Skip to content

IBM zVM Using CA VM:Secure Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-OS-000426-GPOS-00190

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM TCP/IP SECURETELNETCLIENT option for telnet must be set to YES.

    &lt;VulnDiscussion&gt;Information can be either unintentionally or maliciously disclosed or modified during preparation for transmission, for examp...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators.

    &lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    <GroupDescription></GroupDescription>
    Group
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only.

    &lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule Medium Severity
  • SRG-OS-000324-GPOS-00125

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM ANY Privilege Class must not be listed for privilege commands.

    &lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or proce...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • CA VM:Secure product VMXRPI configuration file must be restricted to authorized personnel.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • CA VM:Secure product DASD CONFIG file must be restricted to appropriate personnel.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • CA VM:Secure product AUTHORIZ CONFIG file must be restricted to appropriate personnel.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • CA VM:Secure product CONFIG file must be restricted to appropriate personnel.

    &lt;VulnDiscussion&gt;Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the sys...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • CA VM:Secure Product SFS configuration file must be restricted to appropriate personnel.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • CA VM:Secure product Rules Facility must be restricted to appropriate personnel.

    &lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists ensure...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • IBM z/VM must employ a Session manager.

    &lt;VulnDiscussion&gt;A session manager controls the semi-permanent interactive information interchange, also known as a dialogue, between a user a...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM System administrator must develop a notification routine for account management.

    &lt;VulnDiscussion&gt;Information system accounts are utilized for identifying individual users or for identifying the operating system processes t...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM system administrator must develop routines and processes for the proper configuration and maintenance of Software.

    &lt;VulnDiscussion&gt;Proper configuration management procedures for information systems provide for the proper configuration and maintenance in ac...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • IBM z/VM must be protected by an external firewall that has a deny-all, allow-by-exception policy.

    &lt;VulnDiscussion&gt;Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Firewalls provide moni...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM System administrator must develop routines and processes for notification in the event of audit failure.

    &lt;VulnDiscussion&gt;Audit processing failures include, for example, software/hardware errors, failures in the audit capturing mechanisms, and aud...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM system administrator must develop procedures maintaining information system operation in the event of anomalies.

    &lt;VulnDiscussion&gt;If anomalies are not acted upon, security functions may fail to secure the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&g...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • IBM z/VM system administrator must develop procedures to manually control temporary, interactive, and emergency accounts.

    &lt;VulnDiscussion&gt;Proper handling of temporary, inactive, and emergency accounts require automatic notification and action rather than at the c...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • IBM z/VM must have access to an audit reduction tool that allows for central data review and analysis.

    &lt;VulnDiscussion&gt;Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format ...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM system administrator must develop and perform a procedure to validate the correct operation of security functions.

    &lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • IBM z/VM must employ Clock synchronization software.

    &lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the cor...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM systems requiring data at rest must employ IBMs DS8000 for full disk encryption.

    &lt;VulnDiscussion&gt;Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthor...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM TCP/IP NSLOOKUP statement for UFT servers must be properly configured.

    &lt;VulnDiscussion&gt;If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it m...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM TCP/IP DOMAINLOOKUP statement must be properly configured.

    &lt;VulnDiscussion&gt;If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it m...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM TCP/IP NSINTERADDR statement must be present in the TCPIP DATA configuration.

    &lt;VulnDiscussion&gt;If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it m...
    Rule Medium Severity
  • SRG-OS-000480-GPOS-00227

    <GroupDescription></GroupDescription>
    Group
  • The IBM z/VM CHECKSUM statement must be included in the TCP/IP configuration file.

    &lt;VulnDiscussion&gt;If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it m...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules