acceptedIBM Aspera Platform 4.2 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 2 Benchmark Date: 24 Aug 20223.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-NET-000333-ALG-000049<GroupDescription></GroupDescription>ASP4-00-010100The IBM Aspera Platform must be configured to support centralized management and configuration.<VulnDiscussion>Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack.
The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records.
Network components requiring centralized audit log management must have the capability to support centralized management.
The DoD requires centralized management of all network component audit record content.
This requirement does not apply to audit logs generated on behalf of the device itself (management).
Support of centralized management of the IBM Aspera Platform is accomplished via use of IBM Aspera Console.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001844Configure the IBM Aspera Platform to support centralized management and configuration.
Ensure the IBM Aspera Console server is installed and configured to manage all nodes within the organization.
Navigate to the IBM Aspera Console webpage, log in with an administrator account, and select the "Nodes" tab.
Select "New Managed Node" to add nodes to the IBM Aspera Console.Verify the IBM Aspera Platform is configured to support centralized management and configuration.
Navigate to the IBM Aspera Console webpage, login with an administrator account, and review the Nodes tab.
If all nodes managed by the organization are not listed, this is a finding.
If the IBM Aspera Platform implementation does not include IBM Aspera Console, this is a finding.SRG-NET-000131-ALG-000085<GroupDescription></GroupDescription>ASP4-00-010110The IBM Aspera Platform must not have unnecessary services and functions enabled.<VulnDiscussion>Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the ALG. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
The primary function of an ALG is to provide application specific content filtering and/or proxy services. The ALG application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, black/white lists). Some gateways may also include email scanning, decryption, caching, and DLP services. However, services and capabilities which are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, FTP server, or web server).
Next Generation ALGs (NGFW) and Unified Threat Management (UTM) ALGs integrate functions which have been traditionally separated. These products integrate content filtering features to provide more granular policy filtering. There may be operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly with no current definitive industry standard.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000381Ensure all mission required features of Aspera are documented with the ISSM.Verify that only mission essential features are in use. Interview the systems administrator to determine if the following Aspera features are in use:
Aspera Shares
Aspera Faspex
If either Aspera Shares or Aspera Faspex are in use and are not documented with the ISSM as a mission requirement, this is a finding.SRG-NET-000339-ALG-000090<GroupDescription></GroupDescription>ASP4-CS-040110IBM Aspera Console must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.<VulnDiscussion>For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card.
A privileged account is defined as an information system account with authorizations of a privileged user.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password.
Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001948CCI-001951CCI-002014For implementations using the IBM Aspera Console feature, configure SAML to use an existing IdP that implements multi-factor authentication.Using a web browser, navigate to the default IBM Aspera Console web page. Use the SAML link and authenticate using known working credentials.
If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.SRG-NET-000098-ALG-000056<GroupDescription></GroupDescription>ASP4-CS-040120The IBM Aspera Console must protect audit information from unauthorized read access.<VulnDiscussion>Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Thus, it is imperative that the collected log data from the various network elements, as well as the auditing tools, be secured and can only be accessed by authorized personnel.
This does not apply to audit logs generated on behalf of the device itself (management).
Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000162CCI-000163CCI-000164Remove world access from any IBM Aspera Console log file that has world permissions granted.
$ sudo chmod o-rwx <placefilenamehere>Verify the log files for IBM Aspera Console do not have world access with the following command:
$ sudo find /opt/aspera/console/log/ \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
If results are returned from the above command, this is a finding.SRG-NET-000101-ALG-000059<GroupDescription></GroupDescription>ASP4-CS-040130The IBM Aspera Console must protect audit tools from unauthorized access.<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.
Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the access to audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
This does not apply to audit logs generated on behalf of the device itself (management).
Refer to the IBM Aspera Console Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Console User Field, and required format within the assertion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001493Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Accounts" tab.
- Select the "SAML" tab.
- Enter the IdP SSO Target (Redirect) URL.
- Enter the IdP Cert Fingerprint.
- Select from the dropdown menu the IdP Cert Fingerprint Algorithm.
- Select "Save" at the bottom of the page.Using a web browser, navigate to the IBM Aspera Console web page. The IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication.
If it does not redirect for authentication via the configured IdP, this is a finding.
If redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.SRG-NET-000138-ALG-000063<GroupDescription></GroupDescription>ASP4-CS-040140IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.<VulnDiscussion>User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges.
IBM Aspera Console must use an IdP for authentication for security best practices. The IdP must not be installed on the IBM Aspera Console virtual machine, particularly if it resides on the untrusted zone of the Enclave. Refer to the IBM Aspera Console Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Console User Field, and required format within the assertion. For security best practices also ensure that the system hosting IBM Aspera Console uses Network Time Protocol or another system to keep times synchronized with the IdP/SAML Provider providing the SAML assertions. Clock drift between The IBM Aspera Console server and the IdP/SAML Provider will result in expired assertions and the inability to be successfully authenticated into IBM Aspera Console.
Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000764CCI-000766CCI-001942Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Accounts" tab.
- Select the "SAML" tab.
- Enter the IdP SSO Target (Redirect) URL.
- Enter the IdP Cert Fingerprint.
- Select from the dropdown menu the IdP Cert Fingerprint Algorithm.
- Select "Save" at the bottom of the page.Using a web browser, navigate to the IBM Aspera Console web page. IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication.
If it does not redirect for authentication via the configured IdP, this is a finding.
If redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.
If unable to log in using known working credentials, this is a finding.SRG-NET-000062-ALG-000011<GroupDescription></GroupDescription>ASP4-CS-040150The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
For implementations using the IBM Aspera Console feature, the default configuration of Console has TLS 1.0 and 1.1 enabled to support older browsers.
Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000068CCI-000197Configure IBM Aspera Console to use TLS 1.2.
Add/Edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf.
SSLProtocol TLSv1.2
Restart Apache for these changes to take effect.
$ sudo /opt/aspera/common/asctl/asctl apache:restartVerify IBM Aspera Console only uses TLS 1.2 or greater with the following command:
$ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
SSLProtocol TLSv1.2
If the values for SSLProtocol vary from the above example, this is a finding.SRG-NET-000213-ALG-000107<GroupDescription></GroupDescription>ASP4-CS-040160IBM Aspera Console interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001133CCI-002361Configure IBM Aspera Console interactive sessions to terminate after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Edit the "Session Timeout" option to "10" minutes or less.
- Select "Save" at the bottom of the page.Verify IBM Aspera Console interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Verify the "Session timeout" option is set to "10" minutes or less.
If the "Session Timeout" option is set to more than "10" minutes, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-CS-040170IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000192CCI-000193CCI-000194CCI-000205CCI-001619Configure IBM Aspera Console to enforce password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Edit the "Password Requirement Regular Expression" with the following value: (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}
- Edit the "Password Requirement Message" with the following text: "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol".
- Select "Save" at the bottom of the page.Verify IBM Aspera Console enforces password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Verify the "Password Requirement Regular Expression" has the following value: (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}
- Verify the "Password Requirement Message" has the following text: "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol".
If the "Password Requirement Regular Expression" value is not "(?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}", this is a finding.
If the "Password Requirement Message" value is not "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-CS-040180IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000044CCI-002236CCI-002238Configure IBM Aspera Console to lock accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Edit the "Deactivate Users" section failed login attempts option to "3" or less.
- Edit the "Deactivate Users" section attempts within minutes to "15" or less.
- Select "Save" at the bottom of the page.Verify IBM Aspera Console locks accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Verify the "Deactivate Users" section is set to "3" or less failed login attempts within "15" minutes or less.
If the "Deactivate Users" section is set to more than "3" failed login attempts, this is a finding.
If the "Deactivate Users" section is set to more than "15" minutes, this is a finding.SRG-NET-000053-ALG-000001<GroupDescription></GroupDescription>ASP4-CS-040190IBM Aspera Console must prevent concurrent logins for all accounts.<VulnDiscussion>Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks.
This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary.
