IBM Aspera Platform 4.2 STIG
IBM Aspera Platform 4.2 Security Technical Implementation Guide. Version v1 r2, released Aug. 24, 2022.
ASP4-TE-030220: The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default.
Verify the Aspera High-Speed Transfer Endpoint restricts users from using transfer services by default with the following commands: Check that the aspera.conf file is configured to deny transfer in and out by default. $ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value authorization_transfer_in_value: "deny" authorization_transfer_out_value: "deny" If the results produce an "allow" value, this is a finding.
Discussion
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. The IBM Aspera High Speed Transfer Endpoint inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Fix
Configure the Aspera High-Speed Transfer Endpoint to restrict users from using transfer services by default with the following commands: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny" $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040200: IBM Aspera Console passwords must be prohibited from reuse for a minimum of five generations.
Verify IBM Aspera Console passwords are prohibited from reuse for a minimum of five generations: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Verify the "Password Expiration" option is checked. - Verify the "Password Reuse Limit" option is set to "5" or more. If the "Password Expiration" option is not checked, this is a finding. If the "Password Reuse Limit" is set to less than "5" or is set to "0", this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
Fix
Configure IBM Aspera Console passwords to be prohibited from reuse for a minimum of five generations: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Put a check in the "Password Expiration" check box. - Edit the "Password Reuse Limit" option to "5" or more. Note: "0" disables the "Password Reuse Limit" option. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020110: The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
The IBM Aspera High-Speed Transfer Server is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the HSTS with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep port: transfer_protocol_options_bind_udp_port: "33001" trunk_mcast_port: "0" trunk_mcast_port: "0" port: "4406" port: "40001" mgmt_port: "0" http_port: "8080" https_port: "8443" http_port: "9091" https_port: "9092" ssh_port: "33001" db_port: "31415" scalekv_sstore_port: "31415" scalekv_baseport: "43001" aej_port: "0" rproxy_rules_rule_proxy_port: "33001" initd_db_port: "31416" wss_port: "9093" Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Discussion
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Fix
Configure the IBM Aspera High-Speed Transfer Server to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-00-010100: The IBM Aspera Platform must be configured to support centralized management and configuration.
Verify the IBM Aspera Platform is configured to support centralized management and configuration. Navigate to the IBM Aspera Console webpage, login with an administrator account, and review the Nodes tab. If all nodes managed by the organization are not listed, this is a finding. If the IBM Aspera Platform implementation does not include IBM Aspera Console, this is a finding.
Discussion
Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a delayed or incomplete analysis of an ongoing attack. The content captured in audit records must be managed from a central location (necessitating automation). Centralized management of audit records and logs provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Network components requiring centralized audit log management must have the capability to support centralized management. The DoD requires centralized management of all network component audit record content. This requirement does not apply to audit logs generated on behalf of the device itself (management). Support of centralized management of the IBM Aspera Platform is accomplished via use of IBM Aspera Console.
Fix
Configure the IBM Aspera Platform to support centralized management and configuration. Ensure the IBM Aspera Console server is installed and configured to manage all nodes within the organization. Navigate to the IBM Aspera Console webpage, log in with an administrator account, and select the "Nodes" tab. Select "New Managed Node" to add nodes to the IBM Aspera Console.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040150: The IBM Aspera Console feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
Verify IBM Aspera Console only uses TLS 1.2 or greater with the following command: $ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf SSLProtocol TLSv1.2 If the values for SSLProtocol vary from the above example, this is a finding.
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). For implementations using the IBM Aspera Console feature, the default configuration of Console has TLS 1.0 and 1.1 enabled to support older browsers. Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097
Fix
Configure IBM Aspera Console to use TLS 1.2. Add/Edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf. SSLProtocol TLSv1.2 Restart Apache for these changes to take effect. $ sudo /opt/aspera/common/asctl/asctl apache:restart
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-SH-060210: IBM Aspera Shares must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Shares implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "System Settings" section. - Select the "Transfers" option. - Verify the "Encryption at rest" option is set to "Required". If the "Encryption at rest" option is set to "Optional" or is not set, this is a finding.
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
Fix
Configure the IBM Aspera Shares to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "System Settings" section. - Select the "Transfers" option. - Select the "Encryption at rest" option "Required". - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060120: IBM Aspera Shares must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Shares web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.
Discussion
For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password. Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106
Fix
For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP that implements multi-factor authentication.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030190: The IBM Aspera High-Speed Transfer Endpoint must not store group content-protection secrets in plain text.
Verify the IBM High-Speed Transfer Endpoint does not store group content-protection secrets in plain text. For each group, run the following command: Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly. $ sudo /opt/aspera/bin/asuserdata -g <groupname> | grep secret | grep transfer transfer_encryption_content_protection_secret: "AS_NULL" If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that you do not store content-protection secrets in aspera.conf.
Fix
Configure the IBM High-Speed Transfer Endpoint to not store group content-protection secrets in plain text. For each group, remove any secrets from the /opt/aspera/aspera.conf file with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_group_data; group_name,<groupname>; transfer_encryption_content_protection_secret,AS_NULL"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030140: The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
Ensure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Endpoint with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep fips transfer_encryption_fips_mode: "true" If results are blank or fips mode is reported as "false", this is a finding.
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Fix
For implementations using IBM Aspera High-Speed Transfer Endpoint, configure FIPS compliance criteria to all transfers by executing the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-TE-030110: The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
The IBM Aspera High-Speed Transfer Endpoint is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the HSTE with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep port: transfer_protocol_options_bind_udp_port: "33001" trunk_mcast_port: "0" trunk_mcast_port: "0" port: "4406" port: "40001" mgmt_port: "0" http_port: "8080" https_port: "8443" http_port: "9091" https_port: "9092" ssh_port: "33001" db_port: "31415" scalekv_sstore_port: "31415" scalekv_baseport: "43001" aej_port: "0" rproxy_rules_rule_proxy_port: "33001" initd_db_port: "31416" wss_port: "9093" Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Discussion
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Fix
Configure the IBM Aspera High-Speed Transfer Endpoint to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/etc/aspera.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020270: The IBM Aspera High-Speed Transfer Server must restrict users from using transfer services by default.
Verify the Aspera High-Speed Transfer Server restricts users from using transfer services by default with the following commands: Check that the aspera.conf file is configured to deny transfer in and out by default. $ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value authorization_transfer_in_value: "deny" authorization_transfer_out_value: "deny" If the results produce an "allow" value, this is a finding.
Discussion
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. The IBM Aspera High Speed Transfer Server inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Fix
Configure the Aspera High-Speed Transfer Server to restrict users from using transfer services by default with the following commands: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny" $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020210: The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text.
Verify the IBM High-Speed Transfer Server does not store group content-protection secrets in plain text. For each group, run the following command: Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly. $ sudo /opt/aspera/bin/asuserdata -g <groupname> | grep secret | grep transfer transfer_encryption_content_protection_secret: "AS_NULL" If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that you do not store content-protection secrets in aspera.conf.
Fix
Configure the IBM High-Speed Transfer Server to not store group content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_group_data; group_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050260: IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Ensure that encryption is required for all transfers by the IBM Aspera Faspex: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section from the left menu. - Scroll down to the "Encryption" section. - Verify that the "Encrypt transfers" option is checked. If the "Encrypt transfers" option is not checked, this is a finding.
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Fix
Configure the system to require encryption for all transfers by the IBM Aspera Faspex: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section from the left menu. - Scroll down to the "Encryption" section. - Put a check in the "Encrypt transfers" check box. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-SH-060230: The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is group-owned by nobody with the following command: $ sudo stat -c "%G" /opt/aspera/shares/u/shares/config/aspera/secret.rb nobody If "nobody" is not returned as a result, this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be group-owned by nobody with the following command: $ sudo chgrp nobody /opt/aspera/shares/u/shares/config/aspera/secret.rb
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030170: The IBM Aspera High-Speed Transfer Endpoint must have a master-key set to encrypt the dynamic token encryption key.
