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Verify the "Deactivate Users" section is set to "3" or less failed login attempts within "15" minutes or less. If the "Deactivate Users" section is set to more than "3" failed login attempts, this is a finding. If the "Deactivate Users" section is set to more than "15" minutes, this is a finding.
Configure IBM Aspera Console to lock accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Edit the "Deactivate Users" section failed login attempts option to "3" or less. - Edit the "Deactivate Users" section attempts within minutes to "15" or less. - Select "Save" at the bottom of the page.
Verify IBM Aspera Console prevents concurrent logins for all accounts: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Verify the "Prevent concurrent login" option is checked. If the "Prevent concurrent login" option is not checked, this is a finding.
Configure IBM Aspera Console to prevent concurrent logins for all accounts: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Put a check in the "Prevent concurrent login" check box. - Select "Save" at the bottom of the page.
Verify IBM Aspera Console passwords are prohibited from reuse for a minimum of five generations: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Verify the "Password Expiration" option is checked. - Verify the "Password Reuse Limit" option is set to "5" or more. If the "Password Expiration" option is not checked, this is a finding. If the "Password Reuse Limit" is set to less than "5" or is set to "0", this is a finding.
Configure IBM Aspera Console passwords to be prohibited from reuse for a minimum of five generations: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Put a check in the "Password Expiration" check box. - Edit the "Password Reuse Limit" option to "5" or more. Note: "0" disables the "Password Reuse Limit" option. - Select "Save" at the bottom of the page.
Verify IBM Aspera Console user account passwords have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Verify the "Password Expiration" option is checked. - Verify the "Password Duration" option is set to "60" days or less. If the "Password Expiration" option is not checked, this is a finding. If the "Password Duration" is set to more than "60" days or is set to "0", this is a finding.
Configure IBM Aspera Console user account passwords to have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Put a check in the "Password Expiration" check box. - Edit the "Password Duration" option to "60" days or less. Note: "0" disables the "Password Duration" option. - Select "Save" at the bottom of the page.
Verify the IBM Aspera Console is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configuration of the server with the following command:

$ sudo /opt/aspera/common/asctl/asctl all:info | grep port:
http_port: 80
https_port: 443
port: 4406
base_port: 3500

Ask the system administrator for the site or program PPSM Component Local Services Assessment (CLSA). Verify the services configured for use match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Configure the IBM Aspera Console to disable functions, ports, protocols, and services that are not approved. Use the following commands to configure only those services that are not prohibited, and follow PPSM guidance for each service, protocol, and port.

For the Apache instance:
$ sudo /opt/aspera/common/asctl/asctl apache:http_port <number>
$ sudo /opt/aspera/common/asctl/asctl apache:https_port <number>

For the console:
$ sudo /opt/aspera/common/asctl/asctl console:base_port <number>

For the database:
$ sudo /opt/aspera/common/asctl/asctl mysql:port <number>
Ensure that encryption is required for all transfers by the IBM Aspera Console: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Transfer Defaults" section. - Verify that the "Transport Encryption" option is set to "aes-128". If the "Transport Encryption" option is set to "none", this is a finding.
Configure the system to require encryption for all transfers by the IBM Aspera Console: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Transfer Defaults" section. - Select the "Transport Encryption" option of "aes-128". - Select "Save" at the bottom of the page.
Verify the /opt/aspera/console/config/secret.yml file is group-owned by root with the following command:

$ sudo stat -c "%G" /opt/aspera/console/config/secret.yml
root

If "root" is not returned as a result, this is a finding.
Configure the /opt/aspera/console/config/secret.yml file to be group-owned by root with the following command:

$ sudo chgrp root /opt/aspera/console/config/secret.yml
Verify the /opt/aspera/console/config/secret.yml file is owned by root with the following command:

$ sudo stat -c "%U" /opt/aspera/console/config/secret.yml
root

If "root" is not returned as a result, this is a finding.
Configure the /opt/aspera/console/config/secret.yml file to be owned by root with the following command:

$ sudo chown root /opt/aspera/console/config/secret.yml
Verify the /opt/aspera/console/config/secret.yml file has a mode of "0600" or less permissive with the following command:

$ sudo stat -c "%a %n" /opt/aspera/console/config/secret.yml
600 /opt/aspera/console/config/secret.yml

If the resulting mode is more permissive than "0600", this is a finding.
Configure the /opt/aspera/console/config/secret.yml file to have a mode of "0600" or less permissive with the following command:

$ sudo chmod 0600 /opt/aspera/console/config/secret.yml
Verify that no file or subdirectory within the /opt/aspera/console directory is world-writable. Only the "public" subdirectory should have any access for users outside the owner or group, and even there world write must not be granted:

$ sudo find /opt/aspera/console -perm -0002 -exec ls -lLd {} \;

If any files or directories have world write permissions, this is a finding.
Remove world write permission from any file or directory that has been made world-writable:

$ sudo chmod o-w <placefilenamehere>
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Session timeout" option is set to "10" minutes or less. If the "Session timeout" option is set to more than "10" minutes, this is a finding.
Configure IBM Aspera Faspex interactive sessions to terminate after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Edit the "Session timeout" option to "10" minutes or less. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/faspex/config/secret.yml file has a mode of "0600" or less permissive with the following command:

$ sudo stat -c "%a %n" /opt/aspera/faspex/config/secret.yml
600 /opt/aspera/faspex/config/secret.yml

If the resulting mode is more permissive than "0600", this is a finding.
Configure the /opt/aspera/faspex/config/secret.yml file to have a mode of "0600" or less permissive with the following command:

$ sudo chmod 0600 /opt/aspera/faspex/config/secret.yml
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex allows the use of a temporary password for logins with an immediate change to a permanent password: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Require new users to change password on first login" option is checked. If the "Require new users to change password on first login" option is not checked, this is a finding.
Configure IBM Aspera Faspex to allow the use of a temporary password for logins with an immediate change to a permanent password: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check in the "Require new users to change password on first login" option check box. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner. Using a web browser, go to the default IBM Aspera Faspex website. If the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.
Configure the IBM Aspera Faspex default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner. - Log in to IBM Aspera Faspex as an administrative user. - Go to Server >> Notifications >> Login Announcement and enter the approved language.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex disables account identifiers after 35 days of inactivity: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Under the "Faspex accounts" "Remove users" section, verify the following: - The "Local users" option is checked and is set to "35" days or less. - The "DS users" option is checked and is set to "35" days or less. - The "SAML users" option is checked and is set to "35" days or less. If the "Local users" option is not checked or is set to more than "35" days, this is a finding. If the "DS users" option is not checked or is set to more than "35" days, this is a finding. If the "SAML users" option is not checked or is set to more than "35" days, this is a finding.
Configure IBM Aspera Faspex to disable account identifiers after 35 days of inactivity: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Under the "Faspex accounts" "Remove users" section, edit the following: - Put a check in the "Local users" option check box. - Edit the "Local users" option to "35" days or less. - Put a check in the "DS users" option check box. - Edit the "DS users" option to "35" days or less. - Put a check in the "SAML users" option check box. - Edit the "SAML users" option to "35" days or less. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Faspex web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.
For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP that implements multi-factor authentication.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex locks accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Lock users" section is set to "3" or less failed login attempts within "15" minutes or less. If the "Lock users" section is set to more than "3" failed login attempts, this is a finding. If the "Lock users" section is set to more than "15" minutes, this is a finding.
Configure IBM Aspera Faspex to lock accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Edit the "Faspex accounts" "Lock users" section failed login attempts option to "3" or less. - Edit the "Lock users" section attempts within minutes to "15" or less. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex prevents concurrent logins for all accounts: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Prevent concurrent login" option is checked. If the "Prevent concurrent login" is not checked, this is a finding.
Configure IBM Aspera Faspex to prevent concurrent logins for all accounts: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check in the "Faspex accounts" "Prevent concurrent login" check box. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex requires password complexity: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Use strong passwords" option is checked. If the "Use strong passwords" option is not checked, this is a finding. If the "Use strong passwords" option is checked, downgrade this requirement to a CAT III.
Configure IBM Aspera Faspex to require password complexity: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check in the "Faspex accounts" "Use strong passwords" check box. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify that all external recipients of Faspex packages must register for an account before they can download packages or files within packages: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" option from the left menu. - Verify that the option "Require external users to register" is checked. If this option is not checked, this is a finding. Also verify that IBM Aspera Faspex is configured for "Moderated" self-registration when external users are permitted: under the "Registrations" heading, verify that "Moderated" is selected from the "Self registration" picklist. If "Moderated" is not selected, this is a finding.
To configure Aspera Faspex to authenticate all external recipients of Faspex packages before they can download packages or files within packages: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" option from the left menu. - Check the option "Require external users to register" under the "Registrations" heading. - Select the "Moderated" option from the picklist for "Self registration" under the Registrations heading. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex passwords are prohibited from reuse for a minimum of five generations: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Prevent passwords reuse" option is checked. - Verify the "Prevent passwords reuse" option is set to "5" or more. If the "Prevent passwords reuse" option is not checked or is set to less than "5", this is a finding.
Configure IBM Aspera Faspex passwords to be prohibited from reuse for a minimum of five generations: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check in the "Faspex accounts" "Prevent passwords reuse" check box. - Edit the "Prevent passwords reuse" option to "5" or more. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex user account passwords have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Passwords expire" option is checked. - Verify the "Passwords expire" option is set to "60" days or less. If the "Passwords expire" option is not checked or is set to more than "60" days, this is a finding.
Configure IBM Aspera Faspex user account passwords to have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check in the "Faspex accounts" "Passwords expire" check box. - Edit the "Passwords expire" option to "60" days or less. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify IBM Aspera Faspex only uses TLS 1.2 or greater with the following command:

$ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
SSLProtocol TLSv1.2

If the values for SSLProtocol vary from the above example, this is a finding.
Configure IBM Aspera Faspex to use TLS 1.2. Add or edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf:

SSLProtocol TLSv1.2

Restart Apache for these changes to take effect:

$ sudo /opt/aspera/common/asctl/asctl apache:restart
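The Console and Faspex TLS checks above accept only the literal line SSLProtocol TLSv1.2. Administrators often write the directive in other forms (all -SSLv3 -TLSv1, -all +TLSv1.2 +TLSv1.3), and the literal line itself enables TLS 1.2 only, leaving TLS 1.3 off. The shell script below is added here as an example; it is not taken from the STIG or from IBM. It computes the protocol set mod_ssl would actually enable for a given httpd-ssl.conf and flags anything below TLS 1.2. It models mod_ssl's +/- token rules (an unprefixed name replaces whatever was set before it, which is why "SSLProtocol TLSv1.2 TLSv1.3" ends up enabling only TLS 1.3), assumes "all" covers SSLv3 through TLSv1.3, and considers only the last directive in the file. The .conf files it writes to a temp directory are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the STIG or from IBM: work out which protocol
# versions Apache mod_ssl would enable from the SSLProtocol directive in a
# config file, so that spellings other than the literal "SSLProtocol TLSv1.2"
# can be judged by their effect. Token handling follows mod_ssl's rules:
# "+X" adds a protocol, "-X" removes one, and an unprefixed name replaces the
# set built so far (mod_ssl logs a warning for that case), so
# "SSLProtocol TLSv1.2 TLSv1.3" leaves only TLSv1.3 enabled.
# Assumption: "all" expands to SSLv3 through TLSv1.3 (the worst case; which
# of these the build really supports depends on the linked OpenSSL). Only
# the last directive in the file is considered; <VirtualHost> scoping is
# not modelled.

ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# effective_ssl_protocols FILE
# Prints the enabled protocols in ALL_PROTOCOLS order, or nothing when FILE
# has no SSLProtocol directive (or the directive leaves nothing enabled).
effective_ssl_protocols() {
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || return 0
    enabled=" "
    set -- $line
    shift                                   # drop the directive name itself
    for tok in "$@"; do
        case "$tok" in
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok ;;
        esac
        case "$name" in [Aa][Ll][Ll]) name=$ALL_PROTOCOLS ;; esac
        case "$action" in
            set)
                # Same situation mod_ssl warns about: a bare name after other tokens.
                case "$enabled" in *[![:space:]]*)
                    echo "warning: '$tok' overrides protocols already set; missing +/- prefix?" >&2 ;;
                esac
                enabled=" $name " ;;
            add) enabled="$enabled $name " ;;
            del) for n in $name; do enabled=$(printf '%s' "$enabled" | sed "s/ $n / /g"); done ;;
        esac
    done
    out=""
    for p in $ALL_PROTOCOLS; do             # canonical order, duplicates dropped
        case "$enabled" in *" $p "*) out="$out $p" ;; esac
    done
    printf '%s\n' "${out# }"
}

# ssl_protocol_finding FILE
# Exit 0 when only TLS 1.2 and/or TLS 1.3 are enabled; exit 1 (a finding) when
# no protocol is enabled, the directive is absent, or an older protocol remains.
ssl_protocol_finding() {
    protos=$(effective_ssl_protocols "$1")
    if [ -z "$protos" ]; then
        echo "FINDING: $1 has no SSLProtocol directive or enables no protocol"
        return 1
    fi
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FINDING: $1 still enables $p (effective set: $protos)"; return 1 ;;
        esac
    done
    echo "OK: $1 enables only: $protos"
}

# Constructed sample directives (not real Aspera files).
tmp=$(mktemp -d)
printf 'SSLProtocol TLSv1.2\n'                > "$tmp/stig_literal.conf"  # TLS 1.2 only
printf 'SSLProtocol all -SSLv3 -TLSv1\n'      > "$tmp/forgot_tls11.conf"  # TLS 1.1 still on
printf 'SSLProtocol TLSv1.2 TLSv1.3\n'        > "$tmp/missing_plus.conf"  # only TLS 1.3 survives
printf 'SSLProtocol -all +TLSv1.2 +TLSv1.3\n' > "$tmp/modern.conf"        # TLS 1.2 and 1.3
for f in "$tmp"/*.conf; do ssl_protocol_finding "$f" || true; done
rm -rf "$tmp"
```

Run it against the live file with ssl_protocol_finding /opt/aspera/common/apache/conf/extra/httpd-ssl.conf. It judges effect, whereas the STIG check is a literal match: a file this script reports as OK but that does not read exactly SSLProtocol TLSv1.2 is still a finding under the check as written, and should be normalised to that line (or to a form the ISSM has accepted) rather than left as-is.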
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the IBM Aspera Faspex is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configuration of the server with the following command:

$ sudo /opt/aspera/common/asctl/asctl all:info | grep port:
http_port: 80
https_port: 443
port: 4406
base_port: 3000
http_fallback_port: 8080

Ask the system administrator for the site or program PPSM Component Local Services Assessment (CLSA). Verify the services configured for use match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Configure the IBM Aspera Faspex to disable functions, ports, protocols, and services that are not approved. Use the following commands to configure only those services that are not prohibited, and follow PPSM guidance for each service, protocol, and port.

For the Apache instance:
$ sudo /opt/aspera/common/asctl/asctl apache:http_port <number>
$ sudo /opt/aspera/common/asctl/asctl apache:https_port <number>

For the Faspex instance:
$ sudo /opt/aspera/common/asctl/asctl faspex:base_port <number>
$ sudo /opt/aspera/common/asctl/asctl faspex:http_fallback_port <number>

For the database:
$ sudo /opt/aspera/common/asctl/asctl mysql:port <number>
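The PPSM checks above for Console and Faspex leave the comparison between the asctl port listing and the site's CLSA to the reviewer. The script below is an added example, not part of the STIG or of the Aspera tooling: it parses the grep'd asctl lines and prints every configured port that is missing from an allowlist. The asctl lines are constructed from the sample output shown in the check, and the allowlist is a hypothetical CLSA; both are placeholders for the real values.

```sh
#!/bin/sh
# Added example, not from the STIG or from IBM: compare the ports that
# "asctl all:info | grep port:" reports against the site's PPSM CLSA
# allowlist and print whatever is configured but not approved. The sample
# asctl output and the allowlist below are constructed for the example; on a
# real server feed in
#   sudo /opt/aspera/common/asctl/asctl all:info | grep port:
# and the port list from the site's CLSA.

# unapproved_ports "<asctl port lines>" "<approved ports, space separated>"
# Prints "<setting> <port>" for every configured port that is not approved,
# and "UNPARSED <line>" for a line that does not carry a numeric port.
unapproved_ports() {
    info="$1"; approved=" $2 "
    printf '%s\n' "$info" | while IFS= read -r line; do
        case "$line" in *port:*) ;; *) continue ;; esac
        # "http_fallback_port:8080" shows the space after the colon is not
        # guaranteed, so split on the first colon and strip whitespace.
        name=$(printf '%s' "${line%%:*}" | tr -d '[:space:]')
        port=$(printf '%s' "${line#*:}"  | tr -d '[:space:]')
        case "$port" in ''|*[!0-9]*) echo "UNPARSED $line"; continue ;; esac
        case "$approved" in *" $port "*) ;; *) echo "$name $port" ;; esac
    done
}

# ppsm_review "<asctl port lines>" "<approved ports>"
# Exit 0 when every configured port is in the allowlist, 1 (a finding) otherwise.
ppsm_review() {
    extra=$(unapproved_ports "$1" "$2")
    if [ -n "$extra" ]; then
        echo "FINDING: configured ports not in the PPSM CLSA:"
        echo "$extra"
        return 1
    fi
    echo "OK: every configured port is in the PPSM CLSA"
}

# Constructed sample: the lines the check above shows, as grep would print them.
ASCTL_PORTS='   http_port: 80
   https_port: 443
   port: 4406
   base_port: 3000
   http_fallback_port:8080'
# Hypothetical CLSA that approves HTTPS, the Faspex base port and MySQL only,
# so the two plaintext HTTP listeners (80 and the 8080 fallback) are flagged.
APPROVED_PORTS="443 3000 4406"
ppsm_review "$ASCTL_PORTS" "$APPROVED_PORTS" || true
```

Anything printed as UNPARSED is worth a look as well: a port setting that asctl reports in a form the script cannot read is exactly the kind of entry that gets left out of a manual comparison.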
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Faspex web page. If you are neither redirected to an IdP nor provided with a list of one or more IdPs to choose from on the standard IBM Aspera Faspex webpage, this is a finding. If redirected to the IdP login, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding. If not redirected to a single IdP but provided a list of configured IdPs, choose one for authentication with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding.
For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP. To configure SAML within IBM Aspera Faspex, perform the following: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Authentication" tab. - Select the SAML Integration menu. - Select "Add New SAML Configuration". - Choose one action from these: 1) Enter the SAML server's metadata URL in "Import from URL" and click "Import Setting From Metadata URL". 2) Click "Browse" and locate the file containing the SAML server's metadata. 3) Paste the SAML server metadata into the box labeled "Import from Text" and click the "Import Settings From Text". - Select "Create SAML Configuration" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Ensure that encryption is required for all transfers by the IBM Aspera Faspex: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section from the left menu. - Scroll down to the "Encryption" section. - Verify that the "Encrypt transfers" option is checked. If the "Encrypt transfers" option is not checked, this is a finding.
Configure the system to require encryption for all transfers by the IBM Aspera Faspex: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section from the left menu. - Scroll down to the "Encryption" section. - Put a check in the "Encrypt transfers" check box. - Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Verify that the "Use encryption-at-rest" radio button is set to "Always".
If the "Use encryption-at-rest" radio button is set to "Never" or "Optional", this is a finding.
Configure the IBM Aspera Faspex to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Set the "Use encryption-at-rest" radio button to "Always".
- Select "Update" at the bottom of the page.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify that the log files for IBM Aspera Faspex have no world access with the following command:
$ sudo find /opt/aspera/faspex/log/ \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
If results are returned from the above command, this is a finding.
Remove world access from any IBM Aspera Faspex log file that has world permissions granted.
$ sudo chmod o-rwx <placefilenamehere>
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/faspex/config/secret.yml file is group-owned by faspex with the following command:
$ sudo stat -c "%G" /opt/aspera/faspex/config/secret.yml
faspex
If "faspex" is not returned as a result, this is a finding.
Configure the /opt/aspera/faspex/config/secret.yml file to be group-owned by faspex with the following command:
$ sudo chgrp faspex /opt/aspera/faspex/config/secret.yml
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/faspex/config/secret.yml file is owned by faspex with the following command:
$ sudo stat -c "%U" /opt/aspera/faspex/config/secret.yml
faspex
If "faspex" is not returned as a result, this is a finding.
Configure the /opt/aspera/faspex/config/secret.yml file to be owned by faspex with the following command:
$ sudo chown faspex /opt/aspera/faspex/config/secret.yml
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex restricts users from using transfer services by default with the following commands:
Check that the aspera.conf file is configured to deny transfer in and out by default.
$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"
If the results produce an "allow" value, this is a finding.
Configure the IBM Aspera Faspex to restrict users from using transfer services by default with the following commands:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex restricts users' read, write, and browse permissions by default with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"
If no results are returned or if the results produce a "true" value, this is a finding.
Configure the IBM Aspera Faspex to restrict users' read, write, and browse permissions by default with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Session timeout" option is set to "10" minutes or less.
If the "Session timeout" option is set to more than "10" minutes, this is a finding.
Configure IBM Aspera Shares interactive sessions to terminate after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Set the "Session timeout" option to "10" minutes or less.
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Shares default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner. Using a web browser, go to the default IBM Aspera Shares website. If the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.
Configure the IBM Aspera Shares default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Messages" option.
- Enter the Standard Mandatory DoD-approved Notice and Consent Banner in the Login page message box.
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Shares web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.
For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP that implements multi-factor authentication.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares locks accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Failed login count" is set to "3" or less.
- Verify the "Failed login interval" is set to "15" or less.
If the "Failed login count" is set to more than "3", this is a finding.
If the "Failed login interval" is set to more than "15" minutes, this is a finding.
Configure IBM Aspera Shares to lock accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Edit the "Failed login count" option to "3" or less.
- Edit the "Failed login interval" option to "15" minutes or less.
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares requires password complexity:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Require strong passwords" option is checked.
If the "Require strong passwords" option is not checked, this is a finding.
If the "Require strong passwords" option is checked, downgrade this requirement to a CAT III.
Configure IBM Aspera Shares to require password complexity:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Put a check in the "Require strong passwords" check box.
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. To ensure that all external recipients of Shares packages must register for an account before they can download packages or files within packages:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option from the left menu.
- Verify that the "Self Registration" option is set to "Moderated" or "None".
If the "Self Registration" option is set to "Unmoderated", this is a finding.
To configure Aspera Shares to authenticate all external recipients of Shares packages before they can download packages or files within packages:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option from the left menu.
- Use the dropdown menu to set the "Self Registration" option to "Moderated" or "None".
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares user account passwords have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Password expiration interval" is set to "60" or less.
If the "Password expiration interval" is greater than "60" or is blank, this is a finding.
Configure IBM Aspera Shares user account passwords to have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Edit the "Password expiration interval" to "60" days or less.
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares only uses TLS 1.2 or greater with the following command:
$ sudo grep ssl_protocols /opt/aspera/shares/etc/nginx/nginx.conf
ssl_protocols TLSv1.2;
If the results of the command display versions below "TLSv1.2", this is a finding.
Configure IBM Aspera Shares to use TLS 1.2. Add or edit the following line in the nginx.conf file located at /opt/aspera/shares/etc/nginx/nginx.conf:
ssl_protocols TLSv1.2;
Restart nginx for these changes to take effect.
$ sudo /opt/aspera/shares/sbin/sv restart nginx
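The grep in the check above shows the directive but leaves the reviewer to read it; the script below, an added example that is not STIG text or part of Shares, parses every ssl_protocols directive in an nginx.conf, ignores commented-out lines, and flags any token older than TLSv1.2 or a missing directive. The two sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the STIG): audit ssl_protocols directives in an
# nginx.conf. The sample configurations written below are constructed.

# Print the protocol tokens of each ssl_protocols directive in file $1,
# one directive per line, with comments stripped first.
ssl_protocol_tokens() {
    sed -n -e 's/#.*//' \
           -e 's/^[[:space:]]*ssl_protocols[[:space:]][[:space:]]*\(.*\);.*$/\1/p' "$1"
}

# Return 0 when every ssl_protocols directive in $1 lists only TLSv1.2 or
# newer; print one FINDING per weak or unknown token. A file with no
# directive at all is also a finding, because nginx then uses its compiled-in
# default rather than the value the STIG requires.
check_ssl_protocols() {
    conf=$1; rc=0; seen=0
    for tok in $(ssl_protocol_tokens "$conf"); do
        seen=1
        case "$tok" in
            TLSv1.2|TLSv1.3) ;;
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "FINDING: $conf enables $tok (below TLSv1.2)"; rc=1 ;;
            *)
                echo "FINDING: $conf has unrecognised protocol token $tok"; rc=1 ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "FINDING: $conf has no ssl_protocols directive"; rc=1
    fi
    return $rc
}

# Write a constructed sample configuration ($1 = weak|good) to path $2.
write_sample_conf() {
    case "$1" in
        weak) cat > "$2" <<'EOF'
http {
    # ssl_protocols TLSv1.2;   (commented out, so ignored by the check)
    server {
        listen 443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
EOF
        ;;
        good) cat > "$2" <<'EOF'
http {
    server {
        listen 443 ssl;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}
EOF
        ;;
    esac
}

# Demonstration on the two constructed files.
demo() {
    dir=$(mktemp -d)
    write_sample_conf weak "$dir/weak.conf"
    write_sample_conf good "$dir/good.conf"
    check_ssl_protocols "$dir/good.conf" && echo "good.conf: compliant"
    check_ssl_protocols "$dir/weak.conf" || echo "weak.conf: finding"
    rm -rf "$dir"
}

demo
```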
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. The IBM Aspera Shares is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the server with the following command:
$ sudo cat /opt/aspera/shares/etc/nginx/nginx.conf | grep listen
listen 80;
listen [::]:80;
listen 443;
listen [::]:443;
Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Configure the IBM Aspera Shares to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/shares/etc/nginx/nginx.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Shares web page. Attempt to authenticate using the IdP provided under the "SAML" heading of the login page with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding.
For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Go to "Accounts".
- Select the "Directories" option from the left menu.
- Beside the SAML IdP entry, click "Edit".
- To enable SAML, select the check box "Log in using the SAML Identity Provider".
- Enter the SAML entry-point address provided by the IdP in the "IdP Single Sign-On URL" text box.
- Enter the "Identity Provider Certificate Fingerprint" and specify the algorithm type in the dropdown menu.
- Enter the "Identity Provider Certificate".
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Ensure that encryption is required for all transfers by the IBM Aspera Shares:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Verify the "Encryption" option is set to at least "AES-128".
If the "Encryption" option is set to "optional" or not set, this is a finding.
Configure the system to require encryption for all transfers by the IBM Aspera Shares:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Select an encryption level of "AES-128" or greater from the "Encryption" dropdown menu.
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Shares implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Verify the "Encryption at rest" option is set to "Required".
If the "Encryption at rest" option is set to "Optional" or is not set, this is a finding.
Configure the IBM Aspera Shares to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Set the "Encryption at rest" option to "Required".
- Select "Save" at the bottom of the page.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify that the log files for IBM Aspera Shares have no world access with the following commands:
$ sudo find /opt/aspera/shares/u/stats-collector/var/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
$ sudo find /opt/aspera/shares/u/shares/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
$ sudo find /opt/aspera/shares/var/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
If results are returned from the above commands, this is a finding.
Remove world access from any IBM Aspera Shares log file that has world permissions granted.
$ sudo chmod o-rwx <placefilenamehere>
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is group-owned by nobody with the following command:
$ sudo stat -c "%G" /opt/aspera/shares/u/shares/config/aspera/secret.rb
nobody
If "nobody" is not returned as a result, this is a finding.
Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be group-owned by nobody with the following command:
$ sudo chgrp nobody /opt/aspera/shares/u/shares/config/aspera/secret.rb
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is owned by nobody with the following command:
$ sudo stat -c "%U" /opt/aspera/shares/u/shares/config/aspera/secret.rb
nobody
If "nobody" is not returned as a result, this is a finding.
Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be owned by nobody with the following command:
$ sudo chown nobody /opt/aspera/shares/u/shares/config/aspera/secret.rb
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file has a mode of "0400" or less permissive with the following command:
$ sudo stat -c "%a %n" /opt/aspera/shares/u/shares/config/aspera/secret.rb
400 /opt/aspera/shares/u/shares/config/aspera/secret.rb
If the resulting mode is more permissive than "0400", this is a finding.
Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to have a mode of "0400" or less permissive with the following command:
$ sudo chmod 0400 /opt/aspera/shares/u/shares/config/aspera/secret.rb
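The owner, group and mode checks on the secret files (Faspex secret.yml and Shares secret.rb above) and the world-access find on the log directories are the same three stat fields and one find predicate repeated; the script below, an added example that is not STIG text or IBM code, turns them into two reusable checks. It runs on a constructed temporary directory, with the directory's owner standing in for the nobody or faspex account, because the real paths need root.

```shell
#!/bin/sh
# Added example (not part of the STIG): script the GNU stat and find checks
# used in the check text. Paths and expected owners are parameters; the demo
# at the bottom uses a constructed temporary directory, not /opt/aspera.

# Return 0 when $1 is owned by $2, group-owned by $3 and no more permissive
# than octal mode $4 (e.g. 0400); print one FINDING line per deviation.
check_secret_file() {
    local path want_user want_group max_mode user group mode rc
    path=$1; want_user=$2; want_group=$3; max_mode=$4; rc=0
    user=$(stat -c '%U' "$path") || return 2
    group=$(stat -c '%G' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$user" != "$want_user" ]; then
        echo "FINDING: $path owner is $user, expected $want_user"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FINDING: $path group is $group, expected $want_group"; rc=1
    fi
    # "0400 or less permissive" means no permission bit outside 0400 is set;
    # the leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & ~0$max_mode )) -ne 0 ]; then
        echo "FINDING: $path mode is $mode, more permissive than $max_mode"; rc=1
    fi
    return $rc
}

# Print every regular file under $1 that has any world (other) permission
# bit set, the same predicate as the find -perm -0001/-0002/-0004 command in
# the check text. Return 1 when at least one such file exists.
world_accessible_files() {
    local found
    found=$(find "$1" -type f \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demonstration on a constructed directory (no root needed); the temp dir's
# owner and group stand in for the nobody/faspex account the STIG expects.
demo() {
    local dir me mygrp
    dir=$(mktemp -d); me=$(stat -c '%U' "$dir"); mygrp=$(stat -c '%G' "$dir")
    : > "$dir/secret.rb"; chmod 0400 "$dir/secret.rb"
    check_secret_file "$dir/secret.rb" "$me" "$mygrp" 0400 && echo "secret.rb: compliant"
    chmod 0644 "$dir/secret.rb"
    check_secret_file "$dir/secret.rb" "$me" "$mygrp" 0400 || echo "secret.rb: finding"
    mkdir "$dir/log"
    : > "$dir/log/a.log"; chmod 0640 "$dir/log/a.log"
    : > "$dir/log/b.log"; chmod 0644 "$dir/log/b.log"
    world_accessible_files "$dir/log" || echo "log dir: finding"
    rm -rf "$dir"
}

demo
```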
Verify IBM Aspera High-Speed Transfer Endpoint only uses TLS 1.2 or greater with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1.2"
If both entries do not return "tlsv1.2" or greater, this is a finding.
Configure the IBM Aspera High-Speed Endpoint SSL security protocol to TLS version 1.2 or higher:
$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2"
$ sudo /opt/aspera/bin/asconfigurator -x "set_client_data;ssl_protocol,tlsv1.2"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
The IBM Aspera High-Speed Transfer Endpoint is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the HSTE with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep port:
transfer_protocol_options_bind_udp_port: "33001"
trunk_mcast_port: "0"
trunk_mcast_port: "0"
port: "4406"
port: "40001"
mgmt_port: "0"
http_port: "8080"
https_port: "8443"
http_port: "9091"
https_port: "9092"
ssh_port: "33001"
db_port: "31415"
scalekv_sstore_port: "31415"
scalekv_baseport: "43001"
aej_port: "0"
rproxy_rules_rule_proxy_port: "33001"
initd_db_port: "31416"
wss_port: "9093"
Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Configure the IBM Aspera High-Speed Transfer Endpoint to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
For implementations using IBM Aspera High-Speed Transfer Endpoint, check for a <ssh_host_key_fingerprint> entry within the <server> section of the IBM Aspera High-Speed Transfer Endpoint installation configuration file at /opt/aspera/etc/aspera.conf using the following command:
$ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint
If the command does not return XML containing the fingerprint, this is a finding.
Test that the certificate used by the Aspera Node service is a valid signed certificate (not self-signed) by running the following command after substituting the FQDN for "servername":
$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092
If the certificate is not DoD issued, this is a finding.
For implementations using the IBM Aspera High Speed Transfer Endpoint, configure the host key fingerprint using the following procedure:
1. Retrieve the server's SHA-1 fingerprint using the following command:
$ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum
2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the string returned from the previous command for "INSERTFINGERPRINTHERE":
$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE"
3. Restart the IBM Aspera Node service to activate the change using the following command:
$ sudo systemctl restart asperanoded.service
Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High Speed Transfer Endpoint according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide. Restart the IBM Aspera Node service to activate the change to the certificate using the following command:
$ sudo systemctl restart asperanoded.service
Ensure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Endpoint with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep fips
transfer_encryption_fips_mode: "true"
If results are blank or fips mode is reported as "false", this is a finding.
For implementations using IBM Aspera High-Speed Transfer Endpoint, configure FIPS compliance for all transfers by executing the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
Verify the IBM High-Speed Transfer Endpoint enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:
$ sudo /opt/aspera/bin/askmscli -u <transferuser> -H ssear
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
If the command returns "No records found for ssear", this is a finding.
Configure the IBM High-Speed Transfer Endpoint to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:
$ sudo /opt/aspera/bin/askmscli -u <transferuser> -s ssear
Verify the IBM High-Speed Transfer Endpoint enables password protection of the node database with the following commands:
Initiate a cli connection to the node database.
$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>
Type "info" in the cli to attempt to query the database.
127.0.0.1:31415>info
NOAUTH Authentication required.
If the command results do not state "Authentication required", this is a finding.
Configure the IBM High-Speed Transfer Endpoint to enable password protection of the node database.
Temporarily change the ownership of the Redis configuration file aspera_31415.conf to the user asperadaemon with the following command:
$ sudo chown asperadaemon /opt/aspera/etc/Redis/aspera_31415.conf
Update the configuration file to save the password across reboots with the following commands:
$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>CONFIG SET REQUIREPASS <password>
OK
127.0.0.1:31415>AUTH <password>
OK
127.0.0.1:31415>CONFIG REWRITE
OK
127.0.0.1:31415>quit
Restore aspera_31415.conf ownership to root with the following command:
$ sudo chown root /opt/aspera/etc/Redis/aspera_31415.conf
Create the node database password with the following command:
$ sudo /opt/aspera/bin/askmscli -s Redis-password
Store the node database password in the transfer user and asperadaemon keystores with the following commands:
$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon
Verify the IBM High-Speed Transfer Endpoint has a master-key set to encrypt the dynamic token encryption key with the following commands:
$ sudo /opt/aspera/bin/askmscli -u <transferuser> -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
$ sudo /opt/aspera/bin/askmscli -u asperadaemon -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
If either command returns "No records found for Redis-master-key", this is a finding.
Configure the IBM High-Speed Transfer Endpoint to set a master-key to encrypt the dynamic token encryption key with the following command:
$ sudo echo -n "`openssl rand -base64 32`" | sudo /opt/aspera/bin/askmscli -s Redis-master-key
For each transfer user with a token encryption key, initialize the user's keystore with the following command:
$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
Initialize the keystore for the asperadaemon user that runs asperanoded with the following command:
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
Verify the IBM Aspera High-Speed Transfer Endpoint limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep concurrent
transfer_manager_max_concurrent_sessions: "20"
If the value returned (in this example 20 is the default) is not an organization-defined number, this is a finding.
Configure the IBM Aspera High-Speed Transfer Endpoint to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data; transfer_manager_max_concurrent_sessions,<insertorganizationvaluehere>"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
Verify the IBM High-Speed Transfer Endpoint does not store group content-protection secrets in plain text. For each group, run the following command:
Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.
$ sudo /opt/aspera/bin/asuserdata -g <groupname> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Configure the IBM High-Speed Transfer Endpoint to not store group content-protection secrets in plain text. For each group, remove any secrets from the /opt/aspera/etc/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_group_data; group_name,<groupname>; transfer_encryption_content_protection_secret,AS_NULL"
Verify the IBM High-Speed Transfer Endpoint does not store node content-protection secrets in plain text with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Configure the IBM High-Speed Transfer Endpoint to not store node content-protection secrets in plain text. Remove any secrets from the /opt/aspera/etc/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data; transfer_encryption_content_protection_secret,AS_NULL"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
Verify the IBM High-Speed Transfer Endpoint does not store user content-protection secrets in plain text. For each user, run the following command:
Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.
$ sudo /opt/aspera/bin/asuserdata -u <username> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Configure the IBM High-Speed Transfer Endpoint to not store user content-protection secrets in plain text. For each user, remove any secrets from the /opt/aspera/etc/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
Verify the Aspera High-Speed Transfer Endpoint restricts users from using transfer services by default with the following commands:
Check that the aspera.conf file is configured to deny transfer in and out by default.
$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"
If the results produce an "allow" value, this is a finding.
Configure the Aspera High-Speed Transfer Endpoint to restrict users from using transfer services by default with the following commands:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
Verify the IBM Aspera High-Speed Transfer Endpoint restricts users' read, write, and browse permissions by default with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"
If no results are returned or if the results produce a "true" value, this is a finding.
Configure the IBM Aspera High-Speed Transfer Endpoint to restrict users' read, write, and browse permissions by default with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
Verify the IBM Aspera High-Speed Transfer Endpoint prohibits the use of cached authenticators after an organization-defined time period with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life'
token_life_seconds: "86400"
Note: The example token life is for one day; this number must be defined by the organization.
If no result is returned or if the result is not an organization-defined time period, this is a finding.
Configure the IBM Aspera High-Speed Transfer Endpoint to prohibit the use of cached authenticators after an organization-defined time period with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_life_seconds,86400"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.service
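The HSTE checks above all grep individual keys out of one asuserdata -a run. The script below, an added example that is not STIG text or IBM code, reads a saved copy of that output from stdin and evaluates the transfer-authorization, read/write/browse, FIPS, content-protection-secret, ssl_protocol, token-lifetime and concurrent-session settings in one pass, so a node can be audited from a collected artifact. The sample output is constructed and deliberately mixes compliant and non-compliant values; the organization-defined token lifetime and session limit are passed as arguments.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluate the asuserdata -a settings
# the HSTE checks look at. The sample output below is constructed, not
# captured from a real node.

sample_asuserdata() {
cat <<'EOF'
node configuration:
  authorization_transfer_in_value: "deny"
  authorization_transfer_out_value: "allow"
  read_allowed: "false"
  write_allowed: "true"
  dir_allowed: "false"
  transfer_encryption_fips_mode: "true"
  transfer_encryption_content_protection_secret: "AS_NULL"
  token_life_seconds: "86400"
  transfer_manager_max_concurrent_sessions: "20"
server configuration:
  ssl_protocol: "tlsv1.2"
client configuration:
  ssl_protocol: "tlsv1.1"
EOF
}

# Read key: "value" lines on stdin and print one FINDING per setting that
# deviates from the STIG expectation. $1 is the organization-defined token
# lifetime in seconds, $2 the organization-defined concurrent-session limit.
# Returns 1 when any finding was printed.
audit_node_settings() {
    local org_token_life org_max_sessions rc line key value expect
    org_token_life=$1; org_max_sessions=$2; rc=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
        case "$line" in *': "'*'"') ;; *) continue ;; esac
        key=${line%%:*}
        value=${line#*: }; value=${value#\"}; value=${value%\"}
        case "$key" in
            authorization_transfer_in_value|authorization_transfer_out_value) expect=deny ;;
            read_allowed|write_allowed|dir_allowed) expect=false ;;
            transfer_encryption_fips_mode) expect=true ;;
            transfer_encryption_content_protection_secret) expect=AS_NULL ;;
            token_life_seconds) expect=$org_token_life ;;
            transfer_manager_max_concurrent_sessions) expect=$org_max_sessions ;;
            ssl_protocol)
                # both the server and the client entry must be tlsv1.2 or newer
                case "$value" in
                    tlsv1.2|tlsv1.3) ;;
                    *) echo "FINDING: ssl_protocol is \"$value\", expected tlsv1.2 or newer"; rc=1 ;;
                esac
                continue ;;
            *) continue ;;
        esac
        if [ "$value" != "$expect" ]; then
            echo "FINDING: $key is \"$value\", expected \"$expect\""; rc=1
        fi
    done
    return $rc
}

# Demonstration: the constructed sample yields three findings
# (transfer out allowed, write allowed, client ssl_protocol tlsv1.1).
sample_asuserdata | audit_node_settings 86400 20 || echo "node: findings present"
```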
Verify the IBM Aspera High-Speed Transfer Server only uses TLS 1.2 or greater with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1.2"

If both entries do not return "tlsv1.2" or greater, this is a finding.
Configure the IBM Aspera High-Speed Transfer Server SSL security protocol to TLS version 1.2 or higher:

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2"
$ sudo /opt/aspera/bin/asconfigurator -x "set_client_data;ssl_protocol,tlsv1.2"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
The IBM Aspera High-Speed Transfer Server is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the HSTS with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep port:
transfer_protocol_options_bind_udp_port: "33001"
trunk_mcast_port: "0"
trunk_mcast_port: "0"
port: "4406"
port: "40001"
mgmt_port: "0"
http_port: "8080"
https_port: "8443"
http_port: "9091"
https_port: "9092"
ssh_port: "33001"
db_port: "31415"
scalekv_sstore_port: "31415"
scalekv_baseport: "43001"
aej_port: "0"
rproxy_rules_rule_proxy_port: "33001"
initd_db_port: "31416"
wss_port: "9093"

Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).

If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.

If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Configure the IBM Aspera High-Speed Transfer Server to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
For implementations using IBM Aspera High-Speed Transfer Server, check for a <ssh_host_key_fingerprint> entry within the <server> section of the IBM Aspera High-Speed Transfer Server installation configuration file at /opt/aspera/etc/aspera.conf using the following command:

$ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint

If the command does not return XML containing the fingerprint, this is a finding.

Test that the certificate used by the Aspera Node service is a valid signed certificate (not self-signed) by running the following command after substituting the FQDN for "servername":

$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092

If the certificate is not DoD issued, this is a finding.
For implementations using the IBM Aspera High Speed Transfer Server, configure the host key fingerprint using the following procedure:

1. Retrieve the server's SHA-1 fingerprint using the following command:

$ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum

2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the string returned from the previous command for "INSERTFINGERPRINTHERE":

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE"

3. Restart the IBM Aspera Node service to activate the change using the following command:

$ sudo systemctl restart asperanoded.service

Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High Speed Transfer Server according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide.

Restart the IBM Aspera Node service to activate the change to the certificate using the following command:

$ sudo systemctl restart asperanoded.service
Ensure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Server with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep fips
transfer_encryption_fips_mode: "true"

If results are blank or FIPS mode is reported as "false", this is a finding.
For implementations using IBM Aspera High-Speed Transfer Server, apply FIPS compliance criteria to all transfers by executing the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the IBM Aspera HSTS configures the SELinux context type for "aspshell" with the following commands:

$ sudo ls -l /bin/aspshell
lrwxrwxrwx. 1 root root 24 Sep 1 17:38 /bin/aspshell -> /opt/aspera/bin/aspshell

If /bin/aspshell is not symlinked to /opt/aspera/bin/aspshell, this is a finding.

$ sudo ls -Z /opt/aspera/bin/aspshell
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:S0 /bin/aspshell

If the context type of "/opt/aspera/bin/aspshell" is not "shell_exec_t", this is a finding.
Configure the IBM Aspera HSTS SELinux context type for "aspshell" with the following commands (the shell entry is appended through tee, since a redirect after sudo would be opened by the unprivileged shell, not by root):

$ echo /bin/aspshell | sudo tee -a /etc/shells
$ sudo ln -s /opt/aspera/bin/aspshell /bin/aspshell
$ sudo semanage fcontext -a -t shell_exec_t "/opt/aspera/bin/aspshell"
$ sudo restorecon -v /opt/aspera/bin/aspshell
Verify the IBM High-Speed Transfer Server enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -H ssear
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

If the command returns "No records found for ssear", this is a finding.
Configure the IBM High-Speed Transfer Server to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -s ssear
Verify the IBM High-Speed Transfer Server enables password protection of the node database with the following commands:

Initiate a CLI connection to the node database.

$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>

Type "info" in the CLI to attempt to query the database.

127.0.0.1:31415>info
NOAUTH Authentication required.

If the command results do not state "Authentication required", this is a finding.
Configure the IBM High-Speed Transfer Server to enable password protection of the node database.

Temporarily change the ownership of the Redis configuration file aspera_31415.conf to the user asperadaemon with the following command:

$ sudo chown asperadaemon /opt/aspera/etc/Redis/aspera_31415.conf

Update the configuration file to save the password across reboots with the following commands:

$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>CONFIG SET REQUIREPASS <password>
OK
127.0.0.1:31415>AUTH <password>
OK
127.0.0.1:31415>CONFIG REWRITE
OK
127.0.0.1:31415>quit

Restore aspera_31415.conf ownership to root with the following command:

$ sudo chown root /opt/aspera/etc/Redis/aspera_31415.conf

Create the node database password with the following command:

$ sudo /opt/aspera/bin/askmscli -s Redis-password

Store the node database password in the transfer user and asperadaemon keystores with the following commands:

$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon
Verify the Aspera High-Speed Transfer Server enables the use of dynamic token encryption keys with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep dynamic
token_dynamic_key: "true"

If the "token_dynamic_key" setting is not set to "true", this is a finding.
Configure the Aspera High-Speed Transfer Server to enable the use of dynamic token encryption keys with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_dynamic_key,true"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the IBM High-Speed Transfer Server has a master key set to encrypt the dynamic token encryption key with the following commands:

$ sudo /opt/aspera/bin/askmscli -u <transferuser> -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

$ sudo /opt/aspera/bin/askmscli -u asperadaemon -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340

If either command returns "No records found for Redis-master-key", this is a finding.
Configure the IBM High-Speed Transfer Server to set a master key to encrypt the dynamic token encryption key with the following command:

$ sudo echo -n "`openssl rand -base64 32`" | sudo /opt/aspera/bin/askmscli -s Redis-master-key

For each transfer user with a token encryption key, initialize the user's keystore with the following command:

$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>

Initialize the keystore for the asperadaemon user that runs asperanoded with the following command:

$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the IBM Aspera High-Speed Transfer Server limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep concurrent
transfer_manager_max_concurrent_sessions: "20"

If the value returned (in this example 20 is the default) is not the organization-defined number, this is a finding.
Configure the IBM Aspera High-Speed Transfer Server to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data; transfer_manager_max_concurrent_sessions,<insertorganizationvaluehere>"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the IBM High-Speed Transfer Server does not store group content-protection secrets in plain text. For each group, run the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -g <groupname> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Configure the IBM High-Speed Transfer Server to not store group content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_group_data; group_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"
Verify the IBM High-Speed Transfer Server does not store node content-protection secrets in plain text with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Configure the IBM High-Speed Transfer Server to not store node content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data; transfer_encryption_content_protection_secret,AS_NULL"
Verify the IBM High-Speed Transfer Server does not store user content-protection secrets in plain text. For each user, run the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -u <username> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"

If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Configure the IBM High-Speed Transfer Server to not store user content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"
Verify the Aspera High-Speed Transfer Server restricts the use of the root account for transfers with the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -u root | grep allowed | grep true

If results are returned from the above command, this is a finding.
Configure the Aspera High-Speed Transfer Server to restrict the use of the root account for transfers. For each privilege that is set to "true", run the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,root;<privilege>,false"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the Aspera High-Speed Transfer Server restricts Aspera transfer users to a limited part of the server's file system. Check that each user is restricted to a specific transfer folder with the following command:

Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.

$ sudo /opt/aspera/bin/asuserdata -u <username> | grep absolute
canonical_absolute: "<specifictransferfolder>"
absolute: "<specifictransferfolder>"

If the transfer user's docroot is set to "<Empty String>" or is blank, this is a finding.
Configure the Aspera High-Speed Transfer Server to restrict Aspera transfer users to a limited part of the server's file system with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name, <username>;canonical_absolute,<transferfolder>; absolute,<transferfolder>"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the Aspera High-Speed Transfer Server restricts the transfer user(s) to the "aspshell" with the following command:

$ sudo grep <username> /etc/passwd
<username>:x:1001:1001:...:/home/<username>:/bin/aspshell

If the transfer user is not limited to the "aspshell", this is a finding.
Configure the Aspera High-Speed Transfer Server to restrict the transfer user(s) to the "aspshell" with the following command:

$ sudo usermod -s /bin/aspshell <username>
Verify the Aspera High-Speed Transfer Server restricts users from using transfer services by default with the following commands:

Check that the aspera.conf file is configured to deny transfer in and out by default.

$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"

If the results produce an "allow" value, this is a finding.
Configure the Aspera High-Speed Transfer Server to restrict users from using transfer services by default with the following commands:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the IBM Aspera High-Speed Transfer Server restricts users' read, write, and browse permissions by default with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"

If no results are returned or if the results produce a "true" value, this is a finding.
Configure the IBM Aspera High-Speed Transfer Server to restrict users' read, write, and browse permissions by default with the following commands:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the Aspera High-Speed Transfer Server sets the default docroot to an empty folder. Check that the default docroot points to an empty folder with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep absolute
canonical_absolute: "<someemptyfolder>"
absolute: "<someemptyfolder>"

If the default docroot is set to "<Empty String>", this is a finding.

Review the default docroot file path from the previous command to ensure it is empty.

$ sudo find <somefilepath> -maxdepth 0 -empty -exec echo {} is empty. \;
<somefilepath> is empty.

If the command does not return "<somefilepath> is empty.", this is a finding.
Configure the Aspera High-Speed Transfer Server to set the default docroot to an empty folder with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;canonical_absolute,<someemptyfolder>; absolute,<someemptyfolder>"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
Verify the rootkeystore.db file is group-owned by root with the following command:

$ sudo stat -c "%G" /opt/aspera/etc/rootkeystore.db
root

If "root" is not returned as a result, this is a finding.
Configure the rootkeystore.db file to be group-owned by root with the following command: $ sudo chgrp root /opt/aspera/etc/rootkeystore.db
Verify the rootkeystore.db file is owned by root with the following command:

$ sudo stat -c "%U" /opt/aspera/etc/rootkeystore.db
root

If "root" is not returned as a result, this is a finding.
Configure the rootkeystore.db file to be owned by root with the following command: $ sudo chown root /opt/aspera/etc/rootkeystore.db
Verify the rootkeystore.db file has a mode of "0600" or less permissive with the following command:

$ sudo stat -c "%a %n" /opt/aspera/etc/rootkeystore.db
600 /opt/aspera/etc/rootkeystore.db

If the resulting mode is more permissive than "0600", this is a finding.
Configure the rootkeystore.db file to have a mode of "0600" or less permissive with the following command: $ sudo chmod 0600 /opt/aspera/etc/rootkeystore.db
Verify the IBM Aspera High-Speed Transfer Server prohibits the use of cached authenticators after an organization-defined time period with the following command:

$ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life'
token_life_seconds: "86400"

Note: The example token life is for one day; this number must be defined by the organization.

If no result is returned or if the result is not an organization-defined time period, this is a finding.
Configure the IBM Aspera High-Speed Transfer Server to prohibit the use of cached authenticators after an organization-defined time period with the following command:

$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_life_seconds,86400"

Restart the IBM Aspera Node service to activate the changes.

$ sudo systemctl restart asperanoded.service
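Several of the checks above (default transfer authorization, read/write/browse permissions, token life, TLS protocol, FIPS mode, dynamic token keys, node content-protection secret) all inspect the same `asuserdata -a` output one grep at a time. The script below is an added example, not part of the STIG or of IBM's tooling: it audits a captured dump against all of those expected values in one pass. The sample dump is constructed for illustration; a real one comes from `sudo /opt/aspera/bin/asuserdata -a`.

```shell
#!/bin/sh
# Added example (not from the STIG or IBM): audit an `asuserdata -a` dump
# against the node settings the STIG checks require, in one pass.

# Constructed sample of `asuserdata -a` output from a non-compliant node.
SAMPLE_ASUSERDATA='authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "allow"
read_allowed: "false"
write_allowed: "false"
dir_allowed: "true"
token_life_seconds: "86400"
token_dynamic_key: "true"
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1.1"
transfer_encryption_fips_mode: "true"
transfer_encryption_content_protection_secret: "AS_NULL"'

# Print every value of key $2 found in dump $1, one per line, quotes stripped.
asdump_values() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { gsub(/"/, "", $2); print $2 }'
}

# One FINDING line per occurrence of key $2 whose value is not $3. A missing
# key is also a finding, since the STIG treats "no results" as one.
check_exact() {
    vals=$(asdump_values "$1" "$2"); rc=0
    [ -n "$vals" ] || { echo "FINDING: $2 not set"; return 1; }
    for v in $vals; do
        [ "$v" = "$3" ] || { echo "FINDING: $2 is \"$v\", expected \"$3\""; rc=1; }
    done
    return $rc
}

# ssl_protocol appears twice (server and client); each must be TLS 1.2 or greater.
check_tls() {
    vals=$(asdump_values "$1" ssl_protocol); rc=0
    [ -n "$vals" ] || { echo "FINDING: ssl_protocol not set"; return 1; }
    for v in $vals; do
        case $v in
            tlsv1.2|tlsv1.3) ;;
            *) echo "FINDING: ssl_protocol is \"$v\", expected tlsv1.2 or greater"; rc=1 ;;
        esac
    done
    return $rc
}

# Run all checks on dump $1; $2 is the organization-defined token life in
# seconds. Prints each finding and a final "findings: N" line.
audit_asuserdata() {
    n=0
    check_exact "$1" authorization_transfer_in_value deny   || n=$((n+1))
    check_exact "$1" authorization_transfer_out_value deny  || n=$((n+1))
    check_exact "$1" read_allowed false                     || n=$((n+1))
    check_exact "$1" write_allowed false                    || n=$((n+1))
    check_exact "$1" dir_allowed false                      || n=$((n+1))
    check_exact "$1" token_life_seconds "$2"                || n=$((n+1))
    check_exact "$1" token_dynamic_key true                 || n=$((n+1))
    check_exact "$1" transfer_encryption_fips_mode true     || n=$((n+1))
    check_exact "$1" transfer_encryption_content_protection_secret AS_NULL || n=$((n+1))
    check_tls "$1"                                          || n=$((n+1))
    echo "findings: $n"
}

audit_asuserdata "$SAMPLE_ASUSERDATA" 86400
```

On the constructed sample this reports three findings (outbound transfers allowed, directory browsing allowed, and a client ssl_protocol below TLS 1.2); run it against the real dump after the fixes above and expect "findings: 0".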
This STIG is sunset and no longer updated. Compare the version running to the version supported by the vendor. If the system is using an unsupported version from the vendor, this is a finding.
Upgrade to a version supported by the vendor.