Check: RACF-FT-000120
IBM z/OS RACF STIG:
RACF-FT-000120
(in versions v8 r14 through v7 r1)
Title
IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set. (Cat II impact)
Discussion
To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Check Content
Refer to the FTPD started task procedure. If the SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively, this is not a finding. If the ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding. If the ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement, this is not a finding. If the INACTIVE keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding.
Fix Text
Review the FTP daemon's started task JCL. Ensure that the ANONYMOUS and INACTIVE startup parameters are not specified and configuration file names are specified on the appropriate DD statements. The FTP daemon program can accept parameters in the JCL procedure that is used to start the daemon. The ANONYMOUS and ANONYMOUS= keywords are designed to allow anonymous FTP connections. The INACTIVE keyword is designed to set the timeout value for inactive connections. Control of these options is recommended through the configuration file statements rather than the startup parameters. The systems programmer responsible for supporting ICS will ensure that the startup parameters for the FTP daemon does not include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. During initialization the FTP daemon searches multiple locations for the TCPIP.DATA and FTP.DATA files according to fixed sequences. In the daemon's started task JCL, Data Definition (DD) statements will be used to specify the locations of the files. The SYSTCPD DD statement identifies the TCPIP.DATA file and the SYSFTPD DD statement identifies the FTP.DATA file. The systems programmer responsible for supporting ICS will ensure that the FTP daemon's started task JCL specifies the SYSTCPD and SYSFTPD DD statements for configuration files.
Additional Identifiers
Rule ID: SV-223744r868835_rule
Vulnerability ID: V-223744
Group Title: SRG-OS-000163-GPOS-00072
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000804 |
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
CCI-001133 |
The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |