| Checked | Name | Title |
|---|
| ☐ | SV-93547r1_rule | CA VM:Secure product Rules Facility must be installed and operating. |
| ☐ | SV-93549r1_rule | The IBM z/VM TCP/IP DTCPARMS files must be properly configured to connect to an external security manager. |
| ☐ | SV-93551r1_rule | CA VM:Secure product must be installed and operating. |
| ☐ | SV-93553r2_rule | The IBM z/VM JOURNALING LOGON parameter must be set for lockout after 3 attempts for 15 minutes. |
| ☐ | SV-93555r1_rule | The CA VM:Secure JOURNAL Facility parameters must be set for lockout after 3 attempts. |
| ☐ | SV-93557r1_rule | The IBM z/VM LOGO Configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system. |
| ☐ | SV-93559r1_rule | The IBM z/VM TCP/IP FTP Server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system and until users acknowledge the usage conditions and take explicit actions to log on for further access. |
| ☐ | SV-93561r1_rule | The IBM z/VM LOGO configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access. |
| ☐ | SV-93563r1_rule | For FTP processing Z/VM TCP/IP FTP server Exit must be enabled. |
| ☐ | SV-93565r1_rule | The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement. |
| ☐ | SV-93567r1_rule | CA VM:Secure product AUDIT file must be restricted to authorized personnel. |
| ☐ | SV-93569r1_rule | The IBM z/VM Journal option must be specified in the Product Configuration File. |
| ☐ | SV-93571r1_rule | All digital certificates in use must have a valid path to a trusted Certification authority. |
| ☐ | SV-93573r1_rule | The IBM z/VM TCP/IP Key database for LDAP or SSL server must be created with the proper permissions. |
| ☐ | SV-93575r1_rule | CA VM:Secure product Password Encryption (PEF) option must be properly configured to store and transmit cryptographically-protected passwords. |
| ☐ | SV-93577r1_rule | CA VM:Secure product AUTOEXP record in the Security Config File must be properly set. |
| ☐ | SV-93579r1_rule | CA VM:Secure product PASSWORD user exit must be coded with the PWLIST option properly set. |
| ☐ | SV-93581r1_rule | IBM zVM CA VM:Secure product PASSWORD user exit must be in use. |
| ☐ | SV-93583r1_rule | IBM z/VM must be configured to disable non-essential capabilities. |
| ☐ | SV-93585r1_rule | CA VM:Secure product Config Delay LOG option must be set to 0. |
| ☐ | SV-93587r1_rule | CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT. |
| ☐ | SV-93589r1_rule | All IBM z/VM TCP/IP Ports must be restricted to ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. |
| ☐ | SV-93591r1_rule | The IBM z/VM Security Manager must provide a procedure to disable userIDs after 35 days of inactivity. |
| ☐ | SV-93593r1_rule | The IBM z/VM TCP/IP VMSSL command operands must be configured properly. |
| ☐ | SV-93595r1_rule | The IBM z/VM TCP/IP ANONYMOU statement must not be coded in FTP configuration. |
| ☐ | SV-93597r1_rule | CA VM:Secure product ADMIN GLOBALS command must be restricted to systems programming personnel. |
| ☐ | SV-93599r1_rule | CA VM:Secure must have a security group for Security Administrators only. |
| ☐ | SV-93601r1_rule | The IBM z/VM SYSTEM CONFIG file must be configured to clear TDISK on IPL. |
| ☐ | SV-93603r1_rule | The IBM z/VM TCP/IP FOREIGNIPCONLIMIT statement must be properly configured. |
| ☐ | SV-93605r1_rule | The IBM z/VM TCP/IP PERSISTCONNECTIONLIMIT statement must be properly configured. |
| ☐ | SV-93607r1_rule | The IBM z/VM TCP/IP PENDINGCONNECTIONLIMIT statement must be properly configured. |
| ☐ | SV-93609r1_rule | IBM z/VM tapes must use Tape Encryption. |
| ☐ | SV-93611r1_rule | The IBM z/VM TCP/IP must be configured to display the mandatory DoD Notice and Consent banner before granting access to the system. |
| ☐ | SV-93613r1_rule | The IBM z/VM JOURNALING statement must be coded on the configuration file. |
| ☐ | SV-93615r1_rule | CA VM:Secure product SECURITY CONFIG file must be restricted to appropriate personnel. |
| ☐ | SV-93617r1_rule | The IBM z/VM AUDT and Journal Mini Disks must be restricted to the appropriate system administrators. |
| ☐ | SV-93619r1_rule | IBM z/VM must remove or disable emergency accounts after the crisis is resolved or 72 hours. |
| ☐ | SV-93621r1_rule | The IBM z/VM must restrict link access to the disk on which system software resides. |
| ☐ | SV-93623r1_rule | The IBM z/VM Privilege command class A and Class B must be properly assigned. |
