13:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"IBM Aspera Platform 4.2 Security Technical Implementation Guide"}],false,["$","$L1d",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","1","R","3"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"Dec 5, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"IBM_Aspera_Platform_4-2_STIG","children":"IBM_Aspera_Platform_4-2_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":95}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",11]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",82]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",2]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20Aspera%20Platform%204.2%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20Aspera%20Platform%204.2%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=IBM%20Aspera%20Platform%204.2%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_Aspera_Platform_4-2_V1R3_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L1e",null,{"checks":[{"id":"b613347f-da89-4485-adb6-91552d48859b","vulnId":"V-252556","severity":"medium","ruleTitle":"The IBM Aspera Platform must be configured to support centralized management and configuration.","description":"Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.\n\nThe content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records.\n\nNetwork components requiring centralized audit log management must have the capability to support centralized management.\n\nThe DoD requires centralized management of all network component audit record content.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (management).\n\nSupport of centralized management of the IBM Aspera Platform is accomplished via use of IBM Aspera Console.","checkContent":"Verify the IBM Aspera Platform is configured to support centralized management and configuration. \n\nNavigate to the IBM Aspera Console webpage, login with an administrator account, and review the Nodes tab.\n\nIf all nodes managed by the organization are not listed, this is a finding.\n\nIf the IBM Aspera Platform implementation does not include IBM Aspera Console, this is a finding.","fixText":"Configure the IBM Aspera Platform to support centralized management and configuration.\n\nEnsure the IBM Aspera Console server is installed and configured to manage all nodes within the organization.\n\nNavigate to the IBM Aspera Console webpage, log in with an administrator account, and select the \"Nodes\" tab.\n\nSelect \"New Managed Node\" to add nodes to the IBM Aspera Console."},{"id":"847d4dc7-c548-4864-bccb-8dad37bc2683","vulnId":"V-252557","severity":"medium","ruleTitle":"The IBM Aspera Platform must not have unnecessary services and functions enabled.","description":"$1f","checkContent":"Verify that only mission essential features are in use. Interview the systems administrator to determine if the following Aspera features are in use:\n\nAspera Shares \nAspera Faspex \n\nIf either Aspera Shares or Aspera Faspex are in use and are not documented with the ISSM as a mission requirement, this is a finding.","fixText":"Ensure all mission required features of Aspera are documented with the ISSM."},{"id":"2b97454a-0e08-42bc-a018-4e5ea3caad93","vulnId":"V-252558","severity":"medium","ruleTitle":"IBM Aspera Console must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.","description":"$20","checkContent":"Using a web browser, navigate to the default IBM Aspera Console web page. Use the SAML link and authenticate using known working credentials.\n\nIf entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.","fixText":"For implementations using the IBM Aspera Console feature, configure SAML to use an existing IdP that implements multi-factor authentication."},{"id":"a353ff6a-520b-4828-8ece-550abbd17868","vulnId":"V-252559","severity":"medium","ruleTitle":"The IBM Aspera Console must protect audit information from unauthorized read access.","description":"Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Thus, it is imperative that the collected log data from the various network elements, as well as the auditing tools, be secured and can only be accessed by authorized personnel.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).\n\nSatisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058","checkContent":"Verify the log files for IBM Aspera Console do not have world access with the following command:\n\n$ sudo find /opt/aspera/console/log/ \$ -perm -0001 -o -perm -0002 -o -perm -0004 \$ -print\n\nIf results are returned from the above command, this is a finding.","fixText":"Remove world access from any IBM Aspera Console log file that has world permissions granted. \n\n$ sudo chmod o-rwx "},{"id":"d967612d-cfce-4e2c-8306-26d1332a469d","vulnId":"V-252560","severity":"medium","ruleTitle":"The IBM Aspera Console must protect audit tools from unauthorized access.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nNetwork elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the access to audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).\n\nRefer to the IBM Aspera Console Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Console User Field, and required format within the assertion.","checkContent":"Using a web browser, navigate to the IBM Aspera Console web page. The IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication.\n\nIf it does not redirect for authentication via the configured IdP, this is a finding.\n\nIf redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.","fixText":"Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps:\n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege.\n- Select the \"Accounts\" tab.\n- Select the \"SAML\" tab.\n- Enter the IdP SSO Target (Redirect) URL.\n- Enter the IdP Cert Fingerprint.\n- Select from the dropdown menu the IdP Cert Fingerprint Algorithm. \n- Select \"Save\" at the bottom of the page."},{"id":"e86a91bd-c307-4501-a120-3d81fb435ba0","vulnId":"V-252561","severity":"medium","ruleTitle":"IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.","description":"$21","checkContent":"Using a web browser, navigate to the IBM Aspera Console web page. IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication.\n\nIf it does not redirect for authentication via the configured IdP, this is a finding.\n\nIf redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.\n\nIf unable to log in using known working credentials, this is a finding.","fixText":"Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps:\n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege.\n- Select the \"Accounts\" tab.\n- Select the \"SAML\" tab.\n- Enter the IdP SSO Target (Redirect) URL.\n- Enter the IdP Cert Fingerprint.\n- Select from the dropdown menu the IdP Cert Fingerprint Algorithm. \n- Select \"Save\" at the bottom of the page."},{"id":"19faf49b-b8d4-44bb-920d-18818ca52e61","vulnId":"V-252562","severity":"high","ruleTitle":"The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.","description":"$22","checkContent":"Verify IBM Aspera Console only uses TLS 1.2 or greater with the following command:\n\n$ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf\nSSLProtocol TLSv1.2\n\nIf the values for SSLProtocol vary from the above example, this is a finding.","fixText":"Configure IBM Aspera Console to use TLS 1.2.\n\nAdd/Edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf.\n\nSSLProtocol TLSv1.2\n\nRestart Apache for these changes to take effect.\n\n$ sudo /opt/aspera/common/asctl/asctl apache:restart"},{"id":"137c5ab8-9108-426b-adcc-fb22e4460815","vulnId":"V-252563","severity":"medium","ruleTitle":"IBM Aspera Console interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n\nSatisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006","checkContent":"Verify IBM Aspera Console interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Security\" section.\n- Verify the \"Session timeout\" option is set to \"10\" minutes or less.\n\nIf the \"Session Timeout\" option is set to more than \"10\" minutes, this is a finding.","fixText":"Configure IBM Aspera Console interactive sessions to terminate after 10 minutes of inactivity for non-privileged and privileged sessions: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege.\n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Security\" section.\n- Edit the \"Session Timeout\" option to \"10\" minutes or less.\n- Select \"Save\" at the bottom of the page."},{"id":"1f7fa5d5-8e40-4bc7-891b-3ed7b166dd9b","vulnId":"V-252564","severity":"medium","ruleTitle":"IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"$23","fixText":"Configure IBM Aspera Console to enforce password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Console Password Options\" section.\n- Edit the \"Password Requirement Regular Expression\" with the following value: (?=.*\\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\\W|_)).{15,}\n- Edit the \"Password Requirement Message\" with the following text: \"Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol\".\n- Select \"Save\" at the bottom of the page."},{"id":"b2a3f67d-27f3-4b9d-a681-17c98be590a5","vulnId":"V-252565","severity":"medium","ruleTitle":"IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.","checkContent":"Verify IBM Aspera Console locks accounts after three unsuccessful login attempts within a 15-minute timeframe: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Security\" section.\n- Verify the \"Deactivate Users\" section is set to \"3\" or less failed login attempts within \"15\" minutes or less.\n\nIf the \"Deactivate Users\" section is set to more than \"3\" failed login attempts, this is a finding.\n\nIf the \"Deactivate Users\" section is set to more than \"15\" minutes, this is a finding.","fixText":"Configure IBM Aspera Console to lock accounts after three unsuccessful login attempts within a 15-minute timeframe: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Security\" section.\n- Edit the \"Deactivate Users\" section failed login attempts option to \"3\" or less.\n- Edit the \"Deactivate Users\" section attempts within minutes to \"15\" or less.\n- Select \"Save\" at the bottom of the page."},{"id":"99743367-a221-43a6-80d7-38a632e7c94e","vulnId":"V-252566","severity":"medium","ruleTitle":"IBM Aspera Console must prevent concurrent logins for all accounts.","description":"Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary.\n\nThis policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.","checkContent":"Verify IBM Aspera Console prevents concurrent logins for all accounts: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Security\" section.\n- Verify the \"Prevent concurrent login\" option is checked.\n\nIf the \"Prevent concurrent login\" option is not checked, this is a finding.","fixText":"Configure IBM Aspera Console to prevent concurrent logins for all accounts: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Security\" section.