Verify the IBM High-Speed Transfer Endpoint has a master-key set to encrypt the dynamic token encryption key with the following commands: $ sudo /opt/aspera/bin/askmcli -u <transferuser> -H Redis-master-key v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340 $ sudo /opt/aspera/bin/askmcli -u asperadaemon -H Redis-master-key v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340 If either command returns "No records found for Redis-master-key", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. The master key must be a unique random 256-bit key. The example below uses openssl to generate the key. This Redis master key will be used to encrypt the dynamic token encryption key. Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Fix
Configure the IBM High-Speed Transfer Endpoint to set a master-key to encrypt the dynamic token encryption key with the following command: $ sudo echo -n "`openssl rand -base64 32`" | sudo /opt/aspera/bin/askmscli -s Redis-master-key For each transfer user with a token encryption key, initialize the user's keystore with the following command: $ sudo /opt/aspera/bin/askmscli -i -u <transferuser> Initialize the keystore for the asperadaemon user that runs asperanoded with the following command: $ sudo /opt/aspera/bin/askmscli -i -u asperadaemon Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060140: IBM Aspera Shares must require password complexity features to be enabled.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares requires password complexity: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option. - Verify the "Require strong passwords" option is checked. If the "Require strong passwords" option is not checked, this is a finding. If the "Require strong passwords" option is checked, downgrade this requirement to a CAT III.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Fix
Configure IBM Aspera Shares to require password complexity: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option. - Put a check the "Require strong passwords" check box. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040240: The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
Verify the /opt/aspera/console/config/secret.yml file is group-owned by root with the following command: $ sudo stat -c "%G" /opt/aspera/console/config/secret.yml root If "root" is not returned as a result, this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/console/config/secret.yml file to be group-owned by root with the following command: $ sudo chgrp root /opt/aspera/console/config/secret.yml
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020190: The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.
Verify the IBM High-Speed Transfer Server has a master-key set to encrypt the dynamic token encryption key with the following commands: $ sudo /opt/aspera/bin/askmcli -u <transferuser> -H Redis-master-key v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340 $ sudo /opt/aspera/bin/askmcli -u asperadaemon -H Redis-master-key v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340 If either command returns "No records found for Redis-master-key", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. The master key must be a unique random 256-bit key. The example below uses openssl to generate the key. This Redis master key will be used to encrypt the dynamic token encryption key. Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Fix
Configure the IBM High-Speed Transfer Server to set a master-key to encrypt the dynamic token encryption key with the following command: $ sudo echo -n "`openssl rand -base64 32`" | sudo /opt/aspera/bin/askmscli -s Redis-master-key For each transfer user with a token encryption key, initialize the user's keystore with the following command: $ sudo /opt/aspera/bin/askmscli -i -u <transferuser> Initialize the keystore for the asperadaemon user that runs asperanoded with the following command: $ sudo /opt/aspera/bin/askmscli -i -u asperadaemon Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020170: The IBM Aspera High-Speed Transfer Server must enable password protection of the node database.
Verify the IBM High-Speed Transfer Server enables password protection of the node database with the following commands: Initiate a cli connection to the node database. $ sudo /opt/aspera/bin/asredis -p 31415 127.0.0.1:31415> Type "info" in the cli to attempt to query the database. 127.0.0.1:31415>info NOAUTH Authentication required. If the command results do not state "Authentication required", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. System administrators can set a secure password for clients to authenticate with a Redis database. When the authorization layer is enabled, Redis refuses any query by unauthenticated clients. A client can authenticate itself by sending the AUTH command followed by the password.
Fix
Configure the IBM High-Speed Transfer Server to enable password protection of the node database. Temporarily change the ownership of the Redis configuration file aspera_31415.conf to the user asperadaemon with the following command: $ sudo chown asperadaemon /opt/aspera/etc/Redis/aspera_31415.conf Update the configuration file to save the password across reboots with the following commands: $ sudo /opt/aspera/bin/asredis -p 31415 127.0.0.1:31415>CONFIG SET REQUIREPASS <password> OK 127.0.0.1:31415>AUTH <password> OK 127.0.0.1:31415>CONFIG REWRITE OK 127.0.0.1:31415>quit Restore aspera_31415.conf ownership to root with the following command: $ sudo chown root /opt/aspera/etc/Redis/aspera_31415.conf Create the node database password with the following command: $ sudo /opt/aspera/bin/askmscli -s Redis-password Store the node database password in the transfer user and asperadaemon keystores with the following commands: $ sudo /opt/aspera/bin/askmscli -i -u <transferuser> $ sudo /opt/aspera/bin/askmscli -i -u asperadaemon
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-00-010110: The IBM Aspera Platform must not have unnecessary services and functions enabled.
Verify that only mission essential features are in use. Interview the systems administrator to determine if the following Aspera features are in use: Aspera Shares Aspera Faspex If either Aspera Shares or Aspera Faspex are in use and are not documented with the ISSM as a mission requirement, this is a finding.
Discussion
Information systems are capable of providing a wide variety of functions (capabilities or processes) and services. Some of these functions and services are installed and enabled by default. The organization must determine which functions and services are required to perform the content filtering and other necessary core functionality for each component of the ALG. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. The primary function of an ALG is to provide application specific content filtering and/or proxy services. The ALG application suite may integrate related content filtering and analysis services and tools (e.g., IPS, proxy, malware inspection, black/white lists). Some gateways may also include email scanning, decryption, caching, and DLP services. However, services and capabilities which are unrelated to this primary functionality must not be installed (e.g., DNS, email client or server, FTP server, or web server). Next Generation ALGs (NGFW) and Unified Threat Management (UTM) ALGs integrate functions which have been traditionally separated. These products integrate content filtering features to provide more granular policy filtering. There may be operational drawbacks to combining these services into one device. Another issue is that NGFW and UTM products vary greatly with no current definitive industry standard.
Fix
Ensure all mission required features of Aspera are documented with the ISSM.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060200: IBM Aspera Shares feature must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Ensure that encryption is required for all transfers by the IBM Aspera Shares: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "System Settings" section. - Select the "Transfers" option. - Verify the "Encryption" option is set to at least "AES-128". If the "Encryption" option is set to "optional" or not set, this is a finding.
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Fix
Configure the system to require encryption for all transfers by the IBM Aspera Shares: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "System Settings" section. - Select the "Transfers" option. - Select an encryption level from the dropdown menu of "Encryption" of "AES-128" or greater. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-SH-060190: IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Shares web page. Attempt to authenticate using the IdP provided under "SAML" heading of login page with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding.
Discussion
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication. 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway. Refer to the IBM Aspera Shares Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Shares User Field, and required format within the assertion. For security best practices, also ensure that the system hosting IBM Aspera Shares uses Network Time Protocol or another system to keep times synchronized with the IdP/SAML Provider providing the SAML assertions. Clock drift between The IBM Aspera Shares server and the IdP/SAML Provider will result in expired assertions and the inability to be successfully authenticated into IBM Aspera Shares. Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095
Fix
For implementations using the IBM Aspera Shares feature, configure SAML to use an existing IdP. - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Go to "Accounts". - Select the "Directories" option from the left menu. - Beside the SAML IdP entry, click "Edit". - To enable SAML, select the check box "Log in using the SAML Identity Provider". - Enter the SAML entry-point address provided by the IdP in the "IdP Single Sign-On URL" text box. - Enter the "Identity Provider Certificate Fingerprint" and specify the algorithm type in the dropdown menu. - Enter the "Identity Provider Certificate". - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030160: The IBM Aspera High-Speed Transfer Endpoint must enable password protection of the node database.
Verify the IBM High-Speed Transfer Endpoint enables password protection of the node database with the following commands: Initiate a cli connection to the node database. $ sudo /opt/aspera/bin/asredis -p 31415 127.0.0.1:31415> Type "info" in the cli to attempt to query the database. 127.0.0.1:31415>info NOAUTH Authentication required. If the command results do not state "Authentication required", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. System administrators can set a secure password for clients to authenticate with a Redis database. When the authorization layer is enabled, Redis refuses any query by unauthenticated clients. A client can authenticate itself by sending the AUTH command followed by the password.
Fix
Configure the IBM High-Speed Transfer Endpoint to enable password protection of the node database. Temporarily change the ownership of the Redis configuration file aspera_31415.conf to the user asperadaemon with the following command: $ sudo chown asperadaemon /opt/aspera/etc/Redis/aspera_31415.conf Update the configuration file to save the password across reboots with the following commands: $ sudo /opt/aspera/bin/asredis -p 31415 127.0.0.1:31415>CONFIG SET REQUIREPASS <password> OK 127.0.0.1:31415>AUTH <password> OK 127.0.0.1:31415>CONFIG REWRITE OK 127.0.0.1:31415>quit Restore aspera_31415.conf ownership to root with the following command: $ sudo chown root /opt/aspera/etc/Redis/aspera_31415.conf Create the node database password with the following command: $ sudo /opt/aspera/bin/askmscli -s Redis-password Store the node database password in the transfer user and asperadaemon keystores with the following commands: $ sudo /opt/aspera/bin/askmscli -i -u <transferuser> $ sudo /opt/aspera/bin/askmscli -i -u asperadaemon
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040190: IBM Aspera Console must prevent concurrent logins for all accounts.
