STIGQter STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: The FTP Server daemon is not defined with proper security parameters.

DISA Rule

SV-13259r2_rule

Vulnerability Number

V-3233

Group Title

IFTP0010

Rule Version

IFTP0010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Evaluate the impact of correcting any deficiencies. Develop a plan of action and implement the required changes.
Ensure the following items are in effect for all MCS consoles:

1. The FTP daemon userid must be FTPD and a matching entry in the STARTED resource class exists enabling the use of the standard userid and an appropriate group.

2. The FTPD userid is defined as a PROTECTED userid.

3) The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.

Sample commands to accomplish these requirements are shown here:

Add the FTPD userid:

AU FTPD NAME('STC, FTP Daemon') NOPASSWORD NOOIDCARD DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))

RDEF STARTED FTPD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(=MEMBER) GROUP(STCTCPX) TRACE(YES))

Additional permissions may be required. See SYS1.TCPIP.SEZAINST(EZARACF) or IBM Comm Server: IP Config Guide.

Check Contents

a) Refer to the following reports produced by the RACF Data Collection:

- RACFCMDS.RPT(LISTUSER)
- DSMON.RPT(RACSPT)

Refer to the JCL procedure libraries defined to JES2.

b) Ensure the following items are in effect for the FTP daemon:

1) The FTP daemon is started from a JCL procedure library defined to JES2.
NOTE: The JCL member is typically named FTPD
2) The FTP daemon userid is FTPD.
3) The FTPD userid is defined as a PROTECTED userid.
4) The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.
5) A matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Vulnerability Number

V-3233

Documentable

False

Rule Version

IFTP0010

Severity Override Guidance

a) Refer to the following reports produced by the RACF Data Collection:

- RACFCMDS.RPT(LISTUSER)
- DSMON.RPT(RACSPT)

Refer to the JCL procedure libraries defined to JES2.

b) Ensure the following items are in effect for the FTP daemon:

1) The FTP daemon is started from a JCL procedure library defined to JES2.
NOTE: The JCL member is typically named FTPD
2) The FTP daemon userid is FTPD.
3) The FTPD userid is defined as a PROTECTED userid.
4) The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.
5) A matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group.

c) If all of the items in (b) are true, there is NO FINDING.

d) If any item in (b) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

197

Comments