\n- Put a check the \"Prevent concurrent login\" check box.\n- Select \"Save\" at the bottom of the page."},{"id":"f2d5924c-fc16-464c-92f2-dcaae425ce6b","vulnId":"V-252567","severity":"medium","ruleTitle":"IBM Aspera Console passwords must be prohibited from reuse for a minimum of five generations.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.","checkContent":"Verify IBM Aspera Console passwords are prohibited from reuse for a minimum of five generations: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Console Password Options\" section.\n- Verify the \"Password Expiration\" option is checked.\n- Verify the \"Password Reuse Limit\" option is set to \"5\" or more.\n\nIf the \"Password Expiration\" option is not checked, this is a finding.\n\nIf the \"Password Reuse Limit\" is set to less than \"5\" or is set to \"0\", this is a finding.","fixText":"Configure IBM Aspera Console passwords to be prohibited from reuse for a minimum of five generations: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Console Password Options\" section.\n- Put a check in the \"Password Expiration\" check box.\n- Edit the \"Password Reuse Limit\" option to \"5\" or more.\n Note: \"0\" disables the \"Password Reuse Limit\" option.\n- Select \"Save\" at the bottom of the page."},{"id":"38b3bbc6-f37e-4e63-bfe8-ae1d3795b2ba","vulnId":"V-252568","severity":"medium","ruleTitle":"IBM Aspera Console user account passwords must have a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.","checkContent":"Verify IBM Aspera Console user account passwords have a 60-day maximum password lifetime restriction: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Console Password Options\" section.\n- Verify the \"Password Expiration\" option is checked.\n- Verify the \"Password Duration\" option is set to \"60\" days or less.\n\nIf the \"Password Expiration\" option is not checked, this is a finding.\n\nIf the \"Password Duration\" is set to more than \"60\" days or is set to \"0\", this is a finding.","fixText":"Configure IBM Aspera Console user account passwords to have a 60-day maximum password lifetime restriction: \n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Console Password Options\" section.\n- Put a check in the \"Password Expiration\" check box.\n- Edit the \"Password Duration\" option to \"60\" days or less.\n Note: \"0\" disables the \"Password Duration\" option.\n- Select \"Save\" at the bottom of the page."},{"id":"be69e2d8-3fe1-446c-a4a9-eb4050fb5d28","vulnId":"V-252569","severity":"medium","ruleTitle":"The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"$24","checkContent":"The IBM Aspera Console is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.\n\nReview the port configurations of the server with the following command:\n\n$ sudo /opt/aspera/common/asctl/asctl all:info | grep port:\n\nhttp_port: 80\nhttps_port: 443\nport: 4406\nbase_port: 3500\n\nAsk the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). \n\nIf there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.","fixText":"Configure the IBM Aspera Console to disable functions, ports, protocols, and services that are not approved.\n\nUse the following commands to configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.\n\nFor the apache instance:\n$ sudo /opt/aspera/common/asctl/asctl apache:http_port \n$ sudo /opt/aspera/common/asctl/asctl apache:https_port \n\nFor the console:\n$ sudo /opt/aspera/common/asctl/asctl console:base_port \n\nFor the database:\n$ sudo /opt/aspera/common/asctl/asctl mysql:port "},{"id":"393f002a-740a-4c08-916f-62ec4c467737","vulnId":"V-252570","severity":"high","ruleTitle":"The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.","description":"$25","checkContent":"Ensure that encryption is required for all transfers by the IBM Aspera Console:\n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Transfer Defaults\" section.\n- Verify that the \"Transport Encryption\" option is set to \"aes-128\".\n\nIf the \"Transport Encryption\" option is set to \"none\", this is a finding.","fixText":"Configure the system to require encryption for all transfers by the IBM Aspera Console:\n\n- Log in to the IBM Aspera Console web page as a user with administrative privilege. \n- Select the \"Configuration\" tab.\n- Select the \"Defaults\" tab.\n- Scroll down to the \"Transfer Defaults\" section.\n- Select the \"Transport Encryption\" option of \"aes-128\".\n- Select \"Save\" at the bottom of the page."},{"id":"22c302ee-336e-4a62-8874-9bffd3a04b93","vulnId":"V-252571","severity":"medium","ruleTitle":"The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"Verify the /opt/aspera/console/config/secret.yml file is group-owned by root with the following command:\n\n$ sudo stat -c \"%G\" /opt/aspera/console/config/secret.yml\n\nroot\n\nIf \"root\" is not returned as a result, this is a finding.","fixText":"Configure the /opt/aspera/console/config/secret.yml file to be group-owned by root with the following command:\n\n$ sudo chgrp root /opt/aspera/console/config/secret.yml"},{"id":"353e3a55-9535-43b1-ab43-2d05a0be5a75","vulnId":"V-252572","severity":"medium","ruleTitle":"The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"Verify the /opt/aspera/console/config/secret.yml file is owned by root with the following command:\n\n$ sudo stat -c \"%U\" /opt/aspera/console/config/secret.yml\n\nroot\n\nIf \"root\" is not returned as a result, this is a finding.","fixText":"Configure the /opt/aspera/console/config/secret.yml file to be owned by root with the following command:\n\n$ sudo chown root /opt/aspera/console/config/secret.yml"},{"id":"8216d714-645e-4f97-a51c-c5c25f685f50","vulnId":"V-252573","severity":"medium","ruleTitle":"The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"Verify the /opt/aspera/console/config/secret.yml file has a mode of \"0600\" or less permissive with the following command:\n\n$ sudo stat -c \"%a %n\" /opt/aspera/console/config/secret.yml\n\n600 /opt/aspera/console/config/secret.yml\n\nIf the resulting mode is more permissive than \"0600\", this is a finding.","fixText":"Configure the /opt/aspera/console/config/secret.yml file to have a mode of \"0600\" or less permissive with the following command:\n\n$ sudo chmod 0600 /opt/aspera/console/config/secret.yml"},{"id":"4d0201ec-9223-4150-bb9f-e01bee8975e9","vulnId":"V-252574","severity":"medium","ruleTitle":"The IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion.","description":"Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.\n\nNetwork elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification of audit tools.\n\nAudit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).\n\nSatisfies: SRG-NET-000102-ALG-000060, SRG-NET-000103-ALG-000061","checkContent":"Verify the world ownership of subdirectories within the /opt/aspera/console directory. Only the \"public\" subdirectory should have any access outside of the owner or group.\n\nsudo find /opt/aspera/console -perm -0002 -exec ls -lLd {} \\;\n\nIf any files or directories have world write permissions, this is a finding.","fixText":"Remove the ability for world to write to any file that has been modified to world writeable. \n\n$ sudo chmod o-w "},{"id":"a84f58ae-d0e9-4fde-91f8-1fa668257d01","vulnId":"V-252575","severity":"medium","ruleTitle":"IBM Aspera Faspex interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n\nSatisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Faspex interactive session are terminated after 10 minutes of inactivity for non-privileged and privileged sessions: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Verify the \"Session timeout\" option is set to \"10\" minutes or less.\n\nIf the \"Session timeout\" option is set to more than \"10\" minutes, this is a finding.","fixText":"Configure IBM Aspera Faspex interactive session to terminated after 10 minutes of inactivity for non-privileged and privileged sessions: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Edit the \"Session timeout\" option to \"10\" minutes or less.\n- Select \"Update\" at the bottom of the page."},{"id":"0657a0b5-8b2d-465e-bec3-277b99dfd9ee","vulnId":"V-252576","severity":"medium","ruleTitle":"The IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the /opt/aspera/faspex/config/secret.yml file has a mode of \"0600\" or less permissive with the following command:\n\n$ sudo stat -c \"%a %n\" /opt/aspera/faspex/config/secret.yml\n\n600 /opt/aspera/faspex/config/secret.yml\n\nIf the resulting mode is more permissive than \"0600\", this is a finding.","fixText":"Configure the /opt/aspera/faspex/config/secret.yml file to have a mode of \"0600\" or less permissive with the following command:\n\n$ sudo chmod 0600 /opt/aspera/faspex/config/secret.yml"},{"id":"d234a2f3-a0e0-4477-92de-dbe52915dc23","vulnId":"V-252577","severity":"medium","ruleTitle":"IBM Aspera Faspex must allow the use of a temporary password for logins with an immediate change to a permanent password.","description":"Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login.\n\nTemporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log in, yet force them to change the password once they have successfully authenticated.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Faspex allows the use of a temporary password for logins with an immediate change to a permanent password: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Verify the \"Require new users to change password on first login\" option is checked.\n\nIf the \"Require new users to change password on first login\" option is not checked, this is a finding.","fixText":"Configure IBM Aspera Faspex to allow the use of a temporary password for logins with an immediate change to a permanent password: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Put a check in the \"Require new users to change password on first login\" option check box.\n- Select \"Update\" at the bottom of the page."},{"id":"5c65dbdc-e680-406a-b5f8-b4eac6a724f2","vulnId":"V-252578","severity":"low","ruleTitle":"IBM Aspera Faspex must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.","description":"$26","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the IBM Aspera Faspex default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner.\n\nUsing a web browser, go to the default IBM Aspera Faspex website. \n\nIf the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.","fixText":"Configure the IBM Aspera Faspex default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner.\n\n- Log in to IBM Aspera Faspex as an administrative user.\n- Go to Server >> Notifications >> Login Announcement and enter the approved language."},{"id":"3ef6258f-1d74-42f8-8935-7ec6f0996f24","vulnId":"V-252579","severity":"medium","ruleTitle":"IBM Aspera Faspex must disable account identifiers after 35 days of inactivity.","description":"Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.","checkContent":"$27","fixText":"Configure IBM Aspera Faspex to disable account identifiers after 35 days of inactivity: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Under the \"Faspex accounts\" \"Remove users\" section, edit the following:\n- Put a check in the \"Local users\" option check box.