| ☐ | SV-93625r1_rule | CA VM:Secure AUTHORIZ CONFIG file must be properly configured. |
| ☐ | SV-93627r1_rule | The IBM z/VM journal minidisk space allocation must be large enough for one weeks worth of audit records. |
| ☐ | SV-93629r1_rule | CA VM:Secure product audit records must offload audit records to a different system or media. |
| ☐ | SV-93631r1_rule | CA VM:Secure product audit records must be offloaded on a weekly basis. |
| ☐ | SV-93633r1_rule | The IBM z/VM Portmapper server virtual machine userID must be included in the AUTOLOG statement of the TCP/IP server configuration file. |
| ☐ | SV-93635r1_rule | CA VM:Secure product MANAGE command must be restricted to system administrators. |
| ☐ | SV-93637r1_rule | The CA VM:Secure LOGONBY command must be restricted to system administrators. |
| ☐ | SV-93639r1_rule | The IBM z/VM CP Privilege Class A, B, and D must be restricted to appropriate system operators. |
| ☐ | SV-93641r2_rule | The IBM z/VM JOURNALING statement must be properly configured. |
| ☐ | SV-93643r1_rule | The IBM z/VM TCP/IP SECUREDATA option for FTP must be set to REQUIRED. |
| ☐ | SV-93645r1_rule | IBM z/VM TCP/IP config file INTERNALCLIENTPARMS statement must be properly configured. |
| ☐ | SV-93647r1_rule | All IBM z/VM TCP/IP servers must be configured for SSL/TLS connection. |
| ☐ | SV-93649r1_rule | The IBM z/VM TCP/IP SECURETELNETCLIENT option for telnet must be set to YES. |
| ☐ | SV-93651r1_rule | The IBM z/VM TCP/IP NSLOOKUP statement for UFT servers must be properly configured. |
| ☐ | SV-93653r1_rule | The IBM z/VM TCP/IP DOMAINLOOKUP statement must be properly configured. |
| ☐ | SV-93655r1_rule | The IBM z/VM TCP/IP NSINTERADDR statement must be present in the TCPIP DATA configuration. |
| ☐ | SV-93657r1_rule | The IBM z/VM CHECKSUM statement must be included in the TCP/IP configuration file. |
| ☐ | SV-93659r1_rule | The IBM z/VM DOMAINSEARCH statement in the TCPIP DATA file must be configured with proper domain names for name resolution. |
| ☐ | SV-93661r1_rule | The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators. |
| ☐ | SV-93663r1_rule | The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only. |
| ☐ | SV-93665r1_rule | The IBM z/VM ANY Privilege Class must not be listed for privilege commands. |
| ☐ | SV-93667r1_rule | CA VM:Secure product VMXRPI configuration file must be restricted to authorized personnel. |
| ☐ | SV-93669r1_rule | CA VM:Secure product DASD CONFIG file must be restricted to appropriate personnel. |
| ☐ | SV-93671r1_rule | CA VM:Secure product AUTHORIZ CONFIG file must be restricted to appropriate personnel. |
| ☐ | SV-93673r1_rule | CA VM:Secure product CONFIG file must be restricted to appropriate personnel. |
| ☐ | SV-93675r1_rule | CA VM:Secure Product SFS configuration file must be restricted to appropriate personnel. |
| ☐ | SV-93677r1_rule | CA VM:Secure product Rules Facility must be restricted to appropriate personnel. |
| ☐ | SV-93679r1_rule | IBM z/VM must employ a Session manager. |
| ☐ | SV-93681r1_rule | The IBM z/VM System administrator must develop a notification routine for account management. |
| ☐ | SV-93683r1_rule | The IBM z/VM system administrator must develop routines and processes for the proper configuration and maintenance of Software. |
| ☐ | SV-93685r1_rule | IBM z/VM must be protected by an external firewall that has a deny-all, allow-by-exception policy. |
| ☐ | SV-93687r1_rule | The IBM z/VM System administrator must develop routines and processes for notification in the event of audit failure. |
| ☐ | SV-93689r1_rule | The IBM z/VM system administrator must develop procedures maintaining information system operation in the event of anomalies. |
| ☐ | SV-93691r1_rule | IBM z/VM system administrator must develop procedures to manually control temporary, interactive, and emergency accounts. |
| ☐ | SV-93693r1_rule | IBM z/VM must have access to an audit reduction tool that allows for central data review and analysis. |
| ☐ | SV-93695r1_rule | The IBM z/VM system administrator must develop and perform a procedure to validate the correct operation of security functions. |
| ☐ | SV-93697r1_rule | IBM z/VM must employ Clock synchronization software. |
| ☐ | SV-93699r1_rule | The IBM z/VM systems requiring data at rest must employ IBMs DS8000 for full disk encryption. |
STIGQter: STIG Summary: