An error occurred:

Check: RACF-FT-000010

IBM z/OS RACF STIG: RACF-FT-000010 (in versions v8 r14 through v7 r1)

Title

IBM z/OS SMF recording options for the FTP Server must be configured to write SMF records for all eligible events. (Cat II impact)

Discussion

The FTP Server can provide audit data in the form of SMF records. The SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. Failure to collect and retain audit data may contribute to the loss of accountability and hamper security audit activities. Satisfies: SRG-OS-000032-GPOS-00013, SRG-OS-000392-GPOS-00172

Check Content

If FTPDATA is configured with the following SMF statements, this is not a finding. FTP.DATA Configuration Statements SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out]

Fix Text

Configure SMF options to conform to the specifications in the FTPDATA Configuration Statements below: SMF TYPE119 SMFJES TYPE119 SMFSQL TYPE119 SMFAPPE [Not coded or commented out] SMFDEL [Not coded or commented out] SMFEXIT [Not coded or commented out] SMFLOGN [Not coded or commented out] SMFREN [Not coded or commented out] SMFRETR [Not coded or commented out] SMFSTOR [Not coded or commented out] The FTP Server can provide audit data in the form of SMF records. SMF record type 119, the TCP/IP Statistics record, can be written with the following subtypes: 70 - Append 70 - Delete and Multiple Delete 72 - Invalid Logon Attempt 70 - Rename 70 - Get (Retrieve) and Multiple Get 70 - Put (Store and Store Unique) and Multiple Put SMF data produced by the FTP Server provides transaction information for both successful and unsuccessful FTP commands. This data may provide valuable information for security audit activities. Type 119 records use a more standard format and provide more information.

Additional Identifiers

Rule ID: SV-223733r868828_rule

Vulnerability ID: V-223733

Group Title: SRG-OS-000032-GPOS-00013

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000067

The information system monitors remote access methods.
CCI-002884

The organization audits nonlocal maintenance and diagnostic sessions^ organization-defined audit events.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-17 (1)

Automated Monitoring / Control
MA-4 (1)

Auditing And Review