DISA STIGS Viewer

AlmaLinux OS 9 must not have any File Transfer Protocol (FTP) packages installed.

Overview

Finding ID: V-269403
Version: ALMA-09-037750
Rule ID: SV-269403r1050286_rule
IA Controls:
Severity: High
Description
Passwords must be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. An FTP server provides an unencrypted file transfer mechanism that does not protect the confidentiality of user credentials or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SFTP or other encrypted file transfer methods must be used instead. Removing the server and client packages prevents inbound and outbound communications from being compromised.
STIG: CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide
Date: 2025-05-22

Details

Check Text (C-73434r1049640_chk)
Verify that AlmaLinux OS 9 does not have an FTP client or server package installed with the following command:

$ rpm -qa | grep ftp

If the "vsftpd" server or "ftp" client packages are installed, this is a finding.

Note that there may be third-party or alternative packages that provide the same functionality, which should also be removed.
Fix Text (F-73335r1048586_fix)
Remove the default FTP client and server packages using the following command:

$ dnf remove vsftpd ftp
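
The check above greps every installed package for the substring "ftp", so its output mixes the two packages named as a finding with unrelated or alternative packages that need a manual decision. The following is an added example, not part of the STIG text, that separates the two cases; the function name, the FINDING/REVIEW labels and the sample package list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify installed package names for ALMA-09-037750.
# Input:  one package NAME per line on stdin, e.g. produced on a host by
#           rpm -qa --qf '%{NAME}\n'
# Output: "FINDING <name>" for the packages the check text names,
#         "REVIEW <name>"  for any other name containing "ftp"
#         (candidates for the third-party/alternative note).
# Exit status: 1 if at least one FINDING line was printed, otherwise 0.
classify_ftp_packages() {
    awk '
        $0 == "vsftpd" || $0 == "ftp" { print "FINDING " $0; bad = 1; next }
        tolower($0) ~ /ftp/           { print "REVIEW " $0 }
        END { exit bad + 0 }
    '
}

# Constructed sample input (not taken from a real host).
sample_names() {
    printf '%s\n' bash vsftpd openssh-clients lftp ftp tftp-server
}

status=0
report=$(sample_names | classify_ftp_packages) || status=$?
printf '%s\n' "$report"
if [ "$status" -eq 0 ]; then
    echo "Result: no finding (review any REVIEW lines manually)"
else
    echo "Result: finding, vsftpd and/or ftp is installed"
fi
```

On a real system, replace `sample_names` with the `rpm -qa --qf '%{NAME}\n'` query so that matching is done on exact package names rather than on full name-version-release strings.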