STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set.

DISA Rule

SV-223744r604139_rule

Vulnerability Number

V-223744

Group Title

SRG-OS-000163-GPOS-00072

Rule Version

RACF-FT-000120

Severity

CAT II

CCI(s)

• CCI-001133 - The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.
• CCI-000804 - The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).

Weight

10

Fix Recommendation

Review the FTP daemon’s started task JCL. Ensure that the ANONYMOUS and INACTIVE startup parameters are not specified and configuration file names are specified on the appropriate DD statements.

The FTP daemon program can accept parameters in the JCL procedure that is used to start the daemon. The ANONYMOUS and ANONYMOUS= keywords are designed to allow anonymous FTP connections. The INACTIVE keyword is designed to set the timeout value for inactive connections. Control of these options is recommended through the configuration file statements rather than the startup parameters.

The systems programmer responsible for supporting ICS will ensure that the startup parameters for the FTP daemon does not include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords.

During initialization the FTP daemon searches multiple locations for the TCPIP.DATA and FTP.DATA files according to fixed sequences. In the daemon’s started task JCL, Data Definition (DD) statements will be used to specify the locations of the files. The SYSTCPD DD statement identifies the TCPIP.DATA file and the SYSFTPD DD statement identifies the FTP.DATA file.

The systems programmer responsible for supporting ICS will ensure that the FTP daemon’s started task JCL specifies the SYSTCPD and SYSFTPD DD statements for configuration files.

Check Contents

Refer to the FTPD started task procedure.

If the SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively, this is not a finding.

If the ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding.

If the ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement, this is not a finding.

If the INACTIVE keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding.

Vulnerability Number

V-223744

Documentable

False

Rule Version

RACF-FT-000120

Severity Override Guidance

Refer to the FTPD started task procedure.

If the SYSTCPD and SYSFTPD DD statements specify the TCP/IP Data and FTP Data configuration files respectively, this is not a finding.

If the ANONYMOUS keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding.

If the ANONYMOUS=logonid combination is not coded on the PARM parameter on the EXEC statement, this is not a finding.

If the INACTIVE keyword is not coded on the PARM parameter on the EXEC statement, this is not a finding.

Check Content Reference

M

Target Key

4101

Comments