STIGQter: STIG Summary: IBM z/VM Using CA VM:Secure Security Technical Implementation Guide

Version: 1

Release: 2

Benchmark Date: 27 Apr 2018

| Checked | Name | Title |
|---|---|---|
| | SV-93547r1_rule | CA VM:Secure product Rules Facility must be installed and operating. |
| | SV-93549r1_rule | The IBM z/VM TCP/IP DTCPARMS files must be properly configured to connect to an external security manager. |
| | SV-93551r1_rule | CA VM:Secure product must be installed and operating. |
| | SV-93553r2_rule | The IBM z/VM JOURNALING LOGON parameter must be set for lockout after 3 attempts for 15 minutes. |
| | SV-93555r1_rule | The CA VM:Secure JOURNAL Facility parameters must be set for lockout after 3 attempts. |
| | SV-93557r1_rule | The IBM z/VM LOGO Configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system. |
| | SV-93559r1_rule | The IBM z/VM TCP/IP FTP Server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system and until users acknowledge the usage conditions and take explicit actions to log on for further access. |
| | SV-93561r1_rule | The IBM z/VM LOGO configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access. |
| | SV-93563r1_rule | For FTP processing, the z/VM TCP/IP FTP server Exit must be enabled. |
| | SV-93565r1_rule | The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement. |
| | SV-93567r1_rule | CA VM:Secure product AUDIT file must be restricted to authorized personnel. |
| | SV-93569r1_rule | The IBM z/VM Journal option must be specified in the Product Configuration File. |
| | SV-93571r1_rule | All digital certificates in use must have a valid path to a trusted Certification Authority. |
| | SV-93573r1_rule | The IBM z/VM TCP/IP Key database for LDAP or SSL server must be created with the proper permissions. |
| | SV-93575r1_rule | CA VM:Secure product Password Encryption (PEF) option must be properly configured to store and transmit cryptographically-protected passwords. |
| | SV-93577r1_rule | CA VM:Secure product AUTOEXP record in the Security Config File must be properly set. |
| | SV-93579r1_rule | CA VM:Secure product PASSWORD user exit must be coded with the PWLIST option properly set. |
| | SV-93581r1_rule | IBM z/VM CA VM:Secure product PASSWORD user exit must be in use. |
| | SV-93583r1_rule | IBM z/VM must be configured to disable non-essential capabilities. |
| | SV-93585r1_rule | CA VM:Secure product Config Delay LOG option must be set to 0. |
| | SV-93587r1_rule | CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT. |
| | SV-93589r1_rule | All IBM z/VM TCP/IP Ports must be restricted to ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
| | SV-93591r1_rule | The IBM z/VM Security Manager must provide a procedure to disable userIDs after 35 days of inactivity. |
| | SV-93593r1_rule | The IBM z/VM TCP/IP VMSSL command operands must be configured properly. |
| | SV-93595r1_rule | The IBM z/VM TCP/IP ANONYMOU statement must not be coded in FTP configuration. |
| | SV-93597r1_rule | CA VM:Secure product ADMIN GLOBALS command must be restricted to systems programming personnel. |
| | SV-93599r1_rule | CA VM:Secure must have a security group for Security Administrators only. |
| | SV-93601r1_rule | The IBM z/VM SYSTEM CONFIG file must be configured to clear TDISK on IPL. |
| | SV-93603r1_rule | The IBM z/VM TCP/IP FOREIGNIPCONLIMIT statement must be properly configured. |
| | SV-93605r1_rule | The IBM z/VM TCP/IP PERSISTCONNECTIONLIMIT statement must be properly configured. |
| | SV-93607r1_rule | The IBM z/VM TCP/IP PENDINGCONNECTIONLIMIT statement must be properly configured. |
| | SV-93609r1_rule | IBM z/VM tapes must use Tape Encryption. |
| | SV-93611r1_rule | The IBM z/VM TCP/IP must be configured to display the mandatory DoD Notice and Consent banner before granting access to the system. |
| | SV-93613r1_rule | The IBM z/VM JOURNALING statement must be coded on the configuration file. |
| | SV-93615r1_rule | CA VM:Secure product SECURITY CONFIG file must be restricted to appropriate personnel. |
| | SV-93617r1_rule | The IBM z/VM AUDT and Journal Mini Disks must be restricted to the appropriate system administrators. |
| | SV-93619r1_rule | IBM z/VM must remove or disable emergency accounts after the crisis is resolved or after 72 hours. |
| | SV-93621r1_rule | The IBM z/VM must restrict link access to the disk on which system software resides. |
