Check: ASP4-TS-020150
IBM Aspera Platform 4.2 STIG:
ASP4-TS-020150
(in versions v1 r2 through v1 r1)
Title
The IBM Aspera High-Speed Transfer Server must configure the SELinux context type to allow the "aspshell". (Cat II impact)
Discussion
Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
Check Content
Verify the IBM Aspera HSTS configures the SELinux context type for "aspshell" with the following commands: $ sudo ls -l /bin/aspshell lrwxrwxrwx. 1 root root 24 Sep 1 17:38 /bin/aspshell -> /opt/aspera/bin/aspshell If /bin/aspshell is not simlinked to /opt/aspera/bin/aspshell, this is a finding. $ sudo ls -Z /opt/aspera/bin/aspshell -rwxr-xr-x. root root system_u:object_r:shell_exec_t:S0 /bin/aspshell If the context type of "/opt/aspera/bin/aspshell" is not "shell_exec_t", this is a finding.
Fix Text
Configure the IBM Aspera HSTS SELinux context type for "aspshell" with the following commands: $ sudo echo /bin/aspshell >> /etc/shells $ sudo ln -s /opt/aspera/bin/aspshell /bin/aspshell $ sudo semanage fcontext -a -t shell_exec_t "/opt/aspera/bin/aspshell" $ sudo restorecon -v /opt/aspera/bin/aspshell
Additional Identifiers
Rule ID: SV-252631r831526_rule
Vulnerability ID: V-252631
Group Title: SRG-NET-000512-ALG-000062
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002696 |
The information system verifies correct operation of organization-defined security functions. |
Controls
Number | Title |
---|---|
SI-6 |
Security Function Verification |