IBM z/VM Using CA VM:Secure Security Technical Implementation Guide


Overview

Date: 2018-04-04
Finding Count (77): CAT I (High): 4, CAT II (Med): 73, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-78887 High The IBM z/VM TCP/IP VMSSL command operands must be configured properly.
V-78869 High CA VM:Secure product Password Encryption (PEF) option must be properly configured to store and transmit cryptographically-protected passwords.
V-78841 High CA VM:Secure product Rules Facility must be installed and operating.
V-78843 High The IBM z/VM TCP/IP DTCPARMS files must be properly configured to connect to an external security manager.
V-78849 Medium The CA VM:Secure JOURNAL Facility parameters must be set for lockout after 3 attempts.
V-78969 Medium CA VM:Secure Product SFS configuration file must be restricted to appropriate personnel.
V-78879 Medium CA VM:Secure product Config Delay LOG option must be set to 0.
V-78845 Medium CA VM:Secure product must be installed and operating.
V-78993 Medium The IBM z/VM systems requiring data at rest must employ IBM's DS8000 for full disk encryption.
V-78927 Medium The IBM z/VM Portmapper server virtual machine userID must be included in the AUTOLOG statement of the TCP/IP server configuration file.
V-78967 Medium CA VM:Secure product CONFIG file must be restricted to appropriate personnel.
V-78921 Medium The IBM z/VM journal minidisk space allocation must be large enough for one week's worth of audit records.
V-78859 Medium The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement.
V-78863 Medium The IBM z/VM Journal option must be specified in the Product Configuration File.
V-78857 Medium For FTP processing z/VM TCP/IP FTP server Exit must be enabled.
V-78855 Medium The IBM z/VM LOGO configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-78989 Medium The IBM z/VM system administrator must develop and perform a procedure to validate the correct operation of security functions.
V-78851 Medium The IBM z/VM LOGO Configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system.
V-78985 Medium IBM z/VM system administrator must develop procedures to manually control temporary, interactive, and emergency accounts.
V-78987 Medium IBM z/VM must have access to an audit reduction tool that allows for central data review and analysis.
V-78903 Medium IBM z/VM tapes must use Tape Encryption.
V-78981 Medium The IBM z/VM System administrator must develop routines and processes for notification in the event of audit failure.
V-78881 Medium CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT.
V-78983 Medium The IBM z/VM system administrator must develop procedures maintaining information system operation in the event of anomalies.
V-78905 Medium The IBM z/VM TCP/IP must be configured to display the mandatory DoD Notice and Consent banner before granting access to the system.
V-78891 Medium CA VM:Secure product ADMIN GLOBALS command must be restricted to systems programming personnel.
V-78847 Medium The IBM z/VM JOURNALING LOGON parameter must be set for lockout after 3 attempts for 15 minutes.
V-78901 Medium The IBM z/VM TCP/IP PENDINGCONNECTIONLIMIT statement must be properly configured.
V-78895 Medium The IBM z/VM SYSTEM CONFIG file must be configured to clear TDISK on IPL.
V-78941 Medium All IBM z/VM TCP/IP servers must be configured for SSL/TLS connection.
V-78943 Medium The IBM z/VM TCP/IP SECURETELNETCLIENT option for telnet must be set to YES.
V-78923 Medium CA VM:Secure product audit records must offload audit records to a different system or media.
V-78947 Medium The IBM z/VM TCP/IP DOMAINLOOKUP statement must be properly configured.
V-78933 Medium The IBM z/VM CP Privilege Class A, B, and D must be restricted to appropriate system operators.
V-78939 Medium IBM z/VM TCP/IP config file INTERNALCLIENTPARMS statement must be properly configured.
V-78937 Medium The IBM z/VM TCP/IP SECUREDATA option for FTP must be set to REQUIRED.
V-78963 Medium CA VM:Secure product DASD CONFIG file must be restricted to appropriate personnel.
V-78877 Medium IBM z/VM must be configured to disable non-essential capabilities.
V-78929 Medium CA VM:Secure product MANAGE command must be restricted to system administrators.
V-78907 Medium The IBM z/VM JOURNALING statement must be coded on the configuration file.
V-78961 Medium CA VM:Secure product VMXRPI configuration file must be restricted to authorized personnel.
V-78885 Medium The IBM z/VM Security Manager must provide a procedure to disable userIDs after 35 days of inactivity.
V-78875 Medium IBM z/VM CA VM:Secure product PASSWORD user exit must be in use.
V-78949 Medium The IBM z/VM TCP/IP NSINTERADDR statement must be present in the TCPIP DATA configuration.
V-78945 Medium The IBM z/VM TCP/IP NSLOOKUP statement for UFT servers must be properly configured.
V-78867 Medium The IBM z/VM TCP/IP Key database for LDAP or SSL server must be created with the proper permissions.
V-78865 Medium All digital certificates in use must have a valid path to a trusted Certification authority.
V-78889 Medium The IBM z/VM TCP/IP ANONYMOU statement must not be coded in FTP configuration.
V-78853 Medium The IBM z/VM TCP/IP FTP Server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system and until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-78975 Medium The IBM z/VM System administrator must develop a notification routine for account management.
V-78897 Medium The IBM z/VM TCP/IP FOREIGNIPCONLIMIT statement must be properly configured.
V-78977 Medium The IBM z/VM system administrator must develop routines and processes for the proper configuration and maintenance of Software.
V-78925 Medium CA VM:Secure product audit records must be offloaded on a weekly basis.
V-78971 Medium CA VM:Secure product Rules Facility must be restricted to appropriate personnel.
V-78959 Medium The IBM z/VM ANY Privilege Class must not be listed for privilege commands.
V-78973 Medium IBM z/VM must employ a Session manager.
V-78917 Medium The IBM z/VM Privilege command class A and Class B must be properly assigned.
V-78893 Medium CA VM:Secure must have a security group for Security Administrators only.
V-78965 Medium CA VM:Secure product AUTHORIZ CONFIG file must be restricted to appropriate personnel.
V-78979 Medium IBM z/VM must be protected by an external firewall that has a deny-all, allow-by-exception policy.
V-78883 Medium All IBM z/VM TCP/IP Ports must be restricted to ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-78991 Medium IBM z/VM must employ Clock synchronization software.
V-78871 Medium CA VM:Secure product AUTOEXP record in the Security Config File must be properly set.
V-78931 Medium The CA VM:Secure LOGONBY command must be restricted to system administrators.
V-78915 Medium The IBM z/VM must restrict link access to the disk on which system software resides.
V-78899 Medium The IBM z/VM TCP/IP PERSISTCONNECTIONLIMIT statement must be properly configured.
V-78913 Medium IBM z/VM must remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-78955 Medium The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators.
V-78911 Medium The IBM z/VM AUDT and Journal Mini Disks must be restricted to the appropriate system administrators.
V-78953 Medium The IBM z/VM DOMAINSEARCH statement in the TCPIP DATA file must be configured with proper domain names for name resolution.
V-78909 Medium CA VM:Secure product SECURITY CONFIG file must be restricted to appropriate personnel.
V-78951 Medium The IBM z/VM CHECKSUM statement must be included in the TCP/IP configuration file.
V-78873 Medium CA VM:Secure product PASSWORD user exit must be coded with the PWLIST option properly set.
V-78957 Medium The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only.
V-78935 Medium The IBM z/VM JOURNALING statement must be properly configured.
V-78919 Medium CA VM:Secure AUTHORIZ CONFIG file must be properly configured.
V-78861 Medium CA VM:Secure product AUDIT file must be restricted to authorized personnel.