UCF STIG Viewer Logo

IBM z/VM tapes must use Tape Encryption.


Overview

Finding ID Version Rule ID IA Controls Severity
V-237928 IBMZ-VM-000750 SV-237928r858991_rule Medium
Description
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. Guest operating systems, such as CMS, that are not capable of enabling the hardware encryption available with the 3592 Model E05 tape drive are able to use z/VM facilities that enable the encryption on behalf of the guest. Guest operating systems that do support tape encryption, such as z/OS with proper service, will be able to do so without interference from z/VM.
STIG Date
IBM zVM Using CA VM:Secure Security Technical Implementation Guide 2022-08-31

Details

Check Text ( C-41138r858990_chk )
Verify Tape Encryption is in use.

For IBM drives issue the following command:

Class B:
QUERY TAPES DETAIL

or

Class G:
QUERY VIRTUAL TAPES

If resulting text includes "ACTIVE KEY LABELS", this is not a finding.

Regardless of the drive type if there is no encryption available, this is a finding.
Fix Text (F-41097r649623_fix)
Consult CP Administration manual for procedures to set up IBM Device Encryption.

For any other drive type consult manufacturer for encryption procedures.