Title

The FTP daemon must be configured for logging or verbose mode. (Cat III impact)

Discussion

The -l option allows logging of connections. This extra logging makes it possible to easily track which files are being transferred onto or from a system. If they are not configured, the only option for tracking is the audit files. The audit files are much harder to read. If auditing is not properly configured, then there would be no record at all of the file transfer transactions.

Check Content

Perform: # grep ftpd /etc/inetd.conf, Check the line for ftpd to check if the -l argument. If the ftpd is invoked without the -l argument, this is a finding. Check the /etc/syslog.conf file for daemon.info or *.info. # more /etc/syslog.conf If daemon.info or *.info is not being logged, this is a finding.

Fix Text

Edit the /etc/inetd.conf file and add the -l argument to the ftpd service line. # vi /etc/inetd.conf Restart inetd.conf # refresh -s inetd Add daemon.info or *.info to the /etc/syslog.conf file. #vi /etc/syslog.conf *.info /var/log/syslog Restart the syslog daemon. # refresh -s syslogd

Additional Identifiers

Rule ID: SV-38991r1_rule

Vulnerability ID: V-845

Group Title: GEN004980

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.