Title

The FTP Server daemon is not defined with proper security parameters. (Cat II impact)

Discussion

The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the FTP Server daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.

Check Content

a) Refer to the following reports produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTSTC) - ACF2CMDS.RPT(OMVSUSER) Refer to the JCL procedure libraries defined to JES2. b) Ensure the following items are in effect for the FTP daemon: 1) The FTP daemon is started from a JCL procedure library defined to JES2. NOTE: The JCL member is typically named FTPD 2) The FTP daemon logonid is FTPD. 3) The FTPD logonid is defined with the STC attribute. 4) The FTPD logonid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.

Fix Text

The systems programmer responsible for supporting ICS will ensure that the FTP daemon runs under its own user account. Specifically, it does not share the account defined for the z/OS UNIX kernel. Review the FTP Server daemon account, privileges, and access authorizations defined to the ACP. Ensure they conform to the requirements below. The following commands can be used to create the user account that is required for the FTP daemon: SET LID INSERT FTPD NAME(FTPD) GROUP(STCTCPX) STC SET PROFILE(USER) DIVISION(OMVS) INSERT FTPD UID(0) HOME(/) PROGRAM(/bin/sh) F ACF2,REBUILD(USR),CLASS(P)

Additional Identifiers

Rule ID: SV-3233r2_rule

Vulnerability ID: V-3233

Group Title: IFTP0010

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.