
IBM zVM Using CA VM:Secure Security Technical Implementation Guide

Version: V2R2
Release Date: Aug 31, 2022
SCAP Benchmark ID: IBM_zVM_CA_VMSecure_STIG
Total Checks: 77
Tags: other
CAT I: 4, CAT II: 73, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (77)

  • V-237897 (HIGH): CA VM:Secure product Rules Facility must be installed and operating.
  • V-237898 (HIGH): The IBM z/VM TCP/IP DTCPARMS files must be properly configured to connect to an external security manager.
  • V-237899 (MEDIUM): CA VM:Secure product must be installed and operating.
  • V-237900 (MEDIUM): The IBM z/VM JOURNALING LOGON parameter must be set for lockout after 3 attempts for 15 minutes.
  • V-237901 (MEDIUM): The CA VM:Secure JOURNAL Facility parameters must be set for lockout after 3 attempts.
  • V-237902 (MEDIUM): The IBM z/VM LOGO Configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system.
  • V-237903 (MEDIUM): The IBM z/VM TCP/IP FTP Server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system and until users acknowledge the usage conditions and take explicit actions to log on for further access.
  • V-237904 (MEDIUM): The IBM z/VM LOGO configuration file must be configured to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access.
  • V-237905 (MEDIUM): For FTP processing Z/VM TCP/IP FTP server Exit must be enabled.
  • V-237906 (MEDIUM): The IBM z/VM TCP/IP configuration must include an SSLSERVERID statement.
  • V-237907 (MEDIUM): CA VM:Secure product AUDIT file must be restricted to authorized personnel.
  • V-237908 (MEDIUM): The IBM z/VM Journal option must be specified in the Product Configuration File.
  • V-237909 (MEDIUM): All digital certificates in use must have a valid path to a trusted Certification authority.
  • V-237910 (MEDIUM): The IBM z/VM TCP/IP Key database for LDAP or SSL server must be created with the proper permissions.
  • V-237911 (HIGH): CA VM:Secure product Password Encryption (PEF) option must be properly configured to store and transmit cryptographically-protected passwords.
  • V-237912 (MEDIUM): CA VM:Secure product AUTOEXP record in the Security Config File must be properly set.
  • V-237913 (MEDIUM): CA VM:Secure product PASSWORD user exit must be coded with the PWLIST option properly set.
  • V-237914 (MEDIUM): IBM zVM CA VM:Secure product PASSWORD user exit must be in use.
  • V-237915 (MEDIUM): IBM z/VM must be configured to disable non-essential capabilities.
  • V-237916 (MEDIUM): CA VM:Secure product Config Delay LOG option must be set to 0.
  • V-237917 (MEDIUM): CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT.
  • V-237918 (MEDIUM): All IBM z/VM TCP/IP Ports must be restricted to ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
  • V-237919 (MEDIUM): The IBM z/VM Security Manager must provide a procedure to disable userIDs after 35 days of inactivity.
  • V-237920 (HIGH): The IBM z/VM TCP/IP VMSSL command operands must be configured properly.
  • V-237921 (MEDIUM): The IBM z/VM TCP/IP ANONYMOU statement must not be coded in FTP configuration.
  • V-237922 (MEDIUM): CA VM:Secure product ADMIN GLOBALS command must be restricted to systems programming personnel.
  • V-237923 (MEDIUM): CA VM:Secure must have a security group for Security Administrators only.
  • V-237924 (MEDIUM): The IBM z/VM SYSTEM CONFIG file must be configured to clear TDISK on IPL.
  • V-237925 (MEDIUM): The IBM z/VM TCP/IP FOREIGNIPCONLIMIT statement must be properly configured.
  • V-237926 (MEDIUM): The IBM z/VM TCP/IP PERSISTCONNECTIONLIMIT statement must be properly configured.
  • V-237927 (MEDIUM): The IBM z/VM TCP/IP PENDINGCONNECTIONLIMIT statement must be properly configured.
  • V-237928 (MEDIUM): IBM z/VM tapes must use Tape Encryption.
  • V-237929 (MEDIUM): The IBM z/VM TCP/IP must be configured to display the mandatory DoD Notice and Consent banner before granting access to the system.
  • V-237930 (MEDIUM): The IBM z/VM JOURNALING statement must be coded on the configuration file.
  • V-237931 (MEDIUM): CA VM:Secure product SECURITY CONFIG file must be restricted to appropriate personnel.
  • V-237932 (MEDIUM): The IBM z/VM AUDT and Journal Mini Disks must be restricted to the appropriate system administrators.
  • V-237933 (MEDIUM): IBM z/VM must remove or disable emergency accounts after the crisis is resolved or 72 hours.
  • V-237934 (MEDIUM): The IBM z/VM must restrict link access to the disk on which system software resides.
