IBM zVM Using CA VM:Secure Security Technical Implementation Guide


Overview

Date: 2021-06-16
Finding Count (77): CAT I (High): 4, CAT II (Med): 73, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-237898 High The IBM z/VM TCP/IP DTCPARMS files must be properly configured to connect to an external security manager.
V-237920 High The IBM z/VM TCP/IP VMSSL command operands must be configured properly.
V-237911 High CA VM:Secure product Password Encryption (PEF) option must be properly configured to store and transmit cryptographically-protected passwords.
V-237897 High CA VM:Secure product Rules Facility must be installed and operating.
V-237942 Medium The CA VM:Secure LOGONBY command must be restricted to system administrators.
V-237943 Medium The IBM z/VM CP Privilege Class A, B, and D must be restricted to appropriate system operators.
V-237940 Medium The IBM z/VM Portmapper server virtual machine userID must be included in the AUTOLOG statement of the TCP/IP server configuration file.
V-237941 Medium CA VM:Secure product MANAGE command must be restricted to system administrators.
V-237946 Medium IBM z/VM TCP/IP config file INTERNALCLIENTPARMS statement must be properly configured.
V-237900 Medium The IBM z/VM JOURNALING LOGON parameter must be set for lockout after 3 attempts for 15 minutes.
V-237944 Medium The IBM z/VM JOURNALING statement must be properly configured.
V-237945 Medium The IBM z/VM TCP/IP SECUREDATA option for FTP must be set to REQUIRED.
V-237964 Medium The IBM z/VM System administrator must develop a notification routine for account management.
V-237965 Medium The IBM z/VM system administrator must develop routines and processes for the proper configuration and maintenance of Software.
V-237948 Medium The IBM z/VM TCP/IP SECURETELNETCLIENT option for telnet must be set to YES.
V-237901 Medium The CA VM:Secure JOURNAL Facility parameters must be set for lockout after 3 attempts.
V-237960 Medium CA VM:Secure product CONFIG file must be restricted to appropriate personnel.
V-237961 Medium CA VM:Secure Product SFS configuration file must be restricted to appropriate personnel.
V-237962 Medium CA VM:Secure product Rules Facility must be restricted to appropriate personnel.
V-237963 Medium IBM z/VM must employ a Session manager.
V-237906 Medium The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement.
V-237907 Medium CA VM:Secure product AUDIT file must be restricted to authorized personnel.
V-237904 Medium The IBM z/VM LOGO configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-237905 Medium For FTP processing z/VM TCP/IP FTP server Exit must be enabled.
V-237902 Medium The IBM z/VM LOGO Configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system.
V-237903 Medium The IBM z/VM TCP/IP FTP Server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system and until users acknowledge the usage conditions and take explicit actions to log on for further access.
V-237926 Medium The IBM z/VM TCP/IP PERSISTCONNECTIONLIMIT statement must be properly configured.
V-237927 Medium The IBM z/VM TCP/IP PENDINGCONNECTIONLIMIT statement must be properly configured.
V-237928 Medium IBM z/VM tapes must use Tape Encryption.
V-237929 Medium The IBM z/VM TCP/IP must be configured to display the mandatory DoD Notice and Consent banner before granting access to the system.
V-237908 Medium The IBM z/VM Journal option must be specified in the Product Configuration File.
V-237909 Medium All digital certificates in use must have a valid path to a trusted Certification authority.
V-237938 Medium CA VM:Secure product audit records must offload audit records to a different system or media.
V-237919 Medium The IBM z/VM Security Manager must provide a procedure to disable userIDs after 35 days of inactivity.
V-237957 Medium CA VM:Secure product VMXRPI configuration file must be restricted to authorized personnel.
V-237968 Medium The IBM z/VM system administrator must develop procedures maintaining information system operation in the event of anomalies.
V-237923 Medium CA VM:Secure must have a security group for Security Administrators only.
