UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

MVS data sets for the FTP Server are not properly protected.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3240 IFTP0080 SV-3240r2_rule DCCS-1 DCCS-2 DCSL-1 Medium
Description
MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer data and some system services.
STIG Date
z/OS TSS STIG 2017-06-26

Details

Check Text ( C-2764r1_chk )
a) Refer to the following report produced by the ACF2 Data Collection:

- SENSITVE.RPT(FTPRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(IFTP0080)

b) Ensure the following data set controls are in effect for the FTP Server:

1) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is restricted to systems programming personnel.

NOTE: READ access to all authenticated users is permitted.

2) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is logged.

3) WRITE and ALLOCATE access to the data set containing the FTP banner file is restricted to systems programming personnel.

4) READ access to the data set containing the FTP banner file is permitted to all authenticated users.

NOTES: The MVS data sets mentioned above are not used in every configuration. Absence of a data set will not be considered a FINDING.

The data set containing the FTP Data configuration file is determined by checking the SYSFTPD DD statement in the FTP started task JCL.

The data set containing the FTP banner file is determined by checking the BANNER statement in the FTP Data configuration file.

b) If all of the items in (b) are true, there is NO FINDING.

c) If any item in (b) is untrue, this is a FINDING.
Fix Text (F-18170r1_fix)
Review the data set access authorizations defined to the ACP for the FTP.DATA and FTP.BANNER files. Ensure these data sets are protected as follows:

The data set containing the FTP.DATA configuration file allows read access to all authenticated users and all other access is restricted to systems programming personnel.

All write and allocate access to the data set containing the FTP.DATA configuration file is logged.

The data set containing the FTP banner file allows read access to all authenticated users and all other access is restricted to systems programming personnel.