Navigate

Check: GEN004820

HP-UX 11.31 STIG: GEN004820 (in versions v1 r19 through v1 r13)

Title

Anonymous FTP must not be active on the system unless authorized. (Cat II impact)

Discussion

Due to the numerous vulnerabilities inherent in anonymous FTP, it is not recommended for use. If anonymous FTP must be used on a system, the requirement must be authorized and approved in the system accreditation package.

Check Content

Attempt to log in with anonymous or ftp. The user can type any string of characters as a password. (By convention, the password is the host name of the user's host or the user's email address.) The anonymous user is then given access only to user ftp's home directory, usually called /home/ftp. If the login is successful, this is a finding.

Fix Text

Configure the FTP service to not permit anonymous logins. Remove the user(s) ftp and/or anonymous from the /etc/passwd file.

Additional Identifiers

Rule ID: SV-35100r1_rule

Vulnerability ID: V-846

Group Title: GEN004820

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.

Number	Definition
CCI-001475	The organization reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included.

Controls

Controls tied to check. These are derived from the CCIs shown above.

Number	Title
AC-22	Publicly Accessible Content