Check: IFTP0010
zOS RACF STIG:
IFTP0010
(in versions v6 r43 through v6 r30)
Title
The FTP Server daemon is not defined with proper security parameters. (Cat II impact)
Discussion
The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the FTP Server daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.
Check Content
a) Refer to the following reports produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) - DSMON.RPT(RACSPT) Refer to the JCL procedure libraries defined to JES2. b) Ensure the following items are in effect for the FTP daemon: 1) The FTP daemon is started from a JCL procedure library defined to JES2. NOTE: The JCL member is typically named FTPD 2) The FTP daemon userid is FTPD. 3) The FTPD userid is defined as a PROTECTED userid. 4) The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. 5) A matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group. c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.
Fix Text
Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes. Ensure the following items are in effect for all MCS consoles: 1. The FTP daemon userid must be FTPD and a matching entry in the STARTED resource class exists enabling the use of the standard userid and an appropriate group. 2. The FTPD userid is defined as a PROTECTED userid. 3) The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. Sample commands to accomplish these requirements are shown here: Add the FTPD userid: AU FTPD NAME('STC, FTP Daemon') NOPASSWORD NOOIDCARD DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh')) RDEF STARTED FTPD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(=MEMBER) GROUP(STCTCPX) TRACE(YES)) Additional permissions may be required. See SYS1.TCPIP.SEZAINST(EZARACF) or IBM Comm Server: IP Config Guide.
Additional Identifiers
Rule ID: SV-13259r2_rule
Vulnerability ID: V-3233
Group Title: IFTP0010
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
Controls
Number | Title |
---|---|
IA-2 |
Identification And Authentication (Organizational Users) |