Verify IBM Aspera Console prevents concurrent logins for all accounts: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Verify the "Prevent concurrent login" option is checked. If the "Prevent concurrent login" option is not checked, this is a finding.
Discussion
Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.
Fix
Configure IBM Aspera Console to prevent concurrent logins for all accounts: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Put a check the "Prevent concurrent login" check box. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030100: The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.
Verify IBM Aspera High-Speed Transfer Endpoint only uses TLS 1.2 or greater with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol ssl_protocol: "tlsv1.2" ssl_protocol: "tlsv1.2" If both entries do not return "tlsv1.2" or greater , this is a finding.
Discussion
SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol thus are in scope for this requirement. NIST SP 800-52 specifies the preferred configurations for government systems.
Fix
Configure the IBM Aspera High-Speed Endpoint SSL security protocol to TLS version 1.2 or higher: $ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2" $ sudo /opt/aspera/bin/asconfigurator -x "set_client_data;ssl_protocol,tlsv1.2" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-SH-060250: The IBM Aspera Shares private/secret cryptographic keys file must have a mode of 0400 or less permissive to prevent unauthorized read access.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file has a mode of "0400" or less permissive with the following command: $ sudo stat -c "%a %n" /opt/aspera/shares/u/shares/config/aspera/secret.rb 400 /opt/aspera/shares/u/shares/config/aspera/secret.rb If the resulting mode is more permissive than "0400", this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to have a mode of "0400" or less permissive with the following command: $ sudo chmod 0400 /opt/aspera/shares/u/shares/config/aspera/secret.rb
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060220: IBM Aspera Shares must protect audit information from unauthorized deletion.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify that the log files for IBM Aspera Shares have no world access. $ sudo find /opt/aspera/shares/u/stats-collector/var/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print $ sudo find /opt/aspera/shares/u/shares/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print $ sudo find /opt/aspera/shares/var/log \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print If results are returned from the above commands, this is a finding.
Discussion
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This requirement does not apply to audit logs generated on behalf of the device itself (device management). Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058
Fix
Remove world access from any IBM Aspera Shares log file that has world permissions granted. $ sudo chmod o-rwx <placefilenamehere>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030150: The IBM Aspera High-Speed Transfer Endpoint must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).
Verify the IBM High-Speed Transfer Endpoint enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command: $ sudo /opt/aspera/bin/askmcli -u <transferuser> -H ssear v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340 If the command returns "No records found for ssear", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. The askmscli tool sets content-protection secrets only for each user, not for groups and not for all users on a node. Each transfer user requires their own content-protection secret for SSEAR.
Fix
Configure the IBM High-Speed Transfer Endpoint to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command: $ sudo /opt/aspera/bin/askmscli -u <transferuser> -s ssear
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050250: IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Faspex web page. If you are neither redirected to an IdP nor provided with a list of one or more IdPs to choose from on the standard IBM Aspera Faspex webpage, this is a finding. If redirected to the IdP login, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding. If not redirected to a single IdP but provided a list of configured IdPs, choose one for authentication with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding.
Discussion
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication. 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway. IBM Aspera Faspex will list preestablished trust relationships for IdPs on the default Faspex login page. This configuration supports the ability to have more than one preestablished trust relationship, and it requires the user to choose from the valid preestablished IdPs as listed on the default web page. If IBM Aspera Faspex is configured to automatically redirect to a single IdP, visiting the default webpage will do so. Refer to the IBM Aspera Faspex Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Faspex User Field, and required format within the assertion. For security best practices, also ensure that the system hosting Aspera Faspex uses Network Time Protocol or another system to keep times synchronized with the IdP server providing the SAML assertions. Clock drift between the IBM Aspera Faspex server and the IdP/SAML Provider will result in expired assertions and the inability to be successfully authenticated into IBM Aspera Faspex. Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095
Fix
For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP. To configure SAML within IBM Aspera Faspex, perform the following: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Authentication" tab. - Select the SAML Integration menu. - Select "Add New SAML Configuration". - Choose one action from these: 1) Enter the SAML server's metadata URL in "Import from URL" and click "Import Setting From Metadata URL". 2) Click "Browse" and locate the file containing the SAML server's metadata. 3) Paste the SAML server metadata into the box labeled "Import from Text" and click the "Import Settings From Text". - Select "Create SAML Configuration" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020200: The IBM Aspera High-Speed Transfer Server must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
Verify the IBM Aspera High-Speed Transfer Server limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep concurrent transfer_manager_max_concurrent_sessions: "20" If the value returned (in this example 20 is the default) is not the organization-defined number, this is a finding.
Discussion
Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services. The number of incoming transfer requests to the IBM Aspera High-Speed Transfer Server permitted via a POST to the REST service can be limited by the setting of "transfer_manager_max_concurrent_sessions" in The IBM Aspera.conf.
Fix
Configure the IBM Aspera High-Speed Transfer Server to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command: $ sudo /opt/aspera/bin/asconfiguration -x "set_server_data; transfer_manager_max_concurrent_sessions,<insertorganizationvaluehere>" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050310: The IBM Aspera Faspex Server must restrict users from using transfer services by default.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex restricts users from using transfer services by default with the following commands: Check that the aspera.conf file is configured to deny transfer in and out by default. $ sudo /opt/aspera/bin/asuserdata -a | grep authorization | grep value authorization_transfer_in_value: "deny" authorization_transfer_out_value: "deny" If the results produce an "allow" value, this is a finding.
Discussion
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. IBM Aspera High Speed Transfer Server and IBM Aspera High Speed Transfer Endpoint inherently use file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Fix
Configure the IBM Aspera Faspex to restrict users from using transfer services by default with the following commands: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_in_value,deny" $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;authorization_transfer_out_value,deny" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030240: The IBM Aspera High-Speed Transfer Endpoint must prohibit the use of cached authenticators after an organization-defined time period.
Verify the IBM Aspera High-Speed Transfer Endpoint prohibits the use of cached authenticators after an organization-defined time period with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life' token_life_seconds: "86400" Note: The example token life is for one day; this number must be defined by the organization. If no result is returned or if the result is not an organization-defined time period, this is a finding.
Discussion
If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).
Fix
Configure the IBM Aspera High-Speed Transfer Endpoint to prohibit the use of cached authenticators after an organization-defined time period with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_life_seconds,86400" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020260: The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell".
Verify the Aspera High-Speed Transfer Server restricts the transfer user(s) to the "aspshell" with the following command: $ sudo grep <username> /etc/passwd <username>:x:1001:1001:...:/home/<username>:/bin/aspshell If the transfer user is not limited to the "aspshell", this is a finding.
Discussion
By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only the following operations: Running Aspera uploads and downloads to or from this computer. Establishing connections in the application. Browsing, listing, creating, renaming, or deleting contents. To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and any processes acting on behalf of users) must be uniquely identified and authenticated for all accesses except the following. 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication. 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. This requirement applies to ALGs that provide user proxy services, including identification and authentication. This service must use the site's directory service (e.g., Active Directory). Directory services must not be installed onto the gateway.
Fix
Configure the Aspera High-Speed Transfer Server to restrict the transfer user(s) to the "aspshell" with the following command: $ sudo usermod -s /bin/aspshell <username>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020300: The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
Verify the rootkeystore.db file is group-owned by root with the following command: $ sudo stat -c "%G" /opt/aspera/etc/rootkeystore.db root If "root" is not returned as a result, this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.
Fix
Configure the rootkeystore.db file to be group-owned by root with the following command: $ sudo chgrp root /opt/aspera/etc/rootkeystore.db
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020100: The IBM Aspera High-Speed Transfer Server must be configured to comply with the required TLS settings in NIST SP 800-52.
Verify IBM Aspera High-Speed Transfer Server only uses TLS 1.2 or greater with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep ssl_protocol ssl_protocol: "tlsv1.2" ssl_protocol: "tlsv1.2" If both entries do not return "tlsv1.2" or greater , this is a finding.
Discussion
SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. This requirement applies to TLS gateways (also known as SSL gateways) and is not applicable to VPN devices. Application protocols such as HTTPS and DNSSEC use TLS as the underlying security protocol thus are in scope for this requirement. NIST SP 800-52 specifies the preferred configurations for government systems.
Fix
Configure the IBM Aspera High-Speed Transfer Server SSL security protocol to TLS version 1.2 or higher: $ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssl_protocol,tlsv1.2" $ sudo /opt/aspera/bin/asconfigurator -x "set_client_data;ssl_protocol,tlsv1.2" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-FA-050300: The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/faspex/config/secret.yml file is owned by faspex with the following command: $ sudo stat -c "%U" /opt/aspera/faspex/config/secret.yml faspex If "faspex" is not returned as a result, this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/faspex/config/secret.yml file to be owned by faspex with the following command: $ sudo chown faspex /opt/aspera/faspex/config/secret.yml
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020280: The IBM Aspera High-Speed Transfer Server must restrict users read, write, and browse permissions by default.
Verify the IBM Aspera High-Speed Transfer Server restricts users read, write, and browse permissions by default with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed' read_allowed: "false" write_allowed: "false" dir_allowed: "false" If no results are returned or if the results produce a "true" value, this is a finding.
Discussion
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. The IBM Aspera High Speed Transfer Server inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Fix
Configure the IBM Aspera High-Speed Transfer Server to restrict users read, write, and browse permissions by default with the following commands: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020230: The IBM Aspera High-Speed Transfer Server must not store user content-protection secrets in plain text.
Verify the IBM High-Speed Transfer Server does not store user content-protection secrets in plain text. For each user, run the following command: Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly. $ sudo /opt/aspera/bin/asuserdata -u <username> | grep secret | grep transfer transfer_encryption_content_protection_secret: "AS_NULL" If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that users do not store content-protection secrets in aspera.conf.
Fix
Configure the IBM High-Speed Transfer Server to not store user content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name,<name>; transfer_encryption_content_protection_secret,AS_NULL"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040250: The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
Verify the /opt/aspera/console/config/secret.yml file is owned by root with the following command: $ sudo stat -c "%U" /opt/aspera/console/config/secret.yml root If "root" is not returned as a result, this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/console/config/secret.yml file to be owned by root with the following command: $ sudo chown root /opt/aspera/console/config/secret.yml
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060240: The IBM Aspera Shares private/secret cryptographic keys file must be owned by nobody to prevent unauthorized read access.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/shares/u/shares/config/aspera/secret.rb file is owned by nobody with the following command: $ sudo stat -c "%U" /opt/aspera/shares/u/shares/config/aspera/secret.rb nobody If "nobody" is not returned as a result, this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/shares/u/shares/config/aspera/secret.rb file to be owned by nobody with the following command: $ sudo chown nobody /opt/aspera/shares/u/shares/config/aspera/secret.rb
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050240: IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. The IBM Aspera Faspex is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the server with the following command: $ sudo /opt/aspera/common/asctl/asctl all:info | grep port: http_port: 80 https_port: 443 port: 4406 base_port: 3000 http_fallback_port:8080 Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Discussion
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Fix
Configure the IBM Aspera Faspex to disable functions, ports, protocols, and services that are not approved. Use the following commands to configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port. For the apache instance: $ sudo /opt/aspera/common/asctl/asctl apache:http_port <number> $ sudo /opt/aspera/common/asctl/asctl apache:https_port <number> For the faspex instance: $ sudo /opt/aspera/common/asctl/asctl faspex:base_port <number> $ sudo /opt/aspera/common/asctl/asctl faspex:http_fallback_port <number> For the database: $ sudo /opt/aspera/common/asctl/asctl mysql:port <number>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020140: The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
Ensure that FIPS compliance is required for all transfers by the IBM Aspera High-Speed Transfer Server with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep fips transfer_encryption_fips_mode: "true" If results are blank or fips mode is reported as "false", this is a finding.
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Fix
For implementations using IBM Aspera High-Speed Transfer Server, configure FIPS compliance criteria to all transfers by executing the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;transfer_encryption_fips_mode,true" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-FA-050100: IBM Aspera Faspex interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex interactive session are terminated after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Session timeout" option is set to "10" minutes or less. If the "Session timeout" option is set to more than "10" minutes, this is a finding.
Discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006
Fix
Configure IBM Aspera Faspex interactive session to terminated after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Edit the "Session timeout" option to "10" minutes or less. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060110: IBM Aspera Shares must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Shares default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner. Using a web browser, go to the default IBM Aspera Shares website. If the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.
Discussion
Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the login function residing on the network element. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." This policy only applies to gateways (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services offloaded from the application. Publicly access systems are used in DoD to provide benefit information, pay information, or public services. There may also be self-registration and authorization services provided by these gateways. Satisfies: SRG-NET-000041-ALG-000022, SRG-NET-000043-ALG-000024
Fix
Configure the IBM Aspera Shares default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner. - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "System Settings" section. - Select the "Messages" option. - Enter the Standard Mandatory DoD-approved Notice and Consent Banner in the Login page message box. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
ASP4-CS-040270: The IBM Aspera Console feature audit tools must be protected from unauthorized modification or deletion.
Verify the world ownership of subdirectories within the /opt/aspera/console directory. Only the "public" subdirectory should have any access outside of the owner or group. sudo find /opt/aspera/console -perm -0002 -exec ls -lLd {} \; If any files or directories have world write permissions, this is a finding.
Discussion
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This does not apply to audit logs generated on behalf of the device itself (management). Satisfies: SRG-NET-000102-ALG-000060, SRG-NET-000103-ALG-000061
Fix
Remove the ability for world to write to any file that has been modified to world writeable. $ sudo chmod o-w <placefilenamehere>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040130: The IBM Aspera Console must protect audit tools from unauthorized access.
Using a web browser, navigate to the IBM Aspera Console web page. The IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication. If it does not redirect for authentication via the configured IdP, this is a finding. If redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access.
Discussion
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit data. Network elements providing tools to interface with audit data will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. This does not apply to audit logs generated on behalf of the device itself (management). Refer to the IBM Aspera Console Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Console User Field, and required format within the assertion.
Fix
Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Accounts" tab. - Select the "SAML" tab. - Enter the IdP SSO Target (Redirect) URL. - Enter the IdP Cert Fingerprint. - Select from the dropdown menu the IdP Cert Fingerprint Algorithm. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060130: IBM Aspera Shares must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares locks accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option. - Verify the "Failed login count" is set to "3" or less. - Verify the "Failed login interval" is set to "15" or less. If the "Failed login count" is set to more than "3", this is a finding. If the "Failed login interval" is set to more than "15" minutes, this is a finding.
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Fix
Configure IBM Aspera Shares to lock accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option. - Edit the "Failed login count" option to "3" or less. - Edit the "Failed login interval" option to "15" minutes or less. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030200: The IBM Aspera High-Speed Transfer Endpoint must not store node content-protection secrets in plain text.
Verify the IBM High-Speed Transfer Endpoint does not store node content-protection secrets in plain text with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer transfer_encryption_content_protection_secret: "AS_NULL" If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that you do not store content-protection secrets in aspera.conf.
Fix
Configure the IBM High-Speed Transfer Endpoint to not store node content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data; transfer_encryption_content_protection_secret,AS_NULL" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020160: The IBM Aspera High-Speed Transfer Server must enable content protection for each transfer user by encrypting passphrases used for server-side encryption at rest (SSEAR).
Verify the IBM High-Speed Transfer Server enables content protection for each transfer user by encrypting passphrases used for SSEAR with the following command: $ sudo /opt/aspera/bin/askmcli -u <transferuser> -H ssear v0: (SHA-512) 6fcb5c284590f67af12334cf27f94a6dc5fb2f27627b9ba8dc20c210df3edd7a596cd3c9961a5c36bfd8e57a9ae15a6859559f8e11c3059704859cabb59d8340 If the command returns "No records found for ssear", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. The askmscli tool sets content-protection secrets only for each user, not for groups and not for all users on a node. Each transfer user requires their own content-protection secret for SSEAR.
Fix
Configure the IBM High-Speed Transfer Server to enable content protection for each transfer user by encrypting passphrases used for SSEAR with the following command: $ sudo /opt/aspera/bin/askmscli -u <transferuser> -s ssear
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040210: IBM Aspera Console user account passwords must have a 60-day maximum password lifetime restriction.
Verify IBM Aspera Console user account passwords have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Verify the "Password Expiration" option is checked. - Verify the "Password Duration" option is set to "60" days or less. If the "Password Expiration" option is not checked, this is a finding. If the "Password Duration" is set to more than "60" days or is set to "0", this is a finding.
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.
Fix
Configure IBM Aspera Console user account passwords to have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Put a check in the "Password Expiration" check box. - Edit the "Password Duration" option to "60" days or less. Note: "0" disables the "Password Duration" option. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060160: IBM Aspera Shares user account passwords must have a 60-day maximum password lifetime restriction.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares user account passwords have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option. - Verify the "Password expiration interval" is set to "60" or less. If the "Password expiration interval" is greater than "60" or is blank, this is a finding.
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.
Fix
Configure IBM Aspera Shares user account passwords to have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option. - Edit the "Password expiration interval" to "60" days or less. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020180: The IBM Aspera High-Speed Transfer Server must enable the use of dynamic token encryption keys.
Verify the Aspera High-Speed Transfer Server enables the use of dynamic token encryption keys with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep dynamic token_dynamic_key: "true" If the "dynamic_key" setting is not set to "true", this is a finding.
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. The dynamic token encryption key is used for encrypting authorization tokens dynamically for improved security and time-limited validity which limits the chances of a key becoming compromised. NOTE: A dynamic token encryption key can be set for an individual user or a system group. Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097
Fix
Configure the Aspera High-Speed Transfer Server to enable the use of dynamic token encryption keys with the following command: $ sudo asconfigurator -x "set_node_data; token_dynamic_key,true" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040170: IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol.
Verify IBM Aspera Console enforces password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Verify the "Password Requirement Regular Expression" has the following value: (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,} - Verify the "Password Requirement Message" has the following text: "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol". If the "Password Requirement Regular Expression" value is not "(?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,}", this is a finding. If the "Password Requirement Message" value is not "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol", this is a finding.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Fix
Configure IBM Aspera Console to enforce password complexity by requiring at least 15 characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Console Password Options" section. - Edit the "Password Requirement Regular Expression" with the following value: (?=.*\d)(?=.*([a-z]))(?=.*([A-Z]))(?=.*(\W|_)).{15,} - Edit the "Password Requirement Message" with the following text: "Passwords must be at least fifteen characters long, with at least one upper case letter, one lower case letter, one number, and one symbol". - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020330: The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period.
Verify the IBM Aspera High-Speed Transfer Server prohibits the use of cached authenticators after an organization-defined time period with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep 'token_life' token_life_seconds: "86400" Note: The example token life is for one day; this number must be defined by the organization. If no result is returned or if the result is not an organization-defined time period, this is a finding.
Discussion
If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators for use throughout a session. It also applies to ALGs that provide user authentication intermediary services (e.g., authentication gateway or TLS gateway). This does not apply to authentication for the purpose of configuring the device itself (device management).
Fix
Configure the IBM Aspera High-Speed Transfer Server to prohibit the use of cached authenticators after an organization-defined time period with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;token_life_seconds,86400" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020220: The IBM Aspera High-Speed Transfer Server must not store node content-protection secrets in plain text.
Verify the IBM High-Speed Transfer Server does not store node content-protection secrets in plain text with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep secret | grep transfer transfer_encryption_content_protection_secret: "AS_NULL" If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that users do not store content-protection secrets in aspera.conf.
Fix
Configure the IBM High-Speed Transfer Server to not store node content-protection secrets in plain text. Remove any secrets from the /opt/aspera/aspera.conf file with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data; transfer_encryption_content_protection_secret,AS_NULL"
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050140: IBM Aspera Faspex must disable account identifiers after 35 days of inactivity.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex disables account identifiers after 35 days of inactivity: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Under the "Faspex accounts" "Remove users" section, verify the following: - Verify the "Local users" option is checked. - Verify the "Local users" options is set to "35" days or less. - Verify the "DS users" option is checked. - Verify the "DS users" options is set to "35" days or less. - Verify the "SAML users" option is checked. - Verify the "SAML users" options is set to "35" days or less. If the "Local users" options is set to more than "35" days or the option is not checked, this is a finding. If the "DS users" options is set to more than "35" days or the option is not checked, this is a finding. If the "SAML users" options is set to more than "35" days or the option is not checked, this is a finding.
Discussion
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
Fix
Configure IBM Aspera Faspex to disable account identifiers after 35 days of inactivity: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Under the "Faspex accounts" "Remove users" section, edit the following: - Put a check in the "Local users" option check box. - Edit the "Local users" option to "35" days or less. - Put a check in the "DS users" option check box. - Edit the "DS users" option to "35" days or less. - Put a check in the "SAML users" option check box. - Edit the "SAML users" option to "35" days or less. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050180: IBM Aspera Faspex must prevent concurrent logins for all accounts.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex prevents concurrent logins for all accounts: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Prevent concurrent login" option is checked. If the "Prevent concurrent login" is not checked, this is a finding.
Discussion
Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.
Fix
Configure IBM Aspera Faspex to prevent concurrent logins for all accounts: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check the "Faspex accounts" "Prevent concurrent login" check box. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040220: The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
The IBM Aspera Console is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the server with the following command: $ sudo /opt/aspera/common/asctl/asctl all:info | grep port: http_port: 80 https_port: 443 port: 4406 base_port: 3500 Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Discussion
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Fix
Configure the IBM Aspera Console to disable functions, ports, protocols, and services that are not approved. Use the following commands to configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port. For the apache instance: $ sudo /opt/aspera/common/asctl/asctl apache:http_port <number> $ sudo /opt/aspera/common/asctl/asctl apache:https_port <number> For the console: $ sudo /opt/aspera/common/asctl/asctl console:base_port <number> For the database: $ sudo /opt/aspera/common/asctl/asctl mysql:port <number>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050110: The IBM Aspera Faspex private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/faspex/config/secret.yml file has a mode of "0600" or less permissive with the following command: $ sudo stat -c "%a %n" /opt/aspera/faspex/config/secret.yml 600 /opt/aspera/faspex/config/secret.yml If the resulting mode is more permissive than "0600", this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/faspex/config/secret.yml file to have a mode of "0600" or less permissive with the following command: $ sudo chmod 0600 /opt/aspera/faspex/config/secret.yml
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050190: IBM Aspera Faspex must require password complexity features to be enabled.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex requires password complexity: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Use strong passwords" option is checked. If the "Use strong passwords" option is not checked, this is a finding. If the "Use strong passwords" option is checked, downgrade this requirement to a CAT III.
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Fix
Configure IBM Aspera Faspex to require password complexity: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check the "Faspex accounts" "Use strong passwords" check box. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030120: The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions.
For implementations using IBM Aspera High-Speed Transfer Endpoint, check for a <ssh_host_key_fingerprint> entry within the <server> section within The IBM Aspera High-Speed Transfer Endpoint installation configuration file at /opt/aspera/etc/aspera.conf using the following command: $ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint If the command does not return XML containing the fingerprint, this is a finding. Test that the certificates used by Aspera Node service is a valid signed certificate (not self signed) by running the following command after substituting the FQDN for "servername": $ sudo /opt/aspera/bin/openssl s_client -connect servername:9092 If the certificate is not DoD issued, this is a finding.
Discussion
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).
Fix
For implementations using the IBM Aspera High Speed Transfer Endpoint, configure the host key fingerprint using the following procedure: 1. Retrieve the server's SHA-1 fingerprint using the following command: $ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum 2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the string returned from the previous command for "INSERTFINGERPRINTHERE": $ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE" 3. Restart the IBM Aspera Node service to activate the change using the following command: $ sudo systemctl restart asperanoded.service Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High Speed Transfer Endpoint according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide. Restart the IBM Aspera Node service to activate the change to the certificate using the following command: $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040260: The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
Verify the /opt/aspera/console/config/secret.yml file has a mode of "0600" or less permissive with the following command: $ sudo stat -c "%a %n" /opt/aspera/console/config/secret.yml 600 /opt/aspera/console/config/secret.yml If the resulting mode is more permissive than "0600", this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/console/config/secret.yml file to have a mode of "0600" or less permissive with the following command: $ sudo chmod 0600 /opt/aspera/console/config/secret.yml
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030210: The IBM Aspera High-Speed Transfer Endpoint must not store user content-protection secrets in plain text.
