Check: IBMZ-VM-000590
IBM zVM STIG: IBMZ-VM-000590 (in version v1 r0.1)
Title
The IBM z/VM CA VM:Secure product Config Delay LOG option must be set to 0. (Cat II impact)
Discussion
IBM z/VM 6.4.0 made changes to obscure whether a logon is invalid due to the user ID or due to the password. Both the logon prompting sequence and the message HCPLGA050E were changed. However, DELAYLOG causes a delay for a logon with an invalid password that it does not cause when the user ID is invalid. Thus, if you are using DELAYLOG with z/VM 6.4.0, you can inadvertently let someone trying to break into your system know that it is the password that is invalid.
Check Content
Display the Product Config file. If the DELAYLOG record does not exist, this is not a finding. If the DELAYLOG record is set to "0", this is not a finding.
Fix Text
Configure DELAYLOG = 0 or delete the DELAYLOG configuration file record.
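The check above can be run over an exported text copy of the Product Config file. The following is an added example, not part of the STIG or of CA VM:Secure; the record syntax (`DELAYLOG <n>` or `DELAYLOG = <n>`, with a leading `*` marking a comment line) and the sample file contents are assumptions, and any DELAYLOG value other than 0 is reported as a finding per the rule title.

```python
import re

# Assumed syntax (the page does not show the file): one record per line,
# "DELAYLOG <n>" or "DELAYLOG = <n>", with a leading "*" marking a comment.
RECORD = re.compile(r"^\s*DELAYLOG\b\s*=?\s*(\S*)", re.IGNORECASE)


def is_zero(value):
    """True for 0, 00, or "0"; False for a missing or non-numeric value."""
    return re.fullmatch(r"0+", value.strip('"')) is not None


def check_delaylog(config_text):
    """Return (finding, reason) for an exported copy of the Product Config file."""
    records = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("*"):
            continue  # commented-out records do not count
        match = RECORD.match(line)
        if match:
            records.append((lineno, match.group(1)))
    if not records:
        return False, "no DELAYLOG record"
    # Every active record must be 0; a record with no value needs manual review.
    bad = [f"line {n}: {v or '<no value>'}" for n, v in records if not is_zero(v)]
    if bad:
        return True, "DELAYLOG not 0 (" + "; ".join(bad) + ")"
    return False, "DELAYLOG is 0"


# Constructed sample files; OTHERREC is a placeholder, not a real record name.
ABSENT = "* local settings\nOTHERREC A\n"
ZERO = "OTHERREC A\nDELAYLOG 0\n"
DELAYED = "OTHERREC A\n* DELAYLOG 0\nDELAYLOG = 5\n"

if __name__ == "__main__":
    for name, text in (("ABSENT", ABSENT), ("ZERO", ZERO), ("DELAYED", DELAYED)):
        print(name, check_delaylog(text))
```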
Additional Identifiers
Rule ID:
Vulnerability ID: IBMZ-VM-000590
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |