Check: ASP4-SH-060150
IBM Aspera Platform 4.2 STIG: ASP4-SH-060150 (in versions v1 r2 through v1 r1)
Title
IBM Aspera Shares must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). (Cat II impact)
Discussion
Lack of authentication enables anyone to gain access to the network, or possibly to a network element, which gives intruders an opportunity to compromise resources within the network infrastructure. By identifying and authenticating non-organizational users, their access to network resources can be restricted accordingly. IBM Aspera Faspex external users must register for an account and be authenticated before downloading a package. This authentication is conducted by the IBM Aspera Faspex server using password authentication.
Check Content
If the IBM Aspera Shares feature of the Aspera Platform is not installed, this is Not Applicable.

To ensure that all external recipients of Shares packages must register for an account before they can download packages or files within packages:

- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option from the left menu.
- Verify that the "Self Registration" option is set to "Moderated" or "None".

If the "Self Registration" option is set to "Unmoderated", this is a finding.
Fix Text
To configure Aspera Shares to authenticate all external recipients of Shares packages before they can download packages or files within packages:

- Log in to the IBM Aspera Shares web page as a user with administrative privilege.
- Select the "Admin" tab.
- Scroll down to the "Security" section.
- Select the "User Security" option from the left menu.
- Use the dropdown menu to set the "Self Registration" option to "Moderated" or "None".
- Select "Save" at the bottom of the page.
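The Check Content and Fix Text above describe a manual walk through the Shares web UI. When the "Self Registration" value has been recorded (for example in a configuration export or an administrator's evidence spreadsheet), the same decision rule can be applied automatically to produce a checklist result. The script below is an added example and is not part of the STIG or of IBM's software; the snapshot format (a dict with `shares_installed` and `self_registration` keys) is a constructed assumption, since the STIG only names the UI path and the three possible values. It handles the Not Applicable case, a missing value (returned as Not_Reviewed so it is not silently passed), and any unrecognized value (treated as Open, i.e. it fails closed).

```python
"""Evaluate STIG check ASP4-SH-060150 (V-252602) from a configuration snapshot.

Added example, not part of the STIG or of IBM Aspera Shares. The snapshot
layout is a constructed assumption: a dict carrying 'shares_installed' (bool)
and 'self_registration' (the value shown under Admin > Security > User
Security > Self Registration in the Shares web UI).
"""
from dataclasses import dataclass

# Values taken from the STIG text. Comparison is case-insensitive because
# exported evidence often does not preserve the UI's capitalization.
COMPLIANT_SETTINGS = frozenset({"moderated", "none"})
NONCOMPLIANT_SETTINGS = frozenset({"unmoderated"})

VULN_ID = "V-252602"
RULE_ID = "SV-252602r817976_rule"


@dataclass(frozen=True)
class CheckResult:
    vuln_id: str
    rule_id: str
    # Conventional STIG checklist statuses: NotAFinding, Open,
    # Not_Applicable, Not_Reviewed.
    status: str
    finding_details: str


def evaluate_self_registration(snapshot: dict) -> CheckResult:
    """Apply the ASP4-SH-060150 decision rule to one snapshot."""
    if not snapshot.get("shares_installed", False):
        return CheckResult(VULN_ID, RULE_ID, "Not_Applicable",
                           "IBM Aspera Shares feature is not installed.")

    raw = snapshot.get("self_registration")
    if raw is None:
        # Missing evidence is not a pass: send it back for manual review.
        return CheckResult(VULN_ID, RULE_ID, "Not_Reviewed",
                           "Self Registration value absent from snapshot; "
                           "verify in Admin > Security > User Security.")

    value = str(raw).strip().lower()
    if value in COMPLIANT_SETTINGS:
        return CheckResult(VULN_ID, RULE_ID, "NotAFinding",
                           f'Self Registration is "{raw}".')
    if value in NONCOMPLIANT_SETTINGS:
        return CheckResult(VULN_ID, RULE_ID, "Open",
                           f'Self Registration is "{raw}"; external users can '
                           "create accounts without moderation. Set it to "
                           '"Moderated" or "None" and select Save.')

    # Unknown value (typo, future product option, corrupted export):
    # fail closed rather than assume compliance.
    return CheckResult(VULN_ID, RULE_ID, "Open",
                       f'Unrecognized Self Registration value "{raw}"; '
                       "treat as a finding until verified.")


def evaluate_hosts(snapshots: dict) -> dict:
    """Map host name -> checklist status for a set of constructed snapshots."""
    return {host: evaluate_self_registration(snap).status
            for host, snap in snapshots.items()}


# Constructed sample snapshots (not real hosts or real configuration exports).
SAMPLE_SNAPSHOTS = {
    "shares-prod": {"shares_installed": True, "self_registration": "Moderated"},
    "shares-dmz": {"shares_installed": True, "self_registration": "Unmoderated"},
    "shares-lab": {"shares_installed": True, "self_registration": "None"},
    "shares-partial": {"shares_installed": True},
    "faspex-only": {"shares_installed": False},
}

if __name__ == "__main__":
    for host, status in evaluate_hosts(SAMPLE_SNAPSHOTS).items():
        print(f"{host:16} {VULN_ID} {status}")
```

Only "Moderated" and "None" pass; everything else is reported, which mirrors how a reviewer would treat an unexpected value during a manual check.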
Additional Identifiers
Rule ID: SV-252602r817976_rule
Vulnerability ID: V-252602
Group Title: SRG-NET-000169-ALG-000102
Expert Comments
CCIs
Number | Definition
---|---
CCI-000804 | The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Controls
Number | Title
---|---
IA-8 | Identification And Authentication (Non-Organizational Users)