Verify the IBM High-Speed Transfer Endpoint does not store user content-protection secrets in plain text. For each user, run the following command: Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly. $ sudo /opt/aspera/bin/asuserdata -u <username> | grep secret | grep transfer transfer_encryption_content_protection_secret: "AS_NULL" If the "transfer_encryption_content_protection_secret" is not "AS_NULL", this is a finding.
Discussion
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed that affect the security posture and/or functionality of the network element. Security-related parameters are those parameters impacting the security state of the network element, including the parameters required to satisfy other security control requirements. For the network element, security-related parameters include settings for network traffic management configurations. Aspera recommends that you do not store content-protection secrets in aspera.conf.
Fix
Configure the IBM High-Speed Transfer Endpoint to not store user content-protection secrets in plain text. For each user, remove any secrets from the /opt/aspera/aspera.conf file with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name,<name>; transfer_encryption_content_protection_secret,AS_NULL" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040110: IBM Aspera Console must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Using a web browser, navigate to the default IBM Aspera Console web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.
Discussion
For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password. Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106
Fix
For implementations using the IBM Aspera Console feature, configure SAML to use an existing IdP that implements multi-factor authentication.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060180: IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. The IBM Aspera Shares is configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. Review the port configurations of the server with the following command: $ sudo cat /opt/aspera/shares/etc/nginx/nginx.conf | grep listen listen 80; listen [::]:80; listen 443; listen [::]:443; Ask the system administrator for the site or program PPSM CLSA. Verify the services configured for use match the PPSM Component Local Services Assessment (CLSA). If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Discussion
In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types); organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. ALGs are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. DoD continually assesses the ports, protocols, and services that can be used for network communications. Some ports, protocols or services have known exploits or security weaknesses. Network traffic using these ports, protocols, and services must be prohibited or restricted in accordance with DoD policy. The ALG is a key network element for preventing these non-compliant ports, protocols, and services from causing harm to DoD information systems. The network ALG must be configured to prevent or restrict the use of prohibited ports, protocols, and services throughout the network by filtering the network traffic and disallowing or redirecting traffic as necessary. Default and updated policy filters from the vendors will disallow older version of protocols and applications and will address most known non-secure ports, protocols, and/or services. However, sources for further policy filters are the IAVMs and the PPSM requirements.
Fix
Configure the IBM Aspera Shares to disable functions, ports, protocols, and services that are not approved. Edit the /opt/aspera/shares/etc/nginx/nginx.conf file and configure only those services that are not prohibited and follow PPSM guidance for each service, protocol, and port.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040120: The IBM Aspera Console must protect audit information from unauthorized read access.
Verify the log files for IBM Aspera Console do not have world access with the following command: $ sudo find /opt/aspera/console/log/ \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print If results are returned from the above command, this is a finding.
Discussion
Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack, recognize resource utilization or capacity thresholds, or to simply identify an improperly configured network element. Thus, it is imperative that the collected log data from the various network elements, as well as the auditing tools, be secured and can only be accessed by authorized personnel. This does not apply to audit logs generated on behalf of the device itself (management). Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058
Fix
Remove world access from any IBM Aspera Console log file that has world permissions granted. $ sudo chmod o-rwx <placefilenamehere>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050290: The IBM Aspera Faspex private/secret cryptographic keys file must be group-owned by faspex to prevent unauthorized read access.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the /opt/aspera/faspex/config/secret.yml file is group-owned by faspex with the following command: $ sudo stat -c "%G" /opt/aspera/faspex/config/secret.yml faspex If "faspex" is not returned as a result, this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Fix
Configure the /opt/aspera/faspex/config/secret.yml file to be group-owned by faspex with the following command: $ sudo chgrp faspex /opt/aspera/faspex/config/secret.yml
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050210: IBM Aspera Faspex passwords must be prohibited from reuse for a minimum of five generations.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex passwords are prohibited from reuse for a minimum of five generations: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Prevent passwords reuse" option is checked. - Verify the "Faspex accounts" "Prevent passwords reuse" options is set to "5" or more. If the "Prevent passwords reuse" options is less than "5" or the option is not checked, this is a finding.
Discussion
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to reuse their password consecutively when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.
Fix
Configure IBM Aspera Faspex passwords to be prohibited from reuse for a minimum of five generations: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check the "Faspex accounts" "Prevent passwords reuse" check box. - Edit the "Faspex accounts" "Prevent passwords reuse" option to "5" or more. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020150: The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell".
Verify the IBM Aspera HSTS configures the SELinux context type for "aspshell" with the following commands: $ sudo ls -l /bin/aspshell lrwxrwxrwx. 1 root root 24 Sep 1 17:38 /bin/aspshell -> /opt/aspera/bin/aspshell If /bin/aspshell is not simlinked to /opt/aspera/bin/aspshell, this is a finding. $ sudo ls -Z /opt/aspera/bin/aspshell -rwxr-xr-x. root root system_u:object_r:shell_exec_t:S0 /bin/aspshell If the context type of "/opt/aspera/bin/aspshell" is not "shell_exec_t", this is a finding.
Discussion
Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
Fix
Configure the IBM Aspera HSTS SELinux context type for "aspshell" with the following commands: $ sudo echo /bin/aspshell >> /etc/shells $ sudo ln -s /opt/aspera/bin/aspshell /bin/aspshell $ sudo semanage fcontext -a -t shell_exec_t "/opt/aspera/bin/aspshell" $ sudo restorecon -v /opt/aspera/bin/aspshell
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060150: IBM Aspera Shares must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. To ensure that all external recipients of Shares packages must register for an account before they can download packages or files within packages: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option from the left menu. - Verify that the "Self Registration" option is set to "Moderated" or "None". If the "Self Registration" option is set to "Unmoderated", this is a finding.
Discussion
Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly. IBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.
Fix
To configure Aspera Shares to authenticate all external recipients of Shares packages before they can download packages or files within packages: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option from the left menu. - Use the dropdown menu to set the "Self Registration" option to "Moderated" or "None". - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050150: IBM Aspera Faspex must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Using a web browser, navigate to the default IBM Aspera Faspex web page. Use the SAML link and authenticate using known working credentials. If entry of a factor provided by a device separate from the system gaining access is NOT required, this is a finding.
Discussion
For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. An example of compliance with this requirement is the use of a one-time password token and PIN coupled with a password; or the use of a CAC/PIV card and PIN coupled with a password. Satisfies: SRG-NET-000339-ALG-000090, SRG-NET-000340-ALG-000091, SRG-NET-000349-ALG-000106
Fix
For implementations using the IBM Aspera Faspex feature, configure SAML to use an existing IdP that implements multi-factor authentication.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050230: The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex only uses TLS 1.2 or greater with the following command: $ sudo grep SSLProtocol /opt/aspera/common/apache/conf/extra/httpd-ssl.conf SSLProtocol TLSv1.2 If the values for SSLProtocol vary from the above example, this is a finding.
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). For implementations using the IBM Aspera Faspex feature, the default configuration of Faspex has TLS 1.0, 1.1 and 1.2 enabled to support older browsers. Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097
Fix
Configure IBM Aspera Faspex to use TLS 1.2. Add/Edit the following line in the Apache configuration file /opt/aspera/common/apache/conf/extra/httpd-ssl.conf. SSLProtocol TLSv1.2 Restart Apache for these changes to take effect. $ sudo /opt/aspera/common/asctl/asctl apache:restart
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-SH-060170: The IBM Aspera Shares feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares only uses TLS 1.2 or greater with the following command: $ sudo grep ssl_protocols /opt/aspera/shares/etc/nginx/nginx.conf ssl_protocols TLSv1.2; If the results of the command display versions below "TLSv1.2", this is a finding.
Discussion
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Encryption provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection, thereby providing a degree of confidentiality. The encryption strength of the mechanism is selected based on the security categorization of the information. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). For implementations using the IBM Aspera Shares feature, the default nginx configuration of Shares has TLS 1.0, 1.1 and 1.2 enabled to support older browsers. Satisfies: SRG-NET-000062-ALG-000011, SRG-NET-000400-ALG-000097
Fix
Configure IBM Aspera Shares to use TLS 1.2. Add/Edit the following line in the nginx.conf file located at /opt/aspera/shares/etc/nginx/nginx.conf. ssl_protocols TLSv1.2; Restart nginx for these changes to take effect. $ sudo /opt/aspera/shares/sbin/sv restart nginix
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-TS-020320: The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
Verify the rootkeystore.db file has a mode of "0600" or less permissive with the following command: $ sudo stat -c "%a %n" /opt/aspera/etc/rootkeystore.db 600 /opt/aspera/etc/rootkeystore.db If the resulting mode is more permissive than "0600", this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.
