An error occurred:

Check: IFTP0010

zOS TSS STIG: IFTP0010 (in versions v6 r43 through v6 r30)

Title

The FTP Server daemon is defined improperly. (Cat II impact)

Discussion

The FTP Server daemon requires special privileges and access to sensitive resources to provide its system services. Failure to properly define and control the FTP Server daemon could lead to unauthorized access. This exposure may result in the compromise of the integrity and availability of the operating system environment, ACP, and customer data.

Check Content

a) Refer to the following reports produced by the TSS Data Collection: - TSSCMDS.RPT(@ACIDS) - TSSCMDS.RPT(OMVSUSER) Refer to the JCL procedure libraries defined to JES2. b) Ensure the following items are in effect for the FTP daemon: 1) The FTP daemon is started from a JCL procedure library defined to JES2. NOTE: The JCL member is typically named FTPD 2) The FTP daemon ACID is FTPD. 3) The FTPD ACID has the STC facility. 4) The FTPD ACID has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. c) If all of the items in (b) are true, there is NO FINDING. d) If any item in (b) is untrue, this is a FINDING.

Fix Text

a (Manual) - Review the FTP Server daemon account, privileges, and access authorizations defined to the ACP. Ensure the following items are in effect for the FTP daemon: 1) The FTP daemon is started from a JCL procedure library defined to JES2. NOTE: The JCL member is typically named FTPD 2) The FTP daemon ACID is FTPD. 3) The FTPD ACID has the STC facility. 4) The FTPD ACID has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh. For example: TSS CREATE(FTPD) TYPE(USER) NAME(FTPD) DEPT(existing-dept) FACILITY(STC) PASSWORD(password,0) TSS ADD(FTPD) DFLTGRP(STCTCPX) GROUP(STCTCPX) TSS ADD(FTPD) SOURCE(INTRDR) TSS ADD(FTPD) UID(0) HOME(/) OMVSPGM(/bin/sh) TSS ADD(FTPD) MASTFAC(TCP) TSS ADD(STC) PROCNAME(FTPD) ACID(FTPD) TSS PERMIT(FTPD) IBMFAC(BPX.DAEMON) ACCESS(READ) TSS PERMIT(FTPD) IBMFAC(BPX.POE) ACCESS(READ) TSS PERMIT(FTPD) SERVAUTH(EZB.STACKACCESS.)ACCESS(READ)

Additional Identifiers

Rule ID: SV-13260r2_rule

Vulnerability ID: V-3233

Group Title: IFTP0010

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000764

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-2

Identification and Authentication (organizational Users)