Check: ASP4-CS-040240
IBM Aspera Platform 4.2 STIG:
ASP4-CS-040240
(in versions v1 r2 through v1 r1)
Title
The IBM Aspera Console private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access. (Cat II impact)
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Check Content
Verify the /opt/aspera/console/config/secret.yml file is group-owned by root with the following command: $ sudo stat -c "%G" /opt/aspera/console/config/secret.yml root If "root" is not returned as a result, this is a finding.
Fix Text
Configure the /opt/aspera/console/config/secret.yml file to be group-owned by root with the following command: $ sudo chgrp root /opt/aspera/console/config/secret.yml
Additional Identifiers
Rule ID: SV-252571r831496_rule
Vulnerability ID: V-252571
Group Title: SRG-NET-000512-ALG-000062
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002165 |
The information system enforces organization-defined discretionary access control policies over defined subjects and objects. |
Controls
Number | Title |
---|---|
AC-3 (4) |
Discretionary Access Control |