Check: IFTP0030
zOS RACF STIG:
IFTP0030
(in versions v6 r43 through v6 r30)
Title
FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements. (Cat II impact)
Discussion
The statements in the FTP.DATA configuration file specify the parameters and values that control the operation of the FTP Server components including the use of anonymous FTP. Several of the parameters must have specific settings to provide a secure configuration. Inappropriate values could result in undesirable operations and degraded security. This exposure may result in unauthorized access impacting data integrity or the availability of some system services.
Check Content
a) Refer to the Data configuration file specified on the SYSFTPD DD statement in the FTP started task JCL. Automated Analysis Refer to the following report produced by the IBM Communications Server Data Collection: - PDI(IFTP0030) b) Ensure the following items are in effect for the configuration statements specified in the FTP Data configuration file: 1) The ANONYMOUS statement is not coded (does not exist) or, if it does exist, it is commented out. NOTE: Other statements prefixed with ANONYMOUS may be present. These statements indicate the level of anonymous support and applicable restrictions if anonymous support is enabled using the ANONYMOUS statement. These other ANONYMOUS-prefixed statements may be ignored. 2) The INACTIVE statement is coded with a value between 1 and 900 (seconds). NOTES: 900 indicates a session timeout value of 15 minutes. 0 disables the inactivity timer check. 3) The UMASK statement is coded with a value of 077. 4) The BANNER statement is coded. c) If all of the above are true, there is NO FINDING. d) If any of the above is untrue, this is a FINDING. FTP.DATA CONFIGURATION STATEMENTS STATEMENT NOT CODED, CODED WITHOUT VALUE, OR PARAMETER VALUE ANONYMOUS [Not Coded] BANNER [An HFS file, e.g., /etc/ftp.banner] INACTIVE [A value between 1 and 900 ] UMASK 077
Fix Text
Review the configuration statements in the FTP.DATA file and ensure they conform to the specifications in the FTP.DATA CONFIGURATION STATEMENTS below: STATEMENT NOT CODED, CODED WITHOUT VALUE, OR PARAMETER VALUE ANONYMOUS [Not Coded] BANNER [An HFS file, e.g., /etc/ftp.banner] INACTIVE [A value between 1 and 900 ] UMASK 077 [See Note 1] NOTE: If the FTP Server requires a UMASK value less restrictive than 077, requirements should be justified and documented with the IAO.
Additional Identifiers
Rule ID: SV-3235r2_rule
Vulnerability ID: V-3235
Group Title: IFTP0030
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000048 |
The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
| CCI-000366 |
The organization implements the security configuration settings. |
| CCI-001133 |
The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity. |