Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Anonymous FTP must not be active on the system unless authorized.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-846 | GEN004820 | SV-35100r1_rule | ECSC-1 | Medium |
| Description |
|---|
| Due to the numerous vulnerabilities inherent in anonymous FTP, it is not recommended for use. If anonymous FTP must be used on a system, the requirement must be authorized and approved in the system accreditation package. |
| STIG | Date |
|---|---|
| HP-UX 11.31 Security Technical Implementation Guide | 2016-12-20 |
Details
| Check Text ( C-36580r2_chk ) |
|---|
| Attempt to log in with anonymous or ftp. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host or the user's email address.) The anonymous user is then given access only to user ftp's home directory, usually called /home/ftp. If the login is successful, this is a finding. |
| Fix Text (F-31948r2_fix) |
|---|
| Configure the FTP service to not permit anonymous logins. Remove the user(s) ftp and/or anonymous from the /etc/passwd file. |