This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000054Configure IBM Aspera Console to prevent concurrent logins for all accounts:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Put a check the "Prevent concurrent login" check box.
- Select "Save" at the bottom of the page.Verify IBM Aspera Console prevents concurrent logins for all accounts:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Security" section.
- Verify the "Prevent concurrent login" option is checked.
If the "Prevent concurrent login" option is not checked, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-CS-040200IBM Aspera Console passwords must be prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000200Configure IBM Aspera Console passwords to be prohibited from reuse for a minimum of five generations:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Put a check in the "Password Expiration" check box.
- Edit the "Password Reuse Limit" option to "5" or more.
Note: "0" disables the "Password Reuse Limit" option.
- Select "Save" at the bottom of the page.Verify IBM Aspera Console passwords are prohibited from reuse for a minimum of five generations:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Verify the "Password Expiration" option is checked.
- Verify the "Password Reuse Limit" option is set to "5" or more.
If the "Password Expiration" option is not checked, this is a finding.
If the "Password Reuse Limit" is set to less than "5" or is set to "0", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-CS-040210IBM Aspera Console user account passwords must have a 60-day maximum password lifetime restriction.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000199Configure IBM Aspera Console user account passwords to have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Put a check in the "Password Expiration" check box.
- Edit the "Password Duration" option to "60" days or less.
Note: "0" disables the "Password Duration" option.
- Select "Save" at the bottom of the page.Verify IBM Aspera Console user account passwords have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Console Password Options" section.
- Verify the "Password Expiration" option is checked.
- Verify the "Password Duration" option is set to "60" days or less.
If the "Password Expiration" option is not checked, this is a finding.
If the "Password Duration" is set to more than "60" days or is set to "0", this is a finding.SRG-NET-000132-ALG-000087<GroupDescription></GroupDescription>ASP4-CS-040220The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems.
The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000382Configure the IBM Aspera Console to disable functions, ports, protocols, and services that are not approved.
Use the following commands to configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
For the apache instance:
$ sudo /opt/aspera/common/asctl/asctl apache:http_port <number>
$ sudo /opt/aspera/common/asctl/asctl apache:https_port <number>
For the console:
$ sudo /opt/aspera/common/asctl/asctl console:base_port <number>
For the database:
$ sudo /opt/aspera/common/asctl/asctl mysql:port <number>The IBM Aspera Console is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Review the port configurations of the server with the following command:
$ sudo /opt/aspera/common/asctl/asctl all:info | grep port:
http_port: 80
https_port: 443
port: 4406
base_port: 3500
Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-NET-000063-ALG-000012<GroupDescription></GroupDescription>ASP4-CS-040230The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001453CCI-002450Configure the system to require encryption for all transfers by the IBM Aspera Console:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Transfer Defaults" section.
- Select the "Transport Encryption" option of "aes-128".
- Select "Save" at the bottom of the page.Ensure that encryption is required for all transfers by the IBM Aspera Console:
- Log in to the IBM Aspera Console web page as a user with administrative privilege.
- Select the "Configuration" tab.
- Select the "Defaults" tab.
- Scroll down to the "Transfer Defaults" section.
- Verify that the "Transport Encryption" option is set to "aes-128".
If the "Transport Encryption" option is set to "none", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-CS-040240The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/console/config/secret.yml file to be group-owned by root with the following command:
$ sudo chgrp root /opt/aspera/console/config/secret.ymlVerify the /opt/aspera/console/config/secret.yml file is group-owned by root with the following command:
$ sudo stat -c "%G" /opt/aspera/console/config/secret.yml
root
If "root" is not returned as a result, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-CS-040250The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/console/config/secret.yml file to be owned by root with the following command:
$ sudo chown root /opt/aspera/console/config/secret.ymlVerify the /opt/aspera/console/config/secret.yml file is owned by root with the following command:
$ sudo stat -c "%U" /opt/aspera/console/config/secret.yml
root
If "root" is not returned as a result, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-CS-040260The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/console/config/secret.yml file to have a mode of "0600" or less permissive with the following command:
$ sudo chmod 0600 /opt/aspera/console/config/secret.ymlVerify the /opt/aspera/console/config/secret.yml file has a mode of "0600" or less permissive with the following command:
$ sudo stat -c "%a %n" /opt/aspera/console/config/secret.yml
600 /opt/aspera/console/config/secret.yml
If the resulting mode is more permissive than "0600", this is a finding.SRG-NET-000102-ALG-000060<GroupDescription></GroupDescription>ASP4-CS-040270The IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion.<VulnDiscussion>Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data.
Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification of audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
This does not apply to audit logs generated on behalf of the device itself (management).
Satisfies: SRG-NET-000102-ALG-000060, SRG-NET-000103-ALG-000061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001494CCI-001495Remove the ability for world to write to any file that has been modified to world writeable.
$ sudo chmod o-w <placefilenamehere>Verify the world ownership of subdirectories within the /opt/aspera/console directory. Only the "public" subdirectory should have any access outside of the owner or group.
sudo find /opt/aspera/console -perm -0002 -exec ls -lLd {} \;
If any files or directories have world write permissions, this is a finding.SRG-NET-000213-ALG-000107<GroupDescription></GroupDescription>ASP4-FA-050100IBM Aspera Faspex interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001133CCI-002361Configure IBM Aspera Faspex interactive session to terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Edit the "Session timeout" option to "10" minutes or less.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex interactive session are terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Session timeout" option is set to "10" minutes or less.
If the "Session timeout" option is set to more than "10" minutes, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050110The IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/faspex/config/secret.yml file to have a mode of "0600" or less permissive with the following command:
$ sudo chmod 0600 /opt/aspera/faspex/config/secret.ymlIf the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the /opt/aspera/faspex/config/secret.yml file has a mode of "0600" or less permissive with the following command:
$ sudo stat -c "%a %n" /opt/aspera/faspex/config/secret.yml
600 /opt/aspera/faspex/config/secret.yml
If the resulting mode is more permissive than "0600", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050120IBM Aspera Faspex must allow the use of a temporary password for logins with an immediate change to a permanent password.<VulnDiscussion>Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login.
Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log in, yet force them to change the password once they have successfully authenticated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002041Configure IBM Aspera Faspex to allow the use of a temporary password for logins with an immediate change to a permanent password:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check in the "Require new users to change password on first login" option check box.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex allows the use of a temporary password for logins with an immediate change to a permanent password:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Require new users to change password on first login" option is checked.
If the "Require new users to change password on first login" option is not checked, this is a finding.SRG-NET-000041-ALG-000022<GroupDescription></GroupDescription>ASP4-FA-050130IBM Aspera Faspex must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the login function residing on the network element.
The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
"I've read & consent to terms in IS user agreem't."
This policy only applies to ALGs (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.
Satisfies: SRG-NET-000041-ALG-000022, SRG-NET-000043-ALG-000024</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the IBM Aspera Faspex default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner.
- Log in to IBM Aspera Faspex as an administrative user.
- Go to Server >> Notifications >> Login Announcement and enter the approved language.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the IBM Aspera Faspex default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner.
Using a web browser, go to the default IBM Aspera Faspex website.
If the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050140IBM Aspera Faspex must disable account identifiers after 35 days of inactivity.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000795Configure IBM Aspera Faspex to disable account identifiers after 35 days of inactivity:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Under the "Faspex accounts" "Remove users" section, edit the following:
- Put a check in the "Local users" option check box.
- Edit the "Local users" option to "35" days or less.
- Put a check in the "DS users" option check box.
- Edit the "DS users" option to "35" days or less.
- Put a check in the "SAML users" option check box.
- Edit the "SAML users" option to "35" days or less.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex disables account identifiers after 35 days of inactivity:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Under the "Faspex accounts" "Remove users" section, verify the following:
- Verify the "Local users" option is checked.
- Verify the "Local users" options is set to "35" days or less.
- Verify the "DS users" option is checked.
- Verify the "DS users" options is set to "35" days or less.
- Verify the "SAML users" option is checked.
- Verify the "SAML users" options is set to "35" days or less.
