Check: ASP4-TS-020290
IBM Aspera Platform 4.2 STIG:
ASP4-TS-020290
(in versions v1 r2 through v1 r1)
Title
The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder. (Cat II impact)
Discussion
Restricting the default document root for the Aspera HSTS allows explicit access to be defined on a per-user basis. By default, all system users can establish a FASP connection and are only restricted by file permissions.
Check Content
Verify the Aspera High-Speed Transfer Server sets the default docroot to an empty folder.

Check that the default docroot points to an empty folder with the following command:

    $ sudo /opt/aspera/bin/asuserdata -a | grep absolute
    canonical_absolute: "<someemptyfolder>"
    absolute: "<someemptyfolder>"

If the default docroot is set to "<Empty String>", this is a finding.

Review the default docroot file path from the previous command to ensure it is empty.

    $ sudo find <somefilepath> -maxdepth 0 -empty -exec echo {} is empty. \;
    <somefilepath> is empty.

If the command does not return "<somefilepath> is empty.", this is a finding.
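The two-step check above can be scripted so that both finding conditions are evaluated in one pass. This is an added example, not part of the STIG or of IBM's tooling; it assumes the `asuserdata -a` line format shown in the check text and a `find` that supports `-empty`, and the function names are hypothetical.

```shell
#!/bin/sh
# Evaluate ASP4-TS-020290 from `asuserdata -a` output read on stdin.
# Assumption: docroot lines use the format shown in the check text:
#   canonical_absolute: "<path>"   and   absolute: "<path>"

# Print each distinct docroot value; an empty value becomes "<Empty String>".
docroot_values() {
    sed -n -E 's/^[[:space:]]*(canonical_)?absolute:[[:space:]]*"(.*)"[[:space:]]*$/\2/p' |
        sed 's/^$/<Empty String>/' | sort -u
}

# Return 0 only if every docroot value is an existing, empty directory.
# Prints one verdict per value; returns 1 on any finding.
check_default_docroot() {
    cdd_values=$(docroot_values)
    cdd_rc=0
    if [ -z "$cdd_values" ]; then
        echo "FINDING: no docroot value in asuserdata output"
        return 1
    fi
    while IFS= read -r cdd_path; do
        if [ "$cdd_path" = "<Empty String>" ]; then
            echo "FINDING: default docroot is not set"; cdd_rc=1
        elif [ ! -d "$cdd_path" ]; then
            echo "FINDING: $cdd_path is not a directory"; cdd_rc=1
        elif [ -n "$(find "$cdd_path" -maxdepth 0 -empty)" ]; then
            echo "OK: $cdd_path is empty."
        else
            echo "FINDING: $cdd_path is not empty"; cdd_rc=1
        fi
    done <<EOF
$cdd_values
EOF
    return "$cdd_rc"
}

# Constructed demo input: one empty and one populated temporary directory.
demo() {
    demo_ok=$(mktemp -d) && demo_bad=$(mktemp -d) && : > "$demo_bad/file.txt"
    printf 'canonical_absolute: "%s"\nabsolute: "%s"\n' "$demo_ok" "$demo_ok" |
        check_default_docroot
    printf 'absolute: "%s"\n' "$demo_bad" | check_default_docroot || true
    printf 'absolute: "<Empty String>"\n' | check_default_docroot || true
    rm -rf "$demo_ok" "$demo_bad"
}
demo
```

On a server, drop the `demo` call and pipe the real output in as root, `/opt/aspera/bin/asuserdata -a | check_default_docroot`, so that `find` can read the docroot directory.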
Fix Text
Configure the Aspera High-Speed Transfer Server to set the default docroot to an empty folder with the following command:

    $ sudo /opt/aspera/bin/asconfigurator -x "set_node_data;canonical_absolute,<someemptyfolder>; absolute,<someemptyfolder>"

Restart the IBM Aspera Node service to activate the changes.

    $ sudo systemctl restart asperanoded.service
Additional Identifiers
Rule ID: SV-252645r818105_rule
Vulnerability ID: V-252645
Group Title: SRG-NET-000132-ALG-000087
CCIs
Number | Definition |
---|---|
CCI-000382 | The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |
Controls
Number | Title |
---|---|
CM-7 | Least Functionality |