Fix
Configure the rootkeystore.db file to have a mode of "0600" or less permissive with the following command: $ sudo chmod 0600 /opt/aspera/etc/rootkeystore.db
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030230: The IBM Aspera High-Speed Transfer Endpoint must restrict users read, write, and browse permissions by default.
Verify the IBM Aspera High-Speed Transfer Endpoint restricts users read, write, and browse permissions by default with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed' read_allowed: "false" write_allowed: "false" dir_allowed: "false" If no results are returned or if the results produce a "true" value, this is a finding.
Discussion
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. The IBM Aspera High Speed Transfer Endpoint inherently uses file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Fix
Configure the IBM Aspera High-Speed Transfer Endpoint to restrict users read, write, and browse permissions by default with the following commands: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050120: IBM Aspera Faspex must allow the use of a temporary password for logins with an immediate change to a permanent password.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex allows the use of a temporary password for logins with an immediate change to a permanent password: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Require new users to change password on first login" option is checked. If the "Require new users to change password on first login" option is not checked, this is a finding.
Discussion
Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial login. Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log in, yet force them to change the password once they have successfully authenticated.
Fix
Configure IBM Aspera Faspex to allow the use of a temporary password for logins with an immediate change to a permanent password: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check in the "Require new users to change password on first login" option check box. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050170: IBM Aspera Faspex must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex locks accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Lock users" section is set to "3" or less failed login attempts within "15" minutes or less. If the "Lock users" section is set to more than "3" failed login attempts, this is a finding. If the "Lock users" section is set to more than "15" minutes, this is a finding.
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Fix
Configure IBM Aspera Faspex to lock accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Edit the "Faspex accounts" "Lock users" section failed login attempts option to "3" or less. - Edit the "Lock users" section attempts within minutes to "15" or less. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020290: The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder.
Verify the Aspera High-Speed Transfer Server set the default docroot to an empty folder. Check that the default docroot points to an empty folder with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep absolute canonical_absolute: "<someemptyfolder>" absolute: "<someemptyfolder>" If the default docroot is set to "<Empty String>", this is a finding. Review the default docroot file path from the previous command to ensure it is empty. $ sudo find <somefilepath> -maxdepth 0 -empty -exec echo {} is empty. \; <somefilepath> is empty. If the command does not return "<somefilepath> is empty.", this is a finding.
Discussion
By restricting the default document root for the Aspera HSTS, this allows for explicit access to be defined on a per user basis. By default, all system users can establish a FASP connection and are only restricted by file permissions.
Fix
Configure the Aspera High-Speed Transfer Server to set the default docroot to an empty folder with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;canonical_absolute,<someemptyfolder>; absolute,<someemptyfolder>" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TE-030180: The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
Verify the IBM Aspera High-Speed Transfer Endpoint limits the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep concurrent transfer_manager_max_concurrent_sessions: "20" If the value returned (in this example 20 is the default) is not an organization-defined number, this is a finding.
Discussion
Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services. The number of incoming transfer requests to the IBM Aspera High-Speed Transfer Endpoints permitted via a POST to the REST service can be limited by the setting of "transfer_manager_max_concurrent_sessions" in The IBM Aspera.conf.
Fix
Configure the IBM Aspera High-Speed Transfer Endpoint to limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types with the following command: $ sudo /opt/aspera/bin/asconfiguration -x "set_server_data; transfer_manager_max_concurrent_sessions,<insertorganizationvaluehere>" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020120: The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.
For implementations using IBM Aspera High-Speed Transfer Server, check for a <ssh_host_key_fingerprint> entry within the <server> section within The IBM Aspera High-Speed Transfer Server installation configuration file at /opt/aspera/etc/aspera.conf using the following command: $ sudo more /opt/aspera/etc/aspera.conf | grep ssh_host_key_fingerprint If the command does not return XML containing the fingerprint, this is a finding. Test that the certificates used by Aspera Node service is a valid signed certificate (not self signed) by running the following command after substituting the FQDN for "servername": $ sudo /opt/aspera/bin/openssl s_client -connect servername:9092 If the certificate is not DoD issued, this is a finding.
Discussion
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications protection for the application session rather than for the network packet and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Depending on the required degree of confidentiality and integrity, web services/SOA will require the use of mutual authentication (two-way/bidirectional).
Fix
For implementations using the IBM Aspera High Speed Transfer Server, configure the host key fingerprint using the following procedure: 1. Retrieve the server's SHA-1 fingerprint using the following command: $ sudo cat /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}' | base64 -d | sha1sum 2. Set the SSH host key fingerprint in /opt/aspera/etc/aspera.conf using the following command after substituting the string returned from the previous command for "INSERTFINGERPRINTHERE": $ sudo /opt/aspera/bin/asconfigurator -x "set_server_data;ssh_host_key_fingerprint,INSERTFINGERPRINTHERE" 3. Restart the IBM Aspera Node service to activate the change using the following command: $ sudo systemctl restart asperanoded.service Implement a signed certificate (/opt/aspera/etc/aspera_server_cert.pem) for the IBM Aspera High Speed Transfer Server according to the instructions "Setting up SSL for your Nodes" and "Installing SSL Certificates" within the IBM Aspera High-Speed Transfer Server Admin Guide. Restart the IBM Aspera Node service to activate the change to the certificate using the following command: $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050200: IBM Aspera Faspex must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. To ensure that all external recipients of Faspex packages must register for an account before they can download packages or files within packages: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" option from the left menu. - Verify that the option "Require external users to register" is checked. If this option is not checked, this is a finding. Also ensure IBM Aspera Faspex is configured for "Moderated" self-registration when permitting use by external users. To do this, verify the "Moderated" option is selected from the picklist for "Self registration" under the Registrations heading. If this option is not checked, this is a finding.
Discussion
Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly. IBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.
Fix
To configure Aspera Faspex to authenticate all external recipients of Faspex packages before they can download packages or files within packages: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" option from the left menu. - Check the option "Require external users to register" under the "Registrations" heading. - Select the "Moderated" option from the picklist for "Self registration" under the Registrations heading. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040180: IBM Aspera Console must lock accounts after three unsuccessful login attempts within a 15-minute timeframe.
Verify IBM Aspera Console locks accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Verify the "Deactivate Users" section is set to "3" or less failed login attempts within "15" minutes or less. If the "Deactivate Users" section is set to more than "3" failed login attempts, this is a finding. If the "Deactivate Users" section is set to more than "15" minutes, this is a finding.
Discussion
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Fix
Configure IBM Aspera Console to lock accounts after three unsuccessful login attempts within a 15-minute timeframe: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Edit the "Deactivate Users" section failed login attempts option to "3" or less. - Edit the "Deactivate Users" section attempts within minutes to "15" or less. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020310: The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
Verify the rootkeystore.db file is owned by root with the following command: $ sudo stat -c "%U" /opt/aspera/etc/rootkeystore.db root If "root" is not returned as a result, this is a finding.
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder. The rootkeystore.db functions as a backup and main source of truth for encrypted secrets.
Fix
Configure the rootkeystore.db file to be owned by root with the following command: $ sudo chown root /opt/aspera/etc/rootkeystore.db
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050270: IBM Aspera Faspex must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex implements cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section from the left menu. - Scroll down to the "Encryption" section. - Verify that the "Use encryption-at-rest" radio button is set to "Always". If the "Use encryption-at-rest" radio button is set to "Never" or "Optional", this is a finding.
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway).
Fix
Configure the IBM Aspera Faspex to implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section from the left menu. - Scroll down to the "Encryption" section. - Select the "Use encryption-at-rest" radio button "Always". - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050320: The IBM Aspera Faspex Server must restrict users read, write, and browse permissions by default.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex restricts users read, write, and browse permissions by default with the following command: $ sudo /opt/aspera/bin/asuserdata -a | grep -w 'read_allowed\|write_allowed\|dir_allowed' read_allowed: "false" write_allowed: "false" dir_allowed: "false" If no results are returned or if the results produce a "true" value, this is a finding.