If the "Local users" options is set to more than "35" days or the option is not checked, this is a finding.
If the "DS users" options is set to more than "35" days or the option is not checked, this is a finding.
If the "SAML users" options is set to more than "35" days or the option is not checked, this is a finding.SRG-NET-000339-ALG-000090<GroupDescription></GroupDescription>ASP4-FA-050150IBM Aspera Faspex must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.<VulnDiscussion>For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card.
A privileged account is defined as an information system account with authorizations of a privileged user.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password.
Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001948CCI-001951CCI-002014For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP that implements multi-factor authentication.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Using a web browser, navigate to the default IBM Aspera Faspex web page.
Use the SAML link and authenticate using known working credentials.
If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050170IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000044CCI-002236CCI-002238Configure IBM Aspera Faspex to lock accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Edit the "Faspex accounts" "Lock users" section failed login attempts option to "3" or less.
- Edit the "Lock users" section attempts within minutes to "15" or less.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex locks accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Lock users" section is set to "3" or less failed login attempts within "15" minutes or less.
If the "Lock users" section is set to more than "3" failed login attempts, this is a finding.
If the "Lock users" section is set to more than "15" minutes, this is a finding.SRG-NET-000053-ALG-000001<GroupDescription></GroupDescription>ASP4-FA-050180IBM Aspera Faspex must prevent concurrent logins for all accounts.<VulnDiscussion>Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks.
This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary.
This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000054Configure IBM Aspera Faspex to prevent concurrent logins for all accounts:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check the "Faspex accounts" "Prevent concurrent login" check box.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex prevents concurrent logins for all accounts:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Prevent concurrent login" option is checked.
If the "Prevent concurrent login" is not checked, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050190IBM Aspera Faspex must require password complexity features to be enabled.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000192CCI-000193CCI-000194CCI-001620Configure IBM Aspera Faspex to require password complexity:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check the "Faspex accounts" "Use strong passwords" check box.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex requires password complexity:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Use strong passwords" option is checked.
If the "Use strong passwords" option is not checked, this is a finding.
If the "Use strong passwords" option is checked, downgrade this requirement to a CAT III.SRG-NET-000169-ALG-000102<GroupDescription></GroupDescription>ASP4-FA-050200IBM Aspera Faspex must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).<VulnDiscussion>Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly.
IBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000804To configure Aspera Faspex to authenticate all external recipients of Faspex packages before they can download packages or files within packages:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" option from the left menu.
- Check the option "Require external users to register" under the "Registrations" heading.
- Select the "Moderated" option from the picklist for "Self registration" under the Registrations heading.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
To ensure that all external recipients of Faspex packages must register for an account before they can download packages or files within packages:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" option from the left menu.
- Verify that the option "Require external users to register" is checked.
If this option is not checked, this is a finding.
Also ensure IBM Aspera Faspex is configured for "Moderated" self-registration when permitting use by external users. To do this, verify the "Moderated" option is selected from the picklist for "Self registration" under the Registrations heading.
If this option is not checked, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050210IBM Aspera Faspex passwords must be prohibited from reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000200Configure IBM Aspera Faspex passwords to be prohibited from reuse for a minimum of five generations:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check the "Faspex accounts" "Prevent passwords reuse" check box.
- Edit the "Faspex accounts" "Prevent passwords reuse" option to "5" or more.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex passwords are prohibited from reuse for a minimum of five generations:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Prevent passwords reuse" option is checked.
- Verify the "Faspex accounts" "Prevent passwords reuse" options is set to "5" or more.
If the "Prevent passwords reuse" options is less than "5" or the option is not checked, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050220IBM Aspera Faspex user account passwords must have a 60-day maximum password lifetime restriction.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000199Configure IBM Aspera Faspex user account passwords to have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Put a check the "Faspex accounts" "Passwords expire" check box.
- Edit the "Faspex accounts" "Passwords expire" option to "60" days or less.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex user account passwords have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section.
- Verify the "Faspex accounts" "Passwords expire" option is checked.
- Verify the "Faspex accounts" "Passwords expire" options is set to "60" days or less.
If the "Passwords expire" options is set to more than "60" days or the option is not checked, this is a finding.SRG-NET-000062-ALG-000011<GroupDescription></GroupDescription>ASP4-FA-050230The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
For implementations using the IBM Aspera Faspex feature, the default configuration of Faspex has TLS 1.0, 1.1 and 1.2 enabled to support older browsers.
Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000068CCI-000197Configure IBM Aspera Faspex to use TLS 1.2.
Add/Edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf.
SSLProtocol TLSv1.2
Restart Apache for these changes to take effect.
$ sudo /opt/aspera/common/asctl/asctl apache:restartIf the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Faspex only uses TLS 1.2 or greater with the following command:
$ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
SSLProtocol TLSv1.2
If the values for SSLProtocol vary from the above example, this is a finding.SRG-NET-000132-ALG-000087<GroupDescription></GroupDescription>ASP4-FA-050240IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems.
The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000382Configure the IBM Aspera Faspex to disable functions, ports, protocols, and services that are not approved.
Use the following commands to configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
For the apache instance:
$ sudo /opt/aspera/common/asctl/asctl apache:http_port <number>
$ sudo /opt/aspera/common/asctl/asctl apache:https_port <number>
For the faspex instance:
$ sudo /opt/aspera/common/asctl/asctl faspex:base_port <number>
$ sudo /opt/aspera/common/asctl/asctl faspex:http_fallback_port <number>
For the database:
$ sudo /opt/aspera/common/asctl/asctl mysql:port <number>If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
The IBM Aspera Faspex is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Review the port configurations of the server with the following command:
$ sudo /opt/aspera/common/asctl/asctl all:info | grep port:
http_port: 80
https_port: 443
port: 4406
base_port: 3000
http_fallback_port:8080
Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-NET-000138-ALG-000063<GroupDescription></GroupDescription>ASP4-FA-050250IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).<VulnDiscussion>To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.
1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication.
2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway.
IBM Aspera Faspex will list preestablished trust relationships for IdPs on the default Faspex login page. This configuration supports the ability to have more than one preestablished trust relationship, and it requires the user to choose from the valid preestablished IdPs as listed on the default web page. If IBM Aspera Faspex is configured to automatically redirect to a single IdP, visiting the default webpage will do so. Refer to the IBM Aspera Faspex Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Faspex User Field, and required format within the assertion. For security best practices, also ensure that the system hosting Aspera Faspex uses Network Time Protocol or another system to keep times synchronized with the IdP server providing the SAML assertions. Clock drift between the IBM Aspera Faspex server and the IdP/SAML Provider will result in expired assertions and the inability to be successfully authenticated into IBM Aspera Faspex.
Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000764CCI-000766CCI-001942For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP.
To configure SAML within IBM Aspera Faspex, perform the following:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Authentication" tab.
- Select the SAML Integration menu.
- Select "Add New SAML Configuration".
- Choose one action from these: 1) Enter the SAML server's metadata URL in "Import from URL" and click "Import Setting From Metadata URL". 2) Click "Browse" and locate the file containing the SAML server's metadata. 3) Paste the SAML server metadata into the box labeled "Import from Text" and click the "Import Settings From Text".
- Select "Create SAML Configuration" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Using a web browser, navigate to the default IBM Aspera Faspex web page.
If you are neither redirected to an IdP nor provided with a list of one or more IdPs to choose from on the standard IBM Aspera Faspex webpage, this is a finding.
If redirected to the IdP login, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.
If unable to log in using known working credentials, this is a finding.
If not redirected to a single IdP but provided a list of configured IdPs, choose one for authentication with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.
If unable to log in using known working credentials, this is a finding.SRG-NET-000063-ALG-000012<GroupDescription></GroupDescription>ASP4-FA-050260IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001453CCI-002450Configure the system to require encryption for all transfers by the IBM Aspera Faspex:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Put a check in the "Encrypt transfers" check box.
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Ensure that encryption is required for all transfers by the IBM Aspera Faspex:
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Verify that the "Encrypt transfers" option is checked.
