Anonymous FTP must not be active on the system unless authorized.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-846 | GEN004820 | SV-35100r1_rule | ECSC-1 | Medium |
| Description |
|---|
| Due to the numerous vulnerabilities inherent in anonymous FTP, it is not recommended for use. If anonymous FTP must be used on a system, the requirement must be authorized and approved in the system accreditation package. |
| STIG | Date |
|---|---|
| HP-UX 11.23 Security Technical Implementation Guide | 2015-12-02 |
Details
| Check Text ( C-36580r2_chk ) |
|---|
| Attempt to log in with anonymous or ftp. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host or the user's email address.) The anonymous user is then given access only to user ftp's home directory, usually called /home/ftp. If the login is successful, this is a finding. |
| Fix Text (F-31948r2_fix) |
|---|
| Configure the FTP service to not permit anonymous logins. Remove the user(s) ftp and/or anonymous from the /etc/passwd file. |