STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021

The IBM z/OS FTP server daemon must be defined with proper security parameters.

DISA Rule

SV-223742r604139_rule

Vulnerability Number

V-223742

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

RACF-FT-000100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Define the FTP daemon userid and a matching entry in the STARTED resource class enabling the use of the standard userid and an appropriate group.

Define the FTPD userid as a PROTECTED userid.

Define the FTPD userid with the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.

Sample commands to accomplish these requirements are shown here.

Add the FTPD userid:

AU FTPD NAME('STC, FTP Daemon') NOPASSWORD NOOIDCARD DFLTGRP(STCTCPX) OWNER(STCTCPX) OMVS(UID(0) HOME('/') PROGRAM('/bin/sh'))

Define the matching STARTED class profile:

RDEF STARTED FTPD.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(=MEMBER) GROUP(STCTCPX) TRACE(YES))

Additional permissions may be required. See SYS1.TCPIP.SEZAINST(EZARACF) or IBM Comm Server: IP Config Guide.

Check Contents

From z/OS command screen enter:
ListUser FTPD OMVS (FTPD is the usual name of the FTP daemon userid)

If all of the following are true, this is not a finding.

If either of the following is untrue, this is a finding.

- The FTPD userid is defined as a PROTECTED userid.
- The FTPD userid has the following z/OS UNIX attributes: UID(0), HOME directory ‘/’, shell program /bin/sh.

From z/OS command screen enter:
RList STARTED FTPD

If a matching entry in the STARTED resource class exists enabling the use of the standard userid and appropriate group, this is not a finding.
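The check above is manual: read LISTUSER and RLIST output and decide. The following is an added example, not part of the STIG or of STIGQter, showing how the same decision can be automated over captured command output so the rule can be checked repeatedly. The two sample displays are constructed and only approximate the RACF LISTUSER and RLIST layouts (field names such as ATTRIBUTES=, UID=, HOME=, PROGRAM= and the STDATA USER=/GROUP= lines); the function names are the example's own.

```python
import re

# Constructed sample of what LISTUSER FTPD OMVS might display on a compliant
# system. The layout approximates RACF's LISTUSER format; it was not captured
# from a real system.
LISTUSER_COMPLIANT = """\
USER=FTPD  NAME=STC, FTP DAEMON  OWNER=STCTCPX  CREATED=21.113
 DEFAULT-GROUP=STCTCPX  PASSDATE=N/A  PASS-INTERVAL=N/A  PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 REVOKE DATE=NONE   RESUME DATE=NONE

OMVS INFORMATION
----------------
UID= 0000000000
HOME= /
PROGRAM= /bin/sh
CPUTIMEMAX= NONE
"""

# Constructed sample of an RLIST STARTED display with STDATA (same caveat).
RLIST_COMPLIANT = """\
CLASS      NAME
-----      ----
STARTED    FTPD.** (G)

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    ADMIN           NONE               NONE    NO

STDATA INFORMATION
------------------
USER= =MEMBER
GROUP= STCTCPX
TRUSTED= NO
PRIVILEGED= NO
TRACE= YES
"""


def _value(text, key):
    """Return the token following 'KEY=' at the start of a line, or None."""
    m = re.search(r"^\s*" + re.escape(key) + r"=\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_listuser(text):
    """Pull the attributes this rule cares about out of LISTUSER ... OMVS output."""
    attrs = re.search(r"ATTRIBUTES=(.*)$", text, re.MULTILINE)
    attr_words = attrs.group(1).split() if attrs else []
    uid_raw = _value(text, "UID")          # "0000000000" on a compliant system
    return {
        "protected": "PROTECTED" in attr_words,
        "uid": int(uid_raw) if uid_raw and uid_raw.isdigit() else None,
        "home": _value(text, "HOME"),
        "program": _value(text, "PROGRAM"),
    }


def parse_rlist_started(text):
    """Pull the profile name and STDATA USER/GROUP out of RLIST STARTED output."""
    prof = re.search(r"^STARTED\s+(\S+)", text, re.MULTILINE)
    return {
        "profile": prof.group(1) if prof else None,
        "user": _value(text, "USER"),
        "group": _value(text, "GROUP"),
    }


def evaluate(listuser_text, rlist_text):
    """Apply RACF-FT-000100: return (is_finding, reasons)."""
    u = parse_listuser(listuser_text)
    s = parse_rlist_started(rlist_text)
    reasons = []
    if not u["protected"]:
        reasons.append("FTPD userid is not PROTECTED")
    if u["uid"] != 0:
        reasons.append(f"FTPD UID is {u['uid']}, expected 0")
    if u["home"] != "/":
        reasons.append(f"FTPD HOME is {u['home']}, expected /")
    if u["program"] != "/bin/sh":
        reasons.append(f"FTPD PROGRAM is {u['program']}, expected /bin/sh")
    if s["profile"] is None:
        reasons.append("no STARTED profile covers FTPD")
    else:
        # USER(=MEMBER) assigns the started task's own name; an explicit FTPD is also acceptable.
        if s["user"] not in ("=MEMBER", "FTPD"):
            reasons.append(f"STARTED profile {s['profile']} assigns USER={s['user']}")
        if not s["group"]:
            reasons.append(f"STARTED profile {s['profile']} assigns no GROUP")
    return (bool(reasons), reasons)


if __name__ == "__main__":
    finding, why = evaluate(LISTUSER_COMPLIANT, RLIST_COMPLIANT)
    print("finding" if finding else "not a finding", why)
```

Feed it the saved output of the two commands from the check; every failed condition is reported, so one run tells the reviewer which of the fix steps is still missing rather than only that the rule failed.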

Vulnerability Number

V-223742

Documentable

False

Rule Version

RACF-FT-000100

Severity Override Guidance


Check Content Reference

M

Target Key

4101

Comments