IBM z/OS SMF recording options for the FTP server must be configured to write SMF records for all eligible events.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223974	TSS0-FT-000020	SV-223974r561402_rule		Medium

Description
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000392-GPOS-00172

Description

Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000392-GPOS-00172

STIG	Date
IBM z/OS TSS Security Technical Implementation Guide	2022-01-05

Details

Check Text ( C-25647r516321_chk )
If FTPDATA is configured with the following SMF statements, this is not a finding. FTP.DATA Configuration Statements SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out]

Check Text ( C-25647r516321_chk )

If FTPDATA is configured with the following SMF statements, this is not a finding.

FTP.DATA Configuration Statements
SMF TYPE119
SMFJES TYPE119
SMFSQL TYPE119
SMFAPPE [Not coded or commented out]
SMFDEL [Not coded or commented out]
SMFEXIT [Not coded or commented out]
SMFLOGN [Not coded or commented out]
SMFREN [Not coded or commented out]
SMFRETR [Not coded or commented out]
SMFSTOR [Not coded or commented out]

Fix Text (F-25635r516322_fix)
Configure SMF options to conform to the specifications in the FTPDATA Configuration Statements below or that they are commented out. SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out] The FTP Server can provide audit data in the form of SMF records. SMF record type 119, the TCP/IP Statistics record, can be written with the following subtypes: 70 – Append 70 – Delete and Multiple Delete 72 – Invalid Logon Attempt 70 – Rename 70 – Get (Retrieve) and Multiple Get 70 – Put (Store and Store Unique) and Multiple Put SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. This data may provide valuable information for security audit activities. Type 119 records use a more standard format and provide more information.

Fix Text (F-25635r516322_fix)

Configure SMF options to conform to the specifications in the FTPDATA Configuration Statements below or that they are commented out.

SMF TYPE119
SMFJES TYPE119
SMFSQL TYPE119
SMFAPPE [Not coded or commented out]
SMFDEL [Not coded or commented out]
SMFEXIT [Not coded or commented out]
SMFLOGN [Not coded or commented out]
SMFREN [Not coded or commented out]
SMFRETR [Not coded or commented out]
SMFSTOR [Not coded or commented out]

The FTP Server can provide audit data in the form of SMF records. SMF record type 119, the TCP/IP Statistics record, can be written with the following subtypes:

70 – Append
70 – Delete and Multiple Delete
72 – Invalid Logon Attempt
70 – Rename
70 – Get (Retrieve) and Multiple Get
70 – Put (Store and Store Unique) and Multiple Put

SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. This data may provide valuable information for security audit activities. Type 119 records use a more standard format and provide more information.