UCF STIG Viewer Logo

The FTP daemon must be configured for logging or verbose mode.


Overview

Finding ID Version Rule ID IA Controls Severity
V-845 GEN004980 SV-37547r1_rule ECAR-1 ECAR-2 ECAR-3 Low
Description
The -l option allows basic logging of connections. The verbose (on HP) and the debug (on Solaris) allow logging of what files the ftp session transferred. This extra logging makes it possible to easily track which files are being transferred onto or from a system. If they are not configured, the only option for tracking is the audit files. The audit files are much harder to read. If auditing is not properly configured, then there would be no record at all of the file transfer transactions.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2017-03-01

Details

Check Text ( C-36202r2_chk )
Find if logging is applied to the ftp daemon. The procedure depends on the implementation of ftpd used by the system.

Procedures:

For vsftpd:
If vsftpd is started by xinetd:

#grep vsftpd /etc/xinetd.d/*
This will indicate the xinetd.d startup file

#grep server_args
This will indicate the vsftpd config file used when starting through xinetd.
If the line is missing then "/etc/vsftpd/vsftpd.conf", the default config file, is used.

#grep xferlog_enable
If "xferlog_enable" is missing or is not set to "yes", this is a finding.

If vsftp is not started by xinetd:
#grep xferlog_enable /etc/vsftpd/vsftpd.conf
If "xferlog_enable" is missing or is not set to "yes", this is a finding.


For gssftp:
Find if the -l option will be applied when xinetd starts gssftp
# grep server_args /etc/xinetd.d/gssftp
If the line is missing or does not contain at least one -l, this is a finding.

Fix Text (F-31461r1_fix)
Enable logging by changing ftpd startup or config files.

Procedure:
The procedure depends on the implementation of ftpd used by the system.

For vsftpd:

Ensure the server settings in "/etc/vsftpd.conf" (or other configuration file specified by the vaftpd xinetd.d startup file) contains:

xferlog_enable = yes

For gssftp:
If the "disable" server setting is missing or set to "no" in "/etc/xinetd.d/gssftp" then
ensure the server settings in "/etc/xinetd.d/gssftp" contains:

server_args = -l

The -l option may be added up to three times. Each -l will provide increasing verbosity on the log. Refer to the main page for ftpd for more information.

For both if started using xinetd:
If the "disable" server setting is missing or set to "no" in the /etc/xinetd.d startup file then
ensure the server settings contains:

log_on_success += DURATION USERID
This will log the startup and shutdown of the daemon.

log_on_failure += HOST USERID