IBM Aspera Platform 4.2 Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-NET-000512-ALG-000062
Group -
The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must be group-owned by root to prevent unauthorized read access.
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key ...Rule Medium Severity -
SRG-NET-000512-ALG-000062
Group -
The IBM Aspera High-Speed Transfer Server private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key ...Rule Medium Severity -
SRG-NET-000344-ALG-000098
Group -
The IBM Aspera High-Speed Transfer Server must prohibit the use of cached authenticators after an organization-defined time period.
If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies to all ALGs that may cache user authenticators ...Rule Medium Severity -
The IBM Aspera Platform must be configured to support centralized management and configuration.
Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a del...Rule Medium Severity -
The IBM Aspera Console must protect audit tools from unauthorized access.
Protecting audit data also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on au...Rule Medium Severity -
IBM Aspera Console must enforce password complexity by requiring at least fifteen characters, with at least one upper case letter, one lower case letter, one number, and one symbol.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
IBM Aspera Console must prevent concurrent logins for all accounts.
Limiting the number of current sessions per user is helpful in limiting risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not ad...Rule Medium Severity -
The IBM Aspera Console must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user ...Rule High Severity -
The IBM Aspera Console private/secret cryptographic keys file must be owned by root to prevent unauthorized read access.
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key ...Rule Medium Severity -
The IBM Aspera Console private/secret cryptographic keys file must have a mode of 0600 or less permissive to prevent unauthorized read access.
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key ...Rule Medium Severity -
IBM Aspera Faspex must allow the use of a temporary password for logins with an immediate change to a permanent password.
Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary pass...Rule Medium Severity -
IBM Aspera Faspex must disable account identifiers after 35 days of inactivity.
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts...Rule Medium Severity -
IBM Aspera Faspex must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication ...Rule Medium Severity -
IBM Aspera Faspex passwords must be prohibited from reuse for a minimum of five generations.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user...Rule Medium Severity -
The IBM Aspera Faspex feature must be configured to use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions.
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information s...Rule High Severity -
IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational user...Rule Medium Severity -
IBM Aspera Faspex must be configured to use NIST FIPS-validated cryptography to protect the integrity of file transfers.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user ...Rule High Severity -
The IBM Aspera Faspex private/secret cryptographic keys file must be owned by faspex to prevent unauthorized read access.
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key ...Rule Medium Severity -
The IBM Aspera Faspex Server must restrict users from using transfer services by default.
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and ...Rule Medium Severity -
IBM Aspera Shares must implement multifactor authentication for remote access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
For remote access to non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication ...Rule Medium Severity -
IBM Aspera Shares must require password complexity features to be enabled.
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resistin...Rule Medium Severity -
IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users...Rule Medium Severity -
The IBM Aspera Shares private/secret cryptographic keys file must be group-owned by nobody to prevent unauthorized read access.
Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key data allows an adversary to impersonate the key ...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Endpoint must be configured to comply with the required TLS settings in NIST SP 800-52.
SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the g...Rule High Severity -
The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions.
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications pro...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Endpoint must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user ...Rule High Severity -
The IBM Aspera High-Speed Transfer Endpoint must limit the number of concurrent sessions to an organization-defined number for all accounts and/or account types.
Network element management includes the ability to control the number of users and user sessions that utilize a network element. Limiting the number of current sessions per user is helpful in limit...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Endpoint must restrict users from using transfer services by default.
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and ...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.
Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. This requirement focuses on communications pro...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Server must be configured to use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpublic information systems by an authorized user ...Rule High Severity -
The IBM Aspera High-Speed Transfer Server must enable password protection of the node database.
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security bas...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Server must have a master-key set to encrypt the dynamic token encryption key.
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security bas...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Server must not store group content-protection secrets in plain text.
Configuring the network element to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security bas...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell".
By default, all system users can establish a FASP connection and are only restricted by file permissions. Restrict the user's file operations by assigning them to use aspshell, which permits only t...Rule Medium Severity -
The IBM Aspera High-Speed Transfer Server must restrict users read, write, and browse permissions by default.
Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the immediate compromise and ...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.