IBM HARDWARE MANAGEMENT CONSOLE (HMC) STIG

U_IBM_Hardware_Management_Console_V1R4_Manual-xccdf.xml

IBM Main Frame Hardware Management Console. Used to perform Initial Program Loads (IPLs), power on resets, shutdowns, and configuring of hardware components for system logical partitions.
Details

Version / Release: V1R4

Published: 2014-09-18

Updated At: 2018-09-23 02:53:33

Actions

Download

Filter

Vuln Rule Version CCI Severity Title Description
SV-29986r2_rule HLESC010 CCI-002101 HIGH The Enterprise System Connection (ESCON) Director (ESCD) Application Console must be located in a secure location The ESCD Application Console is used to add, change, and delete port configurations and dynamically switch paths between devices. If the ESCON Director Application Console is not located in a secured location, unauthorized personnel can bypass security, access the system, and alter the environment. This could impact the integrity and confidentiality of operations. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.System AdministratorSystems ProgrammerPECF-1, PECF-2, PEPF-1, PEPF-2
SV-29994r2_rule HLESC020 CCI-002227 MEDIUM Sign-on to the ESCD Application Console must be restricted to only authorized personnel. The ESCD Application Console is used to add, change, and delete port configurations and to dynamically switch paths between devices. Access to the ESCD Application Console is restricted to three classes of personnel: Administrators, service representatives and operators. The administrator sign-on controls passwords at all levels, the service representative sign-on allows access to maintenance procedures, and the operator sign-on allows for configuration changes and use of the Director utilities. Unrestricted use by unauthorized personnel could impact the integrity of the environment. This would result in a loss of secure operations and impact data operating environment integrity. NOTE: Many newer installations no longer support the ESCD Application Console. For installations not supporting the ESCD Application Console, this check is not applicable.System AdministratorSystems ProgrammerECLP-1
SV-29995r2_rule HLESC030 CCI-000169 HIGH The ESCON Director Application Console Event log must be enabled. The ESCON Director Console Event Log is used to record all ESCON Director Changes. Failure to create an ESCON Director Application Console Event log results in the lack of monitoring and accountability of configuration changes. In addition, its use in the execution of a contingency plan could be compromised and security degraded. NOTE: Many newer installations no longer support the ESCON Director Console. For installations not supporting the ESCON Director Console, this check is not applicable.System AdministratorSystems ProgrammerECAT-1, ECAT-2
SV-29998r2_rule HLESC080 CCI-002227 MEDIUM The Distributed Console Access Facility (DCAF) Console must be restricted to only authorized personnel. The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerSystems ProgrammerECLP-1
SV-29999r1_rule HMC0010 CCI-002916 HIGH The Hardware Management Console must be located in a secure location. The Hardware Management Console is used to perform Initial Program Load (IPLs) and control the Processor Resource/System Manager (PR/SM). If the Hardware Management Console is not located in a secure location, unauthorized personnel can bypass security, access the system, and alter the environment. This can lead to loss of secure operations if not corrected immediately.Information Assurance OfficerInformation Assurance ManagerSecurity ManagerSystems ProgrammerPECF-1, PECF-2, PEPF-1, PEPF-2
SV-30007r2_rule HMC0030 CCI-002883 MEDIUM Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be restricted to an authorized vendor site. Dial-out access from the Hardware Management Console could impact the integrity of the environment, by enabling the possible introduction of spyware or other malicious code. It is important to note that it should be properly configured to only go to an authorized vendor site. Note: This feature will be activated for Non-Classified Systems only. Also, many newer processors (e.g., zEC12/zBC12 processors) will not have modems. If there is no modem, this check is not applicable.System AdministratorSecurity ManagerSystems ProgrammerEBRP-1, EBRU-1
SV-30008r1_rule HMC0040 CCI-002227 MEDIUM Access to the Hardware Management Console must be restricted to only authorized personnel. Access to the Hardware Management Console if not properly restricted to authorized personnel could lead to a bypass of security, access to the system, and an altering of the environment. This would result in a loss of secure operations and can cause an impact to data operating environment integrity.System AdministratorInformation Assurance ManagerSecurity ManagerECLP-1, PECF-1, PECF-2, PRMP-1, PRMP-2
SV-30013r2_rule HMC0050 CCI-002227 MEDIUM Automatic Call Answering to the Hardware Management Console must be disabled. Automatic Call Answering to the Hardware Management Console allows unrestricted access by unauthorized personnel and could lead to a bypass of security, access to the system, and an altering of the environment. This would result in a loss of secure operations and impact the integrity of the operating environment, files, and programs. Note: Dial-in access to the Hardware Management Console is prohibited. Also, many newer processors (e.g., zEC12/zBC12 processors) will not have modems. If there is no modem, this check is not applicable.System AdministratorSystems ProgrammerEBRP-1, EBRU-1
