Title

The IBM z/VM CA VM:Secure product AUDIT file must be restricted to authorized personnel. (Cat II impact)

Discussion

If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.

Check Content

Issue command “VMSECURE” Rules System (you must be a system administrator to use this parameter). If the rule grants access to the 1D0 minidisk to anyone other than system administrators or security administrators, this is a finding.

Fix Text

Ensure that access to “VMSECURE” 1D0 minidisk is restricted to system administrators or security administrators.

Additional Identifiers

Rule ID:

Vulnerability ID: IBMZ-VM-000210

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.