MVS data sets for the FTP Server are not properly protected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-3240	IFTP0080	SV-3240r2_rule	DCCS-1 DCCS-2 DCSL-1	Medium

Description
MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer data and some system services.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-2764r1_chk )
a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(FTPRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(IFTP0080) b) Ensure the following data set controls are in effect for the FTP Server: 1) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is restricted to systems programming personnel. NOTE: READ access to all authenticated users is permitted. 2) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is logged. 3) WRITE and ALLOCATE access to the data set containing the FTP banner file is restricted to systems programming personnel. 4) READ access to the data set containing the FTP banner file is permitted to all authenticated users. NOTES: The MVS data sets mentioned above are not used in every configuration. Absence of a data set will not be considered a FINDING. The data set containing the FTP Data configuration file is determined by checking the SYSFTPD DD statement in the FTP started task JCL. The data set containing the FTP banner file is determined by checking the BANNER statement in the FTP Data configuration file. b) If all of the items in (b) are true, there is NO FINDING. c) If any item in (b) is untrue, this is a FINDING.

Check Text ( C-2764r1_chk )

a) Refer to the following report produced by the ACF2 Data Collection:

- SENSITVE.RPT(FTPRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(IFTP0080)

b) Ensure the following data set controls are in effect for the FTP Server:

1) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is restricted to systems programming personnel.

NOTE: READ access to all authenticated users is permitted.

2) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is logged.

3) WRITE and ALLOCATE access to the data set containing the FTP banner file is restricted to systems programming personnel.

4) READ access to the data set containing the FTP banner file is permitted to all authenticated users.

NOTES: The MVS data sets mentioned above are not used in every configuration. Absence of a data set will not be considered a FINDING.

The data set containing the FTP Data configuration file is determined by checking the SYSFTPD DD statement in the FTP started task JCL.

The data set containing the FTP banner file is determined by checking the BANNER statement in the FTP Data configuration file.

b) If all of the items in (b) are true, there is NO FINDING.

c) If any item in (b) is untrue, this is a FINDING.

Fix Text (F-18170r1_fix)
Review the data set access authorizations defined to the ACP for the FTP.DATA and FTP.BANNER files. Ensure these data sets are protected as follows: The data set containing the FTP.DATA configuration file allows read access to all authenticated users and all other access is restricted to systems programming personnel. All write and allocate access to the data set containing the FTP.DATA configuration file is logged. The data set containing the FTP banner file allows read access to all authenticated users and all other access is restricted to systems programming personnel.

Fix Text (F-18170r1_fix)

Review the data set access authorizations defined to the ACP for the FTP.DATA and FTP.BANNER files. Ensure these data sets are protected as follows:

The data set containing the FTP.DATA configuration file allows read access to all authenticated users and all other access is restricted to systems programming personnel.

All write and allocate access to the data set containing the FTP.DATA configuration file is logged.

The data set containing the FTP banner file allows read access to all authenticated users and all other access is restricted to systems programming personnel.