SV-30015r1_rule HMC0070 CCI-000169 MEDIUM The Hardware Management Console Event log must be active. The Hardware Management Console controls the operation and availability of the Central Processor Complex (CPC). Failure to create and maintain the Hardware Management Console Event log could result in the lack of monitoring and accountability of CPC control activity. System AdministratorSystems ProgrammerECAT-1, ECAT-2
SV-30021r1_rule HMC0080 CCI-001989 HIGH The manufacturer’s default passwords must be changed for all Hardware Management Console (HMC) Management software. The changing of passwords from the HMC default values, blocks malicious users with knowledge of these default passwords, from creating a denial of service or from reconfiguring the HMC topology leading to a compromise of sensitive data. The system administrator will ensure that the manufacturer’s default passwords are changed for all HMC management software.System AdministratorInformation Assurance OfficerInformation Assurance ManagerSystems ProgrammerIAIA-1, IAIA-2
SV-30022r1_rule HMC0090 CCI-000213 MEDIUM Predefined task roles to the Hardware Management Console (HMC) must be specified to limit capabilities of individual users. Individual task roles with access to specific resources if not created and restricted, will allow unrestricted access to system functions. The following is an example of some managed resource categories: Tasks are functions that a user can perform, and the managed resource role defines where those tasks might be carried out. The Access Administrator assigns a user ID and user roles to each user of the Hardware Management Console. • OPERATOR OPERATOR • ADVANCED ADVANCED OPERATOR • ACSADMIN ACCESS ADMINISTRTOR • SYSPROG SYSTEM PROGRAMMER • SERVICE SRVICE REPRESENTATIVE Failure to establish this environment may lead to uncontrolled access to system resources. System AdministratorSystems ProgrammerECLP-1
SV-30023r1_rule HMC0100 CCI-000760 MEDIUM Individual user accounts with passwords must be maintained for the Hardware Management Console operating system and application. Without identification and authentication, unauthorized users could reconfigure the Hardware Management Console or disrupt its operation by logging in to the system or application and execute unauthorized commands. The System Administrator will ensure individual user accounts with passwords are set up and maintained for the Hardware Management Console. System AdministratorSystems ProgrammerIAIA-1, IAIA-2
SV-30024r1_rule HMC0110 CCI-000200 MEDIUM The PASSWORD History Count value must be set to 10 or greater. History Count specifies the number of previous passwords saved for each USERID and compares it with an intended new password. If there is a match with one of the previous passwords, or with the current password, it will reject the intended new password. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. System AdministratorInformation Assurance OfficerInformation Assurance ManagerSystems ProgrammerIAIA-1, IAIA-2
SV-30026r1_rule HMC0120 CCI-000199 MEDIUM The PASSWORD expiration day(s) value must be set to equal or less then 60 days. Expiration Day(s) specifies the maximum number of days that each user's password is valid. When a user logs on to the Hardware Management Console it compares the system password interval value specified in the user profile and it uses the lower of the two values to determine if the user's, password has expired. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. System AdministratorInformation Assurance OfficerInformation Assurance ManagerSystems ProgrammerIAIA-1, IAIA-2
SV-30027r1_rule HMC0130 CCI-000044 MEDIUM Maximum failed password attempts before disable delay must be set to 3 or less. The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password attempts the Hardware Management Console allows as 3 times, before setting a 60-minute delay to attempt to retry the password. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a revoke of a userID. A 60- minute delay time setting is being substituted.System AdministratorSystems ProgrammerECLO-1, ECLO-2
SV-30028r1_rule HMC0140 CCI-000192 MEDIUM The password values must be set to meet the requirements in accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above, and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)). In accordance with DoDI 8500.2 for DoD information systems processing sensitive information and above and CJCSI 6510.01E (INFORMATION ASSURANCE (IA) AND COMPUTER NETWORK DEFENSE (CND)).. The following recommendations concerning password requirements are mandatory and apply equally to both classified and unclassified systems: (1) Passwords are to be fourteen (14) characters. (2) Passwords are to be a mix of upper and lower-case alphabetic, numeric, and special characters, including at least one of each. Special characters include the national characters (i.e., @, #, and $) and other non-alphabetic and non-numeric characters typically found on a keyboard. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the Hardware Management Console control options introduces the possibility of exposure during the migration process or contingency plan activation.System AdministratorSystems ProgrammerDCCS-1, DCCS-2, IAIA-1, IAIA-2
