Verify an "ACCESS RULE" record exists on the system using the following command:
VMSECURE CONFIG PRODUCT
If there is no "ACCESS RULE" record, this is a finding. Verify that CA VM:SECURE RULES can be added using the following command:
VMSECURE RULES USER
If a rules file does not open, this is a finding.
Ensure the Rules Facility is installed and the Product Config file contains an "ACCESS RULES" statement.
Determine location of "DTCPARMS" File for each of the following installed servers: FTP (FTPSERVE) IMAP (IMAP) NFS (VMNFS) REXEC (REXECD) If each "DTCPARMS" file includes the following statements, this is not a finding. :ESM_Enable.YES :ESM_Racroute.YES (or a valid exit name) :ESM_Validate.YES (or a valid exit name)
For each of the following installed servers: FTP (FTPSERVE) IMAP (IMAP) NFS (VMNFS) REXEC (REXECD) Configure the DTCPARMS file in the TCP/IP configuration to include the following statements: :ESM_Enable.YES :ESM_Racroute.YES (or a valid exit name) :ESM_Validate.YES (or a valid exit name)
Verify the CA VM:Secure product is operational on the system by entering the following command. From the "CMS" command line enter: VMSECURE VERSION If there is no response, "VMSECURE" is not logged in, this is a finding.
CA VM:Secure product audits all commands. Ensure CA VM:Secure product is installed and operational. Using CA VM:Secure product audit of all commands with z/VM standard journal record assures that all pertinent information is stored.
Display the System Configuration File. If the "JOURNALING" statement is set to: Facility ON LOGON Lockout after three attempts for 15 minutes, this is not a finding. Note: The site may set the Lockout value to 0; this will require system administrator action for reset. Issue the "QUERY JOURNAL" command. If the response is as follows, this is not a finding: Journal: LOGON-on
Configure the System Configuration "JOURNALING" statement to: Facility ON LOGON Lockout after 3 attempts for 15 minutes or 0 if system administrator action is desired.
Examine VM:Secure Security Config File. If there is no Journal record this is a finding. If the Journal record has a maximum consecutive invalid password attempts set to 3, this is not a finding. Note: The "warning" setting may be determined by the site but must be 3 or less. Example: JOURNAL 3 3
Edit the SECURITY CONFIG file: vmsecure config security Configure a JOURNAL record in the SECURITY CONFIG file as follows: JOURNAL 3 3 Note: The "warning" setting may be determined by the site but must be 3 or less.
Display the System Configuration file "LOGO_Config" statement. Determine the file name and file type of a LOGO configuration file. For each LOGO file Identified: If the file contains the following logon banner, this is not a finding. The below banner is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details. If all the items above are true, this is not a finding. If any item above is untrue, this is a finding.
Configure files identified by the System Configuration file "LOGO_Config" statement to point to a file containing the following Banner. The banner below is mandatory and deviations are not permitted except as authorized in writing by the DoD Chief Information Officer. The thrust of this new policy is to make it clear that there is no expectation of privacy when using DoD information systems and all use of DoD information systems is subject to searching, auditing, inspecting, seizing, and monitoring, even if some personal use of a system is permitted: STANDARD MANDATORY DOD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Examine the CMS search order. Verify the FTP Server access to a FTP BANNER file. If there is no accessible FTP BANNER file, this is a finding. Ensure that the "FTP Banner" file contains the following: The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If it does not, this is a finding.
Configure the "FTP Banner" file to contain the following: The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Examine the "LOGO_CONFIG" settings for the file name of the logo configuration file. Ensure that the file name indicated in the statement contains the DoD official Logon Banner. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If it does not, this is a finding. If any item above is untrue, this is a finding.
Configure the "LOGO_CONFIG" statement to indicate a file that contains the DoD Standard Banner. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
If there are no FTP servers active, this is not applicable. Issue "SMSG" command for each FTP Server. Query "FTAUDIT". If the "Exit" is not enabled, this is a finding.
Include the "FTAUDIT" statement in the TCP/IP Configuration file.
Examine the "SSLSERVERID" statement in the TCP/IP server configuration file. If the "SSLSERVERID" statement identifies at least one userID for an SSL server, this is not a finding.
Configure the "SSLSERVERID" statement to force auto logging of an SSL server before all other servers in the "AUTOLOG" list.
Determine the VMSECURE Audit disk. Note: Consult the z/VM system administrator for this information. Review all rules that grant access to the identified VM:Secure AUDIT disk. If any grant access to anyone other than a system administrator or security administrator, this is a finding.
Ensure access to VMSECURE AUDIT disk is restricted to system administrators or security administrators.
Examine the "Product Configuration" file. If the JOURNALING Statement does not specify "ON", this is a finding.
Configure the Product Configuration file's JOURNALING statement to "JOURNALING ON".
Invoke the "gskkyman" utility. From the "Key Management" Menu display Certificate Information. If no certificate information is found, this is not a finding. Note: Certificates are only valid when their status is "TRUST". Therefore, you may ignore certificates with the "NOTRUST" status during the following checks. If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certificate Authority or External Certification Authority (ECA), this is not a finding. Reference the Cyber Exchange website for complete information as to which certificates are acceptable (https://cyber.mil/pki-pke/pkipke-document-library/).
Remove and/or replace certificates whose issuer's distinguished name does not lead to a DoD PKI Root Certification Authority, External Root Certification Authority (ECA), or an approved External Partner PKI's Root Certification Authority.
Issue the command:
openvm list /etc/gskadm/ (own)
If the file permissions are as displayed below, this is not a finding.
User ID    Group Name   Permissions   Type   Path name component
gskadmin   security     rw- r-- ---   F      'Database.kdb'
gskadmin   security     rw- --- ---   F      'Database.rdb'
gskadmin   security     rw- r-- ---   F      'Database.sth'
Ensure proper permissions are assigned to key databases. Issue the "OPENVM PERMIT" commands to assign proper permissions.
Examine the "VMXRPI" Config file used for building the current nucleus. If the "ENCRYPT" record is missing, this is a finding. If the "ENCRYPT" record does not specify "DES3", this is a finding. If the "DES3KEY" record is missing, this is a finding.
Configure the "VMXRPI" Config file to include the following records:
ENCRYPT DES3
DES3KEY word1 word2 word3 word4 word5 word6
or
DES3KEY EXIT filename EXEC|TEXT
Examine the "SECURITY CONFIG" file. If there is no "AUTOEXP" record, this is a finding. If the "AUTOEXP" record is configured as below, this is not a finding. AUTOEXP 50 60
Include an "AUTOEXP" record in the "SECURITY CONFIG" file that is configured as follows: AUTOEXP 50 60
If there is no CA VM:Secure Product PASSWORD user exit in use, this is a finding. Examine the CA VM:Secure product PASSWORD user exit for requirement that uses a "PWLIST" option that prohibits password reuse for five generations. If this code is missing, this is a finding.
Engineer code in the CA VM:Secure Product PASSWORD user exit that uses a "PWLIST" that prohibits password reuse for five generations.
If there is no CA VM:Secure PASSWORD user exit in use, this is a finding. Review the CA VM:Secure Password user exit. If there is no code that enforces a minimum 8-character password, this is a finding. If there is no code that prohibits the use of all numbers in the new password, this is a finding. If there is no code that prohibits the use of user name in the new password, this is a finding. If there is no code that prohibits the use of userID in the new password, this is a finding. If there is no code that prohibits the use of consecutive repeated characters, this is a finding. If there is no code requiring that at least one special character be used in the new password, this is a finding. If there is no code that enforces 24 hours/1 day as the minimum password lifetime, this is a finding. If there is no code that enforces a minimum that at least one lowercase character is used in the new password, this is a finding. If there is no code that enforces a minimum that at least one numeric character is used in the new password, this is a finding. If there is no code that enforces a minimum that at least one uppercase character is used in the new password, this is a finding. If there is no code that enforces change of at least 50% of the total number of characters when passwords are changed, this is a finding.
Configure a CA VM:Secure PASSWORD user exit that enforces a minimum 8-character password length. Ensure that the following macros are updated with proper PASSWORD user exit: FORCEPWC VMXCHGPW MAINT USE00080
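The rules a reviewer looks for in the PASSWORD user exit, together with the five-generation PWLIST reuse check, can be modelled as a reference validator for building test cases against the exit. This is an added example, not CA VM:Secure code or a user exit: the function name, its arguments, the finding labels, and the reading of "50% changed" as position-by-position differences are assumptions.

```python
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8                      # minimum password length from the check text
MIN_LIFETIME = timedelta(hours=24)  # 24 hours/1 day minimum password lifetime
GENERATIONS = 5                     # PWLIST reuse window from the check text


def password_findings(new_pw, old_pw, userid, user_name,
                      last_changed, now, history=()):
    """Return the list of rules a proposed password change violates.

    history is ordered oldest first (hypothetical layout). Name parts
    shorter than three characters are ignored (assumption).
    """
    findings = []
    low = new_pw.lower()

    if len(new_pw) < MIN_LENGTH:
        findings.append("too-short")
    if new_pw.isdigit():
        findings.append("all-numeric")
    if userid and userid.lower() in low:
        findings.append("contains-userid")
    if any(len(p) >= 3 and p in low for p in user_name.lower().split()):
        findings.append("contains-user-name")
    if any(a == b for a, b in zip(new_pw, new_pw[1:])):
        findings.append("repeated-char")
    if not any(c in string.punctuation for c in new_pw):
        findings.append("no-special")
    if not any(c.islower() for c in new_pw):
        findings.append("no-lowercase")
    if not any(c.isdigit() for c in new_pw):
        findings.append("no-numeric")
    if not any(c.isupper() for c in new_pw):
        findings.append("no-uppercase")
    if now - last_changed < MIN_LIFETIME:
        findings.append("min-lifetime")

    # Count positions that differ from the old password; positions beyond
    # the old password's length count as changed (assumption).
    changed = sum(1 for i, c in enumerate(new_pw)
                  if i >= len(old_pw) or c != old_pw[i])
    if changed * 2 < len(new_pw):
        findings.append("under-50pct-changed")

    if new_pw in list(history)[-GENERATIONS:]:
        findings.append("reused-within-5-generations")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any system.
    now = datetime(2024, 1, 10, 12, 0)
    print(password_findings("oper0111", "Ab3$ghJk9L", "OPER01", "Dana Smith",
                            now - timedelta(hours=1), now))
```

A real exit sees only what the product passes to it, so the history and last-change time here stand in for whatever the PWLIST option and the exit interface actually provide.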
Determine if the System administrator has a documented manual process to review and disable non-essential capabilities for z/VM. If there is no policy and process to review and disable non-essential capabilities, this is a finding. If capabilities identified in the policy are not disabled, this is a finding.
Develop a policy for a procedure to review and disable non-essential capabilities for z/VM. Ensure that all identified non-essential capabilities are disabled.
Display the CA VM:Secure product Config file. If the "DELAYLOG" record does not exist, this is not a finding. If the "DELAYLOG" record is set to "0", this is not a finding.
Configure DELAYLOG = 0 or delete the "DELAYLOG" configuration file record.
Examine the "SECURITY CONFIG" file. If a "NORULE" record exists and is set to "REJECT", this is not a finding.
Configure the "SECURITY CONFIG" file to include a "NORULE" record that is set to "REJECT".
For each TCP/IP server defined examine the TCP/IP Configuration Port Statements. Consult DISA Ports, Protocols, and Services Management (PPSM) Category Assurance Levels (CAL). Verify that the ports and protocols being used are not prohibited and are necessary for the operation of the application server and the hosted applications. If any of the ports or protocols is prohibited or not necessary for the application server operation, this is a finding.
Configure the application server definition in TCP/IP configuration file to disable any ports or protocols that are prohibited by the PPSM CAL and vulnerability assessments.
Examine the procedure for disabling user accounts. If the procedure performs the following steps, this is not a finding.
- Monitors the time since last logon.
- Checks all userIDs for inactivity more than 35 days.
- If found, the ISSO must suspend an account, but not delete it until it is verified by the local ISSO that the user no longer requires access.
- If verification is not received within 60 days, the account may be deleted.
Develop a procedure that includes the following steps:
- Monitors the time since last logon.
- Checks all userIDs for inactivity more than 35 days.
- If found, the ISSO must suspend an account, but not delete it until it is verified by the local ISSO that the user no longer requires access.
- If verification is not received within 60 days, the account may be deleted.
Determine and examine the "DTCPARMS" file for each SSL server pool. If the "VMSSL" command is not included in a :PARMS tag, this is a finding. If the "VMSSL" command is not configured as follows, this is a finding. FIPS (Operand FIPS is equivalent to setting MODE FIPS-140-2.) MODE FIPS-140-2 (Operand MODE FIPS-140-2 is equivalent to setting operand FIPS.) PROTOcol TLSV1_2
Configure the SSL DTCPARMS file with a :PARMS tag that includes "VMSSL" command. Configure the "VMSSL" command to MODE FIPS-140-2, either by including the FIPS operand or by setting the "MODE" operand to FIPS-140-2. Include the PROTOcol operands for TLSV1_2.
If there is no FTP Server active, this is not applicable. Examine the "DTCPARMS" file for each active FTP server. If there is ":ANONYMOUS" or ":ANONYMOU" statement, this is a finding. Examine the "SRVRFTP" command. If "ANONYMOU" is coded, this is a finding.
Ensure the ":ANONYMOUS" or ":ANONYMOU" statement is not coded in the "DTCPARMS" or "SRVRFTP" command.
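The three DTCPARMS reviews on this page (the ESM tags for FTP, IMAP, NFS and REXEC, the VMSSL operands for SSL pool servers, and the anonymous FTP statements) can be run over a copy of the file with one parser. This is an added example, not IBM or STIG tooling: the sample file is constructed, and the `.*` comment handling, the `:class.` values used to pick server types, and the finding strings are assumptions.

```python
import re

ESM_CLASSES = {"ftp", "imap", "nfs", "rexec"}   # assumed :class. values

# Constructed sample, not taken from a real system.
SAMPLE = """\
.* constructed DTCPARMS sample
:nick.FTPSERVE :type.server :class.ftp
               :ESM_Enable.YES :ESM_Racroute.YES :ESM_Validate.YES
:nick.FTPSRV2  :type.server :class.ftp
               :ESM_Enable.YES :ESM_Validate.YES
               :Anonymous.YES
:nick.VMNFS    :type.server :class.nfs
               :ESM_Enable.NO :ESM_Racroute.YES :ESM_Validate.YES
:nick.SSL00001 :type.server :class.ssl
               :parms.VMSSL MODE FIPS-140-2 PROTO TLSV1_2
:nick.SSL00002 :type.server :class.ssl
               :parms.VMSSL PROTOCOL TLSV1_1
"""


def parse_dtcparms(text):
    """Split a DTCPARMS file into one dict of lowercased tags per :nick. entry."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = " ".join(ln for ln in lines if ln and not ln.startswith(".*"))
    entries = []
    for chunk in re.split(r"\s+(?=:\w)", body):
        m = re.match(r":(\w+)\.?\s*(.*)", chunk, re.S)
        if not m:
            continue
        tag, value = m.group(1).lower(), m.group(2).strip()
        if tag == "nick":
            entries.append({"nick": value.upper()})
        elif entries:
            entries[-1][tag] = value
    return entries


def vmssl_findings(parms):
    """Check the VMSSL operands named in the check text."""
    tok = parms.upper().split()
    if "VMSSL" not in tok:
        return ["VMSSL not in :parms"]
    out = []
    fips = "FIPS" in tok or any(
        a == "MODE" and b == "FIPS-140-2" for a, b in zip(tok, tok[1:]))
    if not fips:
        out.append("VMSSL not in FIPS mode")
    # PROTOcol may be abbreviated to its first five letters.
    proto = [i for i, t in enumerate(tok)
             if len(t) >= 5 and "PROTOCOL".startswith(t)]
    if not any("TLSV1_2" in tok[i + 1:] for i in proto):
        out.append("PROTOcol TLSV1_2 not set")
    return out


def audit_dtcparms(entries):
    """Return (nick, finding) pairs for the three DTCPARMS checks."""
    findings = []
    for e in entries:
        nick, cls = e["nick"], e.get("class", "").lower()
        if cls in ESM_CLASSES:
            if e.get("esm_enable", "").upper() != "YES":
                findings.append((nick, "ESM_Enable not YES"))
            for tag in ("esm_racroute", "esm_validate"):
                # YES or an exit name is acceptable; absent or NO is not.
                if e.get(tag, "").upper() in ("", "NO"):
                    findings.append((nick, f"{tag} missing or NO"))
        if cls == "ftp":
            if any(t.upper().startswith("ANONYMOU") for t in e):
                findings.append((nick, ":ANONYMOUS tag present"))
            if any(w.upper().startswith("ANONYMOU")
                   for w in e.get("parms", "").split()):
                findings.append((nick, "ANONYMOU operand in :parms"))
        if cls == "ssl":
            findings += [(nick, f) for f in vmssl_findings(e.get("parms", ""))]
    return findings


if __name__ == "__main__":
    for nick, finding in audit_dtcparms(parse_dtcparms(SAMPLE)):
        print(f"{nick}: {finding}")
```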
Examine the "AUTHORIZ" config file. If authorization to "ADMIN GLOBALS" is granted to "SYS Admin", this is not a finding.
Configure grant statements in the "AUTHORIZ" file using the "ADMIN GLOBALS" command that list Sys Admins only.
Ask the Security Administrator for the defined groups that have authorization to perform security tasks, i.e., create and change rules for any userID in the Rules Facility. Examine the members (users) in each of these groups. If any user does not have the role of Security Administrator, this is a finding.
Define a security group in the Rules Facility for Security Administrators only.
Examine the SYSTEM CONFIG file. If the "Feature" statement specifies ENABLE CLEAR_TDISK, this is not a finding.
Ensure that the following statement is in the SYSTEM CONFIG file: FEATURES ENABLE CLEAR_TDISK Further, before a minidisk is assigned to a user, the minidisk must be formatted to clear it of any residual data. CMS FORMAT, ICKDSF, or any other low-level formatting program that erases all of the data on the minidisk may be used.
Examine "TCP/IP" configuration file. If there is no "FOREIGNIPCONLIMIT" statement, this is a finding. If the "FOREIGNIPCONLIMIT" has a value of "0", this is a finding.
Configure the "FOREIGNIPCONLIMIT" statement with a value specifying the maximum number of connections that a foreign IP address is allowed to have open at the same time. The System Administrator should determine the proper value.
Examine the "TCP/IP" configuration file. If there is no "PERSISTCONNECTIONLIMIT" statement, this is a finding.
Configure the "PERSISTCONNECTIONLIMIT" statement with a value that is less than the "TCBPOOLSIZE".
Examine the "TCP/IP" configuration file. If there is no "PENDINGCONNECTIONLIMIT" statement, this is a finding.
Configure the "PENDINGCONNECTIONLIMIT" statement with a value that is less than the "TCBPOOLSIZE".
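The three connection-limit checks above share one rule set: each statement must be present, "FOREIGNIPCONLIMIT" must not be "0", and the fix text asks for the persist and pending limits to be below "TCBPOOLSIZE". The following added example (not IBM or STIG tooling) applies those rules to a copy of the TCP/IP configuration file; the sample content is constructed, and treating `;` as the comment delimiter and each value as the integer following its keyword are assumptions.

```python
KEYWORDS = ("TCBPOOLSIZE", "FOREIGNIPCONLIMIT",
            "PERSISTCONNECTIONLIMIT", "PENDINGCONNECTIONLIMIT")

# Constructed sample, not taken from a real system.
SAMPLE = """\
; constructed TCP/IP configuration excerpt
TCBPOOLSIZE 256
FOREIGNIPCONLIMIT 0          ; no per-address limit
PERSISTCONNECTIONLIMIT 300
"""


def read_limits(text):
    """Collect the integer that follows each keyword of interest."""
    tokens = []
    for line in text.splitlines():
        # Drop everything after a ';' comment marker (assumed syntax).
        tokens += line.split(";", 1)[0].upper().split()
    values = {}
    for kw, nxt in zip(tokens, tokens[1:]):
        if kw in KEYWORDS and nxt.isdigit():
            values[kw] = int(nxt)
    return values


def audit_limits(values):
    """Return findings for the connection-limit statements."""
    findings = []
    if "FOREIGNIPCONLIMIT" not in values:
        findings.append("FOREIGNIPCONLIMIT missing")
    elif values["FOREIGNIPCONLIMIT"] == 0:
        findings.append("FOREIGNIPCONLIMIT is 0")

    pool = values.get("TCBPOOLSIZE")
    for kw in ("PERSISTCONNECTIONLIMIT", "PENDINGCONNECTIONLIMIT"):
        if kw not in values:
            findings.append(f"{kw} missing")
        elif pool is None:
            # Without a coded TCBPOOLSIZE the comparison needs the
            # effective pool size from the running stack.
            findings.append(f"{kw} cannot be compared: TCBPOOLSIZE not coded")
        elif values[kw] >= pool:
            findings.append(f"{kw} not less than TCBPOOLSIZE")
    return findings


if __name__ == "__main__":
    for finding in audit_limits(read_limits(SAMPLE)):
        print(finding)
```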
Verify Tape Encryption is in use. For IBM drives issue the following command: Class B: QUERY TAPES DETAIL or Class G: QUERY VIRTUAL TAPES If resulting text includes "ACTIVE KEY LABELS", this is not a finding. Regardless of the drive type if there is no encryption available, this is a finding.
Consult CP Administration manual for procedures to set up IBM Device Encryption. For any other drive type consult manufacturer for encryption procedures.
Check the TELNET connection exit. If there is no TELNET connection exit, this is a finding. If the TELNET connection exit does not send a Notice and Consent message before access is granted, this is a finding.
Configure the TELNET connection exit to display a Notice and Consent banner message before access is granted to TELNET.
Examine the Product configuration file. If the "JOURNALING" statement does not specify "ON", this is a finding.
Configure the system configuration "JOURNALING" statement to "JOURNALING ON".
Query the CA VM:Secure product rules. If there are product rules granting access to the disk on which the "SECURITY CONFIG" file resides for auditors, system administrators or security administrators only, this is not a finding.
Create rules in the CA VM:Secure product Rules Facility that restrict access to the disk where the "SECURITY CONFIG" file resides to auditors, system administrators or security administrators only.
Examine the CA VM:Secure rules. If there are Link rules for audit disk granted to anyone other than system administrators, security administrators, or system auditors, this is a finding.
Create a CA VM:Secure rule that grants access to system administrators, security administrators, or system auditors only.
Ask the system administrator (SA) for a documented process to remove or disable emergency accounts after a crisis has been resolved or 72 hours. If there is no documented process, this is a finding. If there are emergency accounts enabled check date/time of resolution of last crisis event. If date/time is greater than 72 hours, this is a finding.
Develop a policy and process to remove or disable emergency accounts after a crisis has been resolved or 72 hours. Ensure that all emergency accounts are disabled after a crisis has been resolved or 72 hours.
Examine the CA VM:Secure rules. If there are Link rules for system software disks granted to anyone other than system administrators, this is a finding.
Create a CA VM:Secure rule that grants access for system software disks to system administrators only.
Examine CP Directory. If Privilege CLASS A or B is granted to anyone other than systems administrators or systems operators, this is a finding. Note: Restrict link to disk where system software resides.
Configure the IBM z/VM to grant CP Privilege Class A or B to system administrators or system operators only.
Examine "AUTHORIZ CONFIG" file. If Authorizations are granted as follows, this is not a finding. Grant the CA VM:Secure system administrator authorization to use all commands and menu selections. Grant directory managers authorization to use a particular command, group of commands, or menu selection. By carefully planning these authorizations, you can delegate many of the daily directory and disk space management tasks to the directory managers. Plan these authorizations carefully to cover all aspects of your site's VM installation. Grant general users authorization to use those commands and menu selections that enable them to manage their own virtual machine. Users can then perform tasks such as maintaining their own system password and controlling access to their minidisks by others.
Assure that the following authorizations are configured: Grant the CA VM:Secure system administrator authorization to use all commands and menu selections. Grant directory managers authorization to use a particular command, group of commands, or menu selection. By carefully planning these authorizations, you can delegate many of the daily directory and disk space management tasks to the directory managers. Plan these authorizations carefully to cover all aspects of your site's VM installation. Grant general users authorization to use those commands and menu selections that enable them to manage their own virtual machine. Users can then perform tasks such as maintaining their own system password and controlling access to their minidisks by others. For example, for users in the Technical Support group, you may want to authorize them to use all selections on the "User Selection" menu.
Examine the "MDISK" statement for journaling. If the space allocations are not large enough for one week's worth of audit records, this is a finding.
Monitor journal minidisks for required space allocation for one week's worth of data. The system administrator will determine the required space allocation. Assure space allocation is large enough for one week of audit records.
If there is no documented process for audit offload, this is a finding. Examine the documented user process for audit record offload. If the procedure does not offload to a different system or media, this is a finding.
Develop a user-written procedure to offload audit records to a different system or media.
Check audit offload procedure. If it can be determined that the audit records are being offloaded on a weekly basis, this is not a finding.
Develop procedures that offload Audit minidisk on a weekly basis.
Examine the TCP/IP configuration for "AUTOLOG". If the userID for auto logger is not in the "AUTOLOG" statement of the TCP/IP server configuration file, this is a finding.
Include the Portmapper server virtual machine userID in the "AUTOLOG" statement of the TCP/IP server configuration file. The Portmapper server is then automatically started when TCP/IP is initialized. The IBM default userID for this server is PORTMAP, but review installation to assure proper ID is included.
Examine "AUTHORIZ CONFIG" file. If the "MANAGE" command is only granted to system administrators, this is not a finding.
Include the "GRANT" statement for the "MANAGE" command to restrict to system administrators only.
Examine the CA VM:Secure Rules facility for "LOGONBY" rules. If the "LOGONBY" rules specify users that are not system administrators, this is a finding.
Assure that any "LOGONBY" rules in the CA VM:Secure Rules Facility specify only users who are system administrators.
Examine user directory definitions to determine CP Privilege class. If CP Privilege Class A, B, or D is assigned to non-privilege users, this is a finding.
Ensure that non-privilege users are not assigned CP Privilege Class A, B, or D.
View system config "JOURNALING" statement. If the "JOURNALING" statement "LOGON" operand is configured as below, this is not a finding. Logon, Account after 3 attempts, See IBMZ-VM-000040 for LOCKOUT setting. Link, Account after 3 attempts, Disable after 3 attempts
Configure the system config "JOURNALING" statement to include the following: Logon, Account after 3 attempts, See IBMZ-VM-000040 for LOCKOUT setting. Link, Account after 3 attempts, Disable after 3 attempts
Examine the FTP Server configuration file. If there is no "SECUREDATA" statement, this is a finding. If the "SECUREDATA" statement specifies "REQUIRED", this is not a finding. Note: If there is no "SECUREDATA" or the "SECUREDATA" specifies "ALLOWED" but there is a documented implementation plan with a definite completion date for setting "SECUREDATA" to "REQUIRED" on file with the ISSM, this can be downgraded to a CAT III.
Configure the "SECUREDATA" statement in the FTP server configuration file to specify "REQUIRED". Note: Care should be taken before implementing this requirement in a production environment. Develop a documented plan of action that has a definite completion date. File the plan with the ISSM.
Examine the TCP/IP config file "INTERNALCLIENTPARMS" statement. If the following "INTERNALCLIENTPARMS" substatements are included, this is not a finding. PORT Num not 20 or 21 SECURECONNECTION REQUIRED CLIENTCERTCHECK FULL
Configure the TCP/IP config "INTERNALCLIENTPARMS" statement to include the following: PORTNUM <secure FTP PORT Number> SECURECONNECTION REQUIRED CLIENTCERTCHECK FULL
Determine SSL/TLS capability. Examine the TCP/IP config file. If the "SSLSERVERID" statement identifies at least one userID for SSL server, this is not a finding.
Configure the "SSLSERVERID" statement to force auto logging of an SSL server before all other servers in the "AUTOLOG" list.
Examine the TCP/IP DATA file. If the "SECURETELNETCLIENT" option is set to "YES", this is not a finding.
Configure the TCP/IP DATA file "SECURETELNETCLIENT" option to "YES".
Examine user directory definitions to determine privilege class. If the CP privilege Class C is assigned to system programmers only, this is not a finding. If the CP privilege Class E is assigned to system analysts only, this is not a finding.
Configure the CP Privilege Class. Assign CP Privilege Classes, C and E, to system programmers and/or system analysts only.
Examine user directory definitions to determine Privilege Class. If CP Privilege Class F is assigned to anyone other than a service representative or system administrator, this is a finding.
Assign CP Privilege Class F to service representatives and system administrators only.
Examine defined-privileged commands. If any of the defined-privileged commands are defined with Privilege Class "ANY", this is a finding.
Review the defined-privileged commands. Ensure that CP privileged commands are not defined with a Privilege Class of "ANY".
Query the CA VM:Secure rules. If there are product rules granting access to the disk on which the "VMXRPI" configuration file resides for system administrators only, this is not a finding.
Create rules in the CA VM:Secure product Rules Facility that restrict access to the disk where the "VMXRPI" configuration file resides to system administrators only.
Query the CA VM:Secure product rules. If there are product rules granting access to the disk on which the "DASD CONFIG" file resides for system administrators or DASD administrators only, this is not a finding.
Create rules in the CA VM:Secure product Rules Facility that restrict access to the disk where the "DASD CONFIG" file resides to system administrators or DASD administrators only.
Query the CA VM:Secure product rules. If there are product rules granting access to the disk on which the "AUTHORIZ CONFIG" file resides for system administrators or security administrators only, this is not a finding.
Create rules in the CA VM:Secure product Rules Facility that restrict access to the disk where the "AUTHORIZ CONFIG" file resides to system administrators or security administrators only.
Query the CA VM:Secure Product rules. If there are product rules granting access to the disk on which the product "CONFIG" file resides for system administrators only, this is not a finding.
Create rules in the CA VM:Secure product Rules Facility that restrict access to the disk where the product "CONFIG" file resides to system administrators only.
Query the CA VM:Secure product rules. If there are product rules granting access to the disk on which the "SFS" configuration file resides for system administrators or DASD administrators only, this is not a finding.
Create rules in the CA VM:Secure product Rules Facility that restrict access to the disk where the "SFS" configuration file resides to system administrators or DASD administrators only.
Issue the command VMSECURE CONFIG AUTHORIZ, then inspect the "GRANT" statements. If the authority to create system rules or rules that apply to other users is granted only to appropriate personnel, this is not a finding.
Ensure the product Rules Facility is installed. Ensure that authority to create system rules or rules that apply to other users is only granted to appropriate personnel.
Examine running systems. If access is gained to the z/VM system without going through a session manager, this is a finding.
Ensure that a session manager is in use with the system.
Ask the system administrator (SA) for documented procedures and routines for account management. If there is no procedure or the procedure is not documented and filed with the ISSO, this is a finding.
Develop processes, routines, and/or scripts for the notification of account management.
Ask the system administrator (SA) for documented procedures and routines for proper configuration management of software. If there are no procedures or the procedures are not documented and on file with the ISSO, this is a finding.
Develop a procedure for proper configuration of software components. Include proper maintenance procedures.
Ask the system administrator for a network system plan. If there is no firewall defined for the IBM z/VM system, this is a finding. If the firewall does not have a deny-all, allow-by-exception policy, this is a finding.
Ensure that the network has a firewall installed that provides a deny-all, allow-by-exception protection for the IBM z/VM system.
Ask the system administrator (SA) for documented routines and procedures for notification in the event of audit failure. If there are no routines or procedures or they are not documented and filed with the ISSO, this is a finding.
Develop a procedure for notification in the event of audit failure.
Ask the system administrator for a procedure to notify appropriate personnel in the event of system anomalies or failure. If there is no procedure for notification and resolution or they are not documented and on file with the ISSO, this is a finding.
Develop a procedure for the notification and resolution of information system operation anomalies. Ensure that procedures are documented and filed with the ISSO/ISSM.
Ask the system administrator (SA) for documented manual procedures to handle temporary, inactive, and emergency accounts. If there are no procedures or they are not documented and filed with the ISSM/ISSO, this is a finding.
Develop a manual procedure to handle temporary, inactive, and emergency accounts in accordance with appropriate policies. Ensure that the procedures are documented and filed with ISSM/ISSO.
Ask the system administrator if there is an audit reduction tool available for use with IBM z/VM. Determine if a process is established to route audit records to the tool. If there is no audit tool available, this is a finding. If a procedure for routing audit records to the tool is not documented and on file with the ISSM/ISSO, this is a finding.
Develop a process for routing audit records to an audit reduction tool. Document the process and file with the ISSM/ISSO.
Ask the system administrator (SA) if there is a documented procedure for validation of security functions on file with the ISSM/ISSO. If there is none, this is a finding. Ask for evidence that the procedures are performed. If there is no evidentiary proof, this is a finding.
Develop a procedure that validates all security functions. Develop a log depicting date and time of validation signed by action official.
Determine if Clock synchronization software is in use. If there is no Clock synchronization software in use, this is a finding. Determine if the configuration allows for synchronizing the internal Clock to an authoritative source. If software is improperly configured, this is a finding.
Configure Clock synchronizing software to compare the internal clock to an authoritative source at least every 24 hours and when the time difference is greater than one second.
Determine if IBM's DS8000 Disks are in use. If they are not in use for systems that require "data at rest", this is a finding.
Employ IBM's DS8000 hardware to ensure full disk encryption.
Examine the "UFTD CONFIG" file. If the "NSLOOKUP" statement is set to "YES", this is not a finding.
Configure the "NSLOOKUP" statement in the "UFTD CONFIG" file to "YES".
Examine the "TCPIP DATA" configuration file. If "DOMAINLOOKUP" statement is configured to "DNS", this is not a finding.
Configure the "DOMAINLOOKUP" statement to "DNS".
Examine the "TCPIP DATA" configuration file. If there is no "NSINTERADDR" statement in the "TCPIP DATA" configuration file, this is a finding.
Configure the "NSINTERADDR" statement in the "TCPIP DATA" configuration file to an appropriate address.
Examine the "TCP/IP" configuration file. If there is no "CHECKSUM" statement in the "TCP/IP" configuration file, this is a finding.
Configure the "TCP/IP" configuration file to include a "CHECKSUM" statement.
Examine the "TCPIP DATA" file. The domain specified for the "DOMAINORIGIN" statement is also used for host name resolution, as if it appeared in a "DOMAINSEARCH" statement. If there is no "DOMAINORIGIN" or "DOMAINSEARCH" statement, this is a finding. If the "DOMAINSEARCH" statement does not specify a proper domain, this is a finding. If the "DOMAINORIGIN" statement does not specify a proper domain, this is a finding.
Configure any statement in the "TCPIP DATA" file used during host name resolution such as "DOMAINSEARCH" statement or the "DOMAINORIGIN" statement with a proper domain name.
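The "TCPIP DATA" checks above ("SECURETELNETCLIENT", "DOMAINLOOKUP", "NSINTERADDR", "DOMAINORIGIN"/"DOMAINSEARCH") can be scripted against an exported copy of the file. The following Python is an added example, not part of the STIG or of any IBM or CA tooling; the file syntax it assumes (";" starts a comment, optional "sysname:" prefix), the sample file contents, and the site-supplied approved_domains parameter are assumptions.

```python
# Added example: audit an exported z/VM "TCPIP DATA" file against the checks above.
# Assumed syntax (not stated on the page): one "KEYWORD value" statement per
# line, ";" starts a comment, a statement may carry a "sysname:" prefix.

SAMPLE_TCPIP_DATA = """\
; constructed sample, not taken from a real system
TCPIPUSERID TCPIP
DOMAINORIGIN zvm.example.mil   ; also used for host name resolution
NSINTERADDR 192.0.2.53
DOMAINLOOKUP DNS
VMSYS1: SECURETELNETCLIENT NO
"""

def parse_tcpip_data(text):
    """Return {KEYWORD: [value, ...]} with comments and system prefixes removed."""
    statements = {}
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if tokens and tokens[0].endswith(":"):  # drop the "sysname:" qualifier
            tokens = tokens[1:]
        if tokens:
            statements.setdefault(tokens[0].upper(), []).append(" ".join(tokens[1:]))
    return statements

def audit_tcpip_data(text, approved_domains):
    """Return a list of findings; an empty list means no findings."""
    st = parse_tcpip_data(text)
    approved = {d.lower() for d in approved_domains}  # site-defined "proper" domains
    findings = []

    def all_equal(keyword, wanted):
        values = st.get(keyword, [])
        return bool(values) and all(v.upper() == wanted for v in values)

    if not all_equal("SECURETELNETCLIENT", "YES"):
        findings.append("SECURETELNETCLIENT is not YES")
    if not all_equal("DOMAINLOOKUP", "DNS"):
        findings.append("DOMAINLOOKUP is not DNS")
    if not any(st.get("NSINTERADDR", [])):
        findings.append("no NSINTERADDR statement")
    domains = st.get("DOMAINORIGIN", []) + st.get("DOMAINSEARCH", [])
    if not domains:
        findings.append("no DOMAINORIGIN or DOMAINSEARCH statement")
    findings += [f"domain not approved: {d}" for d in domains if d.lower() not in approved]
    return findings

if __name__ == "__main__":
    for finding in audit_tcpip_data(SAMPLE_TCPIP_DATA, {"zvm.example.mil"}):
        print("FINDING:", finding)
```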