Check: IBMZ-VM-000150
IBM zVM STIG:
IBMZ-VM-000150
(in version v1 r0.1)
Title
The IBM z/VM CA VM:Secure product must be installed and operating. (Cat II impact)
Discussion
Without establishing where events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know where events occurred, such as operating system components, modules, device identifiers, node names, file names, and functionality. Associating information about where the event occurred within the operating system provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.
Check Content
Verify that CA VM:Secure product is operational on the system by entering the following command: From CMS Command line enter “VMSECURE VERSION”. If there is no response “VMSECURE” is not logged in, this is a finding.
Fix Text
CA VM:Secure product audits all commands. Ensure that CA VM:Secure product is installed and operational. Using CA VM:Secure product audit of all commands with z/VM standard journal record assures that all pertinent information is stored.
Additional Identifiers
Rule ID:
Vulnerability ID: IBMZ-VM-000150
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
Controls
Number | Title |
---|---|
AU-3 |
Content Of Audit Records |