SV-30029r1_rule HMC0150 CCI-000057 MEDIUM The terminal or workstation must lock out after a maximum of 15 minutes of inactivity, requiring the account password to resume. If the system, workstation, or terminal does not lock the session after more than15 minutes of inactivity, requiring a password to resume operations, the system or individual data could be compromised by an alert intruder who could exploit the oversight.System AdministratorSystems ProgrammerPESL-1
SV-30030r1_rule HMC0160 CCI-000048 MEDIUM The Department of Defense (DoD) logon banner must be displayed prior to any login attempt. Failure to display the required DoD logon banner prior to a login attempt may void legal proceedings resulting from unauthorized access to system resources and may leave the SA, IAO, IAM, and Installation Commander open to legal proceedings for not advising users that keystrokes are being audited.System AdministratorInformation Assurance OfficerSystems ProgrammerECWM-1
SV-30031r2_rule HMC0170 CCI-001749 MEDIUM A private web server must subscribe to certificates, issued from any DoD-authorized Certificate Authority, as an access control mechanism for web users. If the Hardware Management Consoles (HMC) is network-connected, use SSL encryption techniques, through digital certificates to provide message privacy, message integrity and mutual authentication between clients and servers. To maintain data integrity the IBM Certificate distributed with the HMC's is to be replaced by a DoD-authorized Certificate. Note: This check applies only to network-connected HMCs.System AdministratorSystems ProgrammerIATS-1, IATS-2
SV-30032r3_rule HMC0180 CCI-001348 MEDIUM Hardware Management Console audit record content data must be backed up. The Hardware Management Console has the ability to backup and display the following data: 1) Critical console data 2) Critical hard disk information 3) Backup of critical CPC data and 4) Security Logs. Failure to backup and archive the listed data could make auditing of system incidents and history unavailable and could impact recovery for failed components. System AdministratorSystems ProgrammerCOSW-1, ECTB-1
SV-30043r1_rule HMC0200 CCI-001453 MEDIUM Hardware Management Console management must be accomplished by using the out-of-band or direct connection method. Removing the management traffic from the production network diminishes the security profile of the Hardware Management Console servers by allowing all the management ports to be closed on the production network. The System Administrator will ensure that Hardware Management Console management is accomplished using the out-of-band or direct connection method.System AdministratorNetwork Security OfficerSystems ProgrammerDCBP-1
SV-30052r1_rule HLP0010 CCI-002101 MEDIUM Unauthorized partitions must not exist on the system complex. The running of unauthorized Logical Partitions (LPARs) could allow a “Trojan horse” version of the operating environment to be introduced into the system complex. This could impact the integrity of the system complex and the confidentiality of the data that resides in it.System AdministratorSystems ProgrammerECSC-1
SV-30053r1_rule HLP0020 CCI-000213 MEDIUM On Classified Systems, Logical Partition must be restricted with read/write access to only its own IOCDS. Unrestricted control over the IOCDS files could result in unauthorized updates and impact the configuration of the environment by allowing unauthorized access to a restricted resource. This could severely damage the integrity of the environment and the system resources.System AdministratorSystems ProgrammerECCD-1, ECCD-2
SV-30055r1_rule HLP0030 CCI-000226 MEDIUM Processor Resource/Systems Manager (PR/SM) must not allow unrestricted issuing of control program commands. Unrestricted control over the issuing of system commands by a Logical Partition could result in unauthorized data access and inadvertent updates. This could result in severe damage to system resources.System AdministratorSystems ProgrammerECCD-1, ECCD-2
SV-30056r1_rule HLP0040 CCI-000213 HIGH Classified Logical Partition (LPAR) channel paths must be restricted. Restricted LPAR channel paths are necessary to ensure data integrity. Unrestricted LPAR channel path access could result in a compromise of data integrity. When a classified LPAR exists on a mainframe which requires total isolation, all paths to that LPAR must be restricted.System AdministratorSystems ProgrammerECCD-1, ECCD-2
SV-30057r1_rule HLP0050 CCI-000213 MEDIUM On Classified Systems the Processor Resource/Systems Manager (PR/SM) must not allow access to system complex data. Allowing unrestricted access to all Logical Partition data could result in the possibility of unauthorized access and updating of data. This could also impact the integrity of the processing environment.System AdministratorSystems ProgrammerECCD-1, ECCD-2