If the "Encrypt transfers" option is not checked, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050270IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001199CCI-002475CCI-002476Configure the IBM Aspera Faspex to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Select the "Use encryption-at-rest" radio button "Always".
- Select "Update" at the bottom of the page.If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the IBM Aspera Faspex implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Faspex web page as a user with administrative privilege.
- Select the "Server" tab.
- Select the "Configuration" tab.
- Select the "Security" section from the left menu.
- Scroll down to the "Encryption" section.
- Verify that the "Use encryption-at-rest" radio button is set to "Always".
If the "Use encryption-at-rest" radio button is set to "Never" or "Optional", this is a finding.SRG-NET-000098-ALG-000056<GroupDescription></GroupDescription>ASP4-FA-050280IBM Aspera Faspex must protect audit information from unauthorized modification.<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification.
This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
This does not apply to audit logs generated on behalf of the device itself (management).
Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000162CCI-000163CCI-000164Remove world access from any IBM Aspera Faspex log file that has world permissions granted.
$ sudo chmod o-rwx <placefilenamehere>If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify that the log files for IBM Aspera Faspex have no world access.
$ sudo find /opt/aspera/faspex/log/ \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
If results are returned from the above command, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050290The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/faspex/config/secret.yml file to be group-owned by faspex with the following command:
$ sudo chgrp faspex /opt/aspera/faspex/config/secret.ymlIf the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the /opt/aspera/faspex/config/secret.yml file is group-owned by faspex with the following command:
$ sudo stat -c "%G" /opt/aspera/faspex/config/secret.yml
faspex
If "faspex" is not returned as a result, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-FA-050300The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/faspex/config/secret.yml file to be owned by faspex with the following command:
$ sudo chown faspex /opt/aspera/faspex/config/secret.ymlIf the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the /opt/aspera/faspex/config/secret.yml file is owned by faspex with the following command:
$ sudo stat -c "%U" /opt/aspera/faspex/config/secret.yml
faspex
If "faspex" is not returned as a result, this is a finding.SRG-NET-000015-ALG-000016<GroupDescription></GroupDescription>ASP4-FA-050310The IBM Aspera Faspex Server must restrict users from using transfer services by default.<VulnDiscussion>Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.
Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary.
IBM Aspera High Speed Transfer Server and IBM Aspera High Speed Transfer Endpoint inherently use file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000213Configure the IBM Aspera Faspex to restrict users from using transfer services by default with the following commands:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceIf the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the IBM Aspera Faspex restricts users from using transfer services by default with the following commands:
Check that the aspera.conf file is configured to deny transfer in and out by default.
$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"
If the results produce an "allow" value, this is a finding.SRG-NET-000015-ALG-000016<GroupDescription></GroupDescription>ASP4-FA-050320The IBM Aspera Faspex Server must restrict users read, write, and browse permissions by default.<VulnDiscussion>Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.
Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary.
IBM Aspera High Speed Transfer Server and IBM Aspera High Speed Transfer Endpoint inherently use file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000213Configure the IBM Aspera Faspex to restrict users' read, write, and browse permissions by default with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceIf the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the IBM Aspera Faspex restricts users read, write, and browse permissions by default with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"
If no results are returned or if the results produce a "true" value, this is a finding.SRG-NET-000213-ALG-000107<GroupDescription></GroupDescription>ASP4-SH-060100The IBM Aspera Shares interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element.
Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001133CCI-002361Configure IBM Aspera Shares interactive session to terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the User Security option.
- Edit the "Session timeout" option is set to "10" minutes or less.
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Shares interactive session are terminated after 10 minutes of inactivity for non-privileged and privileged sessions:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Session timeout" option is set to "10" minutes or less.
If the "Session timeout" option is set to more than "10" minutes, this is a finding.SRG-NET-000041-ALG-000022<GroupDescription></GroupDescription>ASP4-SH-060110IBM Aspera Shares must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the login function residing on the network element.
The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
"I've read & consent to terms in IS user agreem't."
This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services offloaded from the application. Publicly access systems are used in DoD to provide benefit information, pay information, or public services. There may also be self-registration and authorization services provided by these gateways.
Satisfies: SRG-NET-000041-ALG-000022, SRG-NET-000043-ALG-000024</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the IBM Aspera Shares default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Messages" option.
- Enter the Standard Mandatory DoD-approved Notice and Consent Banner in the Login page message box.
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the IBM Aspera Shares default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner.
Using a web browser, go to the default IBM Aspera Shares website.
If the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.SRG-NET-000339-ALG-000090<GroupDescription></GroupDescription>ASP4-SH-060120IBM Aspera Shares must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.<VulnDiscussion>For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card.
A privileged account is defined as an information system account with authorizations of a privileged user.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password.
Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001948CCI-001951CCI-002014For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP that implements multi-factor authentication.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Using a web browser, navigate to the default IBM Aspera Shares web page.
Use the SAML link and authenticate using known working credentials.
If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-SH-060130IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.<VulnDiscussion>By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000044CCI-002236CCI-002238Configure IBM Aspera Shares to lock accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Edit the "Failed login count" option to "3" or less.
- Edit the "Failed login interval" option to "15" minutes or less.
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Shares locks accounts after three unsuccessful login attempts within a 15-minute timeframe:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Failed login count" is set to "3" or less.
- Verify the "Failed login interval" is set to "15" or less.
If the "Failed login count" is set to more than "3", this is a finding.
If the "Failed login interval" is set to more than "15" minutes, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-SH-060140IBM Aspera Shares must require password complexity features to be enabled.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000192CCI-000193CCI-000194Configure IBM Aspera Shares to require password complexity:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Put a check the "Require strong passwords" check box.
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Shares requires password complexity:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Require strong passwords" option is checked.
If the "Require strong passwords" option is not checked, this is a finding.
If the "Require strong passwords" option is checked, downgrade this requirement to a CAT III.SRG-NET-000169-ALG-000102<GroupDescription></GroupDescription>ASP4-SH-060150IBM Aspera Shares must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).<VulnDiscussion>Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly.
IBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000804To configure Aspera Shares to authenticate all external recipients of Shares packages before they can download packages or files within packages:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option from the left menu.
- Use the dropdown menu to set the "Self Registration" option to "Moderated" or "None".
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
To ensure that all external recipients of Shares packages must register for an account before they can download packages or files within packages:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option from the left menu.
- Verify that the "Self Registration" option is set to "Moderated" or "None".
If the "Self Registration" option is set to "Unmoderated", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-SH-060160IBM Aspera Shares user account passwords must have a 60-day maximum password lifetime restriction.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000199Configure IBM Aspera Shares user account passwords to have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Edit the "Password expiration interval" to "60" days or less.
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Shares user account passwords have a 60-day maximum password lifetime restriction:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option.
- Verify the "Password expiration interval" is set to "60" or less.
If the "Password expiration interval" is greater than "60" or is blank, this is a finding.SRG-NET-000062-ALG-000011<GroupDescription></GroupDescription>ASP4-SH-060170The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
For implementations using the IBM Aspera Shares feature, the default nginx configuration of Shares has TLS 1.0, 1.1 and 1.2 enabled to support older browsers.
Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000068CCI-000197Configure IBM Aspera Shares to use TLS 1.2.
Add/Edit the following line in the nginx.conf file located at /opt/aspera/shares/etc/nginx/nginx.conf.
ssl_protocols TLSv1.2;
Restart nginx for these changes to take effect.
$ sudo /opt/aspera/shares/sbin/sv restart nginixIf the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify IBM Aspera Shares only uses TLS 1.2 or greater with the following command:
$ sudo grep ssl_protocols /opt/aspera/shares/etc/nginx/nginx.conf
ssl_protocols TLSv1.2;
If the results of the command display versions below "TLSv1.2", this is a finding.SRG-NET-000132-ALG-000087<GroupDescription></GroupDescription>ASP4-SH-060180IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems.
The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000382Configure the IBM Aspera Shares to disable functions, ports, protocols, and services that are not approved.
