
FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements.


Overview

Finding ID: V-3235
Version: IFTP0030
Rule ID: SV-3235r2_rule
IA Controls: DCCS-1, DCCS-2
Severity: Medium
Description
The statements in the FTP.DATA configuration file specify the parameters and values that control the operation of the FTP Server components including the use of anonymous FTP. Several of the parameters must have specific settings to provide a secure configuration. Inappropriate values could result in undesirable operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text (C-20016r1_chk)
a) Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL.

Automated Analysis
Refer to the following report produced by the IBM Communications Server Data Collection:

- PDI(IFTP0030)

b) Ensure the following items are in effect for the configuration statements specified in the FTP Data configuration file:

1) The ANONYMOUS statement is not coded (does not exist) or, if it does exist, it is commented out.

NOTE: Other statements prefixed with ANONYMOUS may be present. These statements indicate the level of anonymous support and applicable restrictions if anonymous support is enabled using the ANONYMOUS statement. These other ANONYMOUS-prefixed statements may be ignored.

2) The INACTIVE statement is coded with a value between 1 and 900 (seconds).

NOTES: 900 indicates a session timeout value of 15 minutes.
0 disables the inactivity timer check.

3) The UMASK statement is coded with a value of 077.

4) The BANNER statement is coded.

c) If all of the above are true, there is NO FINDING.

d) If any of the above is untrue, this is a FINDING.

FTP.DATA CONFIGURATION STATEMENTS

STATEMENT    NOT CODED, CODED WITHOUT VALUE, OR PARAMETER VALUE
ANONYMOUS    [Not Coded]
BANNER       [An HFS file, e.g., /etc/ftp.banner]
INACTIVE     [A value between 1 and 900]
UMASK        077

Fix Text (F-18159r1_fix)
Review the configuration statements in the FTP.DATA file and ensure they conform to the specifications in the FTP.DATA CONFIGURATION STATEMENTS below:

STATEMENT    NOT CODED, CODED WITHOUT VALUE, OR PARAMETER VALUE
ANONYMOUS    [Not Coded]
BANNER       [An HFS file, e.g., /etc/ftp.banner]
INACTIVE     [A value between 1 and 900]
UMASK        077 [See Note 1]

NOTE: If the FTP Server requires a UMASK value less restrictive than 077, requirements should be justified and documented with the IAO.
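
Check items b.1 through b.4 above can be applied to a copy of the FTP.DATA file with a short script. The following is an added example, not part of the STIG or of the IBM data collection tooling. The function name `check_ftp_data` is hypothetical, the sample file contents are constructed, and the script assumes that `;` begins a comment and that the last occurrence of a statement takes effect.

```python
import re

# Constructed sample FTP.DATA contents (not from a real system).
COMPLIANT = """\
; FTP.DATA sample
;ANONYMOUS
ANONYMOUSLEVEL 3
BANNER /etc/ftp.banner
INACTIVE 900 ; 15 minutes
UMASK 077
"""
NONCOMPLIANT = """\
ANONYMOUS
INACTIVE 0
UMASK 022
"""

def check_ftp_data(text):
    """Return findings for check items b.1-b.4; an empty list means NO FINDING."""
    stmts = {}
    for raw in text.splitlines():
        # Assumption: ';' in column 1 or after a blank starts a comment.
        line = re.split(r"(?:^|\s);", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # Keywords compared case-insensitively; last occurrence wins (assumption).
        stmts[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    findings = []
    # b.1: exact keyword only; other ANONYMOUS-prefixed statements are ignored.
    if "ANONYMOUS" in stmts:
        findings.append("ANONYMOUS statement is coded")
    # b.2: must be present, numeric and within 1..900 (0 disables the timer).
    inactive = stmts.get("INACTIVE", "")
    if not (inactive.isdecimal() and 1 <= int(inactive) <= 900):
        findings.append(f"INACTIVE is {inactive or 'not coded'}, need 1-900")
    # b.3: anything other than 077 is a finding unless documented with the IAO.
    umask = stmts.get("UMASK", "")
    if umask != "077":
        findings.append(f"UMASK is {umask or 'not coded'}, need 077")
    # b.4: BANNER must be coded with a file path.
    if not stmts.get("BANNER"):
        findings.append("BANNER is not coded")
    return findings

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, check_ftp_data(cfg) or "NO FINDING")
```

A commented-out `;ANONYMOUS` line and the `ANONYMOUSLEVEL` statement in the compliant sample produce no finding, matching the NOTE under item b.1.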