V-237910 Medium The IBM z/VM TCP/IP Key database for LDAP or SSL server must be created with the proper permissions.
V-237966 Medium IBM z/VM must be protected by an external firewall that has a deny-all, allow-by-exception policy.
V-237955 Medium The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only.
V-237954 Medium The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators.
V-237918 Medium All IBM z/VM TCP/IP Ports must be restricted to ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-237956 Medium The IBM z/VM ANY Privilege Class must not be listed for privilege commands.
V-237959 Medium CA VM:Secure product AUTHORIZ CONFIG file must be restricted to appropriate personnel.
V-237913 Medium CA VM:Secure product PASSWORD user exit must be coded with the PWLIST option properly set.
V-237912 Medium CA VM:Secure product AUTOEXP record in the Security Config File must be properly set.
V-237973 Medium The IBM z/VM systems requiring data at rest must employ IBM's DS8000 for full disk encryption.
V-237914 Medium IBM zVM CA VM:Secure product PASSWORD user exit must be in use.
V-237971 Medium The IBM z/VM system administrator must develop and perform a procedure to validate the correct operation of security functions.
V-237970 Medium IBM z/VM must have access to an audit reduction tool that allows for central data review and analysis.
V-237933 Medium IBM z/VM must remove or disable emergency accounts after the crisis is resolved or 72 hours.
V-237932 Medium The IBM z/VM AUDT and Journal Mini Disks must be restricted to the appropriate system administrators.
V-237931 Medium CA VM:Secure product SECURITY CONFIG file must be restricted to appropriate personnel.
V-237930 Medium The IBM z/VM JOURNALING statement must be coded on the configuration file.
V-237937 Medium The IBM z/VM journal minidisk space allocation must be large enough for one week's worth of audit records.
V-237917 Medium CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT.
V-237935 Medium The IBM z/VM Privilege command class A and Class B must be properly assigned.
V-237934 Medium The IBM z/VM must restrict link access to the disk on which system software resides.
V-237939 Medium CA VM:Secure product audit records must be offloaded on a weekly basis.
V-237916 Medium CA VM:Secure product Config Delay LOG option must be set to 0.
V-237972 Medium IBM z/VM must employ Clock synchronization software.
V-245532 Medium The IBM z/VM TCP/IP NSINTERADDR statement must be present in the TCPIP DATA configuration.
V-237925 Medium The IBM z/VM TCP/IP FOREIGNIPCONLIMIT statement must be properly configured.
V-237899 Medium CA VM:Secure product must be installed and operating.
V-245533 Medium The IBM z/VM CHECKSUM statement must be included in the TCP/IP configuration file.
V-237969 Medium IBM z/VM system administrator must develop procedures to manually control temporary, interactive, and emergency accounts.
V-237921 Medium The IBM z/VM TCP/IP ANONYMOU statement must not be coded in FTP configuration.
V-237922 Medium CA VM:Secure product ADMIN GLOBALS command must be restricted to systems programming personnel.
V-237947 Medium All IBM z/VM TCP/IP servers must be configured for SSL/TLS connection.
V-237915 Medium IBM z/VM must be configured to disable non-essential capabilities.
V-237958 Medium CA VM:Secure product DASD CONFIG file must be restricted to appropriate personnel.
V-245531 Medium The IBM z/VM TCP/IP DOMAINLOOKUP statement must be properly configured.
V-245534 Medium The IBM z/VM DOMAINSEARCH statement in the TCPIP DATA file must be configured with proper domain names for name resolution.
V-237924 Medium The IBM z/VM SYSTEM CONFIG file must be configured to clear TDISK on IPL.
V-237967 Medium The IBM z/VM System administrator must develop routines and processes for notification in the event of audit failure.
V-245530 Medium The IBM z/VM TCP/IP NSLOOKUP statement for UFT servers must be properly configured.
V-237936 Medium CA VM:Secure AUTHORIZ CONFIG file must be properly configured.