\n- Edit the \"Local users\" option to \"35\" days or less.\n- Put a check in the \"DS users\" option check box.\n- Edit the \"DS users\" option to \"35\" days or less.\n- Put a check in the \"SAML users\" option check box.\n- Edit the \"SAML users\" option to \"35\" days or less.\n- Select \"Update\" at the bottom of the page."},{"id":"fff1776c-abb8-4159-8f38-1520efa27951","vulnId":"V-252580","severity":"medium","ruleTitle":"IBM Aspera Faspex must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.","description":"$28","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nUsing a web browser, navigate to the default IBM Aspera Faspex web page.\n\nUse the SAML link and authenticate using known working credentials.\n\nIf entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.","fixText":"For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP that implements multi-factor authentication."},{"id":"72c00f2e-528b-410d-9cee-7a5859c78209","vulnId":"V-252581","severity":"medium","ruleTitle":"IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Faspex locks accounts after three unsuccessful login attempts within a 15-minute timeframe: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Verify the \"Faspex accounts\" \"Lock users\" section is set to \"3\" or less failed login attempts within \"15\" minutes or less.\n\nIf the \"Lock users\" section is set to more than \"3\" failed login attempts, this is a finding.\n\nIf the \"Lock users\" section is set to more than \"15\" minutes, this is a finding.","fixText":"Configure IBM Aspera Faspex to lock accounts after three unsuccessful login attempts within a 15-minute timeframe: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Edit the \"Faspex accounts\" \"Lock users\" section failed login attempts option to \"3\" or less.\n- Edit the \"Lock users\" section attempts within minutes to \"15\" or less.\n- Select \"Update\" at the bottom of the page."},{"id":"93645489-ab12-47c4-81e2-e290d2005fe8","vulnId":"V-252582","severity":"medium","ruleTitle":"IBM Aspera Faspex must prevent concurrent logins for all accounts.","description":"Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary.\n\nThis policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Faspex prevents concurrent logins for all accounts: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Verify the \"Faspex accounts\" \"Prevent concurrent login\" option is checked.\n\nIf the \"Prevent concurrent login\" is not checked, this is a finding.","fixText":"Configure IBM Aspera Faspex to prevent concurrent logins for all accounts: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Put a check the \"Faspex accounts\" \"Prevent concurrent login\" check box.\n- Select \"Update\" at the bottom of the page."},{"id":"88d580e7-90af-4f5b-81cf-b229f1ffa9ab","vulnId":"V-252583","severity":"medium","ruleTitle":"IBM Aspera Faspex must require password complexity features to be enabled.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Faspex requires password complexity: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Verify the \"Faspex accounts\" \"Use strong passwords\" option is checked.\n\nIf the \"Use strong passwords\" option is not checked, this is a finding.\n\nIf the \"Use strong passwords\" option is checked, downgrade this requirement to a CAT III.","fixText":"Configure IBM Aspera Faspex to require password complexity: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Put a check the \"Faspex accounts\" \"Use strong passwords\" check box.\n- Select \"Update\" at the bottom of the page."},{"id":"3a441a00-77f1-4e66-bcd9-e4ebfeb4add5","vulnId":"V-252584","severity":"medium","ruleTitle":"IBM Aspera Faspex must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).","description":"Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly.\n\nIBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nTo ensure that all external recipients of Faspex packages must register for an account before they can download packages or files within packages: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" option from the left menu.\n- Verify that the option \"Require external users to register\" is checked.\n\nIf this option is not checked, this is a finding.\n\nAlso ensure IBM Aspera Faspex is configured for \"Moderated\" self-registration when permitting use by external users. To do this, verify the \"Moderated\" option is selected from the picklist for \"Self registration\" under the Registrations heading. \n\nIf this option is not checked, this is a finding.","fixText":"To configure Aspera Faspex to authenticate all external recipients of Faspex packages before they can download packages or files within packages: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" option from the left menu.\n- Check the option \"Require external users to register\" under the \"Registrations\" heading.\n- Select the \"Moderated\" option from the picklist for \"Self registration\" under the Registrations heading.\n- Select \"Update\" at the bottom of the page."},{"id":"d05a65d6-e000-45b8-9e74-08d0c8255782","vulnId":"V-252585","severity":"medium","ruleTitle":"IBM Aspera Faspex passwords must be prohibited from reuse for a minimum of five generations.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Faspex passwords are prohibited from reuse for a minimum of five generations: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Verify the \"Faspex accounts\" \"Prevent passwords reuse\" option is checked.\n- Verify the \"Faspex accounts\" \"Prevent passwords reuse\" options is set to \"5\" or more.\n\nIf the \"Prevent passwords reuse\" options is less than \"5\" or the option is not checked, this is a finding.","fixText":"Configure IBM Aspera Faspex passwords to be prohibited from reuse for a minimum of five generations: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Put a check the \"Faspex accounts\" \"Prevent passwords reuse\" check box.\n- Edit the \"Faspex accounts\" \"Prevent passwords reuse\" option to \"5\" or more.\n- Select \"Update\" at the bottom of the page."},{"id":"3f74adca-150c-49f3-9c59-81a1426819be","vulnId":"V-252586","severity":"medium","ruleTitle":"IBM Aspera Faspex user account passwords must have a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Faspex user account passwords have a 60-day maximum password lifetime restriction: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Verify the \"Faspex accounts\" \"Passwords expire\" option is checked.\n- Verify the \"Faspex accounts\" \"Passwords expire\" options is set to \"60\" days or less.\n\nIf the \"Passwords expire\" options is set to more than \"60\" days or the option is not checked, this is a finding.","fixText":"Configure IBM Aspera Faspex user account passwords to have a 60-day maximum password lifetime restriction: \n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege. \n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section.\n- Put a check the \"Faspex accounts\" \"Passwords expire\" check box.\n- Edit the \"Faspex accounts\" \"Passwords expire\" option to \"60\" days or less.\n- Select \"Update\" at the bottom of the page."},{"id":"88b78f68-e3e1-4838-930f-3e15b93d5353","vulnId":"V-252587","severity":"high","ruleTitle":"The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.","description":"$29","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Faspex only uses TLS 1.2 or greater with the following command:\n\n$ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf\nSSLProtocol TLSv1.2\n\nIf the values for SSLProtocol vary from the above example, this is a finding.","fixText":"Configure IBM Aspera Faspex to use TLS 1.2.\n\nAdd/Edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf.\n\nSSLProtocol TLSv1.2\n\nRestart Apache for these changes to take effect.\n\n$ sudo /opt/aspera/common/asctl/asctl apache:restart"},{"id":"b6b93392-529c-47d6-8961-129683c239da","vulnId":"V-252588","severity":"medium","ruleTitle":"IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"$2a","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nThe IBM Aspera Faspex is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.\n\nReview the port configurations of the server with the following command:\n\n$ sudo /opt/aspera/common/asctl/asctl all:info | grep port:\n\nhttp_port: 80\nhttps_port: 443\nport: 4406\nbase_port: 3000\nhttp_fallback_port:8080\n\nAsk the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). \n\nIf there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.","fixText":"Configure the IBM Aspera Faspex to disable functions, ports, protocols, and services that are not approved.\n\nUse the following commands to configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.\n\nFor the apache instance:\n$ sudo /opt/aspera/common/asctl/asctl apache:http_port \n$ sudo /opt/aspera/common/asctl/asctl apache:https_port \n\nFor the faspex instance:\n$ sudo /opt/aspera/common/asctl/asctl faspex:base_port \n$ sudo /opt/aspera/common/asctl/asctl faspex:http_fallback_port \n\nFor the database:\n$ sudo /opt/aspera/common/asctl/asctl mysql:port "},{"id":"4ae495bc-524d-4fc5-bb80-854008d548b3","vulnId":"V-252589","severity":"medium","ruleTitle":"IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"$2b","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nUsing a web browser, navigate to the default IBM Aspera Faspex web page.\n\nIf you are neither redirected to an IdP nor provided with a list of one or more IdPs to choose from on the standard IBM Aspera Faspex webpage, this is a finding.\n\nIf redirected to the IdP login, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.\n\nIf unable to log in using known working credentials, this is a finding.\n\nIf not redirected to a single IdP but provided a list of configured IdPs, choose one for authentication with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.\n\nIf unable to log in using known working credentials, this is a finding.","fixText":"For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP.\n\nTo configure SAML within IBM Aspera Faspex, perform the following:\n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.\n- Select the \"Server\" tab.\n- Select the \"Authentication\" tab.\n- Select the SAML Integration menu.\n- Select \"Add New SAML Configuration\".\n- Choose one action from these: 1) Enter the SAML server's metadata URL in \"Import from URL\" and click \"Import Setting From Metadata URL\". 2) Click \"Browse\" and locate the file containing the SAML server's metadata. 3) Paste the SAML server metadata into the box labeled \"Import from Text\" and click the \"Import Settings From Text\".\n- Select \"Create SAML Configuration\" at the bottom of the page."