Edit the /opt/aspera/shares/etc/nginx/nginx.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
The IBM Aspera Shares is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Review the port configurations of the server with the following command:
$ sudo cat /opt/aspera/shares/etc/nginx/nginx.conf | grep listen
listen 80;
listen [::]:80;
listen 443;
listen [::]:443;
Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-NET-000138-ALG-000063<GroupDescription></GroupDescription>ASP4-SH-060190IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.
1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication.
2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway.
Refer to the IBM Aspera Shares Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Shares User Field, and required format within the assertion. For security best practices, also ensure that the system hosting IBM Aspera Shares uses Network Time Protocol or another system to keep times synchronized with the IdP/SAML Provider providing the SAML assertions. Clock drift between The IBM Aspera Shares server and the IdP/SAML Provider will result in expired assertions and the inability to be successfully authenticated into IBM Aspera Shares.
Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000764CCI-000766CCI-001942For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Go to "Accounts".
- Select the "Directories" option from the left menu.
- Beside the SAML IdP entry, click "Edit".
- To enable SAML, select the check box "Log in using the SAML Identity Provider".
- Enter the SAML entry-point address provided by the IdP in the "IdP Single Sign-On URL" text box.
- Enter the "Identity Provider Certificate Fingerprint" and specify the algorithm type in the dropdown menu.
- Enter the "Identity Provider Certificate".
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Using a web browser, navigate to the default IBM Aspera Shares web page. Attempt to authenticate using the IdP provided under "SAML" heading of login page with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.
If unable to log in using known working credentials, this is a finding.SRG-NET-000063-ALG-000012<GroupDescription></GroupDescription>ASP4-SH-060200IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001453CCI-002450Configure the system to require encryption for all transfers by the IBM Aspera Shares:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Select an encryption level from the dropdown menu of "Encryption" of "AES-128" or greater.
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Ensure that encryption is required for all transfers by the IBM Aspera Shares:
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Verify the "Encryption" option is set to at least "AES-128".
If the "Encryption" option is set to "optional" or not set, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-SH-060210IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001199CCI-002475CCI-002476Configure the IBM Aspera Shares to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Select the "Encryption at rest" option "Required".
- Select "Save" at the bottom of the page.If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the IBM Aspera Shares implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "System Settings" section.
- Select the "Transfers" option.
- Verify the "Encryption at rest" option is set to "Required".
If the "Encryption at rest" option is set to "Optional" or is not set, this is a finding.SRG-NET-000098-ALG-000056<GroupDescription></GroupDescription>ASP4-SH-060220IBM Aspera Shares must protect audit information from unauthorized deletion.<VulnDiscussion>If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations.
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
This requirement does not apply to audit logs generated on behalf of the device itself (device management).
Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000162CCI-000163CCI-000164Remove world access from any IBM Aspera Shares log file that has world permissions granted.
$ sudo chmod o-rwx <placefilenamehere>If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify that the log files for IBM Aspera Shares have no world access.
$ sudo find /opt/aspera/shares/u/stats-collector/var/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
$ sudo find /opt/aspera/shares/u/shares/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
$ sudo find /opt/aspera/shares/var/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print
If results are returned from the above commands, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-SH-060230The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be group-owned by nobody with the following command:
$ sudo chgrp nobody /opt/aspera/shares/u/shares/config/aspera/secret.rbIf the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is group-owned by nobody with the following command:
$ sudo stat -c "%G" /opt/aspera/shares/u/shares/config/aspera/secret.rb
nobody
If "nobody" is not returned as a result, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-SH-060240The IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be owned by nobody with the following command:
$ sudo chown nobody /opt/aspera/shares/u/shares/config/aspera/secret.rbIf the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is owned by nobody with the following command:
$ sudo stat -c "%U" /opt/aspera/shares/u/shares/config/aspera/secret.rb
nobody
If "nobody" is not returned as a result, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-SH-060250The IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to have a mode of "0400" or less permissive with the following command:
$ sudo chmod 0400 /opt/aspera/shares/u/shares/config/aspera/secret.rbIf the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.
Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file has a mode of "0400" or less permissive with the following command:
$ sudo stat -c "%a %n" /opt/aspera/shares/u/shares/config/aspera/secret.rb
400 /opt/aspera/shares/u/shares/config/aspera/secret.rb
If the resulting mode is more permissive than "0400", this is a finding.SRG-NET-000062-ALG-000150<GroupDescription></GroupDescription>ASP4-TE-030100The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.<VulnDiscussion>SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol thus are in scope for this requirement. NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000068Configure the IBM Aspera High-Speed Endpoint SSL security protocol to TLS version 1.2 or higher:
$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2"
$ sudo /opt/aspera/bin/asconfigurator -x "set_client_data;ssl_protocol,tlsv1.2"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify IBM Aspera High-Speed Transfer Endpoint only uses TLS 1.2 or greater with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1.2"
If both entries do not return "tlsv1.2" or greater , this is a finding.SRG-NET-000132-ALG-000087<GroupDescription></GroupDescription>ASP4-TE-030110The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems.
The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000382Configure the IBM Aspera High-Speed Transfer Endpoint to disable functions, ports, protocols, and services that are not approved.
Edit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.The IBM Aspera High-Speed Transfer Endpoint is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Review the port configurations of the HSTE with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep port:
transfer_protocol_options_bind_udp_port: "33001"
trunk_mcast_port: "0"
trunk_mcast_port: "0"
port: "4406"
port: "40001"
mgmt_port: "0"
http_port: "8080"
https_port: "8443"
http_port: "9091"
https_port: "9092"
ssh_port: "33001"
db_port: "31415"
scalekv_sstore_port: "31415"
scalekv_baseport: "43001"
aej_port: "0"
rproxy_rules_rule_proxy_port: "33001"
initd_db_port: "31416"
wss_port: "9093"
Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-NET-000230-ALG-000113<GroupDescription></GroupDescription>ASP4-TE-030120The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions.<VulnDiscussion>Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001184For implementations using the IBM Aspera High Speed Transfer Endpoint, configure the host key fingerprint using the following procedure:
1. Retrieve the server's SHA-1 fingerprint using the following command:
$ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum
2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the string returned from the previous command for "INSERTFINGERPRINTHERE":
$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE"
3. Restart the IBM Aspera Node service to activate the change using the following command:
$ sudo systemctl restart asperanoded.service
Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High Speed Transfer Endpoint according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide.
Restart the IBM Aspera Node service to activate the change to the certificate using the following command:
$ sudo systemctl restart asperanoded.serviceFor implementations using IBM Aspera High-Speed Transfer Endpoint, check for a <ssh_host_key_fingerprint> entry within the <server> section within The IBM Aspera High-Speed Transfer Endpoint installation configuration file at /opt/aspera/etc/aspera.conf using the following command:
$ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint
If the command does not return XML containing the fingerprint, this is a finding.
Test that the certificates used by Aspera Node service is a valid signed certificate (not self signed) by running the following command after substituting the FQDN for "servername":
$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092
If the certificate is not DoD issued, this is a finding.SRG-NET-000062-ALG-000011<GroupDescription></GroupDescription>ASP4-TE-030140The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000068CCI-001453CCI-002450For implementations using IBM Aspera High-Speed Transfer Endpoint, configure FIPS compliance criteria to all transfers by executing the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceEnsure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Endpoint with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep fips
transfer_encryption_fips_mode: "true"
If results are blank or fips mode is reported as "false", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TE-030150The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
The askmscli tool sets content-protection secrets only for each user, not for groups and not for all users on a node. Each transfer user requires their own content-protection secret for SSEAR.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002475CCI-002476Configure the IBM High-Speed Transfer Endpoint to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:
$ sudo /opt/aspera/bin/askmscli -u <transferuser> -s ssearVerify the IBM High-Speed Transfer Endpoint enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:
$ sudo /opt/aspera/bin/askmcli -u <transferuser> -H ssear
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
If the command returns "No records found for ssear", this is a finding.SRG-NET-000015-ALG-000016<GroupDescription></GroupDescription>ASP4-TE-030160The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
System administrators can set a secure password for clients to authenticate with a Redis database. When the authorization layer is enabled, Redis refuses any query by unauthenticated clients. A client can authenticate itself by sending the AUTH command followed by the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000213Configure the IBM High-Speed Transfer Endpoint to enable password protection of the node database.
Temporarily change the ownership of the Redis configuration file aspera_31415.conf to the user asperadaemon with the following command:
$ sudo chown asperadaemon /opt/aspera/etc/Redis/aspera_31415.conf
Update the configuration file to save the password across reboots with the following commands:
$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>CONFIG SET REQUIREPASS <password>
OK
127.0.0.1:31415>AUTH <password>
OK
127.0.0.1:31415>CONFIG REWRITE
OK
127.0.0.1:31415>quit
Restore aspera_31415.conf ownership to root with the following command:
$ sudo chown root /opt/aspera/etc/Redis/aspera_31415.conf
Create the node database password with the following command:
$ sudo /opt/aspera/bin/askmscli -s Redis-password
Store the node database password in the transfer user and asperadaemon keystores with the following commands:
$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemonVerify the IBM High-Speed Transfer Endpoint enables password protection of the node database with the following commands:
Initiate a cli connection to the node database.
$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>
Type "info" in the cli to attempt to query the database.
127.0.0.1:31415>info
NOAUTH Authentication required.
If the command results do not state "Authentication required", this is a finding.SRG-NET-000063-ALG-000012<GroupDescription></GroupDescription>ASP4-TE-030170The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
The master key must be a unique random 256-bit key. The example below uses openssl to generate the key. This Redis master key will be used to encrypt the dynamic token encryption key.
Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001453CCI-002450Configure the IBM High-Speed Transfer Endpoint to set a master-key to encrypt the dynamic token encryption key with the following command:
$ sudo echo -n "`openssl rand -base64 32`" | sudo /opt/aspera/bin/askmscli -s Redis-master-key
For each transfer user with a token encryption key, initialize the user's keystore with the following command:
$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
Initialize the keystore for the asperadaemon user that runs asperanoded with the following command:
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM High-Speed Transfer Endpoint has a master-key set to encrypt the dynamic token encryption key with the following commands:
$ sudo /opt/aspera/bin/askmcli -u <transferuser> -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
$ sudo /opt/aspera/bin/askmcli -u asperadaemon -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
If either command returns "No records found for Redis-master-key", this is a finding.SRG-NET-000053-ALG-000001<GroupDescription></GroupDescription>ASP4-TE-030180The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.<VulnDiscussion>Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks.
This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary.
This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.
The number of incoming transfer requests to the IBM Aspera High-Speed Transfer Endpoints permitted via a POST to the REST service can be limited by the setting of "transfer_manager_max_concurrent_sessions" in The IBM Aspera.conf.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000054Configure the IBM Aspera High-Speed Transfer Endpoint to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:
$ sudo /opt/aspera/bin/asconfiguration -x "set_server_data; transfer_manager_max_concurrent_sessions,<insertorganizationvaluehere>"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM Aspera High-Speed Transfer Endpoint limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep concurrent
transfer_manager_max_concurrent_sessions: "20"
If the value returned (in this example 20 is the default) is not an organization-defined number, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TE-030190The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
Aspera recommends that you do not store content-protection secrets in aspera.conf.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002475CCI-002476Configure the IBM High-Speed Transfer Endpoint to not store group content-protection secrets in plain text.
For each group, remove any secrets from the /opt/aspera/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_group_data; group_name,<groupname>; transfer_encryption_content_protection_secret,AS_NULL"Verify the IBM High-Speed Transfer Endpoint does not store group content-protection secrets in plain text.
For each group, run the following command:
Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.
$ sudo /opt/aspera/bin/asuserdata -g <groupname> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TE-030200The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
Aspera recommends that you do not store content-protection secrets in aspera.conf.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002475CCI-002476Configure the IBM High-Speed Transfer Endpoint to not store node content-protection secrets in plain text.
Remove any secrets from the /opt/aspera/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data; transfer_encryption_content_protection_secret,AS_NULL"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM High-Speed Transfer Endpoint does not store node content-protection secrets in plain text with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TE-030210The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
Aspera recommends that you do not store content-protection secrets in aspera.conf.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002475CCI-002476Configure the IBM High-Speed Transfer Endpoint to not store user content-protection secrets in plain text.
For each user, remove any secrets from the /opt/aspera/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM High-Speed Transfer Endpoint does not store user content-protection secrets in plain text.
For each user, run the following command:
Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.
$ sudo /opt/aspera/bin/asuserdata -u <username> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.SRG-NET-000015-ALG-000016<GroupDescription></GroupDescription>ASP4-TE-030220The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default.<VulnDiscussion>Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.
Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary.
The IBM Aspera High Speed Transfer Endpoint inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000213Configure the Aspera High-Speed Transfer Endpoint to restrict users from using transfer services by default with the following commands:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the Aspera High-Speed Transfer Endpoint restricts users from using transfer services by default with the following commands:
Check that the aspera.conf file is configured to deny transfer in and out by default.
$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"
If the results produce an "allow" value, this is a finding.SRG-NET-000015-ALG-000016<GroupDescription></GroupDescription>ASP4-TE-030230The IBM Aspera High-Speed Transfer Endpoint must restrict users read, write, and browse permissions by default.<VulnDiscussion>Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.
Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary.
The IBM Aspera High Speed Transfer Endpoint inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000213Configure the IBM Aspera High-Speed Transfer Endpoint to restrict users read, write, and browse permissions by default with the following commands:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM Aspera High-Speed Transfer Endpoint restricts users read, write, and browse permissions by default with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"
If no results are returned or if the results produce a "true" value, this is a finding.SRG-NET-000344-ALG-000098<GroupDescription></GroupDescription>ASP4-TE-030240The IBM Aspera High-Speed Transfer Endpoint must prohibit the use of cached authenticators after an organization-defined time period.<VulnDiscussion>If the cached authenticator information is out of date, the validity of the authentication information may be questionable.
This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002007Configure the IBM Aspera High-Speed Transfer Endpoint to prohibit the use of cached authenticators after an organization-defined time period with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_life_seconds,86400"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM Aspera High-Speed Transfer Endpoint prohibits the use of cached authenticators after an organization-defined time period with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life'
token_life_seconds: "86400"
Note: The example token life is for one day; this number must be defined by the organization.
If no result is returned or if the result is not an organization-defined time period, this is a finding.SRG-NET-000062-ALG-000150<GroupDescription></GroupDescription>ASP4-TS-020100The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52.<VulnDiscussion>SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
This requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol thus are in scope for this requirement. NIST SP 800-52 specifies the preferred configurations for government systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000068Configure the IBM Aspera High-Speed Transfer Server SSL security protocol to TLS version 1.2 or higher:
$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2"
$ sudo /opt/aspera/bin/asconfigurator -x "set_client_data;ssl_protocol,tlsv1.2"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify IBM Aspera High-Speed Transfer Server only uses TLS 1.2 or greater with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol
ssl_protocol: "tlsv1.2"
ssl_protocol: "tlsv1.2"
If both entries do not return "tlsv1.2" or greater , this is a finding.SRG-NET-000132-ALG-000087<GroupDescription></GroupDescription>ASP4-TS-020110The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems.
The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000382Configure the IBM Aspera High-Speed Transfer Server to disable functions, ports, protocols, and services that are not approved.
Edit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.The IBM Aspera High-Speed Transfer Server is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
Review the port configurations of the HSTS with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep port:
transfer_protocol_options_bind_udp_port: "33001"
trunk_mcast_port: "0"
trunk_mcast_port: "0"
port: "4406"
port: "40001"
mgmt_port: "0"
http_port: "8080"
https_port: "8443"
http_port: "9091"
https_port: "9092"
ssh_port: "33001"
db_port: "31415"
scalekv_sstore_port: "31415"
scalekv_baseport: "43001"
aej_port: "0"
rproxy_rules_rule_proxy_port: "33001"
initd_db_port: "31416"
wss_port: "9093"
Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA).
