Check: GEN004820
HP-UX 11.23 STIG:
GEN004820
(in version v1 r8)
Title
Anonymous FTP must not be active on the system unless authorized. (Cat II impact)
Discussion
Due to the numerous vulnerabilities inherent in anonymous FTP, it is not recommended for use. If anonymous FTP must be used on a system, the requirement must be authorized and approved in the system accreditation package.
Check Content
Attempt to log in with anonymous or ftp. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host or the user's email address.) The anonymous user is then given access only to user ftp's home directory, usually called /home/ftp. If the login is successful, this is a finding.
Fix Text
Configure the FTP service to not permit anonymous logins. Remove the user(s) ftp and/or anonymous from the /etc/passwd file.
Additional Identifiers
Rule ID: SV-35100r1_rule
Vulnerability ID: V-846
Group Title: GEN004820
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001475 |
The organization reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included. |
Controls
Number | Title |
---|---|
AC-22 |
Publicly Accessible Content |