Check: IBMZ-VM-000750
IBM zVM STIG: IBMZ-VM-000750 (in version v1 r0.1)
Title
z/VM tapes must use Tape Encryption. (Cat II impact)
Discussion
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. Guest operating systems, such as CMS, that are not capable of enabling the hardware encryption available with the 3592 Model E05 tape drive are able to use z/VM facilities that enable the encryption on behalf of the guest. Guest operating systems that do support tape encryption, such as z/OS with proper service, will be able to do so without interference from z/VM.
Check Content
Verify Tape Encryption is in use. Issue the following command:

Class B: QUERY TAPES DETAIL
or
Class G: QUERY VIRTUAL TAPES

If resulting text includes “ACTIVE KEY LABELS”, this is not a finding.
Fix Text
Consult the CP Administration manual for procedures to set up Device Encryption.
Additional Identifiers
Rule ID:
Vulnerability ID: IBMZ-VM-000750
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001199 | The information system protects the confidentiality and/or integrity of organization-defined information at rest. |
Controls
Number | Title |
---|---|
SC-28 | Protection Of Information At Rest |