Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-846 | GEN004820 | SV-35100r1_rule | ECSC-1 | Medium |
Description |
---|
Due to the numerous vulnerabilities inherent in anonymous FTP, it is not recommended for use. If anonymous FTP must be used on a system, the requirement must be authorized and approved in the system accreditation package. |
STIG | Date |
---|---|
HP-UX 11.23 Security Technical Implementation Guide | 2015-06-12 |
Check Text ( C-36580r2_chk ) |
---|
Attempt to log in with anonymous or ftp. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host or the user's email address.) The anonymous user is then given access only to user ftp's home directory, usually called /home/ftp. If the login is successful, this is a finding. |
Fix Text (F-31948r2_fix) |
---|
Configure the FTP service to not permit anonymous logins. Remove the user(s) ftp and/or anonymous from the /etc/passwd file. |