UCF STIG Viewer Logo

The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-252593 ASP4-FA-050290 SV-252593r831507_rule Medium
Description
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
STIG Date
IBM Aspera Platform 4.2 Security Technical Implementation Guide 2022-08-24

Details

Check Text ( C-56049r817947_chk )
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/faspex/config/secret.yml file is group-owned by faspex with the following command:

$ sudo stat -c "%G" /opt/aspera/faspex/config/secret.yml

faspex

If "faspex" is not returned as a result, this is a finding.
Fix Text (F-55999r817948_fix)
Configure the /opt/aspera/faspex/config/secret.yml file to be group-owned by faspex with the following command:

$ sudo chgrp faspex /opt/aspera/faspex/config/secret.yml