STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.

DISA Rule

SV-223981r561402_rule

Vulnerability Number

V-223981

Group Title

SRG-OS-000163-GPOS-00072

Rule Version

TSS0-FT-000090

Severity

CAT II

CCI(s)

CCI-001133 - The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.

Weight

Fix Recommendation

Review the FTP daemon’s started task JCL. Ensure that the ANONYMOUS and INACTIVE startup parameters are not specified and configuration file names are specified on the appropriate DD statements.

The FTP daemon program can accept parameters in the JCL procedure that is used to start the daemon. The ANONYMOUS and ANONYMOUS= keywords are designed to allow anonymous FTP connections. The INACTIVE keyword is designed to set the timeout value for inactive connections. Control of these options is recommended through the configuration file statements rather than the startup parameters.

The systems programmer responsible for supporting ICS will ensure that the startup parameters for the FTP daemon does not include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords.

During initialization the FTP daemon searches multiple locations for the TCPIP.DATA and FTP.DATA files according to fixed sequences. In the daemon’s started task JCL, Data Definition (DD) statements will be used to specify the locations of the files. The SYSTCPD DD statement identifies the TCPIP.DATA file and the SYSFTPD DD statement identifies the FTP.DATA file.

The systems programmer responsible for supporting ICS will ensure that the FTP daemon’s started task JCL specifies the SYSTCPD and SYSFTPD DD statements for configuration files.

Check Contents

Refer to the Profile configuration file specified on the PROFILE DD statement in the TCPIP started task JCL.

If all the items below are true, this is not a finding.

If any of the items below are untrue, this is a finding.

The following items are in effect for the FTP daemon’s started task JCL:

-The SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively.
-The ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement.
-The ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement.
-The INACTIVE keyword is not coded on the PARM parameter on the EXEC statement.

The AUTOLOG statement block can be configured to have TCP/IP start the FTP Server. The FTP entry (e.g., FTPD) can include the PARMSTRING parameter to pass parameters to the FTP procedure when started.

NOTE: Parameters passed on the PARMSTRING parameter override parameters specified in the FTP procedure.

If an FTP entry is configured in the AUTOLOG statement block in the TCP/IP Profile configuration file, ensure the following items are in effect:

-The ANONYMOUS keyword is not coded on the PARMSTRING parameter.
-The ANONYMOUS=logonid combination is not coded on the PARMSTRING parameter.
-The INACTIVE keyword is not coded on PARMSTRING parameter.

IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments