Check: ASP4-CS-040250
IBM Aspera Platform 4.2 STIG:
ASP4-CS-040250
(in versions v1 r2 through v1 r1)
Title
The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access. (Cat II impact)
Discussion
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key holder.
Check Content
Verify the /opt/aspera/console/config/secret.yml file is owned by root with the following command: $ sudo stat -c "%U" /opt/aspera/console/config/secret.yml root If "root" is not returned as a result, this is a finding.
Fix Text
Configure the /opt/aspera/console/config/secret.yml file to be owned by root with the following command: $ sudo chown root /opt/aspera/console/config/secret.yml
Additional Identifiers
Rule ID: SV-252572r831497_rule
Vulnerability ID: V-252572
Group Title: SRG-NET-000512-ALG-000062
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002165 |
The information system enforces organization-defined discretionary access control policies over defined subjects and objects. |
Controls
Number | Title |
---|---|
AC-3 (4) |
Discretionary Access Control |