
Anonymous FTP must not be active on the system unless authorized.


Overview

Finding ID: V-846
Version: GEN004820
Rule ID: SV-35100r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Due to the numerous vulnerabilities inherent in anonymous FTP, it is not recommended for use. If anonymous FTP must be used on a system, the requirement must be authorized and approved in the system accreditation package.
STIG: HP-UX 11.31 Security Technical Implementation Guide
Date: 2018-03-01

Details

Check Text (C-36580r2_chk)
Attempt to log in to the FTP service with the user name anonymous or ftp. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host or the user's email address.) The anonymous user is then given access only to user ftp's home directory, usually called /home/ftp.

If the login is successful, this is a finding.
Fix Text (F-31948r2_fix)
Configure the FTP service to not permit anonymous logins.
Remove the user(s) ftp and/or anonymous from the /etc/passwd file.
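
To confirm the second fix step, the following added example (not part of the STIG text) lists any ftp or anonymous entries in a passwd-format file. The function name anon_ftp_accounts and the sample entries are constructed for illustration; it inspects only the account file, so the login attempt in the Check Text remains the actual test.

```shell
#!/bin/sh
# Added example: report accounts named "ftp" or "anonymous" in a
# passwd-format file. Prints "name:home:shell" for each match.
# Return status: 0 = none present, 1 = account(s) present, 2 = unreadable.
anon_ftp_accounts() {
    passwd_file=${1:-/etc/passwd}
    if [ ! -r "$passwd_file" ]; then
        echo "cannot read $passwd_file" >&2
        return 2
    fi
    awk -F: '
        /^[[:space:]]*#/ { next }   # ignore comment lines
        NF < 7           { next }   # ignore malformed entries
        $1 == "ftp" || $1 == "anonymous" {
            printf "%s:%s:%s\n", $1, $6, $7
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$passwd_file"
}

# Constructed sample passwd content (not taken from a real system).
sample="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$sample" <<'EOF'
root:*:0:3::/:/sbin/sh
ftp:*:500:1:Anonymous FTP:/home/ftp:/usr/bin/false
jdoe:*:1001:20:J Doe:/home/jdoe:/usr/bin/sh
EOF

rc=0
matches=$(anon_ftp_accounts "$sample") || rc=$?
case $rc in
    0) echo "no ftp/anonymous account in $sample" ;;
    1) echo "ftp/anonymous account(s) still present:"; echo "$matches" ;;
    *) echo "could not inspect $sample" ;;
esac
rm -f "$sample"
```

On the system itself, call anon_ftp_accounts with no argument to inspect /etc/passwd.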