Check: IBMZ-VM-000170
IBM zVM STIG:
IBMZ-VM-000170
(in version v1 r0.1)
Title
The IBM z/VM CA VM:Secure product must be installed and operating. (Cat II impact)
Discussion
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Check Content
Verify that CA VM:Secure product is operational on the system by entering the following command: From CMS Command line enter “VMSECURE VERSION”. If there is no response “VMSECURE” is not logged in, this is a finding.
Fix Text
CA VM:Secure product audits all commands. Ensure that CA VM:Secure product is installed and operational. Using CA VM:Secure product audit of all commands with z/VM standard journal record assures that all pertinent information is stored.
Additional Identifiers
Rule ID:
Vulnerability ID: IBMZ-VM-000170
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
Controls
| Number | Title |
|---|---|
| AU-3 (1) |
Additional Audit Information |