Title

MVS data sets for the FTP Server are not properly protected. (Cat II impact)

Discussion

MVS data sets of the FTP Server provide the configuration and operational characteristics of this product. Failure to properly secure these data sets may lead to unauthorized access resulting in the compromise of the integrity and availability of customer data and some system services.

Check Content

a) Refer to the following report produced by the ACF2 Data Collection: - SENSITVE.RPT(FTPRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(IFTP0080) b) Ensure the following data set controls are in effect for the FTP Server: 1) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is restricted to systems programming personnel. NOTE: READ access to all authenticated users is permitted. 2) WRITE and ALLOCATE access to the data set containing the FTP Data configuration file is logged. 3) WRITE and ALLOCATE access to the data set containing the FTP banner file is restricted to systems programming personnel. 4) READ access to the data set containing the FTP banner file is permitted to all authenticated users. NOTES: The MVS data sets mentioned above are not used in every configuration. Absence of a data set will not be considered a FINDING. The data set containing the FTP Data configuration file is determined by checking the SYSFTPD DD statement in the FTP started task JCL. The data set containing the FTP banner file is determined by checking the BANNER statement in the FTP Data configuration file. b) If all of the items in (b) are true, there is NO FINDING. c) If any item in (b) is untrue, this is a FINDING.

Fix Text

Review the data set access authorizations defined to the ACP for the FTP.DATA and FTP.BANNER files. Ensure these data sets are protected as follows: The data set containing the FTP.DATA configuration file allows read access to all authenticated users and all other access is restricted to systems programming personnel. All write and allocate access to the data set containing the FTP.DATA configuration file is logged. The data set containing the FTP banner file allows read access to all authenticated users and all other access is restricted to systems programming personnel.

Additional Identifiers

Rule ID: SV-3240r2_rule

Vulnerability ID: V-3240

Group Title: IFTP0080

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.