Title

The FTP daemon must be configured for logging or verbose mode. (Cat III impact)

Discussion

The -l option allows basic logging of connections. The verbose (on HP) and the debug (on Solaris) allow logging of what files the ftp session transferred. This extra logging makes it possible to easily track which files are being transferred onto or from a system. If they are not configured, the only option for tracking is the audit files. The audit files are much harder to read. If auditing is not properly configured, then there would be no record at all of the file transfer transactions.

Check Content

Perform: # grep ftpd /etc/inetd.conf Check the line for ftpd to see if the -v options are invoked. If not, this is a finding.

Fix Text

The v option enables more verbose logging, shows the accessed file names, and the logout timestamp. The syslog.conf file must be configured to log daemon.info and daemon.debug to a proper log file in which to capture the data. The output goes into the system log file. The log file is /var/adm/syslog. Edit the inetd.conf file. Locate the line that defines ftpd by typing /ftpd/cr. Add the v option where ftpd appears to the right of the pathname for ftpd. For instance: ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -v This is a requirement even when the system is using TCP_WRAPPERS and/or secure shell. The only time it is not a requirement is if the ftp daemon is not configured to run.

Additional Identifiers

Rule ID: SV-38995r1_rule

Vulnerability ID: V-845

Group Title: GEN004980

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.