If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-NET-000230-ALG-000113<GroupDescription></GroupDescription>ASP4-TS-020120The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.<VulnDiscussion>Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001184For implementations using the IBM Aspera High Speed Transfer Server, configure the host key fingerprint using the following procedure:
1. Retrieve the server's SHA-1 fingerprint using the following command:
$ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum
2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the string returned from the previous command for "INSERTFINGERPRINTHERE":
$ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE"
3. Restart the IBM Aspera Node service to activate the change using the following command:
$ sudo systemctl restart asperanoded.service
Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High Speed Transfer Server according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide.
Restart the IBM Aspera Node service to activate the change to the certificate using the following command:
$ sudo systemctl restart asperanoded.serviceFor implementations using IBM Aspera High-Speed Transfer Server, check for a <ssh_host_key_fingerprint> entry within the <server> section within The IBM Aspera High-Speed Transfer Server installation configuration file at /opt/aspera/etc/aspera.conf using the following command:
$ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint
If the command does not return XML containing the fingerprint, this is a finding.
Test that the certificates used by Aspera Node service is a valid signed certificate (not self signed) by running the following command after substituting the FQDN for "servername":
$ sudo /opt/aspera/bin/openssl s_client -connect servername:9092
If the certificate is not DoD issued, this is a finding.SRG-NET-000062-ALG-000011<GroupDescription></GroupDescription>ASP4-TS-020140The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies).
Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000068CCI-001453CCI-002450For implementations using IBM Aspera High-Speed Transfer Server, configure FIPS compliance criteria to all transfers by executing the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceEnsure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Server with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep fips
transfer_encryption_fips_mode: "true"
If results are blank or fips mode is reported as "false", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TS-020150The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell".<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002696Configure the IBM Aspera HSTS SELinux context type for "aspshell" with the following commands:
$ sudo echo /bin/aspshell >> /etc/shells
$ sudo ln -s /opt/aspera/bin/aspshell /bin/aspshell
$ sudo semanage fcontext -a -t shell_exec_t "/opt/aspera/bin/aspshell"
$ sudo restorecon -v /opt/aspera/bin/aspshellVerify the IBM Aspera HSTS configures the SELinux context type for "aspshell" with the following commands:
$ sudo ls -l /bin/aspshell
lrwxrwxrwx. 1 root root 24 Sep 1 17:38 /bin/aspshell -> /opt/aspera/bin/aspshell
If /bin/aspshell is not simlinked to /opt/aspera/bin/aspshell, this is a finding.
$ sudo ls -Z /opt/aspera/bin/aspshell
-rwxr-xr-x. root root system_u:object_r:shell_exec_t:S0 /bin/aspshell
If the context type of "/opt/aspera/bin/aspshell" is not "shell_exec_t", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TS-020160The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
The askmscli tool sets content-protection secrets only for each user, not for groups and not for all users on a node. Each transfer user requires their own content-protection secret for SSEAR.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002475CCI-002476Configure the IBM High-Speed Transfer Server to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:
$ sudo /opt/aspera/bin/askmscli -u <transferuser> -s ssearVerify the IBM High-Speed Transfer Server enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command:
$ sudo /opt/aspera/bin/askmcli -u <transferuser> -H ssear
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
If the command returns "No records found for ssear", this is a finding.SRG-NET-000015-ALG-000016<GroupDescription></GroupDescription>ASP4-TS-020170The IBM Aspera High-Speed Transfer Server must enable password protection of the node database.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
System administrators can set a secure password for clients to authenticate with a Redis database. When the authorization layer is enabled, Redis refuses any query by unauthenticated clients. A client can authenticate itself by sending the AUTH command followed by the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000213Configure the IBM High-Speed Transfer Server to enable password protection of the node database.
Temporarily change the ownership of the Redis configuration file aspera_31415.conf to the user asperadaemon with the following command:
$ sudo chown asperadaemon /opt/aspera/etc/Redis/aspera_31415.conf
Update the configuration file to save the password across reboots with the following commands:
$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>CONFIG SET REQUIREPASS <password>
OK
127.0.0.1:31415>AUTH <password>
OK
127.0.0.1:31415>CONFIG REWRITE
OK
127.0.0.1:31415>quit
Restore aspera_31415.conf ownership to root with the following command:
$ sudo chown root /opt/aspera/etc/Redis/aspera_31415.conf
Create the node database password with the following command:
$ sudo /opt/aspera/bin/askmscli -s Redis-password
Store the node database password in the transfer user and asperadaemon keystores with the following commands:
$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemonVerify the IBM High-Speed Transfer Server enables password protection of the node database with the following commands:
Initiate a cli connection to the node database.
$ sudo /opt/aspera/bin/asredis -p 31415
127.0.0.1:31415>
Type "info" in the cli to attempt to query the database.
127.0.0.1:31415>info
NOAUTH Authentication required.
If the command results do not state "Authentication required", this is a finding.SRG-NET-000062-ALG-000011<GroupDescription></GroupDescription>ASP4-TS-020180The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
The dynamic token encryption key is used for encrypting authorization tokens dynamically for improved security and time-limited validity which limits the chances of a key becoming compromised.
NOTE: A dynamic token encryption key can be set for an individual user or a system group.
Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000068CCI-000197Configure the Aspera High-Speed Transfer Server to enable the use of dynamic token encryption keys with the following command:
$ sudo asconfigurator -x "set_node_data; token_dynamic_key,true"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the Aspera High-Speed Transfer Server enables the use of dynamic token encryption keys with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep dynamic
token_dynamic_key: "true"
If the "dynamic_key" setting is not set to "true", this is a finding.SRG-NET-000063-ALG-000012<GroupDescription></GroupDescription>ASP4-TS-020190The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
The master key must be a unique random 256-bit key. The example below uses openssl to generate the key. This Redis master key will be used to encrypt the dynamic token encryption key.
Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-001453CCI-002450Configure the IBM High-Speed Transfer Server to set a master-key to encrypt the dynamic token encryption key with the following command:
$ sudo echo -n "`openssl rand -base64 32`" | sudo /opt/aspera/bin/askmscli -s Redis-master-key
For each transfer user with a token encryption key, initialize the user's keystore with the following command:
$ sudo /opt/aspera/bin/askmscli -i -u <transferuser>
Initialize the keystore for the asperadaemon user that runs asperanoded with the following command:
$ sudo /opt/aspera/bin/askmscli -i -u asperadaemon
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM High-Speed Transfer Server has a master-key set to encrypt the dynamic token encryption key with the following commands:
$ sudo /opt/aspera/bin/askmcli -u <transferuser> -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
$ sudo /opt/aspera/bin/askmcli -u asperadaemon -H Redis-master-key
v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340
If either command returns "No records found for Redis-master-key", this is a finding.SRG-NET-000053-ALG-000001<GroupDescription></GroupDescription>ASP4-TS-020200The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.<VulnDiscussion>Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks.
This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary.
This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.
The number of incoming transfer requests to the IBM Aspera High-Speed Transfer Server permitted via a POST to the REST service can be limited by the setting of "transfer_manager_max_concurrent_sessions" in The IBM Aspera.conf.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000054Configure the IBM Aspera High-Speed Transfer Server to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:
$ sudo /opt/aspera/bin/asconfiguration -x "set_server_data; transfer_manager_max_concurrent_sessions,<insertorganizationvaluehere>"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM Aspera High-Speed Transfer Server limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep concurrent
transfer_manager_max_concurrent_sessions: "20"
If the value returned (in this example 20 is the default) is not the organization-defined number, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TS-020210The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
Aspera recommends that you do not store content-protection secrets in aspera.conf.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002475CCI-002476Configure the IBM High-Speed Transfer Server to not store group content-protection secrets in plain text.
Remove any secrets from the /opt/aspera/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_group_data; group_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"Verify the IBM High-Speed Transfer Server does not store group content-protection secrets in plain text.
