UCF STIG Viewer Logo

The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-252594 ASP4-FA-050300 SV-252594r831508_rule Medium
Description
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
STIG Date
IBM Aspera Platform 4.2 Security Technical Implementation Guide 2022-08-24

Details

Check Text ( C-56050r817950_chk )
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable.

Verify the /opt/aspera/faspex/config/secret.yml file is owned by faspex with the following command:

$ sudo stat -c "%U" /opt/aspera/faspex/config/secret.yml

faspex

If "faspex" is not returned as a result, this is a finding.
Fix Text (F-56000r817951_fix)
Configure the /opt/aspera/faspex/config/secret.yml file to be owned by faspex with the following command:

$ sudo chown faspex /opt/aspera/faspex/config/secret.yml