| | SV-93623r1_rule | The IBM z/VM Privilege command Class A and Class B must be properly assigned. |
| | SV-93625r1_rule | CA VM:Secure AUTHORIZ CONFIG file must be properly configured. |
| | SV-93627r1_rule | The IBM z/VM journal minidisk space allocation must be large enough for one week's worth of audit records. |
| | SV-93629r1_rule | CA VM:Secure product audit records must be offloaded to a different system or media. |
| | SV-93631r1_rule | CA VM:Secure product audit records must be offloaded on a weekly basis. |
| | SV-93633r1_rule | The IBM z/VM Portmapper server virtual machine userID must be included in the AUTOLOG statement of the TCP/IP server configuration file. |
| | SV-93635r1_rule | CA VM:Secure product MANAGE command must be restricted to system administrators. |
| | SV-93637r1_rule | The CA VM:Secure LOGONBY command must be restricted to system administrators. |
| | SV-93639r1_rule | The IBM z/VM CP Privilege Classes A, B, and D must be restricted to appropriate system operators. |
| | SV-93641r2_rule | The IBM z/VM JOURNALING statement must be properly configured. |
| | SV-93643r1_rule | The IBM z/VM TCP/IP SECUREDATA option for FTP must be set to REQUIRED. |
| | SV-93645r1_rule | The IBM z/VM TCP/IP config file INTERNALCLIENTPARMS statement must be properly configured. |
| | SV-93647r1_rule | All IBM z/VM TCP/IP servers must be configured for SSL/TLS connection. |
| | SV-93649r1_rule | The IBM z/VM TCP/IP SECURETELNETCLIENT option for telnet must be set to YES. |
| | SV-93651r1_rule | The IBM z/VM TCP/IP NSLOOKUP statement for UFT servers must be properly configured. |
| | SV-93653r1_rule | The IBM z/VM TCP/IP DOMAINLOOKUP statement must be properly configured. |
| | SV-93655r1_rule | The IBM z/VM TCP/IP NSINTERADDR statement must be present in the TCPIP DATA configuration. |
| | SV-93657r1_rule | The IBM z/VM CHECKSUM statement must be included in the TCP/IP configuration file. |
| | SV-93659r1_rule | The IBM z/VM DOMAINSEARCH statement in the TCPIP DATA file must be configured with proper domain names for name resolution. |
| | SV-93661r1_rule | The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators. |
| | SV-93663r1_rule | The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only. |
| | SV-93665r1_rule | The IBM z/VM ANY Privilege Class must not be listed for privilege commands. |
| | SV-93667r1_rule | CA VM:Secure product VMXRPI configuration file must be restricted to authorized personnel. |
| | SV-93669r1_rule | CA VM:Secure product DASD CONFIG file must be restricted to appropriate personnel. |
| | SV-93671r1_rule | CA VM:Secure product AUTHORIZ CONFIG file must be restricted to appropriate personnel. |
| | SV-93673r1_rule | CA VM:Secure product CONFIG file must be restricted to appropriate personnel. |
| | SV-93675r1_rule | CA VM:Secure product SFS configuration file must be restricted to appropriate personnel. |
| | SV-93677r1_rule | CA VM:Secure product Rules Facility must be restricted to appropriate personnel. |
| | SV-93679r1_rule | IBM z/VM must employ a Session Manager. |
| | SV-93681r1_rule | The IBM z/VM system administrator must develop a notification routine for account management. |
| | SV-93683r1_rule | The IBM z/VM system administrator must develop routines and processes for the proper configuration and maintenance of software. |
| | SV-93685r1_rule | IBM z/VM must be protected by an external firewall that has a deny-all, allow-by-exception policy. |
| | SV-93687r1_rule | The IBM z/VM system administrator must develop routines and processes for notification in the event of audit failure. |
| | SV-93689r1_rule | The IBM z/VM system administrator must develop procedures for maintaining information system operation in the event of anomalies. |
| | SV-93691r1_rule | The IBM z/VM system administrator must develop procedures to manually control temporary, interactive, and emergency accounts. |
| | SV-93693r1_rule | IBM z/VM must have access to an audit reduction tool that allows for central data review and analysis. |
| | SV-93695r1_rule | The IBM z/VM system administrator must develop and perform a procedure to validate the correct operation of security functions. |
| | SV-93697r1_rule | IBM z/VM must employ clock synchronization software. |
| | SV-93699r1_rule | IBM z/VM systems requiring data-at-rest protection must employ IBM's DS8000 for full disk encryption. |