An error occurred:

Check: IFTP0090

zOS ACF2 STIG: IFTP0090 (in versions v6 r43 through v6 r30)

Title

The TFTP Server program is not properly protected. (Cat II impact)

Discussion

The Trivial File Transfer Protocol (TFTP) Server, known as tftpd, supports file transfer according to the industry standard Trivial File Transfer Protocol. The TFTP Server does not perform any user identification or authentication, allowing any client to connect to the TFTP Server. Due to this lack of security, the TFTP Server will not be used. Failure to restrict the use of the TFTP Server may result in unauthorized access to the host. This exposure may impact the integrity, availability, and privacy of application data.

Check Content

a) Refer to the following report produced by the ACF2 Data Collection and Data Set and Resource Data Collection: - ACF2CMDS.RPT(ACFGSO) - SENSITVE.RPT(PROGRAM) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(IFTP0090) b) Ensure the following program controls are in effect for the TFTP Server: 1) Programs TFTPD and EZATD are defined in the GSO PPGM record. 2) Program resources TFTPD and EZATD are defined in the PROGRAM resource class. 3) No access to the program resources TFTPD and EZATD is permitted. c) If all items in (b) are true, there is NO FINDING. d) If any item (b) is untrue, this is a FINDING.

Fix Text

The IAO will ensure that the resource controls for the TFTP Server programs TFTPD and EZATD and ensure all access is restricted. Evaluate the impact of implementing the following change. Develop a plan of action and implement the change as required. 1) Ensure that the resource controls for the TFTP Server programs TFTPD and EZATD and ensure all access is restricted. Examples: SET CONTROL(GSO) CHANGE PPGM PGM-MASK(TFTPD EZATD) ADD F ACF2,REFRESH(PPGM) $KEY(TFTPD) TYPE(PGM) UID(*) PREVENT SET R(PGM) COMPILE 'ACF2.MVA.PGM(TFTPD)' STORE F ACF2,REBUILD(PGM) $KEY(EZATD) TYPE(PGM) UID(*) PREVENT SET R(PGM) COMPILE 'ACF2.MVA.PGM(EZATD)' STORE F ACF2,REBUILD(PGM)

Additional Identifiers

Rule ID: SV-3241r2_rule

Vulnerability ID: V-3241

Group Title: IFTP0090

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001764

The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
CCI-002235

The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-6 (10)

Prohibit Non-Privileged Users From Executing Privileged Functions
CM-7 (2)

Prevent Program Execution