SV-30058r1_rule HLP0060 CCI-000213 HIGH Central processors must be restricted for classified/restricted Logical Partitions (LPARs). Allowing unrestricted access to classified processors for all LPARs could cause the corruption and loss of classified data sets, which could compromise classified processing.System AdministratorSystems ProgrammerECCD-1, ECCD-2
SV-30081r1_rule HMC0035 CCI-001762 HIGH Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems. This feature will not be activated for any classified systems. Allowing dial-out access from the Hardware Management Console could impact the integrity of the environment by enabling the possible introduction of spyware or other malicious code. System AdministratorSystems ProgrammerEBRP-1, EBRU-1
SV-31292r2_rule HLESC085 CCI-000764 MEDIUM DCAF Console access must require a password to be entered by each user. The DCAF Console enables an operator to access the ESCON Director Application remotely. Access to a DCAF Console by unauthorized personnel could result in varying of ESCON Directors online or offline and applying configuration changes. Unrestricted use by unauthorized personnel could lead to bypass of security, unlimited access to the system, and an altering of the environment. This would result in a loss of secure operations and will impact data operating integrity of the environment. NOTE: Many newer installations no longer support the ESCON Director Application. For installations not supporting the ESCON Director Application, this check is not applicable.System AdministratorSystems ProgrammerECCD-1, IAIA-1, IAIA-2
SV-31555r1_rule HMC0045 CCI-000225 MEDIUM Access to the Hardware Management Console (HMC) must be restricted by assigning users proper roles and responsibilities. Access to the HMC if not properly controlled and restricted by assigning users proper roles and responsibilities, could allow modification to areas outside the need-to-know and abilities of the individual resulting in a bypass of security and an altering of the environment. This would result in a loss of secure operations and can cause an impact to data operating environment integrity.System AdministratorECAN-1, ECLP-1, PRMP-1, PRMP-2
SV-31556r1_rule HMC0185 CCI-000130 MEDIUM Audit records content must contain valid information to allow for proper incident reporting. The content of audit data must validate that the information contains: User IDs Successful and unsuccessful attempts to access security files (e.g., audit records, password files, access control files, etc) Date and time of the event Type of event Success or failure of event Successful and unsuccessful logons Denial of access resulting from excessive number of logon attempts Failure to not contain this information may hamper attempts to trace events and not allow proper tracking of incidents during a forensic investigation System AdministratorECAR-1, ECAR-2
SV-31558r1_rule HMC0210 CCI-001762 HIGH Product engineering access to the Hardware Management Console must be disabled. The Hardware Management Console has a built-in feature that allows Product Engineers access to the console. With access authority, IBM Product Engineering can log on the Hardware Management Console with an exclusive user identification (ID) that provides tasks and operations for problem determination. Product Engineering access is provided by a reserved password and permanent user ID. You cannot view, discard, or change the password and user ID, but you can control their use for accessing the Hardware Management Console. User IDs and passwords that are hard-coded and cannot be modified are a violation of NIST 800-53 and multiple other compliance regulations. Failure to disable this access would allow unauthorized access and could lead to security violations on the HMC.System AdministratorSystems Programmer
SV-31580r1_rule HMC0220 CCI-002310 HIGH Connection to the Internet for IBM remote support must be in compliance with the Remote Access STIGs. Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on the Hardware Management Console.System AdministratorNetwork Security OfficerEBRP-1, EBRU-1
SV-31588r1_rule HMC0135 CCI-002238 LOW A maximum of 60-minute delay must be specified for the password retry after 3 failed attempts to enter your password The Maximum failed attempts before disable delay is not set to 3. This specifies the number of consecutive incorrect password attempts the Hardware Management Console allows as 3 times, before setting a 60-minute delay to attempt to retry the password. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. Note: The Hardware Management Console does not allow a revoke of a user ID.A 60-minute delay time setting is being substituted.System AdministratorSystems ProgrammerECLO-1, ECLO-2
SV-31589r1_rule HMC0225 CCI-002310 HIGH Connection to the Internet for IBM remote support must be in compliance with mitigations specified in the Ports and Protocols and Services Management (PPSM) requirements. Failure to securely connect to remote sites can leave systems open to multiple attacks and security violations through the network. Failure to securely implement remote support connections can lead to unauthorized access or denial of service attacks on theHardware Management Console.System AdministratorNetwork Security OfficerEBRP-1, EBRU-1