},{"id":"8924dbfd-d599-4fe6-ace5-80b924332ee1","vulnId":"V-252590","severity":"high","ruleTitle":"IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.","description":"$2c","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nEnsure that encryption is required for all transfers by the IBM Aspera Faspex:\n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.\n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section from the left menu.\n- Scroll down to the \"Encryption\" section.\n- Verify that the \"Encrypt transfers\" option is checked.\n\nIf the \"Encrypt transfers\" option is not checked, this is a finding.","fixText":"Configure the system to require encryption for all transfers by the IBM Aspera Faspex:\n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.\n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section from the left menu.\n- Scroll down to the \"Encryption\" section.\n- Put a check in the \"Encrypt transfers\" check box.\n- Select \"Update\" at the bottom of the page."},{"id":"4797f939-8293-4cf7-93e2-a86706dea4fb","vulnId":"V-252591","severity":"medium","ruleTitle":"IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nThis requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the IBM Aspera Faspex implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.\n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.\n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section from the left menu.\n- Scroll down to the \"Encryption\" section.\n- Verify that the \"Use encryption-at-rest\" radio button is set to \"Always\".\n\nIf the \"Use encryption-at-rest\" radio button is set to \"Never\" or \"Optional\", this is a finding.","fixText":"Configure the IBM Aspera Faspex to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.\n\n- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.\n- Select the \"Server\" tab.\n- Select the \"Configuration\" tab.\n- Select the \"Security\" section from the left menu.\n- Scroll down to the \"Encryption\" section.\n- Select the \"Use encryption-at-rest\" radio button \"Always\".\n- Select \"Update\" at the bottom of the page."},{"id":"0d98cfe7-585b-41ff-871f-2eb3dabe01db","vulnId":"V-252592","severity":"medium","ruleTitle":"IBM Aspera Faspex must protect audit information from unauthorized modification.","description":"If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification.\n\nThis requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nThis does not apply to audit logs generated on behalf of the device itself (management).\n\nSatisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify that the log files for IBM Aspera Faspex have no world access. \n\n$ sudo find /opt/aspera/faspex/log/ \$ -perm -0001 -o -perm -0002 -o -perm -0004 \$ -print\n\nIf results are returned from the above command, this is a finding.","fixText":"Remove world access from any IBM Aspera Faspex log file that has world permissions granted. \n\n$ sudo chmod o-rwx "},{"id":"c5dea813-2dfa-4a33-b17d-8317f943d067","vulnId":"V-252593","severity":"medium","ruleTitle":"The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the /opt/aspera/faspex/config/secret.yml file is group-owned by faspex with the following command:\n\n$ sudo stat -c \"%G\" /opt/aspera/faspex/config/secret.yml\n\nfaspex\n\nIf \"faspex\" is not returned as a result, this is a finding.","fixText":"Configure the /opt/aspera/faspex/config/secret.yml file to be group-owned by faspex with the following command:\n\n$ sudo chgrp faspex /opt/aspera/faspex/config/secret.yml"},{"id":"11b152fe-b7b6-4524-9bdc-c7ece0247e42","vulnId":"V-252594","severity":"medium","ruleTitle":"The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the /opt/aspera/faspex/config/secret.yml file is owned by faspex with the following command:\n\n$ sudo stat -c \"%U\" /opt/aspera/faspex/config/secret.yml\n\nfaspex\n\nIf \"faspex\" is not returned as a result, this is a finding.","fixText":"Configure the /opt/aspera/faspex/config/secret.yml file to be owned by faspex with the following command:\n\n$ sudo chown faspex /opt/aspera/faspex/config/secret.yml"},{"id":"71f614bb-0d18-4dba-93ce-a40b1d4e1577","vulnId":"V-252595","severity":"medium","ruleTitle":"The IBM Aspera Faspex Server must restrict users from using transfer services by default.","description":"$2d","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the IBM Aspera Faspex restricts users from using transfer services by default with the following commands:\n\nCheck that the aspera.conf file is configured to deny transfer in and out by default.\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value\n\nauthorization_transfer_in_value: \"deny\"\nauthorization_transfer_out_value: \"deny\"\n\nIf the results produce an \"allow\" value, this is a finding.","fixText":"Configure the IBM Aspera Faspex to restrict users from using transfer services by default with the following commands:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;authorization_transfer_in_value,deny\"\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;authorization_transfer_out_value,deny\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"8adb9bd4-0791-4d2f-bfd4-88cb38851d49","vulnId":"V-252596","severity":"medium","ruleTitle":"The IBM Aspera Faspex Server must restrict users read, write, and browse permissions by default.","description":"$2e","checkContent":"If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the IBM Aspera Faspex restricts users read, write, and browse permissions by default with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\\|write_allowed\\|dir_allowed'\n\nread_allowed: \"false\"\nwrite_allowed: \"false\"\ndir_allowed: \"false\"\n\nIf no results are returned or if the results produce a \"true\" value, this is a finding.","fixText":"Configure the IBM Aspera Faspex to restrict users' read, write, and browse permissions by default with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"33738f65-df0f-4e0e-b35b-2d4a975f197b","vulnId":"V-252597","severity":"medium","ruleTitle":"The IBM Aspera Shares interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.","description":"Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.\n\nSatisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Shares interactive session are terminated after 10 minutes of inactivity for non-privileged and privileged sessions: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option.\n- Verify the \"Session timeout\" option is set to \"10\" minutes or less.\n\nIf the \"Session timeout\" option is set to more than \"10\" minutes, this is a finding.","fixText":"Configure IBM Aspera Shares interactive session to terminated after 10 minutes of inactivity for non-privileged and privileged sessions: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the User Security option.\n- Edit the \"Session timeout\" option is set to \"10\" minutes or less.\n- Select \"Save\" at the bottom of the page."},{"id":"ff0a5f93-797e-4891-8a85-f7ad28cb2516","vulnId":"V-252598","severity":"low","ruleTitle":"IBM Aspera Shares must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.","description":"$2f","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the IBM Aspera Shares default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner.\n\nUsing a web browser, go to the default IBM Aspera Shares website. \n\nIf the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.","fixText":"Configure the IBM Aspera Shares default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner.\n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"System Settings\" section.\n- Select the \"Messages\" option.\n- Enter the Standard Mandatory DoD-approved Notice and Consent Banner in the Login page message box.\n- Select \"Save\" at the bottom of the page."},{"id":"5802df5f-f5fe-4fbc-ae4a-72ccf863af15","vulnId":"V-252599","severity":"medium","ruleTitle":"IBM Aspera Shares must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.","description":"$30","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nUsing a web browser, navigate to the default IBM Aspera Shares web page.\n\nUse the SAML link and authenticate using known working credentials.\n\nIf entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.","fixText":"For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP that implements multi-factor authentication."},{"id":"318ce598-5953-4078-83f1-ad8e15a71d72","vulnId":"V-252600","severity":"medium","ruleTitle":"IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Shares locks accounts after three unsuccessful login attempts within a 15-minute timeframe: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option.\n- Verify the \"Failed login count\" is set to \"3\" or less.\n- Verify the \"Failed login interval\" is set to \"15\" or less.\n\nIf the \"Failed login count\" is set to more than \"3\", this is a finding.\n\nIf the \"Failed login interval\" is set to more than \"15\" minutes, this is a finding.","fixText":"Configure IBM Aspera Shares to lock accounts after three unsuccessful login attempts within a 15-minute timeframe: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option.\n- Edit the \"Failed login count\" option to \"3\" or less.\n- Edit the \"Failed login interval\" option to \"15\" minutes or less.\n- Select \"Save\" at the bottom of the page."},{"id":"91aa957a-d3f3-49eb-90aa-1d43deb60da3","vulnId":"V-252601","severity":"medium","ruleTitle":"IBM Aspera Shares must require password complexity features to be enabled.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Shares requires password complexity: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option.\n- Verify the \"Require strong passwords\" option is checked.\n\nIf the \"Require strong passwords\" option is not checked, this is a finding.\n\nIf the \"Require strong passwords\" option is checked, downgrade this requirement to a CAT III.","fixText":"Configure IBM Aspera Shares to require password complexity: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option.\n- Put a check the \"Require strong passwords\" check box.\n- Select \"Save\" at the bottom of the page."},{"id":"43ee07cc-b2c8-44ba-b9fd-333e3e874461","vulnId":"V-252602","severity":"medium","ruleTitle":"IBM Aspera Shares must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).","description":"Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly.\n\nIBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nTo ensure that all external recipients of Shares packages must register for an account before they can download packages or files within packages: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option from the left menu.\n- Verify that the \"Self Registration\" option is set to \"Moderated\" or \"None\".\n\nIf the \"Self Registration\" option is set to \"Unmoderated\", this is a finding.","fixText":"To configure Aspera Shares to authenticate all external recipients of Shares packages before they can download packages or files within packages: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option from the left menu.\n- Use the dropdown menu to set the \"Self Registration\" option to \"Moderated\" or \"None\".\n- Select \"Save\" at the bottom of the page."},{"id":"ac0ad2f4-5815-49c0-8547-1a6f2a471b64","vulnId":"V-252603","severity":"medium","ruleTitle":"IBM Aspera Shares user account passwords must have a 60-day maximum password lifetime restriction.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Shares user account passwords have a 60-day maximum password lifetime restriction: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option.\n- Verify the \"Password expiration interval\" is set to \"60\" or less.\n\nIf the \"Password expiration interval\" is greater than \"60\" or is blank, this is a finding.","fixText":"Configure IBM Aspera Shares user account passwords to have a 60-day maximum password lifetime restriction: \n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"Security\" section.\n- Select the \"User Security\" option.\n- Edit the \"Password expiration interval\" to \"60\" days or less.\n- Select \"Save\" at the bottom of the page."},{"id":"fca50387-ed1b-4e51-ad5f-7e87330a8fd1","vulnId":"V-252604","severity":"high","ruleTitle":"The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.","description":"$31","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify IBM Aspera Shares only uses TLS 1.2 or greater with the following command:\n\n$ sudo grep ssl_protocols /opt/aspera/shares/etc/nginx/nginx.conf\n ssl_protocols TLSv1.2;\n\nIf the results of the command display versions below \"TLSv1.2\", this is a finding.","fixText":"Configure IBM Aspera Shares to use TLS 1.2.\n\nAdd/Edit the following line in the nginx.conf file located at /opt/aspera/shares/etc/nginx/nginx.conf. \n\nssl_protocols TLSv1.2; \n\nRestart nginx for these changes to take effect.\n\n$ sudo /opt/aspera/shares/sbin/sv restart nginix"},{"id":"cc5263ec-dc07-4b0d-a0ba-bcbaa0453cc6","vulnId":"V-252605","severity":"medium","ruleTitle":"IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"$32","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nThe IBM Aspera Shares is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.\n\nReview the port configurations of the server with the following command:\n\n$ sudo cat /opt/aspera/shares/etc/nginx/nginx.conf | grep listen\n\n listen 80;\n listen [::]:80;\n listen 443;\n listen [::]:443;\n\nAsk the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). \n\nIf there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.\n\nIf there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.","fixText":"Configure the IBM Aspera Shares to disable functions, ports, protocols, and services that are not approved.\n\nEdit the /opt/aspera/shares/etc/nginx/nginx.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port."},{"id":"3763a3a4-4e11-4d1c-92f3-fff4d3ebb4c6","vulnId":"V-252606","severity":"medium","ruleTitle":"IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).","description":"$33","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nUsing a web browser, navigate to the default IBM Aspera Shares web page. Attempt to authenticate using the IdP provided under \"SAML\" heading of login page with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.\n\nIf unable to log in using known working credentials, this is a finding.","fixText":"For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP.\n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Go to \"Accounts\".\n- Select the \"Directories\" option from the left menu.\n- Beside the SAML IdP entry, click \"Edit\".\n- To enable SAML, select the check box \"Log in using the SAML Identity Provider\".\n- Enter the SAML entry-point address provided by the IdP in the \"IdP Single Sign-On URL\" text box.\n- Enter the \"Identity Provider Certificate Fingerprint\" and specify the algorithm type in the dropdown menu.\n- Enter the \"Identity Provider Certificate\".\n- Select \"Save\" at the bottom of the page."},{"id":"fe058047-a3a5-4436-ab5d-f5e6daae1d7a","vulnId":"V-252607","severity":"high","ruleTitle":"IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.","description":"$34","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nEnsure that encryption is required for all transfers by the IBM Aspera Shares:\n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"System Settings\" section.\n- Select the \"Transfers\" option.\n- Verify the \"Encryption\" option is set to at least \"AES-128\".\n\nIf the \"Encryption\" option is set to \"optional\" or not set, this is a finding.","fixText":"Configure the system to require encryption for all transfers by the IBM Aspera Shares:\n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"System Settings\" section.\n- Select the \"Transfers\" option.\n- Select an encryption level from the dropdown menu of \"Encryption\" of \"AES-128\" or greater.\n- Select \"Save\" at the bottom of the page."},{"id":"5587cb67-ed62-4206-9b4a-9b36f10543dc","vulnId":"V-252608","severity":"medium","ruleTitle":"IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.","description":"Without cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nRemote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).\n\nCryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.\n\nThis requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the IBM Aspera Shares implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.\n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"System Settings\" section.\n- Select the \"Transfers\" option.\n- Verify the \"Encryption at rest\" option is set to \"Required\".\n\nIf the \"Encryption at rest\" option is set to \"Optional\" or is not set, this is a finding.","fixText":"Configure the IBM Aspera Shares to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.\n\n- Log in to the IBM Aspera Shares web page as a user with administrative privilege. \n- Select the \"Admin\" tab.\n- Scroll down to the \"System Settings\" section.\n- Select the \"Transfers\" option.\n- Select the \"Encryption at rest\" option \"Required\".\n- Select \"Save\" at the bottom of the page."},{"id":"04e94b1f-274a-4b88-ae9c-77869f325fe4","vulnId":"V-252609","severity":"medium","ruleTitle":"IBM Aspera Shares must protect audit information from unauthorized deletion.","description":"If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.\n\nTo ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.\n\nAudit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.\n\nThis requirement does not apply to audit logs generated on behalf of the device itself (device management).\n\nSatisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify that the log files for IBM Aspera Shares have no world access. \n\n$ sudo find /opt/aspera/shares/u/stats-collector/var/log \$ -perm -0001 -o -perm -0002 -o -perm -0004 \$ -print\n\n$ sudo find /opt/aspera/shares/u/shares/log \$ -perm -0001 -o -perm -0002 -o -perm -0004 \$ -print\n\n$ sudo find /opt/aspera/shares/var/log \$ -perm -0001 -o -perm -0002 -o -perm -0004 \$ -print\n\nIf results are returned from the above commands, this is a finding.","fixText":"Remove world access from any IBM Aspera Shares log file that has world permissions granted. \n\n$ sudo chmod o-rwx "},{"id":"35528661-902b-43e7-a95e-7d5fa79a40e6","vulnId":"V-252610","severity":"medium","ruleTitle":"The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is group-owned by nobody with the following command:\n\n$ sudo stat -c \"%G\" /opt/aspera/shares/u/shares/config/aspera/secret.rb\n\nnobody\n\nIf \"nobody\" is not returned as a result, this is a finding.","fixText":"Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be group-owned by nobody with the following command:\n\n$ sudo chgrp nobody /opt/aspera/shares/u/shares/config/aspera/secret.rb"},{"id":"1f2aa429-29d9-44d0-9468-79ae26dbaad5","vulnId":"V-252611","severity":"medium","ruleTitle":"The IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is owned by nobody with the following command:\n\n$ sudo stat -c \"%U\" /opt/aspera/shares/u/shares/config/aspera/secret.rb\n\nnobody\n\nIf \"nobody\" is not returned as a result, this is a finding.","fixText":"Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be owned by nobody with the following command:\n\n$ sudo chown nobody /opt/aspera/shares/u/shares/config/aspera/secret.rb"},{"id":"61a77b18-49fd-41ba-b7bb-c076a820884e","vulnId":"V-252612","severity":"medium","ruleTitle":"The IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.","checkContent":"If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.\n\nVerify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file has a mode of \"0400\" or less permissive with the following command:\n\n$ sudo stat -c \"%a %n\" /opt/aspera/shares/u/shares/config/aspera/secret.rb\n\n400 /opt/aspera/shares/u/shares/config/aspera/secret.rb\n\nIf the resulting mode is more permissive than \"0400\", this is a finding.","fixText":"Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to have a mode of \"0400\" or less permissive with the following command:\n\n$ sudo chmod 0400 /opt/aspera/shares/u/shares/config/aspera/secret.rb"},{"id":"805e5d77-019d-4094-bd90-a8e927dbeb80","vulnId":"V-252613","severity":"high","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.","description":"SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nThis requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol thus are in scope for this requirement. NIST SP 800-52 specifies the preferred configurations for government systems.","checkContent":"Verify IBM Aspera High-Speed Transfer Endpoint only uses TLS 1.2 or greater with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol\n ssl_protocol: \"tlsv1.2\" \n ssl_protocol: \"tlsv1.2\" \n\nIf both entries do not return \"tlsv1.2\" or greater , this is a finding.","fixText":"Configure the IBM Aspera High-Speed Endpoint SSL security protocol to TLS version 1.2 or higher:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_server_data;ssl_protocol,tlsv1.2\"\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_client_data;ssl_protocol,tlsv1.2\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"fb31d38e-2e41-4b8c-9df3-d94d2e9198e6","vulnId":"V-252614","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"$35","checkContent":"$36","fixText":"Configure the IBM Aspera High-Speed Transfer Endpoint to disable functions, ports, protocols, and services that are not approved.\n\nEdit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port."},{"id":"15fda46e-6fa7-4b6e-bba3-930148fdea0d","vulnId":"V-252615","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions.","description":"Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nThis requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).","checkContent":"For implementations using IBM Aspera High-Speed Transfer Endpoint, check for a entry within the section within The IBM Aspera High-Speed Transfer Endpoint installation configuration file at /opt/aspera/etc/aspera.conf using the following command:\n\n$ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint\n\nIf the command does not return XML containing the fingerprint, this is a finding.