Check: ASP4-TS-020250
IBM Aspera Platform 4.2 STIG:
ASP4-TS-020250
(in versions v1 r2 through v1 r1)
Title
The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system. (Cat II impact)
Discussion
By restricting the transfer users to a limited part of the server's file system, this prevents unauthorized data transfers. By default, all system users can establish a FASP connection and are only restricted by file permissions.
Check Content
Verify the Aspera High-Speed Transfer Server restricts Aspera transfer users to a limited part of the server's file system. Check that each user is restricted to a specific transfer folder with the following command: Warning: If an invalid user/group name is entered, the asuserdata command will return results that may appear accurate. Ensure that the user/group name is valid and entered into the command correctly. $ sudo /opt/aspera/bin/asuserdata -u <username> | grep absolute canonical_absolute: "<specifictranferfolder>" absolute: "<sepcifictransferfolder>" If the transfer user's docroot is set to "<Empty String>" or is blank, this is a finding.
Fix Text
Configure the Aspera High-Speed Transfer Server to restrict Aspera transfer users to a limited part of the server's file system with the following command: $ sudo /opt/aspera/bin/asconfigurator -x "set_user_data; user_name, <username>;canonical_absolute,<transferfolder>; absolute,<transferfolder>" Restart the IBM Aspera Node service to activate the changes. $ sudo systemctl restart asperanoded.service
Additional Identifiers
Rule ID: SV-252641r818093_rule
Vulnerability ID: V-252641
Group Title: SRG-NET-000132-ALG-000087
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000382 |
The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |