The IBM z/OS FTP server daemon must be defined with proper security parameters.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223742	RACF-FT-000100	SV-223742r533199_rule		Medium

Description
The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the FTP Server daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.

STIG	Date
IBM z/OS RACF Security Technical Implementation Guide	2020-10-09

Details

Check Text ( C-25415r514914_chk )
From z/OS command screen enter: ListUser FTPD OMVS (FTPD is usual name of the FTP daemon) If all of the following are true, this is not a finding. If either of the following is untrue, this is a finding. -The FTPD userid is defined as a PROTECTED userid. -The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. From z/OS command screen enter: RList STARTED FTPD If a matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group, this is not a finding.

Check Text ( C-25415r514914_chk )

From z/OS command screen enter:
ListUser FTPD OMVS (FTPD is usual name of the FTP daemon)

If all of the following are true, this is not a finding.

If either of the following is untrue, this is a finding.

-The FTPD userid is defined as a PROTECTED userid.
-The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.

From z/OS command screen enter:
RList STARTED FTPD

If a matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group, this is not a finding.

Fix Text (F-25403r514915_fix)
Define the FTP daemon userid and a matching entry in the STARTED resource class enabling the use of the standard userid and an appropriate group. Define the FTPD userid as a PROTECTED userid. Define the FTPD userid with the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. Sample commands to accomplish these requirements are shown here: Add the FTPD userid: AU FTPD NAME('STC, FTP Daemon') NOPASSWORD NOOIDCARD DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) RDEF STARTED FTPD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(=MEMBER) GROUP(STCTCPX) TRACE(YES)) Additional permissions may be required. See SYS1.TCPIP.SEZAINST(EZARACF) or IBM Comm Server: IP Config Guide.

Fix Text (F-25403r514915_fix)

Define the FTP daemon userid and a matching entry in the STARTED resource class enabling the use of the standard userid and an appropriate group.

Define the FTPD userid as a PROTECTED userid.

Define the FTPD userid with the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.

Sample commands to accomplish these requirements are shown here:
Add the FTPD userid:

AU FTPD NAME('STC, FTP Daemon') NOPASSWORD NOOIDCARD DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))

RDEF STARTED FTPD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(=MEMBER) GROUP(STCTCPX) TRACE(YES))

Additional permissions may be required. See SYS1.TCPIP.SEZAINST(EZARACF) or IBM Comm Server: IP Config Guide.