Check: IBMZ-VM-000020
IBM zVM STIG: IBMZ-VM-000020 (in version v1 r0.1)
Title
The IBM z/VM TCP/IP DTCPARM files must be properly configured. (Cat I impact)
Discussion
A comprehensive account management process that includes automation, such as that provided by External Security Managers (ESM), helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Account management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts.
Check Content
Examine the “TCP/IP” configuration file for each TCP/IP Stack. Ensure that there is a “DTCPARM” file for each installed server. If each “DTCPARM” file includes the following statements, this is not a finding.
:ESM_Enable.YES
:ESM_Racroute.YES
:ESM_Validate.YES
Fix Text
For each TCP/IP Stack, configure the DTCPARM file in the TCP/IP configuration to include the following statements:
:ESM_Enable.YES
:ESM_Racroute.YES
:ESM_Validate.YES
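The check above can be run against exported copies of the DTCPARM files. The following Python sketch is an added example, not part of the STIG or of any IBM tooling. It assumes the `:tag.value` statement form shown above and that lines starting with `.*` are comments. The file names, server names and file contents are constructed.

```python
import re

# The three statements the check requires, per the Check Content above.
REQUIRED = ("ESM_ENABLE", "ESM_RACROUTE", "ESM_VALIDATE")
# Assumption: statements use the ":tag.value" form shown on this page.
TAG_RE = re.compile(r":([A-Za-z_][A-Za-z0-9_]*)\.(\S*)")

def audit_dtcparm(text):
    """Return {tag: problem} for one file; an empty dict means not a finding."""
    seen = {tag: [] for tag in REQUIRED}
    for line in text.splitlines():
        if line.lstrip().startswith(".*"):  # assumption: ".*" marks a comment line
            continue
        for tag, value in TAG_RE.findall(line):
            if tag.upper() in seen:
                seen[tag.upper()].append(value.upper())
    problems = {}
    for tag, values in seen.items():
        if not values:
            problems[tag] = "missing"
        elif any(v != "YES" for v in values):
            # A single non-YES occurrence anywhere in the file is reported.
            problems[tag] = "set to " + "/".join(sorted(set(values)))
    return problems

def audit_stack(files):
    """files: {file name: contents}. Returns only the files with findings."""
    results = {name: audit_dtcparm(body) for name, body in files.items()}
    return {name: p for name, p in results.items() if p}

# Constructed sample input (not taken from a real system).
SAMPLES = {
    "GOOD DTCPARM": """\
.* constructed example
:nick.FTPSERVE :type.server :class.ftp
               :ESM_Enable.YES
               :ESM_Racroute.YES :ESM_Validate.YES
""",
    "BAD DTCPARM": """\
:nick.SMTP :type.server :class.smtp
           :ESM_Enable.YES
.*         :ESM_Racroute.YES
           :ESM_Validate.NO
""",
}

if __name__ == "__main__":
    for name, problems in audit_stack(SAMPLES).items():
        print(name, problems)
```

A statement that appears only on a commented-out line is reported as missing, and a file that sets a statement to YES in one place and to another value elsewhere is still reported.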
Additional Identifiers
Rule ID:
Vulnerability ID: IBMZ-VM-000020
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000015 | The organization employs automated mechanisms to support the information system account management functions. |
Controls
Number | Title |
---|---|
AC-2 (1) | Automated System Account Management |