\n\nTest that the certificates used by Aspera Node service is a valid signed certificate (not self signed) by running the following command after substituting the FQDN for \"servername\":\n\n$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092\n\nIf the certificate is not DoD issued, this is a finding.","fixText":"$37"},{"id":"caa3d92f-7249-416e-83fe-82b67f25d1f0","vulnId":"V-252616","severity":"high","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.","description":"$38","checkContent":"Ensure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Endpoint with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep fips\n\n transfer_encryption_fips_mode: \"true\"\n\nIf results are blank or fips mode is reported as \"false\", this is a finding.","fixText":"For implementations using IBM Aspera High-Speed Transfer Endpoint, configure FIPS compliance criteria to all transfers by executing the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;transfer_encryption_fips_mode,true\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"45d1330b-5f67-4ffe-8d18-b8d2a85fb32f","vulnId":"V-252617","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).","description":"Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.\n\nThe askmscli tool sets content-protection secrets only for each user, not for groups and not for all users on a node. Each transfer user requires their own content-protection secret for SSEAR.","checkContent":"Verify the IBM High-Speed Transfer Endpoint enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:\n\n$ sudo /opt/aspera/bin/askmcli -u -H ssear\n\nv0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340\n\nIf the command returns \"No records found for ssear\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Endpoint to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:\n\n$ sudo /opt/aspera/bin/askmscli -u -s ssear"},{"id":"325e78b6-6312-4213-9bef-fc6d93bc2463","vulnId":"V-252618","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database.","description":"$39","checkContent":"Verify the IBM High-Speed Transfer Endpoint enables password protection of the node database with the following commands:\n\nInitiate a cli connection to the node database.\n$ sudo /opt/aspera/bin/asredis -p 31415\n127.0.0.1:31415>\n\nType \"info\" in the cli to attempt to query the database.\n127.0.0.1:31415>info\nNOAUTH Authentication required.\n\nIf the command results do not state \"Authentication required\", this is a finding.","fixText":"$3a"},{"id":"80c89672-88d4-4ae3-b680-b59697546208","vulnId":"V-252619","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key.","description":"$3b","checkContent":"Verify the IBM High-Speed Transfer Endpoint has a master-key set to encrypt the dynamic token encryption key with the following commands:\n\n$ sudo /opt/aspera/bin/askmcli -u -H Redis-master-key\n\nv0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340\n\n$ sudo /opt/aspera/bin/askmcli -u asperadaemon -H Redis-master-key\n\nv0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340\n\nIf either command returns \"No records found for Redis-master-key\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Endpoint to set a master-key to encrypt the dynamic token encryption key with the following command:\n\n$ sudo echo -n \"`openssl rand -base64 32`\" | sudo /opt/aspera/bin/askmscli -s Redis-master-key\n\nFor each transfer user with a token encryption key, initialize the user's keystore with the following command:\n\n$ sudo /opt/aspera/bin/askmscli -i -u \n\nInitialize the keystore for the asperadaemon user that runs asperanoded with the following command:\n\n$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"960a4e9a-ff87-4182-9755-256d9e26d13f","vulnId":"V-252620","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.","description":"Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary.\n\nThis policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.\n\nThe number of incoming transfer requests to the IBM Aspera High-Speed Transfer Endpoints permitted via a POST to the REST service can be limited by the setting of \"transfer_manager_max_concurrent_sessions\" in The IBM Aspera.conf.","checkContent":"Verify the IBM Aspera High-Speed Transfer Endpoint limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep concurrent\n\ntransfer_manager_max_concurrent_sessions: \"20\"\n\nIf the value returned (in this example 20 is the default) is not an organization-defined number, this is a finding.","fixText":"Configure the IBM Aspera High-Speed Transfer Endpoint to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:\n\n$ sudo /opt/aspera/bin/asconfiguration -x \"set_server_data; transfer_manager_max_concurrent_sessions,\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"44b5b7eb-e45a-4c64-8dda-85ebe0e7fcd5","vulnId":"V-252621","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text.","description":"Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.\n\nAspera recommends that you do not store content-protection secrets in aspera.conf.","checkContent":"Verify the IBM High-Speed Transfer Endpoint does not store group content-protection secrets in plain text.\n\nFor each group, run the following command:\n\nWarning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.\n\n$ sudo /opt/aspera/bin/asuserdata -g | grep secret | grep transfer\n\ntransfer_encryption_content_protection_secret: \"AS_NULL\"\n\nIf the \"transfer_encryption_content_protection_secret\" is not \"AS_NULL\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Endpoint to not store group content-protection secrets in plain text.\n\nFor each group, remove any secrets from the /opt/aspera/aspera.conf file with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_group_data; group_name,; transfer_encryption_content_protection_secret,AS_NULL\""},{"id":"df3cb36a-9408-496f-b3ef-b1685df3509f","vulnId":"V-252622","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text.","description":"Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.\n\nAspera recommends that you do not store content-protection secrets in aspera.conf.","checkContent":"Verify the IBM High-Speed Transfer Endpoint does not store node content-protection secrets in plain text with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer\n\ntransfer_encryption_content_protection_secret: \"AS_NULL\"\n\nIf the \"transfer_encryption_content_protection_secret\" is not \"AS_NULL\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Endpoint to not store node content-protection secrets in plain text.\n\nRemove any secrets from the /opt/aspera/aspera.conf file with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data; transfer_encryption_content_protection_secret,AS_NULL\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"3f1fd5ee-11cd-4fc3-8175-e31e0f3abb03","vulnId":"V-252623","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text.","description":"Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.\n\nAspera recommends that you do not store content-protection secrets in aspera.conf.","checkContent":"Verify the IBM High-Speed Transfer Endpoint does not store user content-protection secrets in plain text.\n\nFor each user, run the following command:\n\nWarning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.\n\n$ sudo /opt/aspera/bin/asuserdata -u | grep secret | grep transfer\n\ntransfer_encryption_content_protection_secret: \"AS_NULL\"\n\nIf the \"transfer_encryption_content_protection_secret\" is not \"AS_NULL\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Endpoint to not store user content-protection secrets in plain text.\n\nFor each user, remove any secrets from the /opt/aspera/aspera.conf file with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_user_data; user_name,; transfer_encryption_content_protection_secret,AS_NULL\"\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"b6939b58-393e-48af-89cf-385606e21a7b","vulnId":"V-252624","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default.","description":"$3c","checkContent":"Verify the Aspera High-Speed Transfer Endpoint restricts users from using transfer services by default with the following commands:\n\nCheck that the aspera.conf file is configured to deny transfer in and out by default.\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value\n\nauthorization_transfer_in_value: \"deny\"\nauthorization_transfer_out_value: \"deny\"\n\nIf the results produce an \"allow\" value, this is a finding.","fixText":"Configure the Aspera High-Speed Transfer Endpoint to restrict users from using transfer services by default with the following commands:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;authorization_transfer_in_value,deny\"\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;authorization_transfer_out_value,deny\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"41801f9a-cf22-4e77-abf3-3aa2eeeacc34","vulnId":"V-252625","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must restrict users read, write, and browse permissions by default.","description":"$3d","checkContent":"Verify the IBM Aspera High-Speed Transfer Endpoint restricts users read, write, and browse permissions by default with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\\|write_allowed\\|dir_allowed'\n\nread_allowed: \"false\"\nwrite_allowed: \"false\"\ndir_allowed: \"false\"\n\nIf no results are returned or if the results produce a \"true\" value, this is a finding.","fixText":"Configure the IBM Aspera High-Speed Transfer Endpoint to restrict users read, write, and browse permissions by default with the following commands:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"57cbff0e-32b2-48fa-b1a4-4cc647bcdadf","vulnId":"V-252626","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Endpoint must prohibit the use of cached authenticators after an organization-defined time period.","description":"If the cached authenticator information is out of date, the validity of the authentication information may be questionable.\n\nThis requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).","checkContent":"Verify the IBM Aspera High-Speed Transfer Endpoint prohibits the use of cached authenticators after an organization-defined time period with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life'\n\ntoken_life_seconds: \"86400\"\n\nNote: The example token life is for one day; this number must be defined by the organization.