FTP Control cards will be properly stored in a secure PDS file.

From z/OS RACF STIG

Part of IFTP0110

Associated with IA controls: IAIA-2, IAIA-1

Associated with: CCI-000202

SV-39518r2_rule FTP Control cards will be properly stored in a secure PDS file.

Vulnerability discussion

FTP control cards carry unencrypted information such as userids, passwords and remote IP addresses. Unless this information is required to be stored separately from the JCL and in-stream JCL, anyone with read access to the JCL libraries can read it.

Check content

Provide a list(s) of the locations for all FTP control cards within a given application/AIS, ensuring no FTP control cards are within in-stream JCL, JCL libraries or any open access datasets. The list shall indicate which application uses the PDS, and the access requirements for those PDSs (who and what level of access). Lists/spreadsheets used for documenting the meeting of this requirement shall be maintained by the responsible Application/AIS Team, available upon request and not maintained by DISA Mainframe IAO.

Refer to the above list. Access to FTP scripts and/or data files located on host system(s) that contain FTP userid and/or password will be restricted to those individuals responsible for the application connectivity and who have a legitimate requirement to know the userid and password on a remote system.

FTP control cards within in-stream JCL, within JCL libraries or open access libraries/datasets is a finding.

Anyone having access of read or greater to the FTP control cards not listed within the spreadsheet by userid is a finding.

Fix text

Create a list or spreadsheet of the locations where FTP control cards are stored, who should have access to those libraries and which applications the FTP control cards are for. Add columns for all people permitted access to the secured PDS. Make sure that the FTP control cards for each FTP are stored in a secure PDS and that they are not placed in the JCL libraries or in the in-stream JCL for each FTP.
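One way to support the check above is to scan JCL members exported as text for FTP steps whose control cards are in-stream or come from a dataset missing from the documented list. This is an added example, not part of the STIG; the function name `audit_jcl`, the dataset names and the sample job are constructed, and it assumes the FTP step reads its control cards from the INPUT DD.

```python
import re

# Constructed sample JCL (not from the STIG); credential lines are placeholders.
SAMPLE_JCL = """\
//PAYXFER  JOB (ACCT),'NIGHTLY XFER',CLASS=A
//SEND1    EXEC PGM=FTP
//INPUT    DD *
remote.example.test
EXAMPLEID
EXAMPLEPW
/*
//SEND2    EXEC PGM=FTP
//INPUT    DD DSN=PAY.JCLLIB(FTPCARDS),DISP=SHR
//SEND3    EXEC PGM=FTP
//INPUT    DD DSN=PAY.SECURE.FTPCNTL(NIGHTLY),DISP=SHR
//COPY     EXEC PGM=IEBGENER
//SYSIN    DD *
/*
"""

STMT = re.compile(r"^//(\S*)\s+(EXEC|DD)\b\s*(.*)$")

def audit_jcl(jcl_text, approved_pds):
    """Return (step, ddname, reason) findings; card contents are never echoed."""
    findings, step, is_ftp, instream = [], None, False, None
    for line in jcl_text.splitlines():
        if instream:  # inside in-stream data: skip until its delimiter
            ends = line.startswith("/*") or (instream == "*" and line.startswith("//"))
            if not ends:
                continue
            instream = None
            if line.startswith("/*"):
                continue
        m = None if line.startswith("//*") else STMT.match(line)
        if not m:
            continue
        name, op, rest = m.groups()
        kind = re.match(r"(\*|DATA)(?:[,\s]|$)", rest)   # DD * or DD DATA
        dsn = re.search(r"\bDSN(?:AME)?=([^,(\s]+)", rest)
        if op == "EXEC":
            step, is_ftp = name, bool(re.search(r"\bPGM=FTP\b", rest))
        elif kind:
            instream = kind.group(1)
            if is_ftp:
                findings.append((step, name, "in-stream control cards"))
        # Assumption: control cards are read from the INPUT DD of the FTP step.
        elif is_ftp and name == "INPUT" and dsn and dsn.group(1) not in approved_pds:
            findings.append((step, name, "dataset not on approved list: " + dsn.group(1)))
    return findings
```

Calling `audit_jcl(SAMPLE_JCL, {"PAY.SECURE.FTPCNTL"})` reports step SEND1 for in-stream cards and step SEND2 for a dataset that is not on the list; the access list of each approved PDS still has to be compared against the spreadsheet separately.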
