The IBM z/VM TCP/IP DTCPARMS files must be properly configured to connect to an external security manager.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-78843	IBMZ-VM-000020	SV-93549r1_rule		High

Description
A comprehensive account management process such as provided by External Security Managers (ESM) which includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. DTCPARMS setting assures that an ESM is enabled. Account management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts.

Description

A comprehensive account management process such as provided by External Security Managers (ESM) which includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. DTCPARMS setting assures that an ESM is enabled. Account management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts.

STIG	Date
IBM z/VM Using CA VM:Secure Security Technical Implementation Guide	2017-12-11

Details

Check Text ( C-78429r1_chk )
Determine location of “DTCPARMS” File for each of the following installed servers: FTP (FTPSERVE) IMAP (IMAP) NFS (VMNFS) REXEC (REXECD) If each “DTCPARMS” file includes the following statements, this is not a finding. :ESM_Enable.YES :ESM_Racroute.YES (or a valid exit name) :ESM_Validate.YES (or a valid exit name)

Fix Text (F-85593r1_fix)
For each of the following installed severs: FTP (FTPSERVE) IMAP (IMAP) NFS (VMNFS) REXEC (REXECD) Configure the DTCPARMS file in the TCP/IP configuration to include the following statements: :ESM_Enable.YES :ESM_Racroute.YES (or a valid exit name) :ESM_Validate.YES (or a valid exit name)