IBM Security Z Security

Security for Z

Join this online user group to communicate across Z Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

  • 1.  SITE_BANNER OPTION

    Posted Mon June 19, 2023 04:41 AM

    Hello everyone. I'm developing a compliance check for the FTP banner, to verify whether the BANNER statement has the proper content. It looks like this:

    ALLOC TYPE=input dd=banner PATH='/xxxx/yyyyy/ftp.banner'
    OPTION site_banner=banner
    newlist type=IP_FTP_REGION nodup nopage retain
    select complex=*
    sortlist banner banner_match

    Unfortunately, from the above query I get banner_match = "No", which means something is wrong with the banner configuration.

    I've checked: the file exists in the USS ISHELL.

    Is something wrong with my query, or with the banner file configuration within zSecure?

    I was following this documentation: STIG rules that require ALLOCATE and OPTION statements

    Preparation for CKACUST and CKACUSV members - IBM Documentation



    ------------------------------
    Viktorija Kulbaciauskiene
    ------------------------------


  • 2.  RE: SITE_BANNER OPTION

    Posted Mon June 19, 2023 05:04 AM

    Hi Viktorija,

    The documentation of the field BANNER_MATCH is as follows:

    This flag field shows whether each line, from the file that is specified with the SITE_BANNER OPTION,
    occurs in the first 64 KB of the welcome banner to be displayed immediately after a client connects to
    the FTP server. This welcome banner can be stored in a USS file, data set, or member and is specified
    on the FTP BANNER configuration statement. Leading and trailing blanks of a line are not included and
    the comparisons are case-insensitive. The field is missing when the file that contains the logon banner
    specification could not be opened, when the specified SITE_BANNER OPTION file cannot be opened,
    or when no such file was specified.

    Thus, according to my understanding, your outcome of "No" for the BANNER_MATCH field indicates that not each line in the file that you have configured as the SITE_BANNER matches with the first 64 KB of the welcome banner to be displayed immediately after a client connects to the FTP server.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: SITE_BANNER OPTION

    Posted Mon June 19, 2023 05:21 AM
    Edited by Rob van Hoboken Mon June 19, 2023 05:22 AM

    As Tom wrote, the contents of your file /xxxx/yyyyy/ftp.banner are used as a standard to check the actual FTP banner value. zSecure looks at the actual FTP banner from CKFREEZE, and verifies that the values/keywords/phrases from /xxxx/yyyyy/ftp.banner are included anywhere in the first 64 KB of the actual banner.

    What could go wrong? ASCII/EBCDIC conversion in the UNIX file? Single space vs. double space? A trailing line with garbage in the standard that is not in the actual banner?

    How to resolve?

    • Try writing ONE WORD from the banner in your file /xxxx/yyyyy/ftp.banner and see if the BANNER_MATCH field changes.
    • Allocate to a PDS member or sequential data set, to ensure UNIX file ASCII/EBCDIC confusion is not at play.

    ------------------------------
    Rob van Hoboken
    ------------------------------
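As an added illustration of the matching rule Tom quoted and the failure causes Rob lists, here is a small Python model of BANNER_MATCH that you can feed your standard file and the real banner text. It is not zSecure's own code; the diagnose helper, the sample banner and applying the 64 KB window to characters rather than bytes are assumptions.

```python
import re

FIRST_64K = 64 * 1024  # documented window: first 64 KB of the welcome banner


def normalize_line(line: str) -> str:
    """Leading/trailing blanks are dropped and the compare is case-insensitive."""
    return line.strip().lower()


def banner_match(standard_lines, actual_banner):
    """Model of BANNER_MATCH: every line of the SITE_BANNER file must occur
    somewhere in the first 64 KB of the real banner. Returns (overall, per_line).
    Assumption: the 64 KB window is applied to characters, not bytes."""
    haystack = actual_banner[:FIRST_64K].lower()
    per_line = {line: normalize_line(line) in haystack for line in standard_lines}
    return all(per_line.values()), per_line


def diagnose(standard_lines, actual_banner):
    """Hypothetical helper (not a zSecure feature): name the likely cause for
    each failing line, using the causes raised in the thread."""
    haystack = actual_banner[:FIRST_64K].lower()
    squeezed = re.sub(r"\s+", " ", haystack)
    reasons = {}
    last = len(standard_lines) - 1
    for i, line in enumerate(standard_lines):
        needle = normalize_line(line)
        if needle in haystack:
            continue
        if re.sub(r"\s+", " ", needle) in squeezed:
            reasons[line] = "spacing differs (single vs double space, or line break)"
        elif i == last:
            reasons[line] = "trailing line not in banner (garbage at end of the standard file?)"
        else:
            reasons[line] = "not found in first 64 KB of banner"
    if reasons and len(reasons) == len(standard_lines):
        reasons["*"] = "no line matched at all: check ASCII/EBCDIC tagging of the USS file"
    return reasons


# Constructed sample data, not taken from any real system.
ACTUAL_BANNER = (
    "220-WARNING: This system is for authorized use only.\n"
    "220-All activity may be monitored and recorded.\n"
    "220 Use of this system constitutes consent to monitoring.\n"
)
STANDARD_OK = ["warning: this system is for authorized use only.",
               "  All activity may be monitored and recorded.  "]
STANDARD_BAD = ["This system is for authorized  use only.",  # double blank
                "consent to monitoring.",
                "\x1a"]  # stray control character on a trailing line
```

Run `banner_match(STANDARD_BAD, ACTUAL_BANNER)` to see the per-line "No" results and `diagnose(...)` for the suspected cause of each.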