Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-3233 | IFTP0010 | SV-13260r2_rule | Medium |
Description |
---|
The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the FTP Server daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data. |
STIG | Date |
---|---|
z/OS TSS STIG | 2018-10-04 |
Check Text ( C-21868r1_chk ) |
---|
a) Refer to the following reports produced by the TSS Data Collection: - TSSCMDS.RPT(@ACIDS) - TSSCMDS.RPT(OMVSUSER) Refer to the JCL procedure libraries defined to JES2. b) Ensure the following items are in effect for the FTP daemon: 1) The FTP daemon is started from a JCL procedure library defined to JES2. NOTE: The JCL member is typically named FTPD 2) The FTP daemon ACID is FTPD. 3) The FTPD ACID has the STC facility. 4) The FTPD ACID has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING. |
Fix Text (F-19215r1_fix) |
---|
a (Manual) - Review the FTP Server daemon account, privileges, and access authorizations defined to the ACP. Ensure the following items are in effect for the FTP daemon: 1) The FTP daemon is started from a JCL procedure library defined to JES2. NOTE: The JCL member is typically named FTPD 2) The FTP daemon ACID is FTPD. 3) The FTPD ACID has the STC facility. 4) The FTPD ACID has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. For example: TSS CREATE(FTPD) TYPE(USER) NAME(FTPD) DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0) TSS ADD(FTPD) DFLTGRP(STCTCPX) GROUP(STCTCPX) TSS ADD(FTPD) SOURCE(INTRDR) TSS ADD(FTPD) UID(0) HOME(/) OMVSPGM(/bin/sh) TSS ADD(FTPD) MASTFAC(TCP) TSS ADD(STC) PROCNAME(FTPD) ACID(FTPD) TSS PERMIT(FTPD) IBMFAC(BPX.DAEMON) ACCESS(READ) TSS PERMIT(FTPD) IBMFAC(BPX.POE) ACCESS(READ) TSS PERMIT(FTPD) SERVAUTH(EZB.STACKACCESS.)ACCESS(READ) |