Check: TSS0-FT-000050
IBM z/OS TSS STIG: TSS0-FT-000050 (in version v9 r6)
Title
IBM z/OS FTP Control cards must be properly stored in a secure PDS file. (Cat II impact)
Discussion
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
Check Content
Provide list(s) of the locations for all FTP control cards within a given application/AIS, ensuring no FTP control cards are within in-stream JCL, JCL libraries, or any open access data sets. The list must indicate which application uses the PDS and access requirements for those PDSs (who and what level of access). Lists/spreadsheets used to document compliance with this requirement must be maintained by the responsible application/AIS team, be available upon request, and not be maintained by the mainframe ISSO.

Obtain the list/spreadsheet from the application/AIS team.

Access to FTP scripts and/or data files located on host system(s) that contain an FTP userid and/or password will be restricted to individuals responsible for the application connectivity who have a legitimate requirement to know the userid and password on a remote system.

If FTP control cards are within in-stream JCL, JCL libraries, or open access libraries/data sets, this is a finding.

If anyone not listed in the spreadsheet by userid has access of "Read" or greater to the FTP control cards, this is a finding.
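One way to screen exported JCL members for the in-stream condition in this check, as an added example that is not part of the STIG. It assumes the FTP client runs as `PGM=FTP` and reads its control cards from the `INPUT` DD; the member names, data set names and card values are constructed.

```python
import re

# Constructed sample JCL members (member name -> text); not from any real system.
SAMPLE_MEMBERS = {
    "FTPBAD": """\
//FTPBAD   JOB (ACCT),'CARDS IN-STREAM'
//SEND     EXEC PGM=FTP,PARM='(EXIT'
//INPUT    DD *
host.example.test
EXAMPLEID EXAMPLEPW
put 'APP.DATA.FILE' data.file
/*
""",
    "FTPGOOD": """\
//FTPGOOD  JOB (ACCT),'CARDS IN SECURED PDS'
//SEND     EXEC PGM=FTP,PARM='(EXIT'
//INPUT    DD DSN=APP.SECURE.FTPCARDS(SENDFILE),DISP=SHR
""",
}

EXEC_RE = re.compile(r"^//(\S*)\s+EXEC\s+(?:PGM=)?([A-Z0-9$#@]+)", re.I)
DD_RE = re.compile(r"^//(\S+)\s+DD\s+(\S*)", re.I)

def find_instream_ftp_cards(members):
    """Return (member, step, line_no, record_count); card text is never echoed."""
    findings = []
    for member, text in members.items():
        lines = text.splitlines()
        step, program = "", None
        for i, line in enumerate(lines):
            if line.startswith("//*"):  # comment statement, may hold a disabled step
                continue
            m = EXEC_RE.match(line)
            if m:
                step, program = m.group(1), m.group(2).upper()
                continue
            m = DD_RE.match(line)
            if m and program == "FTP" and m.group(1).upper() == "INPUT":
                operand = m.group(2).upper()
                if operand == "*" or operand.startswith(("*,", "DATA")):
                    count = 0  # records up to /* or the next JCL statement
                    for data in lines[i + 1:]:
                        if data.startswith(("/*", "//")):
                            break
                        count += 1
                    findings.append((member, step, i + 1, count))
    return findings
if __name__ == "__main__":
    print(find_instream_ftp_cards(SAMPLE_MEMBERS))
```

This covers only the in-stream JCL condition. Control cards stored as members of JCL libraries or open access data sets still have to be checked against the application team's list and the access granted on each PDS.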
Fix Text
Create a list or spreadsheet of the locations where FTP control cards are stored, who should have access to those libraries, and which applications the FTP control cards are for. Add columns for all people permitted access to the secured PDS. Ensure that the FTP control cards for each FTP are stored in a secure PDS and are not placed in JCL libraries or in-stream JCL.
Additional Identifiers
Rule ID: SV-223977r1130288_rule
Vulnerability ID: V-223977
Group Title: SRG-OS-000480-GPOS-00227
CCIs
| Number | Definition |
|---|---|
| CCI-000202 | The organization ensures unencrypted static authenticators are not embedded in access scripts. |
| CCI-000366 | Implement the security configuration settings. |
Controls
| Number | Title |
|---|---|
| CM-6 | Configuration Settings |