  • V-237935 (MEDIUM): The IBM z/VM Privilege command class A and Class B must be properly assigned.
  • V-237936 (MEDIUM): CA VM:Secure AUTHORIZ CONFIG file must be properly configured.
  • V-237937 (MEDIUM): The IBM z/VM journal minidisk space allocation must be large enough for one weeks worth of audit records.
  • V-237938 (MEDIUM): CA VM:Secure product audit records must offload audit records to a different system or media.
  • V-237939 (MEDIUM): CA VM:Secure product audit records must be offloaded on a weekly basis.
  • V-237940 (MEDIUM): The IBM z/VM Portmapper server virtual machine userID must be included in the AUTOLOG statement of the TCP/IP server configuration file.
  • V-237941 (MEDIUM): CA VM:Secure product MANAGE command must be restricted to system administrators.
  • V-237942 (MEDIUM): The CA VM:Secure LOGONBY command must be restricted to system administrators.
  • V-237943 (MEDIUM): The IBM z/VM CP Privilege Class A, B, and D must be restricted to appropriate system operators.
  • V-237944 (MEDIUM): The IBM z/VM JOURNALING statement must be properly configured.
  • V-237945 (MEDIUM): The IBM z/VM TCP/IP SECUREDATA option for FTP must be set to REQUIRED.
  • V-237946 (MEDIUM): IBM z/VM TCP/IP config file INTERNALCLIENTPARMS statement must be properly configured.
  • V-237947 (MEDIUM): All IBM z/VM TCP/IP servers must be configured for SSL/TLS connection.
  • V-237948 (MEDIUM): The IBM z/VM TCP/IP SECURETELNETCLIENT option for telnet must be set to YES.
  • V-237954 (MEDIUM): The IBM z/VM Privilege Classes C and E must be restricted to appropriate system administrators.
  • V-237955 (MEDIUM): The IBM z/VM Privilege Class F must be restricted to service representatives and system administrators only.
  • V-237956 (MEDIUM): The IBM z/VM ANY Privilege Class must not be listed for privilege commands.
  • V-237957 (MEDIUM): CA VM:Secure product VMXRPI configuration file must be restricted to authorized personnel.
  • V-237958 (MEDIUM): CA VM:Secure product DASD CONFIG file must be restricted to appropriate personnel.
  • V-237959 (MEDIUM): CA VM:Secure product AUTHORIZ CONFIG file must be restricted to appropriate personnel.
  • V-237960 (MEDIUM): CA VM:Secure product CONFIG file must be restricted to appropriate personnel.
  • V-237961 (MEDIUM): CA VM:Secure Product SFS configuration file must be restricted to appropriate personnel.
  • V-237962 (MEDIUM): CA VM:Secure product Rules Facility must be restricted to appropriate personnel.
  • V-237963 (MEDIUM): IBM z/VM must employ a Session manager.
  • V-237964 (MEDIUM): The IBM z/VM System administrator must develop a notification routine for account management.
  • V-237965 (MEDIUM): The IBM z/VM system administrator must develop routines and processes for the proper configuration and maintenance of Software.
  • V-237966 (MEDIUM): IBM z/VM must be protected by an external firewall that has a deny-all, allow-by-exception policy.
  • V-237967 (MEDIUM): The IBM z/VM System administrator must develop routines and processes for notification in the event of audit failure.
  • V-237968 (MEDIUM): The IBM z/VM system administrator must develop procedures maintaining information system operation in the event of anomalies.
  • V-237969 (MEDIUM): IBM z/VM system administrator must develop procedures to manually control temporary, interactive, and emergency accounts.
  • V-237970 (MEDIUM): IBM z/VM must have access to an audit reduction tool that allows for central data review and analysis.
  • V-237971 (MEDIUM): The IBM z/VM system administrator must develop and perform a procedure to validate the correct operation of security functions.
  • V-237972 (MEDIUM): IBM z/VM must employ Clock synchronization software.
  • V-237973 (MEDIUM): The IBM z/VM systems requiring data at rest must employ IBMs DS8000 for full disk encryption.
  • V-245530 (MEDIUM): The IBM z/VM TCP/IP NSLOOKUP statement for UFT servers must be properly configured.
  • V-245531 (MEDIUM): The IBM z/VM TCP/IP DOMAINLOOKUP statement must be properly configured.
  • V-245532 (MEDIUM): The IBM z/VM TCP/IP NSINTERADDR statement must be present in the TCPIP DATA configuration.
  • V-245533 (MEDIUM): The IBM z/VM CHECKSUM statement must be included in the TCP/IP configuration file.
  • V-245534 (MEDIUM): The IBM z/VM DOMAINSEARCH statement in the TCPIP DATA file must be configured with proper domain names for name resolution.