IBM Aspera Platform 4.2 Security Technical Implementation Guide


Overview

Date: 2022-08-24
Finding Count (94): CAT I (High): 10, CAT II (Med): 82, CAT III (Low): 2

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-252627 High The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52.
V-252587 High The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
V-252630 High The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
V-252570 High The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
V-252604 High The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
V-252607 High IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
V-252562 High The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
V-252613 High The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.
V-252616 High The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
V-252590 High IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
V-252626 Medium The IBM Aspera High-Speed Transfer Endpoint must prohibit the use of cached authenticators after an organization-defined time period.
V-252624 Medium The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default.
V-252625 Medium The IBM Aspera High-Speed Transfer Endpoint must restrict users read, write, and browse permissions by default.
V-252622 Medium The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text.
V-252623 Medium The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text.
V-252620 Medium The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
V-252621 Medium The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text.
V-252628 Medium The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-252629 Medium The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.
V-252583 Medium IBM Aspera Faspex must require password complexity features to be enabled.
V-252582 Medium IBM Aspera Faspex must prevent concurrent logins for all accounts.
V-252581 Medium IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
V-252580 Medium IBM Aspera Faspex must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-252586 Medium IBM Aspera Faspex user account passwords must have a 60-day maximum password lifetime restriction.
V-252585 Medium IBM Aspera Faspex passwords must be prohibited from reuse for a minimum of five generations.
V-252584 Medium IBM Aspera Faspex must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-252589 Medium IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-252588 Medium IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-252556 Medium The IBM Aspera Platform must be configured to support centralized management and configuration.
V-252557 Medium The IBM Aspera Platform must not have unnecessary services and functions enabled.
V-252558 Medium IBM Aspera Console must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-252559 Medium The IBM Aspera Console must protect audit information from unauthorized read access.
V-252639 Medium The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text.
V-252638 Medium The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text.
V-252631 Medium The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell".
V-252633 Medium The IBM Aspera High-Speed Transfer Server must enable password protection of the node database.
V-252632 Medium The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).
V-252635 Medium The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.
V-252634 Medium The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys.
V-252637 Medium The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text.
V-252636 Medium The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
V-252648 Medium The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
V-252649 Medium The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period.
V-252644 Medium The IBM Aspera High-Speed Transfer Server must restrict users read, write, and browse permissions by default.
V-252645 Medium The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder.
V-252646 Medium The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
V-252647 Medium The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
V-252640 Medium The IBM Aspera High-Speed Transfer Server must not use the root account for transfers.
V-252641 Medium The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system.
V-252642 Medium The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell".
V-252643 Medium The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default.
V-252579 Medium IBM Aspera Faspex must disable account identifiers after 35 days of inactivity.
V-252572 Medium The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
V-252573 Medium The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
V-252571 Medium The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
V-252576 Medium The IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
V-252577 Medium IBM Aspera Faspex must allow the use of a temporary password for logins with an immediate change to a permanent password.
V-252574 Medium The IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion.
V-252575 Medium IBM Aspera Faspex interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
V-252600 Medium IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
V-252601 Medium IBM Aspera Shares must require password complexity features to be enabled.
V-252602 Medium IBM Aspera Shares must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
V-252603 Medium IBM Aspera Shares user account passwords must have a 60-day maximum password lifetime restriction.
V-252605 Medium IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-252606 Medium IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
V-252608 Medium IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
V-252609 Medium IBM Aspera Shares must protect audit information from unauthorized deletion.
V-252569 Medium The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-252568 Medium IBM Aspera Console user account passwords must have a 60-day maximum password lifetime restriction.
V-252565 Medium IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
V-252564 Medium IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol.
V-252567 Medium IBM Aspera Console passwords must be prohibited from reuse for a minimum of five generations.
V-252566 Medium IBM Aspera Console must prevent concurrent logins for all accounts.
V-252561 Medium IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
V-252560 Medium The IBM Aspera Console must protect audit tools from unauthorized access.
V-252563 Medium IBM Aspera Console interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
V-252612 Medium The IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access.
V-252611 Medium The IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access.
V-252610 Medium The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access.
V-252617 Medium The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).
V-252615 Medium The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions.
V-252614 Medium The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-252619 Medium The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key.
V-252618 Medium The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database.
V-252591 Medium IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
V-252592 Medium IBM Aspera Faspex must protect audit information from unauthorized modification.
V-252593 Medium The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access.
V-252594 Medium The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.
V-252595 Medium The IBM Aspera Faspex Server must restrict users from using transfer services by default.
V-252596 Medium The IBM Aspera Faspex Server must restrict users read, write, and browse permissions by default.
V-252597 Medium The IBM Aspera Shares interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
V-252599 Medium IBM Aspera Shares must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
V-252578 Low IBM Aspera Faspex must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
V-252598 Low IBM Aspera Shares must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.