Check: ASP4-FA-050180
IBM Aspera Platform 4.2 STIG:
ASP4-FA-050180
(in versions v1 r2 through v1 r1)
Title
IBM Aspera Faspex must prevent concurrent logins for all accounts. (Cat II impact)
Discussion
Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions must be the same as the requirements specified for the application for which it serves as intermediary. This policy only applies to application gateways/firewalls (e.g., identity management or authentication gateways) that provide user account services as part of the intermediary services.
Check Content
If the IBM Aspera Faspex feature of the Aspera Platform is not installed, this is Not Applicable. Verify IBM Aspera Faspex prevents concurrent logins for all accounts: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Verify the "Faspex accounts" "Prevent concurrent login" option is checked. If the "Prevent concurrent login" is not checked, this is a finding.
Fix Text
Configure IBM Aspera Faspex to prevent concurrent logins for all accounts: - Log in to the IBM Aspera Faspex web page as a user with administrative privilege. - Select the "Server" tab. - Select the "Configuration" tab. - Select the "Security" section. - Put a check the "Faspex accounts" "Prevent concurrent login" check box. - Select "Update" at the bottom of the page.
Additional Identifiers
Rule ID: SV-252582r817916_rule
Vulnerability ID: V-252582
Group Title: SRG-NET-000053-ALG-000001
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000054 |
The information system limits the number of concurrent sessions for each organization-defined account and/or account type to an organization-defined number of sessions. |
Controls
Number | Title |
---|---|
AC-10 |
Concurrent Session Control |