For each group, run the following command:
Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.
$ sudo /opt/aspera/bin/asuserdata -g <groupname> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TS-020220The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
Aspera recommends that users do not store content-protection secrets in aspera.conf.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002475CCI-002476Configure the IBM High-Speed Transfer Server to not store node content-protection secrets in plain text.
Remove any secrets from the /opt/aspera/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data; transfer_encryption_content_protection_secret,AS_NULL"Verify the IBM High-Speed Transfer Server does not store node content-protection secrets in plain text with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TS-020230The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text.<VulnDiscussion>Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations.
Aspera recommends that users do not store content-protection secrets in aspera.conf.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002475CCI-002476Configure the IBM High-Speed Transfer Server to not store user content-protection secrets in plain text.
Remove any secrets from the /opt/aspera/aspera.conf file with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"Verify the IBM High-Speed Transfer Server does not store user content-protection secrets in plain text.
For each user, run the following command:
Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.
$ sudo /opt/aspera/bin/asuserdata -u <username> | grep secret | grep transfer
transfer_encryption_content_protection_secret: "AS_NULL"
If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.SRG-NET-000132-ALG-000087<GroupDescription></GroupDescription>ASP4-TS-020240The IBM Aspera High-Speed Transfer Server must not use the root account for transfers.<VulnDiscussion>By incorporating a least privilege approach to the configuration of the Aspera HSTS platform, this will reduce the exposure of privileged accounts.
By default, all system users can establish a FASP connection and are only restricted by file permissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000382Configure the Aspera High-Speed Transfer Server to restrict the use of the root account for transfers.
For each privilege that is set to "true", run the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,root;<privilege>,false"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the Aspera High-Speed Transfer Server restricts the use of the root account for transfers with the following command:
Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.
$ sudo /opt/aspera/bin/asuserdata -u root | grep allowed | grep true
If results are returned from the above command, this is a finding.SRG-NET-000132-ALG-000087<GroupDescription></GroupDescription>ASP4-TS-020250The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system.<VulnDiscussion>By restricting the transfer users to a limited part of the server's file system, this prevents unauthorized data transfers.
By default, all system users can establish a FASP connection and are only restricted by file permissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000382Configure the Aspera High-Speed Transfer Server to restrict Aspera transfer users to a limited part of the server's file system with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name, <username>;canonical_absolute,<transferfolder>; absolute,<transferfolder>"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the Aspera High-Speed Transfer Server restricts Aspera transfer users to a limited part of the server's file system.
Check that each user is restricted to a specific transfer folder with the following command:
Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly.
$ sudo /opt/aspera/bin/asuserdata -u <username> | grep absolute
canonical_absolute: "<specifictranferfolder>"
absolute: "<sepcifictransferfolder>"
If the transfer user's docroot is set to "<Empty String>" or is blank, this is a finding.SRG-NET-000138-ALG-000063<GroupDescription></GroupDescription>ASP4-TS-020260The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell".<VulnDiscussion>By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only the following operations:
Running Aspera uploads and downloads to or from this computer.
Establishing connections in the application.
Browsing, listing, creating, renaming, or deleting contents.
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following.
1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication.
2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000764Configure the Aspera High-Speed Transfer Server to restrict the transfer user(s) to the "aspshell" with the following command:
$ sudo usermod -s /bin/aspshell <username>Verify the Aspera High-Speed Transfer Server restricts the transfer user(s) to the "aspshell" with the following command:
$ sudo grep <username> /etc/passwd
<username>:x:1001:1001:...:/home/<username>:/bin/aspshell
If the transfer user is not limited to the "aspshell", this is a finding.SRG-NET-000015-ALG-000016<GroupDescription></GroupDescription>ASP4-TS-020270The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default.<VulnDiscussion>Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.
Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary.
The IBM Aspera High Speed Transfer Server inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000213Configure the Aspera High-Speed Transfer Server to restrict users from using transfer services by default with the following commands:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny"
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the Aspera High-Speed Transfer Server restricts users from using transfer services by default with the following commands:
Check that the aspera.conf file is configured to deny transfer in and out by default.
$ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value
authorization_transfer_in_value: "deny"
authorization_transfer_out_value: "deny"
If the results produce an "allow" value, this is a finding.SRG-NET-000015-ALG-000016<GroupDescription></GroupDescription>ASP4-TS-020280The IBM Aspera High-Speed Transfer Server must restrict users read, write, and browse permissions by default.<VulnDiscussion>Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access.
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization.
Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary.
The IBM Aspera High Speed Transfer Server inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000213Configure the IBM Aspera High-Speed Transfer Server to restrict users read, write, and browse permissions by default with the following commands:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM Aspera High-Speed Transfer Server restricts users read, write, and browse permissions by default with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed'
read_allowed: "false"
write_allowed: "false"
dir_allowed: "false"
If no results are returned or if the results produce a "true" value, this is a finding.SRG-NET-000132-ALG-000087<GroupDescription></GroupDescription>ASP4-TS-020290The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder.<VulnDiscussion>By restricting the default document root for the Aspera HSTS, this allows for explicit access to be defined on a per user basis.
By default, all system users can establish a FASP connection and are only restricted by file permissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-000382Configure the Aspera High-Speed Transfer Server to set the default docroot to an empty folder with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;canonical_absolute,<someemptyfolder>; absolute,<someemptyfolder>"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the Aspera High-Speed Transfer Server set the default docroot to an empty folder.
Check that the default docroot points to an empty folder with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep absolute
canonical_absolute: "<someemptyfolder>"
absolute: "<someemptyfolder>"
If the default docroot is set to "<Empty String>", this is a finding.
Review the default docroot file path from the previous command to ensure it is empty.
$ sudo find <somefilepath> -maxdepth 0 -empty -exec echo {} is empty. \;
<somefilepath> is empty.
If the command does not return "<somefilepath> is empty.", this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TS-020300The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the rootkeystore.db file to be group-owned by root with the following command:
$ sudo chgrp root /opt/aspera/etc/rootkeystore.dbVerify the rootkeystore.db file is group-owned by root with the following command:
$ sudo stat -c "%G" /opt/aspera/etc/rootkeystore.db
root
If "root" is not returned as a result, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TS-020310The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the rootkeystore.db file to be owned by root with the following command:
$ sudo chown root /opt/aspera/etc/rootkeystore.dbVerify the rootkeystore.db file is owned by root with the following command:
$ sudo stat -c "%U" /opt/aspera/etc/rootkeystore.db
root
If "root" is not returned as a result, this is a finding.SRG-NET-000512-ALG-000062<GroupDescription></GroupDescription>ASP4-TS-020320The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.<VulnDiscussion>Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002165Configure the rootkeystore.db file to have a mode of "0600" or less permissive with the following command:
$ sudo chmod 0600 /opt/aspera/etc/rootkeystore.dbVerify the rootkeystore.db file has a mode of "0600" or less permissive with the following command:
$ sudo stat -c "%a %n" /opt/aspera/etc/rootkeystore.db
600 /opt/aspera/etc/rootkeystore.db
If the resulting mode is more permissive than "0600", this is a finding.SRG-NET-000344-ALG-000098<GroupDescription></GroupDescription>ASP4-TS-020330The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period.<VulnDiscussion>If the cached authenticator information is out of date, the validity of the authentication information may be questionable.
This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target IBM Aspera Platform 4.2DISADPMS TargetIBM Aspera Platform 4.25464CCI-002007Configure the IBM Aspera High-Speed Transfer Server to prohibit the use of cached authenticators after an organization-defined time period with the following command:
$ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_life_seconds,86400"
Restart the IBM Aspera Node service to activate the changes.
$ sudo systemctl restart asperanoded.serviceVerify the IBM Aspera High-Speed Transfer Server prohibits the use of cached authenticators after an organization-defined time period with the following command:
$ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life'
token_life_seconds: "86400"
Note: The example token life is for one day; this number must be defined by the organization.
If no result is returned or if the result is not an organization-defined time period, this is a finding.