Thank you. Now can IBM present this type of material to the organizations that train, manage and certify system auditors? Does IBM have any audit training classes, not just for z/VM but for any/all computer systems?
/Tom Kern

Alan Altmark wrote:
> On Friday, 09/25/2009 at 01:19 EDT, Thomas Kern <[email protected]>
> wrote:
>> Alan, would IBM be interested in promoting a better list of auditing
>> questions/checklists?
>
> If you follow the guidelines in the Secure Configuration Guide (sans
> mandatory access controls, if desired) you have a pretty good start to a
> security audit checklist.
>
> Snippet....
> o Do not use the DEDICATE statement in the system directory to dedicate
>   console terminals unless they are under the strictest physical
>   supervision.
> o CP commands issued using the COMMAND directory statement run with full
>   system privileges, just as though the command was issued by the system
>   administrator. Use of the COMMAND statement is audited under the control
>   of the DIRECTRY_CMD system event.
> o Do not allow any of the following directory control statements (or
>   operands or options on the directory control statements) to appear in the
>   CP system directory entry of any non-trusted virtual machine in the
>   system:
>   - IUCV with the ANY or *IDENT RESANY operand
>   - OPTION with any of the following operands:
>     - COMSRV
>     - DEVMaint
>     - DIAG88
>     - DIAG98
>     - D84NOPAS
>     - MAINTCCW
>   Note: These options are allowed (and some may even be required) for
>   trusted virtual machines in z/VM, but must be removed from all non-trusted
>   virtual machines.
> o Do not define a user with a password of NOPASS.
> o Do not allow minidisk extents to overlap, except when used for system
>   backup purposes, as this may expose users to data that they are not
>   authorized to see.
> o Network services MUST NOT allow anonymous access to the system or its
>   resources. For example, the TCP/IP DTCPARMS configuration files MUST NOT
>   contain any occurrences of :Anonymous.YES.
>
> I also have a PCI compliance document on my To Do list.
>
> So I guess the answer to your question is "Yes".
>
> Alan Altmark
> z/VM Development
> IBM Endicott
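As an added illustration of how the directory items in the quoted checklist can be turned into an automated audit (example code written for this thread, not IBM's or the list's own tooling), the following Python scans a USER DIRECT text for NOPASS passwords, the listed OPTION operands and IUCV forms on non-trusted users, DEDICATE and COMMAND statements that need review, and overlapping MDISK extents on the same volume. The directory content is a constructed sample, and the set of "trusted" userids is an assumed input the auditor supplies.

```python
from collections import defaultdict

# OPTION operands from the quoted checklist, with the minimum abbreviation
# length IBM's notation implies (DEVMaint -> DEVM; the others are spelled out).
RISKY_OPTIONS = {"COMSRV": 6, "DEVMAINT": 4, "DIAG88": 6, "DIAG98": 6,
                 "D84NOPAS": 8, "MAINTCCW": 8}

def _is_option(tok, full, minlen):
    return len(tok) >= minlen and full.startswith(tok)

def audit_directory(text, trusted=frozenset()):
    """Return (userid, statement, reason) findings for a USER DIRECT text."""
    findings, extents, user = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("*"):  # blank/comment
            continue
        tok = raw.upper().split()
        stmt, args = tok[0], tok[1:]
        if stmt == "USER":                     # USER userid password ...
            user = args[0]
            if len(args) > 1 and args[1] == "NOPASS":
                findings.append((user, "USER", "password is NOPASS"))
            continue
        if stmt == "MDISK" and len(args) >= 5 and args[2].isdigit() and args[3].isdigit():
            # MDISK vaddr devtype start size volser ...; track [start, end) per volume
            start, size = int(args[2]), int(args[3])
            extents[args[4]].append((start, start + size, user, args[0]))
        if user is None or user in trusted:   # remaining checks: non-trusted only
            continue
        if stmt == "OPTION":
            for a in args:
                hits = [f for f, n in RISKY_OPTIONS.items() if _is_option(a, f, n)]
                if hits:
                    findings.append((user, "OPTION", f"{a} grants {hits[0]}"))
        elif stmt == "IUCV" and ("ANY" in args or ("*IDENT" in args and "RESANY" in args)):
            findings.append((user, "IUCV", "unrestricted IUCV " + " ".join(args)))
        elif stmt in ("DEDICATE", "COMMAND"):
            findings.append((user, stmt, "privileged statement, review: " + raw.strip()))
    for vol, ext in extents.items():          # overlap check across all users
        ext.sort()
        for (s1, e1, u1, v1), (s2, e2, u2, v2) in zip(ext, ext[1:]):
            if s2 < e1:
                findings.append((u2, "MDISK", f"{v2} on {vol} overlaps {u1} {v1}"))
    return findings

SAMPLE_DIRECT = """\
* Constructed sample directory for the audit example, not a real system
USER MAINT PASSWORD 128M 1000M ABCDEG
 OPTION DEVMAINT MAINTCCW
 MDISK 190 3390 1 100 VMSYS1 MR
USER TESTER NOPASS 32M 64M G
 OPTION DIAG88 LNKNOPAS
 IUCV ANY
 MDISK 191 3390 50 60 VMSYS1 MR
USER DEVUSR DEVPASS 32M 64M G
 OPTION DEVM
 COMMAND SET PRIVCLASS DEVUSR +B
 MDISK 191 3390 200 10 VMSYS1 MR
"""

if __name__ == "__main__":
    for finding in audit_directory(SAMPLE_DIRECT, trusted={"MAINT"}):
        print(finding)
```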