\n\nIf no result is returned or if the result is not an organization-defined time period, this is a finding.","fixText":"Configure the IBM Aspera High-Speed Transfer Endpoint to prohibit the use of cached authenticators after an organization-defined time period with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;token_life_seconds,86400\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"5bc47d4b-450e-4055-afbd-2144650e10b1","vulnId":"V-252627","severity":"high","ruleTitle":"The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52.","description":"SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nThis requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol thus are in scope for this requirement. NIST SP 800-52 specifies the preferred configurations for government systems.","checkContent":"Verify IBM Aspera High-Speed Transfer Server only uses TLS 1.2 or greater with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol\n ssl_protocol: \"tlsv1.2\" \n ssl_protocol: \"tlsv1.2\" \n\nIf both entries do not return \"tlsv1.2\" or greater , this is a finding.","fixText":"Configure the IBM Aspera High-Speed Transfer Server SSL security protocol to TLS version 1.2 or higher:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_server_data;ssl_protocol,tlsv1.2\"\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_client_data;ssl_protocol,tlsv1.2\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"2850b375-f5bc-4a71-a775-61f1ce4ed3e6","vulnId":"V-252628","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.","description":"$3e","checkContent":"$3f","fixText":"Configure the IBM Aspera High-Speed Transfer Server to disable functions, ports, protocols, and services that are not approved.\n\nEdit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port."},{"id":"6f6f2cd2-1715-4013-9b73-ab201ef79255","vulnId":"V-252629","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.","description":"Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.\n\nThis requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).","checkContent":"For implementations using IBM Aspera High-Speed Transfer Server, check for a entry within the section within The IBM Aspera High-Speed Transfer Server installation configuration file at /opt/aspera/etc/aspera.conf using the following command:\n\n$ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint\n\nIf the command does not return XML containing the fingerprint, this is a finding.\n\nTest that the certificates used by Aspera Node service is a valid signed certificate (not self signed) by running the following command after substituting the FQDN for \"servername\":\n\n$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092\n\nIf the certificate is not DoD issued, this is a finding.","fixText":"$40"},{"id":"471020a2-f7cb-4e1c-bfec-1d4575da1bfa","vulnId":"V-252630","severity":"high","ruleTitle":"The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.","description":"$41","checkContent":"Ensure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Server with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep fips\n\n transfer_encryption_fips_mode: \"true\"\n\nIf results are blank or fips mode is reported as \"false\", this is a finding.","fixText":"For implementations using IBM Aspera High-Speed Transfer Server, configure FIPS compliance criteria to all transfers by executing the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;transfer_encryption_fips_mode,true\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"3e52dff5-2af9-47bf-8b3e-bb31668d1188","vulnId":"V-252631","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the \"aspshell\".","description":"Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.","checkContent":"Verify the IBM Aspera HSTS configures the SELinux context type for \"aspshell\" with the following commands:\n\n$ sudo ls -l /bin/aspshell\n\nlrwxrwxrwx. 1 root root 24 Sep 1 17:38 /bin/aspshell -> /opt/aspera/bin/aspshell\n\nIf /bin/aspshell is not simlinked to /opt/aspera/bin/aspshell, this is a finding.\n\n$ sudo ls -Z /opt/aspera/bin/aspshell\n\n-rwxr-xr-x. root root system_u:object_r:shell_exec_t:S0 /bin/aspshell\n\nIf the context type of \"/opt/aspera/bin/aspshell\" is not \"shell_exec_t\", this is a finding.","fixText":"Configure the IBM Aspera HSTS SELinux context type for \"aspshell\" with the following commands:\n\n$ sudo echo /bin/aspshell >> /etc/shells\n\n$ sudo ln -s /opt/aspera/bin/aspshell /bin/aspshell\n\n$ sudo semanage fcontext -a -t shell_exec_t \"/opt/aspera/bin/aspshell\"\n\n$ sudo restorecon -v /opt/aspera/bin/aspshell"},{"id":"5eab85b2-26a8-451d-bf31-6882dbf2678b","vulnId":"V-252632","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).","description":"Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.\n\nThe askmscli tool sets content-protection secrets only for each user, not for groups and not for all users on a node. Each transfer user requires their own content-protection secret for SSEAR.","checkContent":"Verify the IBM High-Speed Transfer Server enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:\n\n$ sudo /opt/aspera/bin/askmcli -u -H ssear\n\nv0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340\n\nIf the command returns \"No records found for ssear\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Server to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:\n\n$ sudo /opt/aspera/bin/askmscli -u -s ssear"},{"id":"bc444282-0e9c-44ce-a5ab-9a1d2fddfb4c","vulnId":"V-252633","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must enable password protection of the node database.","description":"$42","checkContent":"Verify the IBM High-Speed Transfer Server enables password protection of the node database with the following commands:\n\nInitiate a cli connection to the node database.\n$ sudo /opt/aspera/bin/asredis -p 31415\n127.0.0.1:31415>\n\nType \"info\" in the cli to attempt to query the database.\n127.0.0.1:31415>info\nNOAUTH Authentication required.\n\nIf the command results do not state \"Authentication required\", this is a finding.","fixText":"$43"},{"id":"f0549610-a815-413e-83a0-5ab03d9c4000","vulnId":"V-252634","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys.","description":"Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.\nThe dynamic token encryption key is used for encrypting authorization tokens dynamically for improved security and time-limited validity which limits the chances of a key becoming compromised.\nNOTE: A dynamic token encryption key can be set for an individual user or a system group.\n\nSatisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097","checkContent":"Verify the Aspera High-Speed Transfer Server enables the use of dynamic token encryption keys with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep dynamic\n\ntoken_dynamic_key: \"true\"\n\nIf the \"dynamic_key\" setting is not set to \"true\", this is a finding.","fixText":"Configure the Aspera High-Speed Transfer Server to enable the use of dynamic token encryption keys with the following command:\n\n$ sudo asconfigurator -x \"set_node_data; token_dynamic_key,true\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"679d5375-a228-4cfa-b397-0ca5e15ac1b8","vulnId":"V-252635","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.","description":"$44","checkContent":"Verify the IBM High-Speed Transfer Server has a master-key set to encrypt the dynamic token encryption key with the following commands:\n\n$ sudo /opt/aspera/bin/askmcli -u -H Redis-master-key\n\nv0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340\n\n$ sudo /opt/aspera/bin/askmcli -u asperadaemon -H Redis-master-key\n\nv0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340\n\nIf either command returns \"No records found for Redis-master-key\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Server to set a master-key to encrypt the dynamic token encryption key with the following command:\n\n$ sudo echo -n \"`openssl rand -base64 32`\" | sudo /opt/aspera/bin/askmscli -s Redis-master-key\n\nFor each transfer user with a token encryption key, initialize the user's keystore with the following command:\n\n$ sudo /opt/aspera/bin/askmscli -i -u \n\nInitialize the keystore for the asperadaemon user that runs asperanoded with the following command:\n\n$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"fbed6413-5383-4b42-9401-9d2429df5a0d","vulnId":"V-252636","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.","description":"Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary.\n\nThis policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.\n\nThe number of incoming transfer requests to the IBM Aspera High-Speed Transfer Server permitted via a POST to the REST service can be limited by the setting of \"transfer_manager_max_concurrent_sessions\" in The IBM Aspera.conf.","checkContent":"Verify the IBM Aspera High-Speed Transfer Server limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep concurrent\n\ntransfer_manager_max_concurrent_sessions: \"20\"\n\nIf the value returned (in this example 20 is the default) is not the organization-defined number, this is a finding.","fixText":"Configure the IBM Aspera High-Speed Transfer Server to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:\n\n$ sudo /opt/aspera/bin/asconfiguration -x \"set_server_data; transfer_manager_max_concurrent_sessions,\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"4474b3f7-c97b-4d44-b8af-ebfb57195150","vulnId":"V-252637","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text.","description":"Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.\n\nAspera recommends that you do not store content-protection secrets in aspera.conf.","checkContent":"Verify the IBM High-Speed Transfer Server does not store group content-protection secrets in plain text.\n\nFor each group, run the following command:\n\nWarning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.\n\n$ sudo /opt/aspera/bin/asuserdata -g | grep secret | grep transfer\n\ntransfer_encryption_content_protection_secret: \"AS_NULL\"\n\nIf the \"transfer_encryption_content_protection_secret\" is not \"AS_NULL\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Server to not store group content-protection secrets in plain text.\n\nRemove any secrets from the /opt/aspera/aspera.conf file with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_group_data; group_name,; transfer_encryption_content_protection_secret,AS_NULL\""},{"id":"0b6a93be-dfb6-4c73-a2fb-ff9168c568c3","vulnId":"V-252638","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text.","description":"Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.\n\nAspera recommends that users do not store content-protection secrets in aspera.conf.","checkContent":"Verify the IBM High-Speed Transfer Server does not store node content-protection secrets in plain text with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer\n\ntransfer_encryption_content_protection_secret: \"AS_NULL\"\n\nIf the \"transfer_encryption_content_protection_secret\" is not \"AS_NULL\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Server to not store node content-protection secrets in plain text.