Discussion
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoD systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. ALGs must use these policies and mechanisms to control access on behalf of the application for which it is acting as intermediary. IBM Aspera High Speed Transfer Server and IBM Aspera High Speed Transfer Endpoint inherently use file and group ownership of files and directories to support authorization for all supported operating systems. As an additional step and security best practice, ensure all transfers in or out of the authenticated connection are configured to be controlled based on privileges granted to specific users and groups within IBM Aspera configuration.
Fix
Configure the IBM Aspera Faspex to restrict users' read, write, and browse permissions by default with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;read_allowed,false;write_allowed,false;dir_allowed,false" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040230: The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
Ensure that encryption is required for all transfers by the IBM Aspera Console: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Transfer Defaults" section. - Verify that the "Transport Encryption" option is set to "aes-128". If the "Transport Encryption" option is set to "none", this is a finding.
Discussion
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless connections. Remote access methods include, for example, proxied remote encrypted traffic (e.g., TLS gateways, web content filters, and webmail proxies). Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. This requirement applies to ALGs providing remote access proxy services as part of its intermediary services (e.g., OWA or TLS gateway). Satisfies: SRG-NET-000063-ALG-000012, SRG-NET-000510-ALG-000025, SRG-NET-000510-ALG-000111
Fix
Configure the system to require encryption for all transfers by the IBM Aspera Console: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Transfer Defaults" section. - Select the "Transport Encryption" option of "aes-128". - Select "Save" at the bottom of the page.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
ASP4-FA-050130: IBM Aspera Faspex must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify the IBM Aspera Faspex default webpage displays the Standard Mandatory DoD-approved Notice and Consent Banner. Using a web browser, go to the default IBM Aspera Faspex website. If the Standard Mandatory DoD-approved Notice and Consent Banner is not present, this is a finding.
Discussion
Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to network elements that have the concept of a user account and have the login function residing on the network element. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." This policy only applies to ALGs (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services. Satisfies: SRG-NET-000041-ALG-000022, SRG-NET-000043-ALG-000024
Fix
Configure the IBM Aspera Faspex default webpage to display the Standard Mandatory DoD-approved Notice and Consent Banner. - Log in to IBM Aspera Faspex as an administrative user. - Go to Server >> Notifications >> Login Announcement and enter the approved language.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
ASP4-FA-050280: IBM Aspera Faspex must protect audit information from unauthorized modification.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify that the log files for IBM Aspera Faspex have no world access. $ sudo find /opt/aspera/faspex/log/ \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print If results are returned from the above command, this is a finding.
Discussion
If audit data were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit data, the information system and/or the application must protect audit information from unauthorized modification. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Some commonly employed methods include ensuring log files receive the proper file system permissions, and limiting log data locations. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. This does not apply to audit logs generated on behalf of the device itself (management). Satisfies: SRG-NET-000098-ALG-000056, SRG-NET-000099-ALG-000057, SRG-NET-000100-ALG-000058
Fix
Remove world access from any IBM Aspera Faspex log file that has world permissions granted. $ sudo chmod o-rwx <placefilenamehere>
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040160: IBM Aspera Console interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
Verify IBM Aspera Console interactive sessions are terminated after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Verify the "Session timeout" option is set to "10" minutes or less. If the "Session Timeout" option is set to more than "10" minutes, this is a finding.
Discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006
Fix
Configure IBM Aspera Console interactive sessions to terminate after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Configuration" tab. - Select the "Defaults" tab. - Scroll down to the "Security" section. - Edit the "Session Timeout" option to "10" minutes or less. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020250: The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system.
Verify the Aspera High-Speed Transfer Server restricts Aspera transfer users to a limited part of the server's file system. Check that each user is restricted to a specific transfer folder with the following command: Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly. $ sudo /opt/aspera/bin/asuserdata -u <username> | grep absolute canonical_absolute: "<specifictranferfolder>" absolute: "<sepcifictransferfolder>" If the transfer user's docroot is set to "<Empty String>" or is blank, this is a finding.
Discussion
By restricting the transfer users to a limited part of the server's file system, this prevents unauthorized data transfers. By default, all system users can establish a FASP connection and are only restricted by file permissions.
Fix
Configure the Aspera High-Speed Transfer Server to restrict Aspera transfer users to a limited part of the server's file system with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name, <username>;canonical_absolute,<transferfolder>; absolute,<transferfolder>" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-CS-040140: IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
Using a web browser, navigate to the IBM Aspera Console web page. IBM Aspera Console will automatically redirect to the IdP for authentication if it is configured for SAML authentication. If it does not redirect for authentication via the configured IdP, this is a finding. If redirected to the IdP login page, attempt to authenticate using the IdP with known working credentials to determine if the IdP is providing an appropriate SAML assertion for access. If unable to log in using known working credentials, this is a finding.
Discussion
User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. IBM Aspera Console must use an IdP for authentication for security best practices. The IdP must not be installed on the IBM Aspera Console virtual machine, particularly if it resides on the untrusted zone of the Enclave. Refer to the IBM Aspera Console Admin Guide for data requirements for the SAML assertion including default attribute names, the IBM Aspera Console User Field, and required format within the assertion. For security best practices also ensure that the system hosting IBM Aspera Console uses Network Time Protocol or another system to keep times synchronized with the IdP/SAML Provider providing the SAML assertions. Clock drift between The IBM Aspera Console server and the IdP/SAML Provider will result in expired assertions and the inability to be successfully authenticated into IBM Aspera Console. Satisfies: SRG-NET-000138-ALG-000063, SRG-NET-000138-ALG-000088, SRG-NET-000138-ALG-000089, SRG-NET-000140-ALG-000094, SRG-NET-000147-ALG-000095
Fix
Configure SAML within the IBM Aspera Console to use an existing IdP with the following steps: - Log in to the IBM Aspera Console web page as a user with administrative privilege. - Select the "Accounts" tab. - Select the "SAML" tab. - Enter the IdP SSO Target (Redirect) URL. - Enter the IdP Cert Fingerprint. - Select from the dropdown menu the IdP Cert Fingerprint Algorithm. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-FA-050220: IBM Aspera Faspex user account passwords must have a 60-day maximum password lifetime restriction.
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex user account passwords have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Passwords expire" option is checked. - Verify the "Faspex accounts" "Passwords expire" options is set to "60" days or less. If the "Passwords expire" options is set to more than "60" days or the option is not checked, this is a finding.
Discussion
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the Aspera system does not limit the lifetime of passwords and force users to change update them, there is a risk passwords could be compromised.
Fix
Configure IBM Aspera Faspex user account passwords to have a 60-day maximum password lifetime restriction: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check the "Faspex accounts" "Passwords expire" check box. - Edit the "Faspex accounts" "Passwords expire" option to "60" days or less. - Select "Update" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-TS-020240: The IBM Aspera High-Speed Transfer Server must not use the root account for transfers.
Verify the Aspera High-Speed Transfer Server restricts the use of the root account for transfers with the following command: Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly. $ sudo /opt/aspera/bin/asuserdata -u root | grep allowed | grep true If results are returned from the above command, this is a finding.
Discussion
By incorporating a least privilege approach to the configuration of the Aspera HSTS platform, this will reduce the exposure of privileged accounts. By default, all system users can establish a FASP connection and are only restricted by file permissions.
Fix
Configure the Aspera High-Speed Transfer Server to restrict the use of the root account for transfers. For each privilege that is set to "true", run the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_user_data;user_name,root;<privilege>,false" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
ASP4-SH-060100: The IBM Aspera Shares interactive session must be terminated after 10 minutes of inactivity for non-privileged and privileged sessions.
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Shares interactive session are terminated after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the "User Security" option. - Verify the "Session timeout" option is set to "10" minutes or less. If the "Session timeout" option is set to more than "10" minutes, this is a finding.
Discussion
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Satisfies: SRG-NET-000213-ALG-000107, SRG-NET-000517-ALG-000006
Fix
Configure IBM Aspera Shares interactive session to terminated after 10 minutes of inactivity for non-privileged and privileged sessions: - Log in to the IBM Aspera Shares web page as a user with administrative privilege. - Select the "Admin" tab. - Scroll down to the "Security" section. - Select the User Security option. - Edit the "Session timeout" option is set to "10" minutes or less. - Select "Save" at the bottom of the page.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None