On Friday, 09/25/2009 at 01:19 EDT, Thomas Kern <[email protected]>
wrote:
> Alan, would IBM be interested in promoting a better list of auditing
> questions/checklists?
If you follow the guidelines in the Secure Configuration Guide (sans
mandatory access controls, if desired) you have a pretty good start to a
security audit checklist.
Snippet....
o Do not use the DEDICATE statement in the system directory to dedicate
console terminals unless they are under the strictest physical
supervision.
o CP commands issued using the COMMAND directory statement run with full
system privileges, just as though the command was issued by the system
administrator. Use of the COMMAND statement is audited under the control
of the DIRECTRY_CMD system event.
o Do not allow any of the following directory control statements (or
operands or options on the directory control statements) to appear in the
CP system directory entry of any non-trusted virtual machine in the
system:
  - IUCV with the ANY or *IDENT RESANY operand
  - OPTION with any of the following operands:
      - COMSRV
      - DEVMaint
      - DIAG88
      - DIAG98
      - D84NOPAS
      - MAINTCCW
Note: These options are allowed (and some may even be required) for
trusted virtual machines in z/VM, but must be removed from all non-trusted
virtual machines.
o Do not define a user with a password of NOPASS.
o Do not allow minidisk extents to overlap, except when used for system
backup purposes, as this may expose users to data that they are not
authorized to see.
o Network services MUST NOT allow anonymous access to the system or its
resources. For example, the TCP/IP DTCPARMS configuration files MUST NOT
contain any occurrences of :Anonymous.YES.
I also have a PCI compliance document on my To Do list.
So I guess the answer to your question is "Yes".
Alan Altmark
z/VM Development
IBM Endicott
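
The directory-statement, NOPASS and :Anonymous.YES items in the snippet above can be checked mechanically. The following is an added example, not part of the original message and not an IBM tool. It assumes the CP directory source and a DTCPARMS file have been exported as plain text, that the auditor supplies the set of trusted user IDs, and that DEVM is the shortest accepted form of DEVMaint; all sample data is constructed.

```python
FLAGGED_OPTIONS = {"COMSRV", "DIAG88", "DIAG98", "D84NOPAS", "MAINTCCW"}

def is_devmaint(op):
    # Assumption: "DEVMaint" on the page means DEVM is the shortest accepted form.
    return op.startswith("DEVM") and "DEVMAINT".startswith(op)

def audit_directory(text, trusted=frozenset()):
    """Return (entry, finding) tuples; `trusted` is the auditor's set of trusted user IDs."""
    findings, entry = [], None
    for raw in text.splitlines():
        tok = raw.upper().split()
        if not tok or tok[0].startswith("*"):        # blank line or comment
            continue
        stmt, ops = tok[0], tok[1:]
        if stmt in ("USER", "IDENTITY", "PROFILE") and ops:
            # Profiles are reported under their own name; INCLUDE is not resolved.
            entry = ops[0] if stmt != "PROFILE" else "PROFILE " + ops[0]
            if ops[1:2] == ["NOPASS"]:               # applies to every user, trusted or not
                findings.append((entry, "password NOPASS"))
        elif entry is None or entry in trusted:
            continue
        elif stmt == "OPTION":
            findings += [(entry, "OPTION " + op) for op in ops
                         if op in FLAGGED_OPTIONS or is_devmaint(op)]
        elif stmt == "IUCV" and ops[:1] == ["ANY"]:
            findings.append((entry, "IUCV ANY"))
        elif stmt == "IUCV" and ops[:2] == ["*IDENT", "RESANY"]:
            findings.append((entry, "IUCV *IDENT RESANY"))
    return findings

def audit_dtcparms(text):
    """Return 1-based numbers of lines containing :Anonymous.YES (any case or spacing)."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if ":ANONYMOUS.YES" in "".join(line.upper().split())]

# Constructed sample input, not taken from a real system.
SAMPLE_DIRECTORY = """\
USER OPERATNS PWPLACE1 32M 64M ABCDEFG
 OPTION MAINTCCW DEVMAINT
USER GUEST1 NOPASS 16M 16M G
 OPTION DIAG98 QUICKDSP
 IUCV ANY
USER LINUX01 PWPLACE2 1G 2G G
 IUCV *IDENT RESANY GLOBAL
 OPTION DEVM
"""
SAMPLE_DTCPARMS = ":nick.FTPSERVE :type.server :class.ftp\n :Anonymous.YES\n"
if __name__ == "__main__":
    print(audit_directory(SAMPLE_DIRECTORY, trusted={"OPERATNS"}), audit_dtcparms(SAMPLE_DTCPARMS))
```

Minidisk overlap and DEDICATE checks are not covered here; findings reported against a PROFILE entry still need to be mapped to the users that INCLUDE it.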