\n\nRemove any secrets from the /opt/aspera/aspera.conf file with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data; transfer_encryption_content_protection_secret,AS_NULL\""},{"id":"501402ac-9197-4cb9-926e-f44869eec50c","vulnId":"V-252639","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text.","description":"Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.\n\nConfiguration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.\n\nAspera recommends that users do not store content-protection secrets in aspera.conf.","checkContent":"Verify the IBM High-Speed Transfer Server does not store user content-protection secrets in plain text.\n\nFor each user, run the following command:\n\nWarning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.\n\n$ sudo /opt/aspera/bin/asuserdata -u | grep secret | grep transfer\n\ntransfer_encryption_content_protection_secret: \"AS_NULL\"\n\nIf the \"transfer_encryption_content_protection_secret\" is not \"AS_NULL\", this is a finding.","fixText":"Configure the IBM High-Speed Transfer Server to not store user content-protection secrets in plain text.\n\nRemove any secrets from the /opt/aspera/aspera.conf file with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_user_data; user_name,; transfer_encryption_content_protection_secret,AS_NULL\""},{"id":"f47df44e-bc58-41e7-acf8-ca29b9bea02a","vulnId":"V-252640","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must not use the root account for transfers.","description":"By incorporating a least privilege approach to the configuration of the Aspera HSTS platform, this will reduce the exposure of privileged accounts.\nBy default, all system users can establish a FASP connection and are only restricted by file permissions.","checkContent":"Verify the Aspera High-Speed Transfer Server restricts the use of the root account for transfers with the following command:\n\nWarning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.\n\n$ sudo /opt/aspera/bin/asuserdata -u root | grep allowed | grep true\n\nIf results are returned from the above command, this is a finding.","fixText":"Configure the Aspera High-Speed Transfer Server to restrict the use of the root account for transfers.\n\nFor each privilege that is set to \"true\", run the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_user_data;user_name,root;,false\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"d9067de8-81ef-4e44-87c3-02933fcdda8c","vulnId":"V-252641","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system.","description":"By restricting the transfer users to a limited part of the server's file system, this prevents unauthorized data transfers.\nBy default, all system users can establish a FASP connection and are only restricted by file permissions.","checkContent":"Verify the Aspera High-Speed Transfer Server restricts Aspera transfer users to a limited part of the server's file system.\n\nCheck that each user is restricted to a specific transfer folder with the following command:\n\nWarning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.\n\n$ sudo /opt/aspera/bin/asuserdata -u | grep absolute\n\ncanonical_absolute: \"\"\nabsolute: \"\"\n\nIf the transfer user's docroot is set to \"\" or is blank, this is a finding.","fixText":"Configure the Aspera High-Speed Transfer Server to restrict Aspera transfer users to a limited part of the server's file system with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_user_data; user_name, ;canonical_absolute,; absolute,\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"811f1fff-465e-4e5a-8013-c4102333455d","vulnId":"V-252642","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the \"aspshell\".","description":"$45","checkContent":"Verify the Aspera High-Speed Transfer Server restricts the transfer user(s) to the \"aspshell\" with the following command:\n\n$ sudo grep /etc/passwd\n\n:x:1001:1001:...:/home/:/bin/aspshell\n\nIf the transfer user is not limited to the \"aspshell\", this is a finding.","fixText":"Configure the Aspera High-Speed Transfer Server to restrict the transfer user(s) to the \"aspshell\" with the following command:\n\n$ sudo usermod -s /bin/aspshell "},{"id":"215795c3-36e0-4d05-a5f4-976b2963fa6f","vulnId":"V-252643","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default.","description":"$46","checkContent":"Verify the Aspera High-Speed Transfer Server restricts users from using transfer services by default with the following commands:\n\nCheck that the aspera.conf file is configured to deny transfer in and out by default.\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value\n\nauthorization_transfer_in_value: \"deny\"\nauthorization_transfer_out_value: \"deny\"\n\nIf the results produce an \"allow\" value, this is a finding.","fixText":"Configure the Aspera High-Speed Transfer Server to restrict users from using transfer services by default with the following commands:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;authorization_transfer_in_value,deny\"\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;authorization_transfer_out_value,deny\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"ca5e7184-244a-4674-91ff-2d7aa6388ded","vulnId":"V-252644","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must restrict users read, write, and browse permissions by default.","description":"$47","checkContent":"Verify the IBM Aspera High-Speed Transfer Server restricts users read, write, and browse permissions by default with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\\|write_allowed\\|dir_allowed'\n\nread_allowed: \"false\"\nwrite_allowed: \"false\"\ndir_allowed: \"false\"\n\nIf no results are returned or if the results produce a \"true\" value, this is a finding.","fixText":"Configure the IBM Aspera High-Speed Transfer Server to restrict users read, write, and browse permissions by default with the following commands:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"c31089ea-ae5a-41eb-b4ca-1b277a43bfcd","vulnId":"V-252645","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder.","description":"By restricting the default document root for the Aspera HSTS, this allows for explicit access to be defined on a per user basis.\nBy default, all system users can establish a FASP connection and are only restricted by file permissions.","checkContent":"Verify the Aspera High-Speed Transfer Server set the default docroot to an empty folder.\n\nCheck that the default docroot points to an empty folder with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep absolute\n\ncanonical_absolute: \"\"\nabsolute: \"\"\n\nIf the default docroot is set to \"\", this is a finding.\n\nReview the default docroot file path from the previous command to ensure it is empty.\n\n$ sudo find -maxdepth 0 -empty -exec echo {} is empty. \\;\n\n is empty.\n\nIf the command does not return \" is empty.\", this is a finding.","fixText":"Configure the Aspera High-Speed Transfer Server to set the default docroot to an empty folder with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;canonical_absolute,; absolute,\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"12c8303e-9432-446e-b6f8-2d0b34f02b28","vulnId":"V-252646","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. \n\nThe rootkeystore.db functions as a backup and main source of truth for encrypted secrets.","checkContent":"Verify the rootkeystore.db file is group-owned by root with the following command:\n\n$ sudo stat -c \"%G\" /opt/aspera/etc/rootkeystore.db\n\nroot\n\nIf \"root\" is not returned as a result, this is a finding.","fixText":"Configure the rootkeystore.db file to be group-owned by root with the following command:\n\n$ sudo chgrp root /opt/aspera/etc/rootkeystore.db"},{"id":"c585ba6c-4b27-4830-9c2c-8ab5a7f554a6","vulnId":"V-252647","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. \n\nThe rootkeystore.db functions as a backup and main source of truth for encrypted secrets.","checkContent":"Verify the rootkeystore.db file is owned by root with the following command:\n\n$ sudo stat -c \"%U\" /opt/aspera/etc/rootkeystore.db\n\nroot\n\nIf \"root\" is not returned as a result, this is a finding.","fixText":"Configure the rootkeystore.db file to be owned by root with the following command:\n\n$ sudo chown root /opt/aspera/etc/rootkeystore.db"},{"id":"05ef2dc5-ac46-4dff-bb66-a42f14e6d70f","vulnId":"V-252648","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.","description":"Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. \n\nThe rootkeystore.db functions as a backup and main source of truth for encrypted secrets.","checkContent":"Verify the rootkeystore.db file has a mode of \"0600\" or less permissive with the following command:\n\n$ sudo stat -c \"%a %n\" /opt/aspera/etc/rootkeystore.db\n\n600 /opt/aspera/etc/rootkeystore.db\n\nIf the resulting mode is more permissive than \"0600\", this is a finding.","fixText":"Configure the rootkeystore.db file to have a mode of \"0600\" or less permissive with the following command:\n\n$ sudo chmod 0600 /opt/aspera/etc/rootkeystore.db"},{"id":"7aa723fd-afe4-470b-ae8a-dcf47412453b","vulnId":"V-252649","severity":"medium","ruleTitle":"The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period.","description":"If the cached authenticator information is out of date, the validity of the authentication information may be questionable.\n\nThis requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).","checkContent":"Verify the IBM Aspera High-Speed Transfer Server prohibits the use of cached authenticators after an organization-defined time period with the following command:\n\n$ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life'\n\ntoken_life_seconds: \"86400\"\n\nNote: The example token life is for one day; this number must be defined by the organization.\n\nIf no result is returned or if the result is not an organization-defined time period, this is a finding.","fixText":"Configure the IBM Aspera High-Speed Transfer Server to prohibit the use of cached authenticators after an organization-defined time period with the following command:\n\n$ sudo /opt/aspera/bin/asconfigurator -x \"set_node_data;token_life_seconds,86400\"\n\nRestart the IBM Aspera Node service to activate the changes.\n\n$ sudo systemctl restart asperanoded.service"},{"id":"116741c1-34f7-4d89-be88-4cf4da90a691","vulnId":"V-269982","severity":"high","ruleTitle":"The IBM Aspera Console feature must be a version supported by the vendor.","description":"Systems running an unsupported software/firmware version lack current security fixes required to mitigate the risks associated with recent vulnerabilities.","checkContent":"This STIG is sunset and no longer updated.\n\nCompare the version running to the version supported by the vendor.\n\nIf the system is using an unsupported version from the vendor, this is a finding.","fixText":"Upgrade to a version supported by the vendor."}]}]]}]

IBM Aspera Platform 4.2 Security Technical Implementation Guide

Checks (95)